Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0
Configuring the Switch for the Firewall Services Module
This chapter describes how to configure the Catalyst 6500 series switch or the Cisco 7600 series router for use with the FWSM. Before completing the procedures in this chapter, configure the basic properties of your switch, including assigning VLANs to interfaces, according to the documentation that came with your switch.

This chapter includes the following sections:

Switch Overview

Verifying the Module Installation

Verifying Traffic Through the Firewall Services Module

Verifying the Firewall Services Module State

Assigning VLANs to the Firewall Services Module

Adding Switched Virtual Interfaces to the MSFC

Customizing the FWSM Internal Interface

Configuring the Switch for Failover

Managing the Firewall Services Module Boot Partitions

Switch Overview

You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC).

The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.


Note The Catalyst operating system software is not supported.


The FWSM runs its own operating system.


Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM.


See the "Using the MSFC" section for more information about the MSFC.

Some FWSM features interact with Cisco IOS features, and require specific Cisco IOS software versions. See the "Switch Hardware and Software Compatibility" section for more information. The following features involve Cisco IOS software, and are described in the feature sections:

Route Health Injection—See the "Configuring Route Health Injection" section.

PISA integration—See the "Permitting or Denying Application Types with PISA Integration" section.

Virtual Switching System (VSS) support—No FWSM configuration required.


Note For Cisco IOS software Version 12.2(18)SX6 and earlier, the SPAN reflector feature is enabled for each FWSM in a switch. This feature enables multicast traffic (and other traffic that requires the central rewrite engine) to be switched when it comes from the FWSM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:

Router(config)# no monitor session servicemodule
 
   

Verifying the Module Installation

To verify that the switch acknowledges the FWSM and has brought it online, view the module information using the following command:

Router> show module [mod-num | all]
 
   

The following is sample output from the show module command:

Router> show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAD0444099Y
  2   48  48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03475619
  3    2  Intrusion Detection System             WS-X6381-IDS       SAD04250KV5
  4    6  Firewall Module                        WS-SVC-FWM-1       SAD062302U4
 
   

Note The show module command shows six ports for the FWSM; these are internal ports that are grouped together as an EtherChannel. See the "Customizing the FWSM Internal Interface" section for more information.


Verifying Traffic Through the Firewall Services Module

To verify that traffic is flowing through the FWSM, view the module information using the following command:

Router> show firewall module [mod-num | traffic]
 
   

The following is sample output from the show firewall module traffic command:

Router> show firewall module 11 traffic
Firewall module 11:
 
Specified interface is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0014.1cd5.bef6 (bia 0014.1cd5.bef6)
  MTU 1500 bytes, BW 6000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, media type is unknown
  input flow-control is on, output flow-control is on 
  Members in this channel: Gi11/1 Gi11/2 Gi11/3 Gi11/4 Gi11/5 Gi11/6 
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queuing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 10000 bits/sec, 17 packets/sec
     8709 packets input, 845553 bytes, 0 no buffer
     Received 745 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     18652077 packets output, 1480488712 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
 
   

Verifying the Firewall Services Module State

To verify the state of the FWSM, view the module information by entering the following command:

Router> show firewall module [mod-num | state]
 
   

The following is sample output from the show firewall module state command:

Router> show firewall module 11 state
Firewall module 11:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 3,6,7,20-24,40,59,85,87-89,99-115,150,188-191,200,250,
     501-505,913,972
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 
Vlans allowed and active in management domain: 
Vlans in spanning tree forwarding state and not pruned: 
 
   

Assigning VLANs to the Firewall Services Module

This section describes how to assign VLANs to the FWSM. The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Assigning VLANs to the FWSM is similar to assigning a VLAN to a switch port; the FWSM includes an internal interface to the Switch Fabric Module (if present) or the shared bus.


Note See the switch documentation for information about adding VLANs to the switch and assigning them to switch ports.


This section includes the following topics:

VLAN Guidelines

Assigning VLANs to the FWSM

VLAN Guidelines

See the following guidelines for using VLANs with the FWSM:

You can use private VLANs with the FWSM. Assign the primary VLAN to the FWSM; the FWSM automatically handles secondary VLAN traffic.

You cannot use reserved VLANs.

You cannot use VLAN 1.

If you are using FWSM failover within the same switch chassis, do not assign the VLAN(s) you are reserving for failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include the VLANs in the trunk port between the chassis.

If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.

Assigning VLANs to the FWSM

In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.

You cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM and you can assign a single firewall group to multiple FWSMs. VLANs that you want to assign to multiple FWSMs, for example, can reside in a separate group from VLANs that are unique to each FWSM.

To assign VLANs to the FWSM, perform the following steps:


Step 1 To assign VLANs to a firewall group, enter the following command:

Router(config)# firewall vlan-group firewall_group vlan_range
 
   

The firewall_group argument is an integer.

The vlan_range can be one or more VLANs (2 through 1000 and 1025 through 4094), identified in one of the following ways:

A single number (n)

A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:

5,7-10,13,45-100
 
   

Note Routed ports and WAN ports consume internal VLANs, so it is possible that VLANs in the 1020-1100 range might already be in use.

If you configure the VLANs in the FWSM configuration, and then later assign the VLANs to the FWSM on the switch using this procedure, then those VLANs are brought administratively up on the FWSM even if they were configured to be shut down. To shut them down, enter the following commands at the FWSM CLI:

interface vlan number
shutdown


Step 2 To assign the firewall groups to the FWSM, enter the following command:

Router(config)# firewall module module_number vlan-group firewall_group
 
   

The firewall_group is one or more group numbers:

A single number (n)

A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:

5,7-10
 
   

The following example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs:

Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall vlan-group 52 100
Router(config)# firewall module 5 vlan-group 50,52
Router(config)# firewall module 8 vlan-group 51,52
 
   

The following is sample output from the show firewall vlan-group command:

Router# show firewall vlan-group
Group vlans
----- ------
   50 55-57
   51 70-85
   52 100
 
   

The following is sample output from the show firewall module command, which shows all VLAN groups:

Router# show firewall module
Module Vlan-groups
  5    50,52
  8    51,52
 
   

Adding Switched Virtual Interfaces to the MSFC

A VLAN defined on the MSFC is called a switched virtual interface. If you assign the VLAN used for the SVI to the FWSM (see the "Assigning VLANs to the Firewall Services Module" section), then the MSFC routes between the FWSM and other Layer 3 VLANs.

This section includes the following topics:

SVI Overview

Configuring SVIs

SVI Overview

For security reasons, by default, only one SVI can exist between the MSFC and the FWSM. For example, if you misconfigure the system with multiple SVIs, you could accidentally allow traffic to pass around the FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.)

Figure 2-1 Multiple SVI Misconfiguration

However, you might need to bypass the FWSM in some network scenarios. Figure 2-2 shows an IPX host on the same Ethernet segment as IP hosts. Because the FWSM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the FWSM for IPX traffic. Make sure to configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201.

Figure 2-2 Multiple SVIs for IPX

For transparent firewalls in multiple context mode, you need to use multiple SVIs because each context requires a unique VLAN on its outside interface (See Figure 2-3). You might also choose to use multiple SVIs in routed mode so you do not have to share a single VLAN for the outside interface.

Figure 2-3 Multiple SVIs in Multiple Context Mode

Configuring SVIs

To add an SVI to the MSFC, perform the following steps:


Step 1 (Optional) To allow you to add more than one SVI to the FWSM, enter the following command:

Router(config)# firewall multiple-vlan-interfaces
 
   

Step 2 To add a VLAN interface to the MSFC, enter the following command:

Router(config)# interface vlan vlan_number 
 
   

Step 3 To set the IP address for this interface on the MSFC, enter the following command:

Router(config-if)# ip address address mask
 
   

Step 4 To enable the interface, enter the following command:

Router(config-if)# no shutdown
 
   

The following example shows a typical configuration with multiple SVIs:

Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 8 vlan-group 50-51
Router(config)# firewall multiple-vlan-interfaces
Router(config)# interface vlan 55
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# interface vlan 56
Router(config-if)# ip address 10.1.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
Router#
 
   

The following is sample output from the show interface command:

Router# show interface vlan 55
Vlan55 is up, line protocol is up 
  Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)
  Internet address is 10.1.1.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type:ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
  Queueing strategy:fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes
  L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast
  L3 out Switched:ucast:0 pkt, 0 bytes 
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     4 packets output, 256 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
 
   
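As an added example (not part of the Cisco guide), the following Python script audits a switch configuration against the rules given in this chapter: the vlan_range syntax and the permitted ranges (no VLAN 1, no reserved VLANs), no VLAN in more than one firewall group, the 16-group limit, and more than one MSFC SVI on a module's firewall VLANs (the Figure 2-1 misconfiguration that lets traffic route around the FWSM). The configuration it parses is constructed from this chapter's examples, and the function names are the author's own assumptions.

```python
import re

# Constructed switch-side configuration modelled on this chapter's examples:
# two FWSMs, a shared VLAN group, and two MSFC SVIs on module 5's VLANs.
SAMPLE_CONFIG = """\
firewall vlan-group 50 55-57
firewall vlan-group 51 70-85
firewall vlan-group 52 100
firewall module 5 vlan-group 50,52
firewall module 8 vlan-group 51,52
firewall multiple-vlan-interfaces
interface vlan 55
 ip address 10.1.1.1 255.255.255.0
interface vlan 56
 ip address 10.1.2.1 255.255.255.0
interface vlan 200
 ip address 10.2.0.1 255.255.255.0
"""

def usable_vlan(vlan: int) -> bool:
    # The chapter permits 2-1000 and 1025-4094; VLAN 1 and reserved VLANs are out.
    return 2 <= vlan <= 1000 or 1025 <= vlan <= 4094

def parse_range(spec: str) -> list[int]:
    """Expand a vlan_range such as '5,7-10,13' (n and n-x forms) into a sorted list."""
    out: set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i:
            raise ValueError(f"bad range {part!r}")
        out.update(range(lo_i, hi_i + 1))
    return sorted(out)

def audit(config: str) -> list[str]:
    """Check a switch config against the VLAN-group and SVI rules in this chapter."""
    groups: dict[int, list[int]] = {}   # firewall vlan-group id -> VLANs
    modules: dict[int, list[int]] = {}  # slot -> firewall vlan-group ids
    svis: set[int] = set()              # VLANs that have an MSFC SVI
    multi_svi = False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"firewall vlan-group (\d+) (\S+)$", line):
            groups[int(m[1])] = parse_range(m[2])
        elif m := re.match(r"firewall module (\d+) vlan-group (\S+)$", line):
            modules[int(m[1])] = parse_range(m[2])
        elif m := re.match(r"interface [Vv]lan ?(\d+)$", line):
            svis.add(int(m[1]))
        elif line == "firewall multiple-vlan-interfaces":
            multi_svi = True
    findings: list[str] = []
    if len(groups) > 16:
        findings.append(f"{len(groups)} firewall VLAN groups; the limit is 16")
    owner: dict[int, int] = {}  # VLAN -> first group that claimed it
    for gid, vlans in groups.items():
        for v in vlans:
            if not usable_vlan(v):
                findings.append(f"group {gid}: VLAN {v} is VLAN 1 or a reserved VLAN")
            if v in owner and owner[v] != gid:
                findings.append(f"VLAN {v} is in groups {owner[v]} and {gid}")
            owner.setdefault(v, gid)
    for mod, gids in modules.items():
        fw_vlans = {v for g in gids for v in groups.get(g, [])}
        # Two or more MSFC SVIs on one module's VLANs is the Figure 2-1 case: the
        # MSFC can route around the FWSM unless an MSFC access list restricts it.
        fw_svis = sorted(svis & fw_vlans)
        if len(fw_svis) > 1:
            state = "enabled" if multi_svi else "not enabled"
            findings.append(f"module {mod}: {len(fw_svis)} SVIs on firewall VLANs "
                            f"{fw_svis} (firewall multiple-vlan-interfaces {state})")
    return findings
```

On the constructed configuration the audit reports only module 5, whose VLANs 55 and 56 both have an SVI; module 8 is clean because its VLANs have no SVI at all.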

Customizing the FWSM Internal Interface

The connection between the FWSM and the switch is a 6-GB 802.1Q trunking EtherChannel, which is created automatically when you install the FWSM. On the FWSM side, two network processors (NPs) each connect to three Gigabit Ethernet interfaces, and these six interfaces make up the EtherChannel. The switch distributes traffic across the interfaces in the EtherChannel according to a distribution algorithm based on session information; load sharing is performed per flow, not per packet. In some cases, the algorithm assigns traffic unevenly between the interfaces and, therefore, between the two NPs. Besides leaving part of the processing capacity of the FWSM unused, a consistently uneven split can cause unexpected behavior when you apply resource management to multiple contexts. (See the "Configuring a Class" section for more information.)

To change the load-balancing method, enter the following command:

Router(config)# port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port}
 
   

The default is src-dst-ip.

Configuring the Switch for Failover

To configure the switch for failover, see the following topics:

Assigning VLANs to the Secondary Firewall Services Module

Adding a Trunk Between a Primary Switch and Secondary Switch

Ensuring Compatibility with Transparent Firewall Mode

Enabling Autostate Messaging for Rapid Link Failure Detection

Assigning VLANs to the Secondary Firewall Services Module

Because both units require the same access to the inside and outside networks, you must assign the same VLANs to both FWSMs on the switch(es). See the "Assigning VLANs to the Firewall Services Module" section.

Adding a Trunk Between a Primary Switch and Secondary Switch

If you are using inter-switch failover (see the "Intra- and Inter-Chassis Module Placement" section), then you should configure an 802.1Q VLAN trunk between the two switches to carry the failover and state links. The trunk should have QoS enabled so that failover VLAN packets, which carry a CoS value of 5 (higher priority), receive priority treatment on those ports.

To configure the EtherChannel and trunk, see the documentation for your switch.

Ensuring Compatibility with Transparent Firewall Mode

To avoid loops when you use failover in transparent mode, use switch software that supports BPDU forwarding. See the "Switch Hardware and Software Compatibility" section for more information about switch support for transparent firewall mode.

Do not enable LoopGuard globally on the switch if the FWSM is in transparent mode. LoopGuard is automatically applied to the internal EtherChannel between the switch and the FWSM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state.

Enabling Autostate Messaging for Rapid Link Failure Detection

Using Cisco IOS software Release 12.2(18)SXF5 and higher, the supervisor engine can send autostate messages to the FWSM about the status of physical interfaces associated with FWSM VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the FWSM that the VLAN is down. This information lets the FWSM declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the FWSM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).

The switch supervisor sends an autostate message to the FWSM when:

The last interface belonging to a VLAN goes down.

The first interface belonging to a VLAN comes up.


Note The switch supports autostate messaging only if you install a single FWSM in the chassis.


Autostate messaging is disabled by default. To enable autostate messaging in Cisco IOS software, enter the following command:

Router(config)# firewall autostate
 
   

Managing the Firewall Services Module Boot Partitions

This section describes how to reset the FWSM from the switch, and how to manage the boot partitions on the Flash memory card. This section includes the following topics:

Flash Memory Overview

Setting the Default Boot Partition

Resetting the FWSM or Booting from a Specific Partition

Flash Memory Overview

The FWSM has a 128-MB Flash memory card that stores the operating system, configurations, and other data. The Flash memory includes six partitions, called cf:n in Cisco IOS software commands:

Maintenance partition (cf:1)—Contains the maintenance software. Use the maintenance software to upgrade or install application images if you cannot boot into the application partition, to reset the application image password, or to display the crash dump information.

Network configuration partition (cf:2)—Contains the network configuration of the maintenance software. The maintenance software requires IP settings so that the FWSM can reach the TFTP server to download application software images.

Crash dump partition (cf:3)—Stores the crash dump information.

Application partitions (cf:4 and cf:5)—Store the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5 but keep the old software on cf:4 as a backup in case you have problems. Each partition includes its own startup configuration.

Security context partition (cf:6)—64 MB are dedicated to this partition, which stores security context configurations (if desired) and RSA keys in a navigable file system. Other partitions do not have file systems that allow you to perform common tasks such as listing files. This partition is called disk when using the copy command.

Setting the Default Boot Partition

By default, the FWSM boots from the cf:4 application partition. However, you can choose to boot from the cf:5 application partition or into the cf:1 maintenance partition. Each application partition has its own startup configuration.

To change the default boot partition, enter the following command:

Router(config)# boot device module mod_num cf:n
 
   

Where n is 1 (maintenance), 4 (application), or 5 (application).

To view the current boot partition, enter the following command:

Router# show boot device [mod_num]
 
   

For example:

Router# show boot device
[mod:1 ]:
[mod:2 ]:
[mod:3 ]:
[mod:4 ]: cf:4
[mod:5 ]: cf:4
[mod:6 ]:
[mod:7 ]: cf:4
[mod:8 ]:
[mod:9 ]:
 
   

Resetting the FWSM or Booting from a Specific Partition

This section describes how to reset the FWSM or boot from a specific partition. You might need to reset the FWSM if you cannot reach it through the CLI or an external Telnet session. You might need to boot from a non-default boot partition if you need to access the maintenance partition or if you want to boot from a different software image in the backup application partition. The maintenance partition is valuable for troubleshooting.

The reset process might take several minutes.

When you reset the FWSM, you can also choose to run a full memory test. When the FWSM initially boots, it only runs a partial memory test. A full memory test takes approximately six minutes.


Note To reload the FWSM when you are logged into the FWSM, enter reload or reboot. You cannot boot from a non-default boot partition with these commands.


To reset the FWSM, enter the following command:

Router# hw-module module mod_num reset [cf:n] [mem-test-full]
 
   

The cf:n argument is the partition, either 1 (maintenance), 4 (application), or 5 (application). If you do not specify the partition, the default partition is used (typically cf:4).

The mem-test-full option runs a full memory test, which takes approximately 6 minutes.

The following example shows how to reset the FWSM installed in slot 9. The default boot partition is used.

Router# hw-module module 9 reset
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...