Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.1
Configuring Interface Parameters

Table Of Contents

Configuring Interface Parameters

Security Level Overview

Configuring Interfaces for Routed Firewall Mode

Guidelines and Limitations

Configuring an Interface

Configuring Interfaces for Transparent Firewall Mode

Information About Interfaces in Transparent Mode

Information About Bridge Groups

Information About Device Management

Guidelines and Limitations

Configuring Transparent Firewall Interfaces for Through Traffic

Assigning an IP Address to a Bridge Group

Adding a Management Interface

Allowing Communication Between Interfaces on the Same Security Level

Configuring Inter-Interface Communication

Configuring Intra-Interface Communication

Turning Off and Turning On Interfaces


Configuring Interface Parameters


This chapter describes how to configure each interface for a name, security level, and IP address. For transparent firewall, you also need to configure a bridge group for each interface pair.

This chapter includes the following sections:

Security Level Overview

Configuring Interfaces for Routed Firewall Mode

Configuring Interfaces for Transparent Firewall Mode

Allowing Communication Between Interfaces on the Same Security Level

Turning Off and Turning On Interfaces

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, assign your most secure network, such as the inside host network, to level 100, and assign the outside network connected to the Internet to level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the "Allowing Communication Between Interfaces on the Same Security Level" section for more information.

The level controls the following behavior:

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the FWSM.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections. For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or between same security interfaces, you can use NAT between any interfaces or not use NAT at all. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

If you enable communication between same security interfaces (see the "Allowing Communication Between Interfaces on the Same Security Level" section), you can configure established commands for both directions.
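The level-dependent rules above can be captured as a small policy model. The following Python is an added example written for this edit, not code from the Cisco guide or from the FWSM; the Interface class, the direction() and policy_summary() functions, and the sample interface names and levels are this example's own. The same_security_permitted flag stands for the same-security-traffic permit inter-interface command described in the "Allowing Communication Between Interfaces on the Same Security Level" section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """A named FWSM interface and its security level (0 lowest, 100 highest)."""
    name: str
    security_level: int

    def __post_init__(self) -> None:
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be between 0 and 100")


def direction(ingress: Interface, egress: Interface) -> str:
    """Classify a connection by the level of the interface it enters and the
    interface it leaves: higher to lower is outbound, lower to higher is inbound."""
    if ingress.security_level > egress.security_level:
        return "outbound"
    if ingress.security_level < egress.security_level:
        return "inbound"
    return "same-security"


def policy_summary(ingress: Interface, egress: Interface, *,
                   nat_control: bool = True,
                   same_security_permitted: bool = False) -> dict:
    """Which level-dependent behaviours apply to a connection from ingress to egress.

    nat_control: whether NAT control is enabled on the FWSM.
    same_security_permitted: whether same-security-traffic permit inter-interface
    is configured; without it, same-security interfaces cannot exchange traffic.
    """
    d = direction(ingress, egress)
    # NetBIOS inspection, HTTP(S)/FTP filtering and the established command are
    # applied to outbound connections; between same-security interfaces they
    # apply in either direction, once such traffic is permitted at all.
    outbound_like = d == "outbound" or (d == "same-security" and same_security_permitted)
    return {
        "direction": d,
        "same_security_blocked": d == "same-security" and not same_security_permitted,
        "netbios_inspection": outbound_like,
        "http_ftp_filtering": outbound_like,
        "established_applies": outbound_like,
        # NAT control forces a translation only for higher-to-lower traffic;
        # otherwise, and between same-security interfaces, NAT is optional.
        "nat_required": nat_control and d == "outbound",
    }


if __name__ == "__main__":
    # Sample interfaces for this example; the names and levels are made up.
    inside, dmz1 = Interface("inside", 100), Interface("dmz1", 50)
    dmz2, outside = Interface("dmz2", 50), Interface("outside", 0)
    for src, dst in ((inside, outside), (outside, inside), (dmz1, dmz2)):
        print(f"{src.name} -> {dst.name}: {policy_summary(src, dst)}")
```

Run the block directly to see the three classifications; the dictionary keys are the only interface a script would need when checking a proposed access list or NAT change against the direction rules.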

Configuring Interfaces for Routed Firewall Mode

This section includes the following topics:

Guidelines and Limitations

Configuring an Interface

Guidelines and Limitations

See the following guidelines for configuring an interface:

Multiple Context Mode Guidelines

You can only configure context interfaces that you already assigned to the context in the system configuration using the allocate-interface command.

All allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it. See the "Turning Off and Turning On Interfaces" section.

Configure the context interfaces from within each context.

Configure failover interfaces in the system configuration; do not configure failover interfaces with this procedure. See Chapter 14, "Configuring Failover," for more information.

VLAN ID Guidelines

You can add any VLAN ID to the configuration, but only VLANs that are assigned to the FWSM by the switch can pass traffic. To view all VLANs assigned to the FWSM, use the show vlan command.

If you add an interface for a VLAN that is not yet assigned to the FWSM by the switch, the interface will be in the down state. When you assign the VLAN to the FWSM, the interface changes to an up state. See the show interface command for more information about interface states.

Failover Guidelines

If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, "Configuring Failover," to configure the failover and state links.

Configuring an Interface

Before you can allow traffic through the FWSM, you need to configure an interface name and an IP address. You should also change the security level from the default, which is 0. If you name an interface "inside" and you do not set the security level explicitly, then the FWSM sets the security level to 100.

To configure an interface, perform the following steps:


Step 1 To specify the interface you want to configure, enter the following command:

hostname(config)# interface {vlan number | mapped_name}

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

For example, enter the following command:

hostname(config)# interface vlan 101

Step 2 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.


Note After you set the name for an interface, the security-level is automatically changed to 0. However, if the name is "inside," then the security level becomes 100.


Step 3 To set the security level, enter the following command:

hostname(config-if)# security-level number

Where number is an integer between 0 (lowest) and 100 (highest).

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Step 4 To set the IP address, enter the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

The standby keyword and address is used for failover. See Chapter 14, "Configuring Failover," for more information.


Note To set an IPv6 address, see the "Configuring IPv6 on an Interface" section on page 10-2.



The following example configures parameters for VLAN 101:

hostname(config)# interface vlan 101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0

The following example configures parameters in multiple context mode for the context configuration. The interface ID is a mapped name.

hostname/contextA(config)# interface int1
hostname/contextA(config-if)# nameif outside
hostname/contextA(config-if)# security-level 0
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0

Configuring Interfaces for Transparent Firewall Mode

This section includes the following topics:

Information About Interfaces in Transparent Mode

Configuring Transparent Firewall Interfaces for Through Traffic

Assigning an IP Address to a Bridge Group

Adding a Management Interface

Information About Interfaces in Transparent Mode

This section includes the following topics:

Information About Bridge Groups

Information About Device Management

Guidelines and Limitations

Information About Bridge Groups

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.


Note The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.


Information About Device Management

For device management, you have two available mechanisms:

Any bridge group management address—Connect to the bridge group network on which your management station is located.

Separate management interface—The management interface is not part of any bridge group. This interface is especially useful in multiple context mode where you can share a single management interface across multiple contexts.

See the following guidelines for the management interface:

You can have only a single management interface in single mode or per context. Note that some contexts can use one interface while others can use a different interface, so long as each context only uses one management interface each.

The management interface IP address can be on a separate network from any bridge group networks, or can be on the same network as a bridge group network.

If you share the interface across multiple contexts, then the interface IP address must be on the same network in each context.

You can only share the management VLAN across multiple transparent contexts; you cannot also share this VLAN with a routed context.

Guidelines and Limitations

See the following guidelines for configuring an interface:

Multiple Context Mode Guidelines

You can only configure context interfaces that you already assigned to the context in the system configuration using the allocate-interface command.

All allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Configure the context interfaces from within each context.

Configure failover interfaces in the system configuration; do not configure failover interfaces with this procedure. See Chapter 14, "Configuring Failover," for more information.

VLAN ID Guidelines

You can add any VLAN ID to the configuration, but only VLANs that are assigned to the FWSM by the switch can pass traffic. To view all VLANs assigned to the FWSM, use the show vlan command.

If you add an interface for a VLAN that is not yet assigned to the FWSM by the switch, the interface will be in the down state. When you assign the VLAN to the FWSM, the interface changes to an up state. See the show interface command for more information about interface states.

Failover Guidelines

If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, "Configuring Failover," to configure the failover and state links.

Configuring Transparent Firewall Interfaces for Through Traffic

To assign an interface to a bridge group, set the name, and set the security level, perform the following steps:


Step 1 To identify the interface, enter the following command:

hostname(config)# interface {vlan number | mapped_name}

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

Step 2 To assign it to a bridge group, enter the following command:

hostname(config-if)# bridge-group number

Where number is an integer between 1 and 100. You can only assign two interfaces to a bridge group. You cannot assign the same interface to more than one bridge group.

Step 3 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted. If you name an interface "inside" and you do not set the security level explicitly, then the FWSM sets the security level to 100.

Step 4 To set the security level, enter the following command:

hostname(config-if)# security-level number

Where number is an integer between 0 (lowest) and 100 (highest). By default, after you name the interface, the FWSM sets the security level to 0.


Assigning an IP Address to a Bridge Group

A transparent firewall does not participate in IP routing. The only IP configuration required for the FWSM is to set the management IP address for each bridge group. This address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system log messages or communications with AAA servers. You can also use this address for remote management access (for another method to manage the FWSM, see the "Adding a Management Interface" section).

To set the management IP address, perform the following steps:


Step 1 Identify the bridge group by entering the following command:

hostname(config)# interface bvi bridge_group_number

Step 2 Specify the IP address by entering the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

Do not assign a host address (/32 or 255.255.255.255) to the transparent firewall. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall) such as a /30 subnet (255.255.255.252). The FWSM drops all ARP packets to or from the first and last addresses in a subnet. Therefore, if you use a /30 subnet and assign a reserved address from that subnet to the upstream router, then the FWSM drops the ARP request from the downstream router to the upstream router.

The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

The standby keyword and address is used for failover. See Chapter 14, "Configuring Failover," for more information.


The following example assigns VLANs 300 and 301 to bridge group 1, then sets the management address and standby address of bridge group 1:

hostname(config)# interface vlan 300
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1

hostname(config-if)# interface vlan 301
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1

hostname(config-if)# interface bvi 1
hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
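The subnet rule in Step 2 is easy to get wrong when addresses are handed out from an address-management tool. The following Python is an added example, not code from the Cisco guide or from the FWSM; check_bridge_group_address() is this example's own name, and it applies the rules stated above: at least three usable host addresses, the first and last addresses of the subnet unusable because the FWSM drops ARP to or from them, and a standby address that is on the same subnet and differs from the active address.

```python
import ipaddress
from typing import List, Optional


def check_bridge_group_address(address: str, mask: str,
                               standby: Optional[str] = None) -> List[str]:
    """Return the reasons a bridge-group management address would not work,
    or an empty list if it satisfies the rules in this section."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    ip = ipaddress.IPv4Address(address)
    problems = []
    # The FWSM drops ARP to or from the first and last addresses of the subnet,
    # so they are unusable; a /31 or /32 therefore leaves no usable address.
    reserved = {net.network_address, net.broadcast_address}
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else 0
    if usable < 3:
        problems.append(f"{net.with_prefixlen}: {usable} usable address(es); need at least 3 "
                        "(upstream router, downstream router, FWSM)")
    if ip in reserved:
        problems.append(f"{address} is the first or last address of {net.with_prefixlen}")
    if standby is not None:
        sb = ipaddress.IPv4Address(standby)
        if sb not in net:
            problems.append(f"standby {standby} is not on {net.with_prefixlen}")
        elif sb in reserved:
            problems.append(f"standby {standby} is the first or last address of {net.with_prefixlen}")
        elif sb == ip:
            problems.append("standby address must differ from the active address")
    return problems


if __name__ == "__main__":
    # The addresses from the example above pass; a /30 and a host address do not.
    for args in (("10.1.3.1", "255.255.255.0", "10.1.3.2"),
                 ("192.168.1.1", "255.255.255.252", None),
                 ("10.1.3.1", "255.255.255.255", None)):
        print(args, "->", check_bridge_group_address(*args) or "ok")
```

A /30 fails even though two hosts fit in it, because the two usable addresses leave no room for the FWSM once the upstream and downstream routers take one each.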

Adding a Management Interface

In addition to each bridge group management IP address, you can add a separate management interface that is not part of any bridge group, and that allows only management traffic to the FWSM. For more information, see the "Information About Device Management" section.

To configure a management interface, perform the following steps:


Step 1 To specify the interface you want to configure, enter the following command:

hostname(config)# interface {vlan number | mapped_name}

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

For example, enter the following command:

hostname(config)# interface vlan 101

Step 2 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Step 3 To set the security level, enter the following command:

hostname(config-if)# security-level 100

This interface must be set to level 100.

Step 4 To set the IP address, enter the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

The standby keyword and address is used for failover. See Chapter 14, "Configuring Failover," for more information.

Step 5 To set this interface to be management-only, enter the following command:

hostname(config-if)# management-only

This command is required; an interface without the management-only command will be ignored.


The following example configures interfaces for one bridge group each for three contexts, plus a shared management VLAN (see Figure 6-1).

Figure 6-1 Shared Management VLAN

Context A

hostname(config)# interface vlan500
hostname(config-if)# nameif mgmt
hostname(config-if)# security-level 100
hostname(config-if)# management-only
hostname(config-if)# ip address 10.0.0.1 255.0.0.0

hostname(config-if)# interface vlan101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 10

hostname(config-if)# interface vlan102
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 10

hostname(config-if)# interface bvi 10
hostname(config-if)# ip address 209.165.200.226 255.255.255.224

Context B

hostname(config)# interface vlan500
hostname(config-if)# nameif mgmt
hostname(config-if)# security-level 100
hostname(config-if)# management-only
hostname(config-if)# ip address 10.0.0.2 255.0.0.0
 
hostname(config-if)# interface vlan103
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 20

hostname(config-if)# interface vlan104
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 20

hostname(config-if)# interface bvi 20
hostname(config-if)# ip address 209.165.201.2 255.255.255.224

Context C

hostname(config)# interface vlan500
hostname(config-if)# nameif mgmt
hostname(config-if)# security-level 100
hostname(config-if)# management-only
hostname(config-if)# ip address 10.0.0.3 255.0.0.0
 
hostname(config-if)# interface vlan105
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 30

hostname(config-if)# interface vlan106
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 30 

hostname(config-if)# interface bvi 30
hostname(config-if)# ip address 209.165.202.129 255.255.255.224

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other, even if you configure NAT and access lists. Also, by default, traffic cannot enter and exit the same interface. This section describes how to configure inter-interface and intra-interface communication, and includes the following topics:

Configuring Inter-Interface Communication

Configuring Intra-Interface Communication

Configuring Inter-Interface Communication

Allowing communication between same security interfaces lets you configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).


Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the "NAT and Same Security Level Interfaces" section on page 16-14 for more information on NAT and same security level interfaces.


If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

To enable interfaces on the same security level to communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

To disable this setting, use the no form of this command.


Note If you use a same-security interface for both the outside and inside interfaces, you might want to enable the xlate-bypass command; in some situations, you can exceed the maximum number of xlates using that configuration (see the "Managed System Resources" section on page A-4 for limits). For example, without xlate-bypass, the FWSM creates xlates for all connections (even if you do not configure NAT). In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it. If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.
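The procedures in "Configuring an Interface", "Configuring Transparent Firewall Interfaces for Through Traffic", "Adding a Management Interface" and this section each state a condition under which an interface silently does not do what was intended: a default security level of 0, a routed interface with no IP address, a transparent interface in neither a bridge group nor management-only, a management interface not at level 100, and two interfaces at the same level without same-security-traffic permit inter-interface. The following Python is an added example, not code from the Cisco guide or from the FWSM; it parses interface blocks written in the indented form of a saved configuration (sub-commands indented under the interface line) and reports those conditions. The parse_interfaces(), effective_level() and audit() functions are this example's own, and SAMPLE_CONFIG is constructed for it, not captured from a device.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax this chapter uses; not captured from a device.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
interface vlan 101
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface vlan 102
 nameif dmz1
 security-level 50
 ip address 10.1.2.1 255.255.255.0
interface vlan 103
 nameif dmz2
 security-level 50
 ip address 10.1.3.1 255.255.255.0
interface vlan 104
 nameif outside
 ip address 209.165.200.226 255.255.255.224
interface vlan 105
 nameif partner
 security-level 40
"""

INTERFACE_RE = re.compile(r"interface\s+(.+)$", re.I)
SAME_SEC_RE = re.compile(r"same-security-traffic\s+permit\s+((?:inter|intra)-interface)$", re.I)


def parse_interfaces(config):
    """Return ({interface_id: attributes}, {same-security-traffic settings}).

    Sub-commands are expected indented under their interface line, as in a
    saved configuration; any non-indented line ends the current block."""
    interfaces, flags, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            current = None
            m, s = INTERFACE_RE.match(line), SAME_SEC_RE.match(line)
            if m:
                current = {"nameif": None, "security-level": None, "ip": None,
                           "bridge-group": None, "management-only": False}
                interfaces[m.group(1).lower().replace(" ", "")] = current
            elif s:
                flags.add(s.group(1).lower())
            continue
        if current is None:
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "nameif":
            current["nameif"] = rest
        elif key == "security-level":
            current["security-level"] = int(rest)
        elif key == "ip" and rest.lower().startswith("address "):
            current["ip"] = rest.split()[1]
        elif key == "bridge-group":
            current["bridge-group"] = int(rest)
        elif key == "management-only":
            current["management-only"] = True
    return interfaces, flags


def effective_level(intf):
    """nameif resets the level to 0, or to 100 when the name is "inside"
    (names are not case-sensitive); an explicit security-level overrides that."""
    if intf["security-level"] is not None:
        return intf["security-level"]
    return 100 if (intf["nameif"] or "").lower() == "inside" else 0


def audit(config, transparent=False):
    """Report interface settings that this chapter says will not work as intended."""
    interfaces, flags = parse_interfaces(config)
    named = {i: a for i, a in interfaces.items() if a["nameif"]}
    findings, by_level, groups = [], defaultdict(list), defaultdict(list)
    for ident, intf in named.items():
        level = effective_level(intf)
        if len(intf["nameif"]) > 48:
            findings.append(f"{ident}: nameif '{intf['nameif']}' exceeds 48 characters")
        if intf["security-level"] is None:
            findings.append(f"{ident}: security-level not set; defaults to {level}")
        if transparent:
            if intf["management-only"]:
                if level != 100:
                    findings.append(f"{ident}: management-only interface must be security-level 100")
                if intf["ip"] is None:
                    findings.append(f"{ident}: management interface has no ip address")
                continue  # the management interface takes no part in bridging
            if intf["bridge-group"] is None:
                findings.append(f"{ident}: not in a bridge group and not management-only; ignored")
            else:
                groups[intf["bridge-group"]].append(intf["nameif"])
        elif intf["ip"] is None:
            findings.append(f"{ident}: no ip address; through traffic cannot pass")
        by_level[level].append(intf["nameif"])
    if "inter-interface" not in flags:
        for level, names in sorted(by_level.items()):
            if len(names) > 1:
                findings.append(f"level {level}: {', '.join(sorted(names))} cannot communicate "
                                "without 'same-security-traffic permit inter-interface'")
    for group, names in sorted(groups.items()):
        if len(names) != 2:
            findings.append(f"bridge-group {group}: {len(names)} interface(s); a bridge group is a pair")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed sample the audit reports the outside interface left at the default level, the partner interface with no address, and the two DMZ interfaces at level 50 that cannot talk to each other because only intra-interface traffic is permitted. Pass transparent=True when auditing a transparent-mode context so that bridge-group membership is checked instead of IP addresses.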


Configuring Intra-Interface Communication

You can configure the FWSM to enable communication between two hosts on the same interface. Before you can enable this feature, you must first correctly configure the MSFC so that packets are sent to the FWSM MAC address instead of being sent directly through the switch to the destination host. Figure 6-2 shows a network where hosts on the same interface need to communicate. The following samples show the route-map command used to enable policy routing on the MSFC in the network shown in Figure 6-2:

Router(config)# route-map intra-inter3 permit 0
Router(config-route-map)# match ip address 103
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Router(config)# route-map intra-inter2 permit 20
Router(config-route-map)# match ip address 102
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Router(config)# route-map intra-inter1 permit 10
Router(config-route-map)# match ip address 101
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Figure 6-2 Communication Between Hosts on the Same Interface

When you enable communication between two hosts on the same interface, keep in mind the following requirements:

Outside NAT is not supported.

You can configure static routes from one interface to another on the same security level.

To enable communication between hosts on the same security level, enter the following command:

hostname(config)# same-security-traffic permit intra-interface

To disable these settings, add no before the command.

Turning Off and Turning On Interfaces

All interfaces are enabled by default. If you disable or reenable the interface within a context, only that context interface is affected. But if you disable or reenable the interface in the system execution space, then you affect that VLAN interface for all contexts.

To disable an interface or reenable it, perform the following steps:


Step 1 To enter the interface configuration mode, enter the following command:

hostname(config)# interface {vlan number | mapped_name}

In multiple context mode in a context, enter the mapped name if one was assigned using the allocate-interface command.

Step 2 To disable the interface, enter the following command:

hostname(config-if)# shutdown

Step 3 To reenable the interface, enter the following command:

hostname(config-if)# no shutdown