Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.1
Specifications

Table Of Contents

Specifications

Switch Hardware and Software Compatibility

Catalyst 6500 Series Requirements

Cisco 7600 Series Requirements

Licensed Features

Physical Attributes

Feature Limits

Managed System Resources

Fixed System Resources

Rule Limits

Default Rule Allocation

Rules in Multiple Context Mode

Reallocating Rules Between Features


Specifications


This appendix lists the specifications of the FWSM and includes the following sections:

Switch Hardware and Software Compatibility

Licensed Features

Physical Attributes

Feature Limits

Managed System Resources

Fixed System Resources

Rule Limits

Switch Hardware and Software Compatibility

You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).

The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.


Note The Catalyst operating system software is not supported.

The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.


The FWSM runs its own operating system.

This section includes the following topics:

Catalyst 6500 Series Requirements

Cisco 7600 Series Requirements

Catalyst 6500 Series Requirements

Table 1 shows the supervisor engine version and software.

Table 1 Support for FWSM on the Catalyst 6500

                                                     FWSM Features
Cisco IOS Software Release   Supervisor Engines(1)   PISA Integration   Route Health Injection   Virtual Switching System
12.2(18)SXF and higher       720, 32                 No                 No                       No
12.2(18)SXF2 and higher      2, 720, 32              No                 No                       No
12.2(33)SXI                  720-10GE                No                 Yes                      Yes
12.2(33)SXI                  720, 32                 No                 Yes                      No
12.2(33)SXI2                 720-10GE                No                 Yes                      Yes
12.2(33)SXI2                 720, 32                 No                 Yes                      No
12.2(18)ZYA                  32-PISA                 Yes                No                       No

Cisco IOS Software Modularity Release
12.2(18)SXF4                 720, 32                 No                 No                       No

(1) The FWSM does not support the supervisor 1 or 1A.


Cisco 7600 Series Requirements

Table 2 shows the supervisor engine version and software.

Table 2 Support for FWSM on the Cisco 7600

                                                     FWSM Features
Cisco IOS Software Release   Supervisor Engines(1)   PISA Integration   Route Health Injection   Virtual Switching System
12.2(33)SRA                  720, 32                 No                 No                       No
12.2(33)SRB                  720, 32                 No                 No                       No
12.2(33)SRC                  720, 32, 720-1GE        No                 No                       No
12.2(33)SRD                  720, 32, 720-1GE        No                 No                       No
12.2(33)SRE                  720, 32, 720-1GE        No                 No                       No
12.2(33)SRE2                 720-3C-1GE              No                 No                       No

(1) The FWSM does not support the supervisor 1 or 1A.


Licensed Features

The FWSM supports the following licensed features:

Multiple security contexts. The FWSM supports two contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses: 20, 50, 100, or 250 security contexts.

GTP/GPRS support.

BGP stub support.

Physical Attributes

Table A-3 lists the physical attributes of the FWSM.

Table A-3 Physical Attributes

Specification        Description
Bandwidth            CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.
Memory               1-GB RAM.
                     128-MB Flash memory.
Modules per switch   Maximum four modules per switch.
                     If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.


Feature Limits

Table A-4 lists the feature limits for the FWSM.

Table A-4 Feature Limits

Each entry gives the limit in single context mode and in multiple context mode.

AAA servers (RADIUS and TACACS+)
  Single: 16
  Multiple: 4 per context

Failover interface monitoring
  Single: 250
  Multiple: 250 divided between all contexts

Filtering servers (Websense Enterprise and Sentian by N2H2)
  Single: 16
  Multiple: 4 per context

Fragmented packets
  Single and Multiple:
  If the FWSM receives a fragment set that is originally 8782 bytes or smaller, it reassembles the set and transmits it back on the wire, but the fragment size may differ from what was received.
  If the FWSM receives a fragment set that is originally 8783 bytes or larger, then:
  - If the frame is the first packet in a connection (as in the case of ICMP), the FWSM reassembles the first 8782 bytes and passes those on, but the remaining fragments are dropped.
  - If the frame is not the first packet in a connection, the FWSM reassembles the first 8782 bytes and passes those on, and the remaining fragments are also passed on, but without the reassembly check.

Jumbo Ethernet packets
  Single: 8500 bytes
  Multiple: 8500 bytes

Security contexts
  Single: N/A
  Multiple: 250 security contexts (depending on your software license).

Syslog servers
  Single and Multiple: 4 per context

VLAN interfaces
  Routed Mode
    Single: 256
    Multiple: 100 per context. The FWSM has an overall limit of 1000 VLAN interfaces divided between all contexts. You can share outside interfaces between contexts, and in some circumstances, you can share inside interfaces.
  Transparent Mode
    Single: 8 pairs
    Multiple: 8 pairs per context


Managed System Resources

Table A-5 lists the managed system resources of the FWSM. You can manage these resources per context using the resource manager. See the "Configuring Resource Management" section.

Table A-5 Managed System Resources

Each entry gives the limit in single context mode and in multiple context mode.

MAC addresses (transparent firewall mode only)
  Single: 65,536
  Multiple: 65,536 divided between all contexts

Hosts allowed to connect through the FWSM, concurrent
  Single: 262,144
  Multiple: 262,144 divided between all contexts

Inspection engine connections, rate
  Single: 10,000 per second
  Multiple: 10,000 per second divided between all contexts

IPSec management connections, concurrent
  Single: 5
  Multiple: 5 per context; maximum of 10 divided between all contexts

ASDM management sessions, concurrent (1)
  Single: 5
  Multiple: up to 5 per context; maximum of 80 divided between all contexts

NAT translations (xlates), concurrent
  Single: 262,144
  Multiple: 262,144 divided between all contexts

SSH management connections, concurrent (2)
  Single: 5
  Multiple: 5 per context; maximum of 100 divided between all contexts

System log messages, rate
  Single: 30,000 per second for messages sent to the FWSM terminal or buffer; 25,000 per second for messages sent to a syslog server
  Multiple: 30,000 per second divided between all contexts for messages sent to the FWSM terminal or buffer; 25,000 per second divided between all contexts for messages sent to a syslog server

TCP or UDP connections (3)(4) between any two hosts, including connections between one host and multiple other hosts, concurrent and rate
  Single: 999,900 (5); 170,000 per second
  Multiple: 999,900 divided between all contexts (5); 170,000 per second divided between all contexts

Telnet management connections, concurrent (2)
  Single: 5
  Multiple: 5 per context; maximum of 100 connections divided between all contexts

(1) ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS connections.

(2) The admin context can use up to 15 Telnet and SSH connections.

(3) Embryonic connections are included in the total number of connections. If you configure an embryonic connection limit, then embryonic connections above the limit are not counted.

(4) The FWSM might take up to 500 ms to remove a connection that is marked for deletion. Because any traffic on the connection is dropped during this period, you cannot initiate a new connection to the same destination using the same source and destination ports until the connection is deleted. Although most TCP applications do not reuse the same ports in back-to-back connections, RSH might reuse the same ports. If you use RSH or any other application that reuses the same ports in back-to-back connections, the FWSM might drop packets.

(5) Because PAT requires a separate translation for each connection, the effective limit of connections using PAT is the translation limit (256 K), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session.


Fixed System Resources

Table A-6 lists the fixed system resources of the FWSM.

Table A-6 Fixed System Resources

Each entry gives the limit in single context mode and in multiple context mode.

AAA connections, rate
  Single: 80 per second
  Multiple: 80 per second divided between all contexts

Downloaded ACEs for network access authorization
  Single: 3,500
  Multiple: 3,500 divided between all contexts

ACL logging flows, concurrent
  Single: 32,768
  Multiple: 32,768 divided between all contexts

Alias statements
  Single: 512
  Multiple: 512 divided between all contexts

ARP table entries, concurrent
  Single: 65,536
  Multiple: 65,536 divided between all contexts

DNS inspections, rate
  Single: 5000 per second
  Multiple: 5000 per second divided between all contexts

Global statements
  Single: 4204
  Multiple: 4204 divided between all contexts

Inspection statements
  Single: 32
  Multiple: 32 per context

NAT statements
  Single: 2048
  Multiple: 2048 divided between all contexts

Packet reassembly, concurrent
  Single: 30,000
  Multiple: 30,000 fragments divided between all contexts

Route table entries, concurrent
  Single: 32,768
  Multiple: 32,768 divided between all contexts

Shun statements
  Single: 5120
  Multiple: 5120 divided between all contexts

Static NAT statements
  Single: 2048
  Multiple: 2048 divided between all contexts

TFTP sessions, concurrent (1)
  Single: 999,100
  Multiple: 999,100 divided between all contexts

URL filtering requests
  Single: 200 per second causes 50% CPU usage
  Multiple: 200 per second causes 50% CPU usage divided between all contexts

User authentication sessions, concurrent
  Single: 51,200
  Multiple: 51,200 divided between all contexts

User authorization sessions, concurrent
  Single: 153,600; maximum 15 sessions per user.
  Multiple: 153,600 divided between all contexts; maximum 15 sessions per user.

(1) In FWSM Version 1.1, the number of TFTP sessions was limited to 1024 sessions.


Rule Limits

The FWSM supports a fixed number of rules for the entire system. This section includes the following topics:

Default Rule Allocation

Rules in Multiple Context Mode

Reallocating Rules Between Features

Default Rule Allocation

Table A-7 lists the default number of rules for each feature type.


Note Some access lists use more memory than others. Depending on the type of access list, the actual limit the system can support will be less than the maximum. See the "Maximum Number of ACEs" section for more information about ACEs and memory usage.


Table A-7 Default Rule Allocation

                                    Context Mode
Specification                         Single   Multiple (Maximum per Partition) with 12(1) pools
AAA Rules                               8744      1345
ACEs                                 100,567    14,801
established commands(2)                  624        96
Filter Rules                            3747       576
ICMP, Telnet, SSH, and HTTP Rules       2498       384
Policy NAT ACEs(3)                      2498       384
Inspect Rules                           5621      1537
Total Rules                          124,923    19,219

(1) Use the show resource rule command to view the default values for partitions other than 12.

(2) Each established command creates a control and data rule, so this value is doubled in the Total Rules value.

(3) This limit is lower than in release 2.3.


Rules in Multiple Context Mode

In multiple context mode with the default of 12 memory partitions, each context supports the maximum number of rules listed in Table A-7; the actual number of rules supported in a context might be more or less, depending on how many contexts you have and how many partitions you configure. See the "About Memory Partitions" section for information about memory distribution among contexts.

If you reduce the number of partitions, the maximum number of rules is recalculated and might not match the total system number available for 12 partitions. To view the maximum number of rules for partitions, enter the following command in the system execution space:

hostname(config)# show resource rule

For example, the following is sample output from the show resource rule command, and shows the maximum rules as 19219 per partition with 12 partitions (this is an example only, and might differ from the actual number of rules for your system):

hostname(config)# show resource rule

             Default  Configured  Absolute
 CLS Rule     Limit      Limit      Max
-----------+---------+----------+---------
 Policy NAT     384        384        833
 ACL          14801      14801      14801
 Filter         576        576       1152
 Fixup         1537       1537       3074
 Est Ctl         96         96         96
 Est Data        96         96         96
 AAA           1345       1345       2690
 Console        384        384        768
-----------+---------+----------+---------
 Total        19219      19219

Partition Limit - Configured Limit = Available to allocate
      19219     -      19219       =           0

Reallocating Rules Between Features

You can reallocate rules from one feature to another feature.


Note In multiple context mode, you can also set the rule allocation per partition, which overrides the global setting in this section. See the "Reallocating Rules Between Features for a Specific Memory Partition" section.


Guidelines


Caution Failure to follow these guidelines might result in dropped access list configuration as well as other anomalies, including ACL tree corruption.

The target partition and rule allocation settings must be carefully calculated, planned, and preferably tested in a non-production environment prior to making the change to ensure that all existing contexts and rules can be accommodated.

When failover is used, both FWSMs need to be reloaded at the same time after making partition changes. Reloading both FWSMs causes an outage with no possibility for a zero-downtime reload. At no time should two FWSMs with a mismatched number of partitions or rule limits synchronize over failover.

Detailed Steps

To reallocate rules, perform the following steps:


Step 1 To view the total number of rules available, the default values, current rule allocation, and the absolute maximum number of rules you can allocate per feature, enter the following command:

hostname(config)# show resource rule

For multiple context mode, enter this command in the system execution space. It shows the number of rules per partition. See the "About Memory Partitions" section for more information about partitions.

For example, the following is sample output from the show resource rule command, and shows the maximum rules as 124923 in single mode (this is an example only, and might differ from the actual number of rules for your system):

hostname(config)# show resource rule

             Default  Configured  Absolute
 CLS Rule     Limit      Limit      Max
-----------+---------+----------+---------
 Policy NAT    2498       2498      10000
 ACL         100567     100567     100567
 Filter        3747       3747       7494
 Fixup         5621       5621      10000
 Est Ctl        624        624        624
 Est Data       624        624        624
 AAA           8744       8744      10000
 Console       2498       2498       4996
-----------+---------+----------+---------
 Total       124923     124923

Partition Limit - Configured Limit = Available to allocate
     124923     -     124923       =           0

Step 2 To view the number of rules currently being used so you can plan your reallocation, enter one of the following commands.

In single mode or within a context, enter the following command:

hostname(config)# show np 3 acl count 0

In multiple context mode system execution space, enter the following command:

hostname(config)# show np 3 acl count partition_number

For example, the following is sample output from the show np 3 acl count command, and shows the number of inspections (Fixup Rule) close to the maximum of 9216. You might choose to reallocate some access list rules (ACL Rule) to inspections.

hostname(config)# show np 3 acl count 0

-------------- CLS Rule Current Counts --------------
CLS Filter Rule Count       :             0
CLS Fixup Rule Count        :          9001
CLS Est Ctl Rule Count      :             4
CLS AAA Rule Count          :            15
CLS Est Data Rule Count     :             4
CLS Console Rule Count      :            16
CLS Policy NAT Rule Count   :             0
CLS ACL Rule Count          :         30500
CLS ACL Uncommitted Add     :             0
CLS ACL Uncommitted Del     :             0
...

Note The established command creates two types of rules, control and data. Both of these types are shown in the display, but you allocate both rules by setting the number of established commands; you do not set each rule separately.


Step 3 To reallocate rules between features, enter the following command (in multiple context mode, enter it in the system execution space). If you increase the value for one feature, then you must decrease the value by the same amount for one or more features so the total number of rules does not exceed the system limit. See Step 1 to use the show resource rule command for the total number of rules allowed.

hostname(config)# resource rule nat {max_policy_nat_rules | current | default | max} acl {max_ace_rules | current | default | max} filter {max_filter_rules | current | default | max} fixup {max_inspect_rules | current | default | max} est {max_established_rules | current | default | max} aaa {max_aaa_rules | current | default | max} console {max_console_rules | current | default | max}

In multiple context mode, this command sets the rule allocation per partition. You must enter all arguments in this command. This command takes effect immediately.

The nat max_policy_nat_rules argument sets the maximum number of policy NAT ACEs, between 0 and 10,000.

The acl max_ace_rules argument sets the maximum number of ACEs, between 0 and the system limit. The system limit depends on single or multiple context mode, and on how many memory partitions you configured. For single mode, the value is 100,567. For multiple mode, see Step 1 to use the show resource rule command.

The filter max_filter_rules argument sets the maximum number of filter rules, between 0 and 6000.

The fixup max_inspect_rules argument sets the maximum number of inspect rules, between 0 and 10,000.

The est max_established_rules argument sets the maximum number of established commands, between 0 and 716. The established command creates two types of rules, control and data. Both of these types are shown in the show np 3 acl count and show resource rule displays, but you set both rules using the est keyword, which correlates with the number of established commands. Be sure to double the value you enter here when comparing the total number of configured rules with the total number of rules shown in the show commands.

The aaa max_aaa_rules argument sets the maximum number of AAA rules, between 0 and 10,000.

The console max_console_rules argument sets the maximum number of ICMP, Telnet, SSH, and HTTP rules, between 0 and 4000.

The current keyword keeps the current value set.

The default keyword sets the maximum rules to the default.

The max keyword sets the rules to the maximum allowed for the feature. Be sure to set other features lower to accommodate this value.


For example, to reallocate 1000 rules from the single-mode default 74,188 ACEs to inspections (default 4147), enter the following command:

hostname(config)# resource rule nat default acl 73188 filter default fixup 5157 est default aaa default console default

In multiple context mode with 12 partitions, to reallocate 100 ACEs (default 10,633) to inspections (default 1417) as well as all but one established rule (default 70) to filter (default 425), enter the following command:

hostname(config)# resource rule nat default acl 10533 filter 494 fixup 1517 est 1 aaa default console default
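As an added example (not part of the Cisco guide), the following Python checks a planned resource rule command against the show resource rule output from Step 1 before you enter it: each feature must stay within its Absolute Max, est is counted twice (Est Ctl plus Est Data), and the configured total must not exceed the partition limit. The sample output is constructed from the single-mode display above; reading the partition limit from the Default column of the Total row is an assumption based on the two displays on this page.

```python
import re

# Constructed sample in the single-mode `show resource rule` format shown in Step 1.
SAMPLE_OUTPUT = """\
             Default  Configured  Absolute
 CLS Rule     Limit      Limit      Max
-----------+---------+----------+---------
 Policy NAT    2498       2498      10000
 ACL         100567     100567     100567
 Filter        3747       3747       7494
 Fixup         5621       5621      10000
 Est Ctl        624        624        624
 Est Data       624        624        624
 AAA           8744       8744      10000
 Console       2498       2498       4996
-----------+---------+----------+---------
 Total       124923     124923
"""

# `resource rule` keyword -> row label in the output; est covers Est Ctl and Est Data.
KEYWORD_TO_ROW = {"nat": "Policy NAT", "acl": "ACL", "filter": "Filter", "fixup": "Fixup",
                  "est": "Est Ctl", "aaa": "AAA", "console": "Console"}
ROW_RE = re.compile(r"^\s*(Policy NAT|ACL|Filter|Fixup|Est Ctl|Est Data|AAA|Console)"
                    r"\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_resource_rule(text):
    """Return ({row: (default, configured, absolute_max)}, partition_limit)."""
    rows, limit = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif line.lstrip().startswith("Total"):
            limit = int(line.split()[1])  # assumption: Total/Default column = partition limit
    if limit is None or len(rows) != 8:
        raise ValueError("unrecognised show resource rule output")
    return rows, limit


def resolve(keyword, value, rows):
    """Turn a `resource rule` argument (number | current | default | max) into (count, absolute_max)."""
    default, current, absolute = rows[KEYWORD_TO_ROW[keyword]]
    named = {"current": current, "default": default, "max": absolute}
    return (named[value] if value in named else int(value)), absolute


def check_reallocation(text, **plan):
    """Validate a planned `resource rule` command; returns (ok, total, problems)."""
    rows, limit = parse_show_resource_rule(text)
    problems, total = [], 0
    for keyword in KEYWORD_TO_ROW:          # every argument is mandatory on the CLI
        if keyword not in plan:
            problems.append(f"missing argument: {keyword}")
            continue
        n, cap = resolve(keyword, plan[keyword], rows)
        if not 0 <= n <= cap:
            problems.append(f"{keyword}={n} outside 0..{cap}")
        total += 2 * n if keyword == "est" else n   # est = one control + one data rule
    if total > limit:
        problems.append(f"total {total} exceeds partition limit {limit}")
    return not problems, total, problems
```

Moving 1000 ACEs to inspections (acl 99567, fixup 6621) passes because the total stays at 124923; raising fixup alone, or setting est above its Absolute Max of 624, is reported as a problem.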