Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.7
Configuring the Management Interface on the Virtual Firewall


Configuring the Firewall Management Interface


This module describes how to configure the firewall management interface.

Feature History for Configuring Management Interfaces on the VFW Application

Release 3.5.0: This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0: No modification.
Release 3.7.0: No modification.


Contents

Information About Configuring the Firewall Management Interface

How to Configure Firewall Management Interfaces

Configuration Examples for Configuring Firewall Management Interfaces

Additional References

Information About Configuring the Firewall Management Interface

The firewall management interface can be configured under each firewall context to provide a virtualized management interface (see Figure 7). The management interface can be used to connect management devices such as Telnet; Secure Shell (SSH) Protocol clients; and authentication, authorization, and accounting (AAA) servers.

Figure 7 Firewall Management Interface

The firewall management interface must be configured in the Cisco IOS XR software and on the corresponding management interface of the VFW application.

How to Configure Firewall Management Interfaces

This module includes the following sections:

Configuring the Management Interface on Cisco IOS XR

Configuring the Management Interface on the VFW Application

Configuring Remote Network Management Traffic Services

Configuring the Management Interface on Cisco IOS XR

This task provides a virtualized management interface for managing firewall contexts using Cisco IOS XR software. The firewall management interface must also be configured within the VFW application (see the "Configuring the Management Interface on the VFW Application" section) using a different IP address on the same subnet.

SUMMARY STEPS

1. configure

2. interface FirewallManagement number

3. ipv4 address ip-address/prefix

4. exit

5. firewall firewall-context-name follow-active

6. end
or
commit

7. show interfaces FirewallManagement number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface FirewallManagement number

Example:

RP/0/0/CPU0:router(config)# interface firewallmanagement1

Specifies the interface.

Step 3 

ipv4 address ip-address/prefix

Example:

RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.3/30

Specifies the IPv4 address of the interface. It must be a different IP address on the same subnet as the IP address configured for the management interface on the VFW application.

Step 4 

exit

Example:

RP/0/0/CPU0:router(config-if)# exit

Exits interface configuration mode.

Step 5 

firewall firewall-context-name follow-active

Example:

RP/0/0/CPU0:router(config)# firewall ctx1 follow-active

Attaches the management interface to a particular firewall context (ctx1) and attaches it to the active instance of the firewall (follow-active).

Step 6 

end

or

commit

Example:

RP/0/0/CPU0:router(config)# end

or

RP/0/0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7 

show interfaces firewallmanagement number

Example:

RP/0/0/CPU0:router# show interfaces firewallmanagement1

Provides the status of the management interface. If the output does not display the status as up, the management interface is not operating properly. Refer to the "Troubleshooting Tips" section for additional information.

Troubleshooting Tips

To verify that the management interface is up, use the show interfaces firewallmanagement command:

RP/0/0/CPU0:router# show interfaces firewallmanagement

FirewallManagement1 is up, line protocol is up 
  Interface state transitions: 4
  Hardware is Firewall Management Interface(s)
  Internet address is 88.88.88.88/24
  MTU 9216 bytes, BW 1000000 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation fmi,  loopback not set,
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 total input drops
     0 drops for unrecognized upper-level protocol
     Received 0 broadcast packets, 0 multicast packets
     0 packets output, 0 bytes, 0 total output drops
     Output 0 broadcast packets, 0 multicast packets

Configuring the Management Interface on the VFW Application

This task provides a virtualized management interface for managing firewall contexts at the firewall control point on the VFW application. The firewall management interface must also be configured on Cisco IOS XR software (see the "Configuring the Management Interface on Cisco IOS XR" section) using a different IP address on the same subnet.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. interface management name

3. ip address ip_address mask

4. no shutdown

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters configuration mode. You are now within configuration mode of the VFW application.

Step 2 

interface management name

Example:

firewall/Admin(config)# interface management mgmnt

Configures a management interface.

Step 3 

ip address ip_address mask

Example:

firewall/Admin(config-if-mgmt)# ip address 10.1.1.2 255.255.255.252

Specifies the IP address and mask of the interface. It must be a different IP address on the same subnet as the IP address configured for the management interface on the Cisco IOS XR software.

Step 4 

no shutdown

Example:

firewall/Admin(config-if-mgmt)# no shutdown

Enables the management interface.

Step 5 

end

Example:

firewall/Admin(config-if-mgmt)# end

firewall/Admin#

Ends the current configuration session and returns to EXEC mode.
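Both tasks above require the Cisco IOS XR FirewallManagement interface and the VFW management interface to use different addresses on one subnet. On a /30, which has only two usable host addresses, this is easy to get wrong. The following check is an added example, not Cisco IOS XR or VFW code: it parses both notations the page uses (CIDR on the IOS XR side, a dotted mask on the VFW side) and reports why a pair is unusable, including the network and broadcast addresses that a /30 puts right next to the usable ones. The sample values are the addresses from the Configuration Examples section (10.1.1.1/30 and 10.1.1.2 255.255.255.252); the values shown in the detailed steps, 10.1.2.3/30 and 10.1.1.2 255.255.255.252, fall on different /30 networks and fail the check.

```python
import ipaddress

# Sample values taken from the page's configuration example: the IOS XR side
# is written in CIDR notation, the VFW side as address plus dotted mask.
XR_MGMT = "10.1.1.1/30"
VFW_MGMT = ("10.1.1.2", "255.255.255.252")


def check_mgmt_pair(xr_cidr, vfw_ip, vfw_mask):
    """Return (ok, reasons) for an IOS XR / VFW management address pair.

    The rule from the page: the two interfaces need different addresses on the
    same subnet. The check additionally rejects an address that is the network
    or broadcast address of its subnet, since such an address cannot be used
    on a host interface (a /30 makes this mistake easy).
    """
    xr = ipaddress.ip_interface(xr_cidr)
    # IPv4Interface accepts a dotted netmask after the slash, so the VFW form
    # can be parsed without converting the mask to a prefix length first.
    vfw = ipaddress.ip_interface(f"{vfw_ip}/{vfw_mask}")
    reasons = []

    if xr.network != vfw.network:
        reasons.append(f"different subnets: {xr.network} vs {vfw.network}")
    if xr.ip == vfw.ip:
        reasons.append(f"same address on both sides: {xr.ip}")

    for side, iface in (("IOS XR", xr), ("VFW", vfw)):
        net = iface.network
        # /31 and /32 have no separate network/broadcast address to exclude.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            reasons.append(f"{side} address {iface.ip} is the network or broadcast address of {net}")

    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = check_mgmt_pair(XR_MGMT, *VFW_MGMT)
    print("OK" if ok else "NOT OK", reasons)
```

Run it before committing either side; a pair that fails here will leave the FirewallManagement interface unable to reach the VFW management address even though both interfaces report up.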

Configuring Remote Network Management Traffic Services

You configure rules for remote access to the VFW application through the use of class maps, policy maps, and service policies. The following items summarize the role of each function in configuring remote network management access to the VFW application:

Class map—Provides the remote network traffic match criteria to permit traffic based on:

Remote access network management protocols (SSH, Telnet, ICMP)

Client source IP address

Policy map—Enables remote network management access for a traffic classification that matches the criteria listed in the class map.

Service policy—Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.

This section provides an overview on creating a class map, policy map, and service policy for remote network access.

Telnet and SSH remote access sessions are established to the VFW application on a per-context basis. For details on creating users and contexts, refer to the "Configuring Virtualization on the Virtual Firewall" module.

This section includes the following tasks:

Creating and Configuring a Remote Management Class Map

Creating a Layer 3 and Layer 4 Remote Management Policy Map

Applying a Service Policy

Creating and Configuring a Remote Management Class Map

To create a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the VFW application, use the class-map type management configuration command. This command permits network management traffic to be received by the VFW application by identifying the incoming IP protocols that the VFW application can receive as well as the client source IP address and subnet mask as the matching criteria. A class map of type management defines the allowed network traffic as a form of management security for protocols such as SSH, Telnet, and ICMP.

There can be multiple match commands in a class map. You can configure class maps to define multiple management protocol and source IP address match commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the VFW application evaluates the match statements when multiple match criteria exist in a class map.

This task illustrates how to create a remote management class.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. class-map type management [match-all | match-any] cmap_name

3. [line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}

4. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

firewall/Admin(config)#

Enters configuration mode. You are now within configuration mode of the VFW application.

Step 2 

class-map type management [match-all | match-any] cmap_name

Example:
firewall/Admin(config)# class-map type management match-all SSH-TELNET_ALLOW_CLASS

Creates a management class map and enters class map configuration mode. The match-all and match-any keywords determine how the VFW application evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:

match-all—All the match criteria listed in the class map are satisfied to match the network traffic class in the class map, typically match commands of the same type.

match-any—Any one of the match criteria listed in the class map is satisfied to match the network traffic class in the class map, typically match commands of different types.

Step 3 

[line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}

Example:
firewall/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
firewall/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254

Identifies the network management protocols that are matched by the class map. You can include multiple match protocol commands in a class map. Valid protocols can be:

http—Hypertext Transfer Protocol (HTTP). See the "Configuring HTTP and HTTPS Management Traffic Services" section on page VFC-173 for more information.

https—Secure (SSL) Hypertext Transfer Protocol (HTTP). See the "Configuring HTTP and HTTPS Management Traffic Services" section on page VFC-173 for more information.

icmp—Internet Control Message Protocol (ICMP) messages to the VFW application.

snmp—Simple Network Management Protocol (SNMP). See the "Configuring SNMP on the Virtual Firewall" module for more information.

ssh—Secure Shell (SSH) remote connection to the VFW application. The VFW application supports the SSH remote shell functionality provided in SSH Version 1 and supports DES and 3DES ciphers.

Note SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you use an SSH v1.x client when accessing the VFW application.

telnet—Telnet remote connection to the VFW application.

Step 4 

exit

Example:

firewall/Admin(config-cmap-mgmt)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Creating a Layer 3 and Layer 4 Remote Management Policy Map

This task outlines the steps to configure a Layer 3 and Layer 4 management traffic policy.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. policy-map type management first-match pmap_name

3. class cmap_name

4. [permit | deny]

5. exit

6. class map_name1 insert-before map_name2

7. class class-default

8. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

policy-map type management first-match pmap_name

Example:
firewall/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

Creates a Layer 3 or Layer 4 policy map and enters policy map configuration mode. The VFW application executes the action for the first matching classification.

Step 3 

class cmap_name

Example:
firewall/Admin(config-pmap-mgmt)# class L4_REMOTE_ACCESS_CLASS

Associates a previously defined class map with the Layer 3 and Layer 4 remote access policy map, and enters policy map class configuration mode. See the "Creating and Configuring a Remote Management Class Map" section.

Step 4 

permit

or

deny

Example:
firewall/Admin(config-pmap-mgmt-c)# permit

Specifies whether to permit or deny the traffic defined by the class.

Step 5 

exit

Example:

firewall/Admin(config-pmap-mgmt-c)# exit

firewall/Admin(config-pmap-mgmt)#

Exits policy map class configuration mode.

Step 6 

class map_name1 insert-before map_name2

Example:
firewall/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS

(Optional) Manually inserts a previously defined class map ahead of a class map already contained in the policy map. Class map_name1 is inserted to the policy map before class map_name2. Enter an unquoted text string with no spaces and a maximum of 64 characters.

The VFW application does not save sequence reordering through the insert-before command as part of the configuration.

Step 7 

class class-default

Example:
firewall/Admin(config-pmap-mgmt)# class class-default

(Optional) Associates the default class (class-default) with the Layer 3 and Layer 4 remote access policy map, and enters policy map class configuration mode. All network traffic that fails to meet the matching criteria in the named class maps belongs to the default traffic class (class-default). The class-default class map has an implicit match any statement, so it matches all traffic.

Step 8 

end

Example:

firewall/Admin(config-pmap-mgmt)# end

firewall/Admin#

Exits configuration mode.

Applying a Service Policy

You can apply a service policy to a specific interface, or globally to all interfaces in the same context. Note the following when creating a service policy:

Policy maps, applied globally in a context, are internally applied on all interfaces existing in the context.

A policy activated on an interface overwrites any specified global policies for overlapping classification and actions.

The VFW application allows only one policy of a specific feature type to be activated on a given interface.
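The classification rules laid out in the three tasks above (match-all versus match-any in a class map, first-match ordering in the policy map including insert-before, the implicit match any of class-default, and an interface service policy taking precedence over the global one) can be checked against sample connection attempts with the following model. It is an added illustration written for this page, not VFW code: the class and policy names reuse the page's, while the ICMP-only global policy, the interface m2, and the client addresses are constructed. The page does not say what the VFW application does with management traffic that matches no class when no class-default is configured, so the model reports that case as "no decision" rather than assuming one.

```python
import ipaddress
from dataclasses import dataclass, field

# Model of the VFW management classifier described on this page. Added
# illustration, not VFW code; names and addresses below are constructed.


def net(ip, mask):
    """Build a network from the 'ip mask' form used by 'match protocol ... source-address'."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


@dataclass(frozen=True)
class Conn:
    protocol: str    # http | https | icmp | snmp | ssh | telnet
    src: str         # client source address
    interface: str   # management interface the request arrived on


@dataclass
class MatchProtocol:
    """One 'match protocol <proto> {any | source-address ip mask}' line."""
    protocol: str
    source: object = None   # IPv4Network, or None for 'any'

    def matches(self, conn):
        if conn.protocol != self.protocol:
            return False
        return self.source is None or ipaddress.ip_address(conn.src) in self.source


@dataclass
class ClassMap:
    name: str
    mode: str        # "match-all" (every criterion) or "match-any" (at least one)
    criteria: list

    def matches(self, conn):
        hits = [c.matches(conn) for c in self.criteria]
        return all(hits) if self.mode == "match-all" else any(hits)


@dataclass
class PolicyMap:
    """'policy-map type management first-match': the first class that matches decides."""
    name: str
    entries: list = field(default_factory=list)   # (ClassMap or None for class-default, action)

    def add_class(self, cmap, action, insert_before=None):
        entry = (cmap, action)
        if insert_before is None:
            self.entries.append(entry)
            return
        for i, (existing, _) in enumerate(self.entries):
            if existing is not None and existing.name == insert_before:
                self.entries.insert(i, entry)
                return
        raise ValueError(f"{insert_before} is not in policy map {self.name}")

    def evaluate(self, conn):
        for cmap, action in self.entries:
            if cmap is None or cmap.matches(conn):   # class-default: implicit match any
                return (cmap.name if cmap else "class-default", action)
        return (None, None)   # no class matched and no class-default configured


def resolve_policy(interface, interface_policies, global_policy):
    """A service policy on the interface takes precedence over the context-global one."""
    return interface_policies.get(interface, global_policy)


def decide(conn, interface_policies, global_policy):
    """Return (policy name, matched class, action) for one connection attempt."""
    pmap = resolve_policy(conn.interface, interface_policies, global_policy)
    return (pmap.name,) + pmap.evaluate(conn)


# Constructed configuration, reusing the page's class and policy names.
MGMT_NET = net("172.16.10.0", "255.255.255.254")
SSH_CLASS = ClassMap("L4_SSH_CLASS", "match-all", [MatchProtocol("ssh", MGMT_NET)])
REMOTE_ACCESS_CLASS = ClassMap("L4_REMOTE_ACCESS_CLASS", "match-any",
                               [MatchProtocol("ssh", MGMT_NET), MatchProtocol("telnet", MGMT_NET)])
ICMP_CLASS = ClassMap("ICMP_CLASS", "match-all", [MatchProtocol("icmp")])   # icmp any

REMOTE_MGMT_ALLOW_POLICY = PolicyMap("REMOTE_MGMT_ALLOW_POLICY")
REMOTE_MGMT_ALLOW_POLICY.add_class(REMOTE_ACCESS_CLASS, "permit")
REMOTE_MGMT_ALLOW_POLICY.add_class(SSH_CLASS, "permit", insert_before="L4_REMOTE_ACCESS_CLASS")
REMOTE_MGMT_ALLOW_POLICY.add_class(None, "deny")   # class class-default -> deny

GLOBAL_POLICY = PolicyMap("GLOBAL_ICMP_ONLY_POLICY")   # constructed global policy
GLOBAL_POLICY.add_class(ICMP_CLASS, "permit")
GLOBAL_POLICY.add_class(None, "deny")

INTERFACE_POLICIES = {"m1": REMOTE_MGMT_ALLOW_POLICY}   # service-policy input on interface m1 only

if __name__ == "__main__":
    for c in (Conn("ssh", "172.16.10.1", "m1"), Conn("telnet", "172.16.10.1", "m1"),
              Conn("ssh", "192.0.2.10", "m1"), Conn("ssh", "172.16.10.1", "m2"),
              Conn("icmp", "192.0.2.10", "m2")):
        print(c, "->", decide(c, INTERFACE_POLICIES, GLOBAL_POLICY))
```

Two things the model makes visible that the CLI alone does not: because match-all requires every criterion to hold for the same connection, a class listing two different protocols under match-all cannot be satisfied by any single connection, whereas the same two lines under match-any accept either protocol; and the class that first-match attributes a connection to depends on insert-before ordering, which is what the per-class counters of show service-policy will reflect.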

This task describes how to apply a service policy.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. interface management interface_name

3. ip address ip_address mask

4. service-policy input policy_name

5. exit

6. show service-policy policy_name [detail]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

interface management interface_name

Example:
firewall/Admin(config)# interface management m1

Enters interface configuration mode for a management interface.

Step 3 

ip address ip_address mask

Example:
firewall/Admin(config-if-mgmt)# ip address 172.16.1.100 255.255.0.0

Specifies the IP address of the firewall interface.

Step 4 

service-policy input policy_name

Example:
firewall/Admin(config-if-mgmt)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Attaches the traffic policy to the firewall interface.

Note If you use the service-policy command in global configuration mode, the traffic policy is applied to all interfaces in the context.

Step 5 

exit

Example:

firewall/Admin(config-if-mgmt)# exit

firewall/Admin(config)#

Exits interface configuration mode.

Step 6 

show service-policy policy_name [detail]

Example:
firewall/Admin# show service-policy 

Displays service policy statistics for a Layer 3 and Layer 4 remote network traffic management policy map. Use the detail keyword to display a more detailed listing of policy map statistics and status information.

Note The VFW application updates the counters that the show service-policy command displays after the applicable connections are closed.

Troubleshooting Tip

Use the show service-policy command to display service policy statistics for a Layer 3 and Layer 4 remote network traffic management policy map.

firewall/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
Status     : ACTIVE
Description: Allow mgmt protocols
-----------------------------------------
Context Global Policy:
  service-policy: REMOTE_MGMT_ALLOW_POLICY

Configuration Examples for Configuring Firewall Management Interfaces

This section provides the following configuration examples:

MSB Management Interface Configuration: Example

VFW Application Management Interface Configuration: Example

Remote Network Management Traffic Services Configuration: Example

MSB Management Interface Configuration: Example

The following example shows how to configure a virtualized management interface for managing firewall contexts using Cisco IOS XR software:

RP/0/0/CPU0:router# configure 
RP/0/0/CPU0:router(config)# interface firewallmanagement1 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.1.1/30 
RP/0/0/CPU0:router(config-if)# exit 
RP/0/0/CPU0:router(config)# firewall ctx1 follow-active
RP/0/0/CPU0:router(config)# commit 

VFW Application Management Interface Configuration: Example

The following example shows how to configure a virtualized management interface for managing firewall contexts in the VFW application (see the "Configuring the Management Interface on the VFW Application" section for summary steps and detailed steps):

firewall/Admin# configure
firewall/Admin(config)# interface management Mgmnt
firewall/Admin(config-if-mgmt)# ip address 10.1.1.2 255.255.255.252
firewall/Admin(config-if-mgmt)# no shutdown

Remote Network Management Traffic Services Configuration: Example

The following example illustrates how to specify a traffic management action for the Layer 3 and Layer 4 policy map:

firewall/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
firewall/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
firewall/Admin(config-pmap-mgmt-c)# permit
firewall/Admin(config-pmap-mgmt-c)# exit
firewall/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
firewall/Admin(config-pmap-mgmt-c)# permit
firewall/Admin(config-pmap-mgmt-c)# exit

The following example illustrates how to apply a service policy to an interface:

firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
firewall/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

The following example illustrates how to apply a service policy to all interfaces in the context:

firewall/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

Additional References

The following sections provide references related to firewall management interfaces.

Related Documents

Related Topic: Cisco IOS XR virtual firewall commands
Document Title: "Virtual Firewall Commands on Cisco IOS XR Software" module in Cisco IOS XR Virtual Firewall Command Reference

Related Topic: Virtual firewall management interface command syntax
Document Title: "Interface Commands on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Command Reference


Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport