Cisco IOS XR Virtual Firewall Command Reference, Release 3.8
Virtual Firewall Commands on Cisco IOS XR Software


The Cisco IOS XR Virtual Firewall (VFW) application runs on the Cisco XR 12000 Multi-Service Blade (MSB). A dual core CPU on the MSB runs the Cisco IOS XR software (standard edge engine code and firewall code) on core 1 and SanOS (Linux) with the Virtual Firewall application code on core 0.

This module describes the Cisco IOS XR software commands used to configure and integrate a VFW. The Cisco IOS XR software configuration sets up the interaction between the firewall and the router. Each VFW (or firewall context) is configured in the VFW application using SanOS on core 0. The VFW application commands are described in subsequent modules.

For detailed information about VFW concepts, configuration tasks, and examples, see Cisco IOS XR Virtual Firewall Configuration Guide. For information regarding the Cisco IOS XR software, see Cisco IOS XR Getting Started Guide.

default-interface-name

To configure the default interface that represents any unprotected interface in the router, use the default-interface-name command in firewall configuration mode. To remove the default interface configuration, use the no form of this command.

default-interface-name vfw-interface-name

no default-interface-name

Syntax Description

vfw-interface-name

Name of the default interface that represents any unprotected interface in the router.


Defaults

No default behavior or values

Command Modes

Firewall configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

To remove the service location from a configuration, you must first remove the default interface name.

The vfw-interface-name argument must match the interface name that is configured on the VFW application. Refer to Cisco Virtual Firewall Configuration Guide for additional information.

Task ID

Task ID
Operations

firewall

read, write


Examples

The following example shows how to create a firewall named "fw1" in Cisco IOS XR software and specify a default interface named "outside."

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside

Related Commands

Command
Description

failure-action

Configures the action to take if a failure or misconfiguration occurs.

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

service-location

Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.


failure-action

To configure the action to take if a failure or misconfiguration occurs, use the failure-action command in firewall configuration mode. To revert to the default failure action, use the no form of this command.

failure-action {drop | pass | shutdown}

no failure-action

Syntax Description

drop

Drops all packets destined for the firewall.

pass

Bypasses the firewall.

shutdown

Shuts down the attached interface.


Defaults

The default is drop.

Command Modes

Firewall configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the failure-action command to override the default failure policy. If there is a problem with the firewall attachment, the default (drop) behavior automatically drops all packets that should be diverted: all IPv4 unicast and broadcast packets are dropped, while multicast packets and non-IPv4 packets are processed normally.

Use the pass keyword to specify that if a firewall attachment has a problem, all packets are to pass through without firewall protection.

Use the shutdown keyword to specify that if a firewall attachment has a problem, the interface is shut down. All hello or keepalive packets are dropped, and the interface is not used (if possible).

Task ID

Task ID
Operations

firewall

read, write


Examples

The following example shows how to create a firewall named "fw1" in Cisco IOS XR software and configure the failure action to be "shutdown."

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# failure-action shutdown

Related Commands

Command
Description

default-interface-name

Configures the default interface that represents any unprotected interface in the router.

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

service-location

Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.


firewall

To configure a virtual firewall in Cisco IOS XR software, use the firewall command in global configuration mode. To remove the virtual firewall configuration, use the no form of this command.

firewall context-name

no firewall context-name

Syntax Description

context-name

Name of the virtual firewall.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

A virtual firewall is tied to a physical location on the MSB using the service-location command. To remove the service location from a configuration, you must first remove the default interface name. Removing the service location also removes the firewall configuration.

The context-name argument must match the firewall context name that is configured on the VFW application. Refer to the Cisco IOS XR Virtual Firewall Configuration Guide for additional information.

Task ID

Task ID
Operations

firewall

read, write


Examples

The following example shows how to create a firewall named "fw1" in Cisco IOS XR software:

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside
RP/0/0/CPU0:router(config-firewall)# failure-action shutdown

Related Commands

Command
Description

default-interface-name

Configures the default interface that represents any unprotected interface in the router.

failure-action

Configures the action to take if a failure or misconfiguration occurs.

firewall (interface)

Configures the firewall attachment.

service-location

Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.


firewall (interface)

To attach a virtual firewall to one of the router interfaces, use the firewall command in interface configuration mode.

firewall context-name firewall-interface vfw-interface-name

Syntax Description

context-name

Specifies the name of the firewall.

firewall-interface vfw-interface-name

Specifies the name of the firewall interface on the VFW application.


Defaults

No default behavior or values

Command Modes

Interface configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The interface firewall configuration is rejected if the interface type does not support firewall attachments, and the following error is returned:

!!% Firewall Attachments not supported on this interface type

The supported interface types are:

Ethernet main interfaces and subinterfaces

Packet over SONET/SDH (POS) and channelized POS main interfaces and subinterfaces

ATM main interfaces and subinterfaces

VRF-Aware Service Infrastructure (VASI) interfaces

The context-name argument and the vfw-interface-name argument (attachment ID) pair must be unique on each interface where the attachment configuration is applied. If two or more interfaces have an attachment configuration applied with the same context-name and vfw-interface-name pair, the configuration is accepted but both attachments are forced down and the following error message occurs:

LC/0/2/CPU0:Feb 22 17:34:29.251 : rspp_ma[234]: %RSPP_MA-4-DUP_CREATE : Attachment of service ctx1 of type Firewall to interface POS0/2/0/0 with attachment ID inside1 invalid due to duplicate attachment to interface POS0/2/0/3.  Both attachments will be invalidated.

The context-name argument and the vfw-interface-name argument must both match the firewall context and interface names that are configured in the VFW application. Refer to Cisco IOS XR Virtual Firewall Configuration Guide for additional information.
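Because the router accepts a duplicate context-name and vfw-interface-name pair and only then forces both attachments down, it is useful to catch the condition before the configuration is committed. The following Python script is an added example, not part of the Cisco reference and not a Cisco tool: it reads a running-configuration excerpt (a constructed sample is embedded, reproducing the POS0/2/0/0 and POS0/2/0/3 duplicate from the error message above) and reports every pair that is attached on more than one interface. The regular expressions and function names are assumptions made for this example.

```python
"""Pre-commit check for firewall (interface) attachments.

Added example, not Cisco code. Parses the
    interface <name>
     firewall <context-name> firewall-interface <vfw-interface-name>
stanzas of an IOS XR running configuration and reports any
(context-name, vfw-interface-name) pair that appears on more than one
interface. The router accepts such a configuration but forces both
attachments down (RSPP_MA-4-DUP_CREATE), so finding it beforehand avoids
an interface whose traffic is not reaching the firewall.
"""
import re
from collections import defaultdict

# Constructed sample running-config excerpt (not taken from a real router).
SAMPLE_CONFIG = """\
interface POS0/2/0/0
 firewall ctx1 firewall-interface inside1
!
interface POS0/2/0/3
 firewall ctx1 firewall-interface inside1
!
interface GigabitEthernet0/1/0/0
 firewall ctx1 firewall-interface dmz
!
interface GigabitEthernet0/1/0/1
 description no firewall here
!
"""

# Interface stanza header at column 0; the attachment line is indented, which
# keeps the global "firewall <context-name>" command from matching.
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ATTACH_RE = re.compile(r"^\s+firewall\s+(\S+)\s+firewall-interface\s+(\S+)\s*$")


def parse_config_attachments(config_text):
    """Return a list of (interface, context_name, vfw_interface_name) tuples."""
    attachments = []
    current_if = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if line.strip() == "!":          # end of the stanza
            current_if = None
            continue
        m = ATTACH_RE.match(line)
        if m and current_if is not None:
            attachments.append((current_if, m.group(1), m.group(2)))
    return attachments


def find_duplicate_attachments(attachments):
    """Map each (context, vfw_interface) pair used more than once to its interfaces."""
    by_pair = defaultdict(list)
    for ifname, ctx, vfw_if in attachments:
        by_pair[(ctx, vfw_if)].append(ifname)
    return {pair: ifs for pair, ifs in by_pair.items() if len(ifs) > 1}


def check_config(config_text):
    """Convenience wrapper: duplicate map for a whole configuration blob."""
    return find_duplicate_attachments(parse_config_attachments(config_text))


if __name__ == "__main__":
    dups = check_config(SAMPLE_CONFIG)
    if not dups:
        print("OK: every (context, firewall-interface) pair is attached once")
    for (ctx, vfw_if), ifs in dups.items():
        print(f"DUPLICATE: {ctx}/{vfw_if} attached on {', '.join(ifs)}; "
              "both attachments would be forced down")
```

Run it against the output of show running-config before committing an attachment change; a non-empty result means the commit would succeed while leaving the listed interfaces without an operational attachment.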

Task ID

Task ID
Operations

interface

read, write


Examples

The following sample configuration associates interface "inside1" of firewall context "ctx1" with the router physical interface on POS0/2/0/0:

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface POS0/2/0/0
RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside1

Related Commands

Command
Description

firewall

Configures a virtual firewall in Cisco IOS XR software.

interface FirewallManagement

Configures the FMI.

service firewall attach location

Attaches to the VFW application.

show services firewall attachments

Displays any firewall attachments that have been created and provides any failure status information.

show services firewall interfaces

Displays information about individual firewall instances.


interface FirewallManagement

To provide remote access to manage the virtual firewall contexts, use the interface FirewallManagement command in global configuration mode. To remove the firewall management interface (FMI), use the no form of this command.

interface FirewallManagement number firewall context-name follow-active

no interface FirewallManagement number

Syntax Description

number

Number of the FMI. Range is 1 to 65535.

context-name

Particular firewall instance on the MSB core.

follow-active

Attaches the interface to the active instance of the firewall.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the MSB for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The interface FirewallManagement command provides a remote management tool for the virtual firewall contexts. The firewall keyword associates the FMI with a particular firewall context on the VFW application. Any additional interface configuration items must follow, such as defining the VRF or the IP address for the interface. The IP connectivity does not work unless the FMI on the VFW application is configured with an IP address on the same network.

The context-name argument must match the firewall context name that is configured in the VFW application. Refer to the Configuring Virtual Firewalls on the Multi-Service Blade module in Cisco IOS XR Virtual Firewall Configuration Guide for additional information.

Task ID

Task ID
Operations

interface

read, write


Examples

The following example shows how to configure FirewallManagement1 as an active virtual firewall interface, including its IP address, and to associate it with the active instance of the firewall on the VFW application:

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface FirewallManagement1
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.1.3 255.255.255.0
RP/0/0/CPU0:router(config-if)# firewall fw1 follow-active

Related Commands

Command
Description

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

service firewall attach location

Attaches to the VFW application.

show services firewall attachments

Displays any firewall attachments that have been created and provides any failure status information.

show services firewall interfaces

Displays information about individual firewall instances.


service firewall attach location

To attach to the VFW application, use the service firewall attach location command in EXEC mode.

service firewall attach location node-id

Syntax Description

node-id

Specifies the location where you want to attach. The node-id argument is entered in the rack/slot/module notation.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

You must be attached to the VFW application to configure a firewall context.

The service firewall attach location command attaches from the MSB to the VFW application. After you use the command, use admin as the username/password combination to get a prompt in the VFW application. Refer to the Configuring Virtual Firewalls on the Multi-Service Blade module in Cisco IOS XR Virtual Firewall Configuration Guide to see an example of configuring a firewall in the VFW application.

Task ID

Task ID
Operations

firewall

execute


Examples

The following example shows how to attach to the VFW application:

RP/0/0/CPU0:router# service firewall attach location 0/3/CPU0

firewall login: admin
Password: 
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
firewall/Admin# 

Related Commands

Command
Description

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

interface FirewallManagement

Configures the FMI.

show services firewall attachments

Displays any firewall attachments that have been created and provides any failure status information.

show services firewall interfaces

Displays information about individual firewall instances.

show services role

Displays the service role of the MSB.


show services firewall attachments

To display any firewall attachments that have been made, including attachments that are in the failed state (and the reason for the failure), use the show services firewall attachments command in EXEC mode.

show services firewall attachments [interface interface-name | summary]

Syntax Description

interface

(Optional) Displays the firewall attachments for a specific interface.

interface-name

(Optional) Name of the interface.

summary

(Optional) Provides information about the firewall attachments.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the command keywords to modify or limit the information that is displayed for firewall instances. Refer to the notes in the examples within this section.

Task ID

Task ID
Operations

firewall

read


Examples

The following example displays sample output from the show services firewall attachments command:

RP/0/0/CPU0:router# show services firewall attachments

3 firewall attachment(s) configured
! POS0/2/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Pass Through
!     Info:               Duplicate attachment exists
! POS0/2/0/1
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Pass Through
!     Info:               Duplicate attachment exists
  FirewallManagement1
      Firewall Name:      ctx1
      Firewall Interface: Follow-active
      State:              Diverting to 0/3/CPU0

Note The output is sorted by the interface handle. The Firewall Name and FW Interface Name fields are truncated to 24 characters.
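The output above is easiest to act on when it is reduced to the attachments that are not diverting traffic. The following Python parser is an added example, not Cisco code: it reads show services firewall attachments output (the sample shown above is embedded as a constructed copy) and lists the attachments whose State does not begin with Diverting. The field labels come from the output above; the function names, and the treatment of the leading ! marker as a problem flag, are assumptions made for the example.

```python
"""Parse 'show services firewall attachments' output and list the attachments
that are not diverting traffic to the firewall. Added example, not Cisco code."""
import re

# Constructed sample: a copy of the output shown in the reference, where two
# attachments share a (context, firewall-interface) pair and are not diverting.
SAMPLE_OUTPUT = """\
3 firewall attachment(s) configured
! POS0/2/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Pass Through
!     Info:               Duplicate attachment exists
! POS0/2/0/1
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Pass Through
!     Info:               Duplicate attachment exists
  FirewallManagement1
      Firewall Name:      ctx1
      Firewall Interface: Follow-active
      State:              Diverting to 0/3/CPU0
"""

# Field labels as printed in the output; any other non-empty line that is not
# the count line starts a new per-interface block.
FIELD_RE = re.compile(r"^(Firewall Name|Firewall Interface|State|Info):\s*(.*)$")
COUNT_RE = re.compile(r"^\d+ firewall attachment\(s\) configured$")


def parse_show_attachments(text):
    """Return one dict per attachment: interface, flagged, plus the listed fields."""
    attachments = []
    current = None
    for raw in text.splitlines():
        # Assumption: a leading '!' marks a block the router considers faulty,
        # as in the sample above.
        flagged = raw.startswith("!")
        line = raw.lstrip("! ").rstrip()
        if not line or COUNT_RE.match(line):
            continue
        m = FIELD_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1)] = m.group(2)
        else:
            current = {"interface": line, "flagged": flagged}
            attachments.append(current)
    return attachments


def not_diverting(attachments):
    """Attachments whose State does not begin with 'Diverting'. Traffic on such
    an interface is not being handed to the firewall; what happens to it is
    governed by the context's failure-action setting."""
    return [a for a in attachments if not a.get("State", "").startswith("Diverting")]


if __name__ == "__main__":
    for a in not_diverting(parse_show_attachments(SAMPLE_OUTPUT)):
        print(f"{a['interface']}: {a.get('State')} ({a.get('Info', 'no info')})")
```

Feeding the script saved output from several routers gives a quick inventory of interfaces whose protection depends on the failure-action rather than on the firewall itself.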


Related Commands

Command
Description

firewall (interface)

Configures the firewall attachment.

interface FirewallManagement

Configures the FMI.

show services firewall interfaces

Displays information about individual firewall instances.


show services firewall interfaces

To verify if a firewall context exists between the Cisco IOS XR configuration and the VFW application, use the show services firewall interfaces command in EXEC mode.

show services firewall interfaces [context-name] [summary | detail | unoperational] [location node_id]

Syntax Description

context-name

(Optional) Name of the firewall context.

summary

(Optional) Provides a summary of all the firewall instances.

detail

(Optional) Provides detailed information about each firewall instance.

unoperational

(Optional) Provides information about any unoperational firewall instances.

location node-id

(Optional) Specifies the location of the firewall. The node-id argument is entered in the rack/slot/module notation.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the command keywords to modify or limit the information that is displayed for firewall instances. Refer to the notes in the examples within this section.

Task ID

Task ID
Operations

firewall

read

interface

read

sbc

read


Examples

The following example displays sample output from the show services firewall interfaces command when the summary option is used:

RP/0/0/CPU0:router# show services firewall interfaces summary

Status codes: >  Firewall operating correctly
              !  Interface not configured in MSB core
              -  No attachment configured
              d  Default interface
              D  Default interface (overriding attachment configuration)
              m  Management interface

Firewall name                  Location (State)
  St Interface name                 Attached to
  -- -----------------------------  -------------------------
bar                            0/0/CPU0 (Active)
   > dmz                            GigabitEthernet 0/1/0/0
   ! inside                         POS 0/2/0/3
  d> outside                        <default>
  m> <Management: follow-active>    FirewallManagement 3
  m> <Management: follow-standby>   FirewallManagement 4

bar                            0/3/CPU0 (Standby)
   > dmz                            GigabitEthernet 0/1/0/0
   ! inside                         POS 0/2/0/3
  d> outside                        <default>
  m> <Management: follow-active>    FirewallManagement 3
  m> <Management: follow-standby>   FirewallManagement 4

fw1                            0/0/CPU0 (Dormant)
  [No interfaces]

fw1                            0/3/CPU0 (Dormant)
  [No interfaces]

firewall_A                     0/3/CPU0 (Active)
   ! dmz                            POS 0/2/0/1
   - firewall_interface_A
  m> <Management: follow-active>    FirewallManagement 23

firewall_B                     0/0/CPU0 (Active)
  D> outside                        <default>
   > customer                       GigabitEthernet 0/1/0/1
  m- <Management: follow-active>


Note The output is sorted by the firewall name (in MIB-lexicographic order), and then by node ID. The firewall name can be specified to limit the output to a particular firewall, or the location can be given to filter the output by node—or both options can be given to restrict the output to a particular firewall instance.


The following example displays sample output from the show services firewall interfaces command without the summary option:

RP/0/0/CPU0:router# show services firewall interfaces

Firewall name                    Location    State    FW ID   Mgmet I/F   I/Fs
------------------------------   --------    -----    -----   ---------   ----
bar                              0/0/CPU0    Active     3     FwMgmt3       5
                                 0/3/CPU0    Standby    6     FwMgmt4       5
fw1                              0/0/CPU0    Dormant    4     ---           0
                                 0/3/CPU0    Dormant    2     ---           0
firewall_A                       0/3/CPU0    Active     3     FwMgmt23      3
firewall_B                       0/0/CPU0    Active     5     ---           3


Note The management interfaces are indicated by special strings rather than by their actual names on the VFW application.

The firewall name or location can be specified to limit the output, and the firewalls are sorted by name in MIB-lexicographic order, then by node ID. The interfaces are also sorted by name in MIB-lexicographic order within each firewall.

If the unoperational keyword is used, only the interfaces that do not have an operational attachment or that have a configured attachment and are also configured as the "other" interface (such as the ones marked with "D" or not marked with ">") are displayed. Firewalls without unoperational interfaces are not displayed. The output can be restricted further by identifying additional firewall names or locations.
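The unoperational filter described above can also be reproduced offline from saved summary output, which is convenient when output from many routers is collected centrally. The following Python script is an added example, not Cisco code: it parses the summary layout shown earlier (a constructed subset of that output is embedded as sample input) using the status codes from the legend, and reports, per firewall instance, the interfaces that lack the > code or carry the D code. The column handling (a two-character status field, the interface name, and the attachment separated by two or more spaces) and the function names are assumptions based on the sample output.

```python
"""Parse 'show services firewall interfaces summary' output and reproduce the
'unoperational' selection offline. Added example, not Cisco code."""
import re

# Constructed sample: a subset of the summary output shown in the reference.
SAMPLE_SUMMARY = """\
Status codes: >  Firewall operating correctly
              !  Interface not configured in MSB core
              -  No attachment configured
              d  Default interface
              D  Default interface (overriding attachment configuration)
              m  Management interface

Firewall name                  Location (State)
  St Interface name                 Attached to
  -- -----------------------------  -------------------------
bar                            0/0/CPU0 (Active)
   > dmz                            GigabitEthernet 0/1/0/0
   ! inside                         POS 0/2/0/3
  d> outside                        <default>
  m> <Management: follow-active>    FirewallManagement 3

fw1                            0/0/CPU0 (Dormant)
  [No interfaces]

firewall_A                     0/3/CPU0 (Active)
   ! dmz                            POS 0/2/0/1
   - firewall_interface_A
  m> <Management: follow-active>    FirewallManagement 23

firewall_B                     0/0/CPU0 (Active)
  D> outside                        <default>
   > customer                       GigabitEthernet 0/1/0/1
  m- <Management: follow-active>
"""

# Firewall header: name, node ID, and state in parentheses, at column 0.
FW_RE = re.compile(r"^(\S+)\s+(\S+)\s+\((\w+)\)\s*$")
# Interface row: two status characters at columns 2-3, then the rest of the row.
IF_RE = re.compile(r"^\s{2}([>!\-dDm ]{2})\s(\S.*)$")


def parse_interfaces_summary(text):
    """Return a list of firewall instances, each with its interface rows."""
    firewalls = []
    current = None
    in_table = False
    for line in text.splitlines():
        if not in_table:                      # skip the legend and headers
            in_table = line.startswith("  --")
            continue
        if not line.strip():
            continue
        m = FW_RE.match(line)
        if m:
            current = {"name": m.group(1), "location": m.group(2),
                       "state": m.group(3), "interfaces": []}
            firewalls.append(current)
            continue
        if current is None or line.strip() == "[No interfaces]":
            continue
        m = IF_RE.match(line)
        if m:
            # Interface name and "Attached to" are separated by two or more
            # spaces; a row with no attachment has only the name.
            parts = re.split(r"\s{2,}", m.group(2).rstrip(), maxsplit=1)
            current["interfaces"].append({
                "status": m.group(1).strip(),
                "name": parts[0],
                "attached_to": parts[1] if len(parts) > 1 else "",
            })
    return firewalls


def unoperational_interfaces(firewalls):
    """Per firewall instance, the rows lacking '>' or marked 'D', mirroring
    the 'unoperational' keyword; instances with none are omitted."""
    result = {}
    for fw in firewalls:
        bad = [i for i in fw["interfaces"]
               if ">" not in i["status"] or "D" in i["status"]]
        if bad:
            result[(fw["name"], fw["location"])] = bad
    return result


if __name__ == "__main__":
    for (name, loc), rows in unoperational_interfaces(
            parse_interfaces_summary(SAMPLE_SUMMARY)).items():
        for row in rows:
            print(f"{name}@{loc}: [{row['status']}] {row['name']} {row['attached_to']}")
```

The same status-code reading applies to the full (non-summary) listing: a row without > is an interface the firewall cannot currently protect, and a D row is one where the default interface is masking an attachment that is configured but not operational.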


The following example displays sample output from the show services firewall interfaces command with the detail option:

RP/0/0/CPU0:router# show services firewall interfaces detail

Firewall: bar, location 0/0/CPU0 (Active):
    Firewall ID: 3
    Interface: dmz
        Interface ID: 3
        Attached to: GigabitEthernet 0/1/0/0
        Attachment is operational
    Interface: inside
        Interface ID: none (not configured in MSB core)
        Attached to: POS 0/2/0/3
        Attachment is not operational
    Interface: outside
        Interface ID: 5
        Default interface
    Interface: <Management: follow-active>
        Interface ID: 1
        Attached to: FirewallManagement 3
        Attachment is operational
        Management Interface Hardware Identifiers received
    Interface: <Management: follow-standby>
        Interface ID: 1
        Attached to: FirewallManagement 4
        Attachment is operational
        Management Interface Hardware Identifiers received

Firewall: bar, location 0/3/CPU0 (Standby):
    Firewall ID: 6
    Interface: dmz
        Interface ID: 3
        Attached to: GigabitEthernet 0/1/0/0
        Attachment is operational
    Interface: inside
        Interface ID: none (not configured in MSB core)
        Attached to: POS 0/2/0/3
        Attachment is not operational
    Interface: outside
        Interface ID: 5
        Default interface
    Interface: <Management: follow-active>
        Interface ID: 1
        Attached to: FirewallManagement 3
        Attachment is operational
        Management Interface Hardware Identifiers received
    Interface: <Management: follow-standby>
        Interface ID: 1
        Attached to: FirewallManagement 4
        Attachment is operational
        Management Interface Hardware Identifiers received

Firewall: fw1, location 0/0/CPU0 (Dormant)
    Firewall ID: 4
    [No interfaces]

Firewall: fw1, location 0/3/CPU0 (Dormant)
    Firewall ID: 2
    [No interfaces]

Firewall: firewall_name1, location 0/3/CPU0 (Active):
    Firewall ID: 3
    Interface: dmz
        Interface ID: none (not configured in MSB core)
        Attached to: POS0/2/0/1
        Attachment is not operational
    Interface: an_interface_with_a_long_name
        Interface ID: 6
        Not attached
    Interface: <Management: follow-active>
        Interface ID: 2
        Attached to: FirewallManagement23
        Attachment is operational
        Management Interface Hardware Identifiers received

Firewall: firewall_name2, location 0/0/CPU0 (Active)
    Firewall ID: 5
    Interface: outside
        Interface ID: 7
        Default interface
        (Attachment to GigabitEthernet0/1/0/3 is not operational)
    Interface: customer
        Interface ID: 8
        Attached to: GigabitEthernet0/1/0/1
        Attachment is operational
    Interface: <Management: follow-active>
        Interface ID: 9
        Not attached
        Management Interface Hardware Identifiers received


Note The output is sorted by firewall name, node ID, and interface name in MIB-lexicographic order. The output can be restricted further by specifying additional firewall names or locations.


Related Commands

Command
Description

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

hw-module service firewall location

Configures the firewall service as a role on the MSB.

interface FirewallManagement

Configures the FMI.

service firewall attach location

Attaches to the VFW application.

show services role

Displays the service role of the MSB.

show services firewall attachments

Displays any firewall attachments that have been created and provides any failure status information.