Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.8
Configuring Virtual Firewalls on the Multiservice Blade


Configuring Virtual Firewalls on the Multiservice Blade


This module describes how to configure virtual firewalls on the multiservice blade (MSB).

Feature History for Configuring Virtual Firewalls on the MSB

Release
Modification

Release 3.5.0

This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.

Release 3.8.0

Information About the Virtual Firewall Application was updated with information about object groups, syn-cookie, and ILS/LDAP, SIP and SCCP inspection.


Contents

Information About the Virtual Firewall Application

Prerequisites for Implementing Virtual Firewalls

Restrictions for Implementing Virtual Firewalls

How to Perform an Initial Configuration of a Virtual Firewall and Context

Additional References

Information About the Virtual Firewall Application

Virtual firewall (VFW) service for the Cisco XR 12000 Series Router is provided through a multiservice blade (MSB). A VFW provides multiple logical firewalls for multiple networks on a single system. You can provide firewalls that separate and secure individual network users and manage them from one system by establishing security domains that are controlled by the VFWs—with each firewall having its own domain defined.

This section describes the following subjects:

VFW Overview

VFW Description

Firewall Contexts

Deployment Scenarios

Protected and Unprotected Interfaces

VFW Attachment to Interfaces

VFW Overview

The VFW application allows you to apply a firewall policy on traffic traveling in or out of a Cisco XR 12000 Series Router interface. The VFW application runs on the MSB card in the Cisco XR 12000 Series Router.


Note For information about the MSB card, refer to Cisco Multi-Service Blade Installation Guide.


A dual-core CPU on the MSB runs the Cisco IOS XR software (standard edge engine code and firewall code) on core 1 and SanOS (Linux) with the VFW application on core 0. Each VFW (or firewall context) is configured at the VFW application on core 0.

You can set up multiple logical firewalls for multiple networks on a single system. You can manage these separate firewalls and secure individual networks from one system by establishing security domains that are controlled by the VFWs, with each firewall having its own domain defined.

You must use Cisco IOS XR software to configure the association between the Cisco XR 12000 Series Router interfaces and the interfaces in the VFW application. You must also configure the MSB card node (active) that the VFW should run on. If you have an HA configuration, you must also configure an MSB card node for the standby.

Table 2 describes the VFW features.

Table 2 Cisco XR 12000 Virtual Firewall Features 

Feature
Description

Performance and Scalability per Cisco XR 12000 MSB

Up to 250 VFW contexts

8 gigabits per second throughput

2 million packets per second

150,000 Layer 4 connections per second

15,000 connections per second with Layer 7 HTTP inspection

2 million concurrent bidirectional connections

Up to 512,000 translates for dynamic Network Address Translation (NAT)

Up to 250,000 access control list (ACL) entries and use of object groups

High Availability

Intrachassis stateful switchover

Active-standby stateful switchover

Active-active stateful switchover

Virtualization

Single MSB can be partitioned into multiple logical firewalls with support for up to 250 security contexts.

Each security context has its own set of:

Policies (ACLs, NAT, fixups)

Management IP address

Authentication, authorization, and accounting (AAA), Simple Network Management Protocol (SNMP), syslog server

Resource management controls resource usage per security context with guaranteed rates and memory allocation:

Throughputs

New connections per second

ACL memory

Management

SNMP v1, v2c, v3

SNMP is virtualized to allow SNMP setting per virtual context

Extensible Markup Language (XML) interface configuration, provisioning, and monitoring

Role-Based Access Control (RBAC) with management domains

Modular policy commands

AAA: LDAP, TACACS, RADIUS

Jumbo Frame Support

The Cisco XR 12000 VFW supports jumbo frames of up to 9180 bytes without the need for fragmentation.

Inspection Engines

Advanced HTTP inspection: RFC compliance checking for anomaly detection, HTTP misuse, HTTP command filtering, MIME type validation and filtering, and more

RTSP inspection

ICMP inspection and fixup

DNS inspection and fixup

SIP inspection

SCCP inspection

ILS/LDAP inspection

FTP

TCP/IP normalization with Adaptive Security algorithm to monitor TCP handshake

SYN-Cookie denial-of-service protection


VFW Description

The Cisco IOS XR software uses the interface information, and any additional information about the configuration on the VFW application, to program the MSB card to translate between the Cisco XR 12000 Series Router interfaces and the VFW application.

The VFW application assigns a unique numeric firewall ID to each VFW, and a unique numeric interface ID for each interface in the VFW application. The VFW application receives the packets with these identifiers that indicate the VFW that should be run and the ingress and egress interfaces that should be used. The entire translation is done in the Cisco IOS XR software before the packet is passed to the VFW application for firewall purposes.

A firewall in the VFW application exists in one of the following states:

Active—The VFW application is enabled and actively processing packets.

Standby—(Supported for HA) The firewall is enabled and synchronized with the active instance of the firewall.

Dormant—The firewall is disabled and does not process packets. If a firewall is configured in the VFW application but it does not have a corresponding configuration in the Cisco IOS XR software, the firewall is placed in the dormant state. This occurs immediately after a firewall is first configured in the VFW application before the Cisco IOS XR software can be configured, or if there is a conflict between the configurations on the Cisco IOS XR software and the VFW application.

Firewall Contexts

The VFW can service up to 250 different instances, called contexts. Each of these contexts has its own independent policies and management IP addresses. You can configure each context with its own guaranteed resources (for example, memory, connection rate, and so forth).

Deployment Scenarios

The VFW can be deployed in different topologies for service providers. This includes using VRF Aware Service Infrastructure (VASI) to enable the transparent VFW integration at the public IP peering point or as a shared services-facing router. Scenarios include:

Internet access—The firewall can be deployed to support Internet offload for VPN customers. It provides the ability to apply individual firewall policies on a customer-by-customer basis (Figure 1).

Site-to-site firewall access—The solution can be used to provide site-to-site firewall service, allow users to apply policies on a per-site basis, and control access between locally connected sites as well as between the sites and the rest of the VPN network (Figure 2).

Shared services access—The firewall can be used as an interface between the VPN customers and any shared services offered by the provider that they access (Figure 3).

Figure 1 displays a customer facing deployment of the VFW feature. This deployment allows each customer to specify security policies that can be managed by the service provider. The service provider can create one context per customer and apply that on an interface (or subinterface) basis.

Figure 1 VFW Deployed at the Point-of-Presence

Figure 2 depicts a VRF-Aware Services Infrastructure (VASI) deployment. With VASI, you can route between two (or more) VRFs or between a VRF and global with a VFW in between.

In this scenario, a service provider can offer tiered services for multiple customers and the MSB is placed on the Internet facing router (PE router) to provide firewall services. For example, VRFA and VRFB are connecting to the Internet in Figure 2. Each has its own security policies defined, managed by the service provider on the MSB, and tiered services are offered.

Figure 2 VFW Deployed at the Peering Points

Figure 3 displays another VASI deployment, but in this example, you can have multiple customers accessing one shared service such as a data center. The shared service can be on one interface while the customers are on different interfaces. A firewall can be placed between the customers and the data center.

Figure 3 VFW Deployed at the Shared Services Facing Router

In Figure 3, an enterprise customer could use this deployment model to filter traffic between different departments (VRFs using VASI or interfaces on the Cisco XR 12000 Series Router) or between the different departments and a data center.

Protected and Unprotected Interfaces

To protect an interface on the Cisco XR 12000 Series Router, you must attach a firewall to it by specifying the name of the VFW and the name of the interface in the VFW application within that firewall. This provides a 1-to-1 mapping between protected Cisco XR 12000 Series Router interfaces and the VFW interfaces in the VFW application.

In addition to the protected interfaces that are attached to the VFW interfaces, you can specify and configure another interface as the default interface. This interface represents all unprotected interfaces on the router. Traffic that arrives on unprotected interfaces on the Cisco XR 12000 Series Router is automatically routed through this default interface on the MSB and then sent out through the protected interface.

You can configure any VFW application interfaces that you want to represent the default Cisco XR 12000 Series Router interfaces that are not attached to the specific VFW.

VFW Attachment to Interfaces

The VFW created in the Cisco IOS XR software is attached directly to the router interface, causing packets to be diverted to the firewall (Figure 4). All IPv4 unicast and broadcast traffic is diverted. All other traffic, such as IPv6 and multicast, continues its normal flow and is never inspected by the firewall.

Figure 4 Firewall Attachment

The VFW attachment to a physical interface, such as Ethernet or Packet over SONET (POS)/SDH, or to a virtual interface, such as VASI or firewall management interface (FMI), must be configured in Cisco IOS XR software (see Attaching a VFW to an Interface) and in the VFW application (see Attaching a Virtual Firewall to a VASI Interface and Configuring the VFW Application).

The traffic is diverted to the VFW during ingress or egress from the MSB:

Ingress Diversion (Figure 5)—All traffic received by a firewall-attached interface is sent to the MSB. This also includes traffic that is destined for the router.

Egress Diversion (Figure 6)—All traffic transmitted by the attached interface is sent to the MSB. This also includes traffic that is originated by the router.

Figure 5 Ingress Diversion

Figure 6 Egress Diversion

Prerequisites for Implementing Virtual Firewalls

The following prerequisites are required to implement a VFW:

You must be in a user group associated with a task group that includes the proper task IDs for security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

You must install and activate the package installation envelope (PIE) for the security and firewall software (see Installing the Firewall PIE).

For detailed information about optional PIE installation, refer to Cisco IOS XR System Management Configuration Guide.

The firewall service role must be configured on the MSB (see Configuring the Firewall Service Role).

You must be able to access the VFW application on core 0 of the dual core CPU on the MSB. See Attaching to the VFW Application.

Restrictions for Implementing Virtual Firewalls

The following restrictions apply when implementing a VFW:

Firewall contexts are limited to 250 virtual firewall contexts per MSB.

A firewall context must be correctly defined in the Cisco IOS XR software and in the VFW application. The following order is recommended:

Install the Cisco IOS XR software, including the firewall PIE (see Installing the Firewall PIE).

Configure the Cisco IOS XR software to recognize the MSB as a VFW (see Configuring the Firewall Service Role).

Configure the firewall in the Cisco IOS XR software that corresponds to a firewall context in the VFW application (see Configuring the VFW in Cisco IOS XR Software).

Create the management interface in the Cisco IOS XR software that corresponds to the MSB (see Configuring the Management Interface on Cisco IOS XR Software).

Attach to the VFW application on the MSB card (see Attaching to the VFW Application).

Create a firewall context (see Configuring Firewall Contexts).

Configure a management interface on the MSB (see Configuring the Management Interface on the VFW Application).

Firewall attachment restrictions:

The supported interface types are Ethernet main interface and subinterfaces (VLANs), Packet over SONET/SDH (POS) and channelized POS main interfaces and subinterfaces, ATM main interfaces and subinterfaces, service virtual interfaces (SVIs), and IP security (IPSec) interfaces.

Attaching a VFW to a route processor (RP) or Director Response Protocol (DRP) interface is not supported.

Only IPv4 unicast and IPv4 broadcast packets are diverted to the MSB for handling. Layer 2 packets, multicast traffic, and other Layer 3 protocols (like IPv6) are not diverted to the MSB for firewall inspection, but are sent directly to the egress line card.

VRF-Aware Service Infrastructure (VASI) interface restrictions:

Other than service location and firewall attachments, the allowable configuration is only for IPv4 addresses, virtual routing and forwarding (VRF), and shutdown.

The service location must be configured for at least one interface in the VASI pair before either one can become active.

IPSec interface restrictions:

The VFW application executes on clear traffic only.

When the VFW application is attached to an IPSec virtual interface, clear and encrypted traffic pass through the MSB that hosts the attached VFW application.

The VFW application can be attached to a service IPSec interface that has the front VRF (or tunnel VRF) different from the internal VRF (side for clear or non-encrypted traffic).

At any time, the shared tunnel source cannot be used on any two service IPSec interfaces if at least one of them has an attached VFW application.

How to Perform an Initial Configuration of a Virtual Firewall and Context

This section describes the following tasks:

Installing the Firewall PIE

Configuring the Firewall Service Role

Configuring the VFW in Cisco IOS XR Software

Attaching to the VFW Application

Configuring the VFW Application

Upgrading the Firewall Software

Configuring Firewall Contexts

Attaching a VFW to an Interface

Installing the Firewall PIE

This task installs and activates the firewall PIE. You must activate the firewall PIE before you can use the VFW software.


Note For details on installing and activating the firewall PIE, see Cisco IOS XR System Management Configuration Guide.


SUMMARY STEPS

1. admin

2. install add tftp://A.B.C.D/c12k-firewall.pie activate

3. exit

4. show install active summary

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

admin

Example:

RP/0/0/CPU0:router# admin

Enters admin mode.

Step 2 

install add tftp://A.B.C.D/c12k-firewall.pie activate

Example:

RP/0/0/CPU0:router(admin)# install add tftp://123.1.2.3/c12k-firewall.pie activate

Installs the PIE from the TFTP server and activates it. TFTP provides no authentication or integrity protection for the transfer, so serve the PIE only from a trusted host on the management network.

Step 3 

exit

Example:

RP/0/0/CPU0:router(admin)# exit

Exits the admin mode.

Step 4 

show install active summary

Example:

RP/0/0/CPU0:router# show install active summary

Active Packages:

disk0:c12k-firewall-3.5.0.17I

disk0:c12k-mini-3.5.0.17I

Verifies the installation of the firewall PIE.

Configuring the Firewall Service Role

You can configure the MSB to support different services. You must use the hw-module service command to assign the firewall service type to the MSB. The firewall service provides VFW and VRF-Aware Service Infrastructure (VASI) capabilities.

The firewall service is not available unless the firewall PIE is installed. If the firewall PIE is removed, any firewall service configuration owned by the firewall PIE is also removed.

This task configures the firewall role on the card to which you want to attach the firewall.

SUMMARY STEPS

1. configure

2. hw-module service service-id location node-id

3. end
or
commit

4. show service role

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

hw-module service service-id location node-id

Example:

RP/0/0/CPU0:router(config)# hw-module service firewall location 0/3/CPU0

Configures the firewall service as the role for a specific node.

Step 3 

end

or

commit

Example:

RP/0/0/CPU0:router(config)# end

or

RP/0/0/CPU0:router(config)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

The card then automatically reboots to get into the firewall role.

Step 4 

show service role

Example:

RP/0/0/CPU0:router# show service role

Verifies that the firewall service is the role on the node specified.

Examples

The following example shows how to configure the firewall role on the card to which you want to attach the firewall (see the "Configuring the Firewall Service Role" section for steps):

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# hw-module service firewall location 0/3/CPU0
RP/0/0/CPU0:router(config)# commit

The card reboots into the firewall role. You must wait approximately three minutes to allow the MSB card to reset completely before continuing any configurations.

You can verify that the firewall service role is configured by using the show service role command. The Configured Role and Enacted Role columns must both show Firewall; if Enacted Role lags behind, the card has not finished rebooting into the role:

RP/0/0/CPU0:router# show service role 
Node       Configured Role     Enacted Role        Enabled Services
-------------------------------------------------------------------
0/3/CPU0   Firewall            Firewall            Firewall, VASI

Configuring the VFW in Cisco IOS XR Software

This task configures a virtual firewall in Cisco IOS XR software that corresponds to a firewall context within the VFW application.

SUMMARY STEPS

1. configure

2. firewall context-name

3. service-location preferred-active node-id [preferred-standby node-id] [auto-revert]

4. failure-action {drop | bypass | shutdown}

5. default-interface-name vfw-interface-name

6. end
or
commit

7. show services [redundancy]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

firewall context-name

Example:

RP/0/0/CPU0:router(config)# firewall ctx1

Specifies the name of a firewall context. The context-name must match the one on the VFW application.

Step 3 

service-location preferred-active node-id [preferred-standby node-id] [auto-revert]

Example:

RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/0 preferred-standby 0/1/0

Specifies the active and, optionally, the standby MSB location for this firewall.

Use the preferred-active keyword to specify that the card in this location serves all traffic for the interfaces attached to this firewall. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the preferred-standby keyword to specify that if the preferred-active card fails, the firewall is served by the card in this location. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the auto-revert keyword to aggressively revert to the preferred active firewall, when the active node comes back up after a switchover.

Note Do not use the auto-revert keyword if you are planning to bring up a new MSB in place of an active node.

Step 4 

failure-action {drop | bypass | shutdown}

Example:

RP/0/0/CPU0:router(config-firewall)# failure-action bypass

(Optional) Specifies what happens to traffic on the attached interfaces when the firewall attachment is not available (for example, while the MSB is failed or reloading). Use the failure-action command to override the default failure policy. Choose this deliberately: drop and shutdown fail closed, bypass fails open.

If there is a problem with the firewall attachment, the default (drop) behavior drops all packets that would have been diverted: all IPv4 unicast and broadcast packets are dropped, while multicast and non-IPv4 packets, which are never diverted, are processed normally.

(Optional) Use the bypass keyword to specify that if a firewall attachment has a problem, all packets pass through without firewall protection. This preserves connectivity but leaves the protected interface unfiltered for as long as the firewall is down, so use it only where availability matters more than the firewall policy.

(Optional) Use the shutdown keyword to specify that if a firewall attachment has a problem, the interface is shut down. All hello or keepalive packets are dropped, so neighbors stop using the interface (if possible) and traffic is rerouted rather than passed unfiltered.

Step 5 

default-interface-name vfw-interface-name

Example:

RP/0/0/CPU0:router(config-firewall)# default-interface-name outside

Specifies the default interface name for the firewall. The vfw-interface-name must match the interface name in the VFW application.

Step 6 

end

or

commit

Example:

RP/0/0/CPU0:router(config-firewall)# end

or

RP/0/0/CPU0:router(config-firewall)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7 

show services redundancy

Example:

RP/0/0/CPU0:router# show services redundancy

Inspects the status of the firewall. If the output does not display the status as Active, the firewall is not operational. Refer to the "Troubleshooting Tips" section for additional information.

Troubleshooting Tips

Use the show services redundancy command to verify that the firewall service is either in active or standby state.

If the firewall status is displayed as Active in either the Preferred Active or Preferred Standby columns, then the firewall is operational:

RP/0/0/CPU0:router# show services redundancy
Service type     Name                    Pref. Active        Pref. Standby
--------------------------------------------------------------------------------
Firewall         ctx1                    0/3/CPU0 Active

Examples

The following example shows how to configure a virtual firewall in Cisco IOS XR software that corresponds to a firewall context within the VFW application (see the "Configuring the VFW in Cisco IOS XR Software" section for summary steps and detailed steps):

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall ctx1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/3/CPU0
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside
RP/0/0/CPU0:router(config-firewall)# commit

Note If there are two MSB cards in the Cisco XR 12000 Series Router, you can also provide high availability (HA) for the firewall by including the preferred-standby command after the preferred-active command.


You can inspect the status of the firewall (or any other service) by using the show services redundancy command:

RP/0/0/CPU0:router# show services redundancy 
Service type     Name                    Pref. Active        Pref. Standby
--------------------------------------------------------------------------------
Firewall         ctx1                    0/3/CPU0 Active

If the output does not display the status as Active, the firewall is not operational. See the "Troubleshooting Tips" section for additional information.

Attaching to the VFW Application

This task provides an attachment from the route processor to the VFW application. The Cisco IOS XR firewall configuration is only for the interaction between the firewall and the router. You must be attached to the VFW application to configure a firewall (context). Firewalls are configured in the VFW application.

SUMMARY STEPS

1. service service-id attach location node-id

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

service service-id attach location node-id

Example:

RP/0/0/CPU0:router# service firewall attach location 0/3/CPU0
firewall login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
firewall/Admin#

Attaches to the VFW application at the location specified by the node-id argument.

You are then prompted to log in to the VFW application. Use the admin user ID. Initially the admin password is admin. This default is identical on every shipped MSB, so change it as soon as you log in for the first time (see Configuring the VFW Application).

Troubleshooting Tips

If you cannot attach to the VFW application, use the show service role command to verify that the firewall service role is configured and enacted:

RP/0/0/CPU0:router# show service role
Node       Configured Role     Enacted Role        Enabled Services
-----------------------------------------------------------------------------
0/3/CPU0   Firewall            Firewall            Firewall, VASI 

You also need to ensure that the VFW application is completely loaded and operational. The following messages should be displayed during MSB boot:

LC/0/3/CPU0:May  4 21:17:23.886 : sanos_driver[241]: 
%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : Service CPU reports that the SanOS image is 
fully loaded 
LC/0/3/CPU0:May  4 21:18:11.157 : sanos_driver[241]: 
%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : SanOS image is running
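The three checks that this module tells you to do by eye (the Configured Role and Enacted Role columns of show service role, an Active entry in show services redundancy in the "Troubleshooting Tips" for Configuring the VFW in Cisco IOS XR Software, and the two BOOT_IMAGE_STATUS messages above) are easy to automate from collected CLI output. The following is an added example, not code from this guide or from Cisco: it parses the output formats shown on this page and returns the problems found. The sample outputs and syslog lines are constructed for the example; the second MSB node (0/5/CPU0), the contexts ctx2 and ctx3, and the Failed and Dormant column values are assumed for illustration and do not come from the guide.

```python
"""Added example (not from the Cisco guide): offline health checks over
'show service role', 'show services redundancy' and MSB boot syslog lines."""
import re

# Constructed sample of 'show service role'. Node 0/5/CPU0 is assumed to be
# a second MSB that has not yet finished rebooting into the firewall role.
SHOW_SERVICE_ROLE = """\
Node       Configured Role     Enacted Role        Enabled Services
-----------------------------------------------------------------------------
0/3/CPU0   Firewall            Firewall            Firewall, VASI
0/5/CPU0   Firewall            None
"""

# Constructed sample of 'show services redundancy': ctx1 healthy, ctx2 only
# Active on its preferred standby, ctx3 with no Active instance at all.
# The ctx2/ctx3 rows and the Failed/Dormant values are assumptions.
SHOW_SERVICES_REDUNDANCY = """\
Service type     Name                    Pref. Active        Pref. Standby
--------------------------------------------------------------------------------
Firewall         ctx1                    0/3/CPU0 Active     0/5/CPU0 Standby
Firewall         ctx2                    0/3/CPU0 Failed     0/5/CPU0 Active
Firewall         ctx3                    0/3/CPU0 Dormant
"""

# Constructed syslog lines in the format shown in the guide (the "fully
# loaded" message is joined onto one line here). Node 0/5/CPU0 has loaded
# its SanOS image but has not reported it running yet.
MSB_SYSLOG = [
    "LC/0/3/CPU0:May  4 21:17:23.886 : sanos_driver[241]: "
    "%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : Service CPU reports that the SanOS image is fully loaded",
    "LC/0/3/CPU0:May  4 21:18:11.157 : sanos_driver[241]: "
    "%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : SanOS image is running",
    "LC/0/5/CPU0:May  4 21:17:30.001 : sanos_driver[241]: "
    "%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : Service CPU reports that the SanOS image is fully loaded",
]

NODE = r"\d+/\d+/\w+"  # rack/slot/module, e.g. 0/3/CPU0

ROW_RE = re.compile(
    rf"^(?P<type>\S+)\s+(?P<name>\S+)\s+(?P<act_node>{NODE})\s+(?P<act_state>\w+)"
    rf"(?:\s+(?P<sby_node>{NODE})\s+(?P<sby_state>\w+))?\s*$"
)
BOOT_RE = re.compile(
    rf"^LC/(?P<node>{NODE}):.*%SECURITY-SANOS-6-BOOT_IMAGE_STATUS : (?P<msg>.*)$"
)


def parse_service_role(text):
    """Return {node: (configured_role, enacted_role, [enabled services])}."""
    roles = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not re.fullmatch(NODE, fields[0]):
            continue  # header, separator or blank line
        node, configured, enacted = fields[:3]
        roles[node] = (configured, enacted, [s.strip(",") for s in fields[3:]])
    return roles


def parse_services_redundancy(text):
    """Return {name: {'type', 'active': (node, state), 'standby': (node, state) | None}}."""
    services = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and separator rows never contain a node id
        standby = (m["sby_node"], m["sby_state"]) if m["sby_node"] else None
        services[m["name"]] = {"type": m["type"],
                               "active": (m["act_node"], m["act_state"]),
                               "standby": standby}
    return services


def sanos_boot_state(syslog_lines):
    """Return {node: 'loaded' | 'running'}; 'running' must follow 'fully loaded'."""
    state = {}
    for line in syslog_lines:
        m = BOOT_RE.match(line)
        if not m:
            continue
        if m["msg"].endswith("image is running"):
            state[m["node"]] = "running"
        elif m["msg"].endswith("fully loaded") and state.get(m["node"]) != "running":
            state[m["node"]] = "loaded"
    return state


def vfw_findings(role_text, redundancy_text, syslog_lines):
    """Return a list of problems; an empty list means every check passed."""
    findings = []
    boot = sanos_boot_state(syslog_lines)
    for node, (configured, enacted, services) in sorted(parse_service_role(role_text).items()):
        if configured != enacted:
            findings.append(f"{node}: configured role {configured} but enacted role {enacted}")
        elif enacted == "Firewall" and "Firewall" not in services:
            findings.append(f"{node}: Firewall role enacted but Firewall service not enabled")
        if enacted == "Firewall" and boot.get(node) != "running":
            findings.append(f"{node}: SanOS image not reported running ({boot.get(node, 'no boot message')})")
    for name, svc in sorted(parse_services_redundancy(redundancy_text).items()):
        instances = [svc["active"]] + ([svc["standby"]] if svc["standby"] else [])
        if not any(state == "Active" for _, state in instances):
            findings.append(f"{name}: no Active instance ({', '.join(f'{n} {s}' for n, s in instances)})")
        elif svc["active"][1] != "Active":
            findings.append(f"{name}: running on preferred standby only ({svc['active'][0]} {svc['active'][1]})")
    return findings


if __name__ == "__main__":
    for finding in vfw_findings(SHOW_SERVICE_ROLE, SHOW_SERVICES_REDUNDANCY, MSB_SYSLOG):
        print(finding)
```

Run it against the constructed samples and it reports the half-booted second MSB, ctx2 surviving only on its standby, and ctx3 with no Active instance; ctx1 and node 0/3/CPU0 produce no findings. The redundancy check follows the rule stated in this module: a context is operational if either the Pref. Active or the Pref. Standby column shows Active, and only a context with no Active entry at all is treated as down.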

Examples

The following example shows how to attach from the router processor to the VFW application (see Attaching to the VFW Application for summary steps and detailed steps):

RP/0/0/CPU0:router# service firewall attach location 0/3/CPU0
firewall login: admin
Password: 
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
firewall/Admin# 

Configuring the VFW Application

This section describes how to initially configure basic settings on the VFW application. This is an optional task.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. changeto context-name

2. configure

3. username name [password [0 | 5] {password}]

4. hostname name

5. login timeout minutes

6. banner motd text

7. terminal {length lines | monitor | session-timeout minutes | terminal-type text | width characters}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

changeto context-name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs into the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note The rest of the examples in this task use the Admin context. For details on creating contexts, see the "Configuring Virtualization on the Virtual Firewall" module.

Step 2 

configure

Example:

firewall/Admin# configure

firewall/Admin(config)#

Enters global configuration mode. You are now in configuration mode of the VFW application.

Step 3 

username name [password [0 | 5] {password}]

Example:

firewall/Admin(config)# username user1 password 0 mysecret_801

Creates an administrative account or, when name is admin, replaces the default admin password. The 0 keyword enters the password in clear text; the 5 keyword enters a password that is already MD5-hashed (for example, one copied from another VFW configuration), so do not use 5 with a plain-text string.

During the initial login process to the VFW application, you enter the default user name admin and the default password admin in lowercase text. Change the administrative password before you attach the firewall to any production interface: the same default credentials are configured on every VFW application we ship, so anyone who can reach the MSB can otherwise log in as the administrator.

The administrative username and password are stored in flash memory. Each time you reboot the VFW application, it reads the username and password from flash memory. Global administrative status is assigned to the administrative username by default.

Step 4 

hostname name

Example:

firewall/Admin(config)# hostname firewall

(Optional) Configures a hostname for the VFW application.

Step 5 

login timeout minutes

Example:

firewall/Admin(config)# login timeout 10

(Optional) Configures the length of time a user session can be idle before the VFW application terminates the console, Telnet, or SSH session. Valid entries are 0 to 60 minutes. A value of 0 instructs the VFW application never to time out, which leaves unattended sessions open indefinitely; keep a nonzero value on any session reachable over the network. The default is 5 minutes.

Step 6 

banner motd text

Example:

firewall/Admin(config)# banner motd #Welcome to the VFW - Unauthorized Use Not Permitted#

(Optional) Configures a message in configuration mode to display as the message-of-the-day banner when a user connects to the VFW application. After you connect to the VFW application, the message-of-the-day banner appears, followed by the login banner and EXEC mode prompt.

The text string consists of all characters following the first space until the end of the line (carriage return or line feed). The # character functions as the delimiting character for each line.

Step 7 

terminal {length lines | monitor | session-timeout minutes | terminal-type text | width characters}

Example:
firewall/Admin# terminal terminal-type vt200
firewall/Admin# terminal length 35
firewall/Admin# terminal width 250

(Optional) Configures the number of lines and the width for displaying information on a terminal during a console session. The keywords, arguments, and options are:

length lines—Sets the number of lines displayed on the current terminal screen. This command is specific to only the console port. Valid entries are from 0 to 511. The default is 24 lines. A selection of 0 instructs the VFW application to scroll continuously (no pausing).

monitor—Displays syslog output on the terminal for the current terminal and session. To enable the various levels of syslog messages to the terminal, use the logging monitor command.

session-timeout minutes—Specifies the inactivity timeout value in minutes to configure the automatic logout time for the current terminal session on the VFW application. When inactivity exceeds the time limit configured by this command, the VFW application closes the session and exits. The range is 0 to 525600. The default is 5 minutes. You can set the terminal session-timeout value to 0 to disable this feature so that the terminal remains active until you choose to exit the VFW application. The VFW application does not save this change in the configuration file.

Note The login timeout command setting overrides the terminal session-timeout setting (see Step 4).

terminal-type text—Specifies the name and type of the terminal used to access the VFW application. If a Telnet or SSH session specifies an unknown terminal type, the VFW application uses the VT100 terminal by default. Specify a text string from 1 to 80 alphanumeric characters.

width characters—Sets the number of characters displayed on the current terminal screen. This command is specific to only the console port. Valid entries are 24 to 512. The default is 80 columns.
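The steps above leave the administrative settings of the VFW in a saved configuration, which can be checked mechanically before the blade goes into service. The script below is an added example, not part of this guide or of the VFW software: it reads a constructed sample of that configuration and reports the two conditions the steps warn about, the factory default admin/admin account that every VFW ships with, and a login timeout of 0, which disables idle-session expiry. The meaning of the 0 and 5 password keywords (clear text versus hashed) is assumed from Cisco convention and is not stated on this page.

```python
import re

# Constructed sample of a saved VFW admin configuration. The admin/admin line
# reproduces the factory default the guide tells you to replace.
SAMPLE_CONFIG = """\
hostname firewall
username admin password 0 admin
username user1 password 5 mysecret_801
login timeout 0
banner motd #Welcome to the VFW - Unauthorized Use Not Permitted#
"""

# username name [password [0 | 5] {password}]  (syntax from Step 3 above)
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:([05])\s+)?(\S+)$")
# login timeout minutes  (0 = never time out, valid range 0-60, default 5)
LOGIN_TIMEOUT_RE = re.compile(r"^login\s+timeout\s+(\d+)$")


def audit_vfw_admin_config(config_text):
    """Return a list of (severity, message) findings for a VFW configuration."""
    findings = []
    saw_login_timeout = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            user, ptype, secret = m.groups()
            if user == "admin" and secret == "admin":
                # Every VFW ships with this pair, so it is known to anyone.
                findings.append(("high", "default admin/admin credentials still configured"))
            elif ptype == "0":
                # Assumption (Cisco convention, not stated on this page):
                # the 0 keyword stores the password in clear text, 5 stores a hash.
                findings.append(("medium", f"user {user!r}: password stored in clear text"))
            continue
        m = LOGIN_TIMEOUT_RE.match(line)
        if m:
            saw_login_timeout = True
            minutes = int(m.group(1))
            if minutes == 0:
                findings.append(("medium", "login timeout 0: idle sessions never expire"))
            elif minutes > 60:
                findings.append(("low", f"login timeout {minutes}: above the 60-minute maximum"))
    if not saw_login_timeout:
        findings.append(("info", "login timeout not set; the 5-minute default applies"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_vfw_admin_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the audit reports the default credentials and the disabled login timeout; a configuration with only hashed passwords and a timeout inside the 1 to 60 minute range produces no findings.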

Troubleshooting: Resetting the Administrator's CLI Account Password

If you accidentally forget the password for the VFW application administrator account and cannot access the VFW application, you can recover the admin password during the initial bootup sequence of the VFW application. You must access the VFW application to reset the password for the Admin user back to the factory default value of admin.

To reset the password that allows the Admin user access to the VFW application:


Step 1 Attach to the MSB card:

run attach location

Step 2 Invoke the UART driver:

devc-serbcm1250 -b9600 0x10060500,0x8007002e 0x10060600,0x8007002f &

Step 3 Attach to the VFW application:

umux_shell 7 4 /dev/ser2

Step 4 During the bootup process, output appears on the console terminal. Press ESC when the "Waiting for 3 seconds to enter setup mode..." message appears on the terminal (see the example below). The setup mode appears. If you miss the time window, wait for the VFW application to properly complete booting, reboot the VFW application from the CLI, and try again to access the setup mode by pressing ESC.

IXP polling timeout interval: 120
map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x58800000
map_pci_xram_to_uspace[149] :: mapping 4096 bytes from 0x5a800000
................................................
IXP's are up... <Sec 48 :Status of IXP1 7, IXP2 7>
map_pci_xram_to_uspace[149] :: mapping 102400 bytes from 0x4fd68000
map_pci_xram_to_usenabling intb 57 interrupts
pace[149] :: mapping 102400 bytes from 0x57d68000
Starting lcpfw process...
inserting IPCP klm
Warning: loading /itasca/klm/klm_session.klm will taint the kernel: no license
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module klm_session.klm loaded, with warnings
inserting cpu_util klm
 create dev node as 'mknod /dev/cpu_util c 236 0'
getting cpu_util dev major num
making new cpu_util dev node
 Session Agent waiting for packets .
Waiting for 3 seconds to enter setup mode...
Entering setup sequence...
Reset Admin password [y/n] (default: n): y
Resetting admin password to factory default...
XR Serial driver version 1.0 (2004-11-08) with no serial options enabled
ttyXR major device number: 235
Create a dev file with 'mknod /dev/ttyXR c 235 [0-1]'
cux major device number: 234
Create a dev file with 'mknod /dev/cux c 234 [0-1]'
ttyXR0 at 0x10c00000 (irq = 59) is a 16550A
ttyXR1 at 0x10c00008 (irq = 59) is a 16550A
No licenses installed...
Loading.. Please wait...Done!!!

Step 5 The setup mode prompts if you want to reset the admin password. Enter y. The "Resetting admin password to factory default" message appears. The VFW application deletes the Admin user password configuration from the startup-configuration and resets the password back to the factory default value of admin.

The boot process continues as normal and you are able to enter the admin password at the login prompt.


Upgrading the Firewall Software

After you upgrade the firewall software image to Cisco IOS XR Software Release 3.7.0 and later releases, you must perform the following task to delete any changed commands from the startup configuration.

SUMMARY STEPS

1. write memory all

2. exit

3. show services redundancy

4. hw-module location node-id reload

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

write memory all

Example:

firewall/Admin# write memory all

Saves the running-configuration file to the startup-configuration for all contexts.

Step 2 

exit

Example:

firewall/Admin# exit

RP/0/0/CPU0:router#

Exits the VFW application and returns to the MSB prompt.

Step 3 

show services redundancy

Example:

RP/0/0/CPU0:router# show services redundancy

Displays the location of the standby MSB in the Cisco XR 12000 Series Router. You need this information for the next step. See Examples for sample output.

Step 4 

hw-module location node-id reload

Example:

RP/0/0/CPU0:router# hw-module location 0/4/cpu0 reload

Reloads the standby MSB. Use the node-id value that was displayed in the output of Step 3.

Examples

The following example illustrates sample output from the show services redundancy command:

RP/0/0/CPU0:router# show services redundancy

Service type     Name                    Pref. Active        Pref. Standby
--------------------------------------------------------------------------------
Firewall         ctx1                    0/3/CPU0 Active     0/4/CPU0 Standby

Configuring Firewall Contexts

This task configures a firewall context and its interfaces in the VFW application. You must include this configuration (firewall context and interfaces) to complete the corresponding virtual firewall configuration in Cisco IOS XR software.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. context ctx1

3. end

4. changeto ctx1

5. configure

6. access-list acl1 line 10 extended permit ip any any

7. interface inside

8. no shutdown

9. access-group input acl1

10. interface outside

11. no shutdown

12. access-group input acl1

13. end


Note To create additional contexts, return to the admin prompt on the second core using the changeto admin command.


DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

context ctx1

Example:

firewall/Admin(config)# context ctx1

Creates a context called ctx1. You must use the same context name in the Cisco IOS XR virtual firewall configuration.

Note Use the show interface interface-name command within the EXEC mode in the VFW application to see the interface counters.

Step 3 

end

Example:

firewall/Admin(config-context)# end

Exits context configuration mode.

Step 4 

changeto ctx1

Example:

firewall/Admin# changeto ctx1

Accesses the ctx1 firewall context.

Step 5 

configure

Example:

firewall/ctx1# configure

Enters configuration mode for the ctx1 firewall context.

Step 6 

access-list acl1 line 10 extended permit ip any any

Example:

firewall/ctx1(config)# access-list acl1 line 10 extended permit ip any any

Configures an access control list that specifies the following:

Access-list identifier (acl1)

Line number at which the ACL entry should be entered (10)

Access-control for IP traffic through the system (extended)

Packets to forward (permit)

Internet Protocol (IP) includes all source addresses (any) and masks (any)

Refer to the "Configuring Security Access Control Lists on the Virtual Firewall" module for more information regarding creating access lists.

Step 7 

interface inside

Example:

firewall/ctx1(config)# interface inside

Creates the inside interface. You must use the same interface name in the Cisco IOS XR VFW configuration.

Step 8 

no shutdown

Example:

firewall/ctx1(config-if)# no shut

Specifies that the interface is not to be shut down.

Step 9 

access-group input acl1

Example:

firewall/ctx1(config-if)# access-group input acl1

Configures an access-list to be applied to the inside interface, including the inbound access list (input) and the name of the access list (acl1). Refer to the "Configuring Security Access Control Lists on the Virtual Firewall" module for more information on filtering using access lists.

Step 10 

interface outside

Example:

firewall/ctx1(config-if)# interface outside

Creates the outside interface. You must use the same interface name in the Cisco IOS XR VFW configuration.

Step 11 

no shutdown

Example:

firewall/ctx1(config-if)# no shut

Specifies that the interface is not to be shut down.

Step 12 

access-group input acl1

Example:

firewall/ctx1(config-if)# access-group input acl1

Configures an access-list to be applied to the outside interface, including the inbound access list (input) and the name of the access list (acl1).

Step 13 

end

Example:

firewall/ctx1(config-if)# end

Exits the configuration mode.

Examples

To access the VFW application, see Attaching to the VFW Application.

The following example shows how to configure firewall contexts and interfaces on the VFW application (see Configuring the VFW Application for summary steps and detailed steps):

firewall/Admin# configure 
firewall/Admin(config)# context ctx1 
firewall/Admin(config-context)# end 
firewall/Admin# changeto ctx1 
firewall/ctx1# configure 
firewall/ctx1(config)# access-list acl1 line 10 extended permit ip any any 
firewall/ctx1(config)# interface inside 
firewall/ctx1(config-if)# no shutdown 
firewall/ctx1(config-if)# access-group input acl1 
firewall/ctx1(config-if)# interface outside 
firewall/ctx1(config-if)# no shutdown 
firewall/ctx1(config-if)# access-group input acl1 

Attaching a VFW to an Interface

This task attaches a virtual firewall to an interface. Attaching a virtual firewall to an interface associates the Cisco IOS XR VFW configuration with the corresponding firewall configuration on the VFW application. To attach a VFW to a VASI interface, see Attaching a Virtual Firewall to a VASI Interface.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. interface type instance

3. firewall context-name firewall-interface vfw-interface-name

4. end
or
commit

5. show services firewall attachments

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface type instance

Example:

RP/0/0/CPU0:router(config)# interface pos 0/1/0/0

Specifies the Cisco IOS XR interface type and instance identifier.

Step 3 

firewall context-name firewall-interface vfw-interface-name

Example:

RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside

Specifies the firewall context name and the interface name on the VFW application.

Step 4 

end

or

commit

Example:

RP/0/0/CPU0:router(config-if)# end

or

RP/0/0/CPU0:router(config-if)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 5 

show services firewall attachments

Example:

RP/0/0/CPU0:router# show services firewall attachments

Provides the status of the firewall attachment. If the output does not display the status as Diverting, the firewall attachment is not operating properly. Refer to Troubleshooting Tips for additional information.

Troubleshooting Tips

If you use the show services firewall attachments command to determine if a firewall attachment is operating correctly, the output is one of the following:

Diverting

Invalid Input

No Output

Service Not Running

Ingress-Only

Processing Attachment

Diverting

If the status is displayed as Diverting, then the firewall attachment is operational:

RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
  POS0/1/0/0
      Firewall Name:      ctx1
      Firewall Interface: inside1
      State:              Diverting to 0/3/CPU0

Invalid Input

If an invalid input message is received, then the firewall PIE is probably not installed:

RP/0/0/CPU0:router# show services firewall attachments
                                             ^
% Invalid input detected at '^' marker.

Use the show install active summary command to double-check if the firewall PIE is installed:

RP/0/0/CPU0:router# show install active summary
  Active Packages:
    mem:c12k-firewall-3.3.80
    mem:c12k-mini-3.3.80

You must have the c12k-firewall entry installed to configure virtual firewalls. Any additional problems, such as not being able to ping the TFTP server or having an incompatible PIE, are probably not firewall-specific issues.

No Output

If the firewall attachment is not listed, then the firewall attachment configuration was not accepted:

RP/0/0/CPU0:router# show services firewall attachments
0 firewall attachment(s) configured

You must re-enter your firewall attachment configuration and watch for any error messages.

Service Not Running

If the Info column output indicates that the service is not running, then the firewall is not operational:

RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Drop
!     Info:               Service not running

Use the show services redundancy command to determine why the firewall is not operational. (See the "Troubleshooting Tips" section for additional information about this command.)

Ingress-Only

If the State column displays an ingress-only message, then the firewall attachment is operating correctly based on your configuration, but it also warns you that egress-diverted packets will be dropped:

RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Diverting to 0/3/CPU0 (ingress-only)
!     Info:               Default interface not configured

Use the default-interface-name command in your firewall configuration to eliminate the ingress-only setup. (See Examples for information on using this command.)

You can also inadvertently establish ingress-only mode if the firewall interface name you specify as the default is unknown by the MSB core, as indicated in the Info column:

RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Diverting to 0/3/CPU0 (ingress-only)
!     Info:               Configured default interface not recognized

The State and Info columns in the show services firewall attachments output indicate that ingress diversion is working as expected but egress diversion is not. To fix the problem, either correct the default-interface-name keyword in the Cisco IOS XR configuration for firewall ctx1, or add the default-interface-name keyword to the MSB core firewall policy for firewall ctx1.

Processing Attachment

If the Info column output displays Processing Attachment, then the attachment is propagating through the system and this is a temporary status:

RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside1
!     State:              Drop
!     Info:               Processing Attachment

If you run the show services firewall attachments command after a few seconds, the Processing Attachment message should be cleared.
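The decision rules in the Troubleshooting Tips above can be applied by a monitoring job rather than by eye. The following script is an added example and is not part of this guide or of Cisco IOS XR: it parses captured show services firewall attachments output and returns one verdict per attachment (ok, ingress-only, service-not-running, processing) or a single verdict for the whole output when the command is rejected or lists no attachments. The sample outputs are constructed to match the formats shown on this page.

```python
import re

# Constructed command outputs, modelled on the formats shown above.
OUTPUT_OK = """\
RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
  POS0/1/0/0
      Firewall Name:      ctx1
      Firewall Interface: inside
      State:              Diverting to 0/3/CPU0
"""
OUTPUT_INGRESS_ONLY = """\
RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside
!     State:              Diverting to 0/3/CPU0 (ingress-only)
!     Info:               Default interface not configured
"""
OUTPUT_NOT_RUNNING = """\
RP/0/0/CPU0:router# show services firewall attachments
1 firewall attachment(s) configured
! POS0/1/0/0
!     Firewall Name:      ctx1
!     Firewall Interface: inside
!     State:              Drop
!     Info:               Service not running
"""
OUTPUT_INVALID = """\
RP/0/0/CPU0:router# show services firewall attachments
                                             ^
% Invalid input detected at '^' marker.
"""
OUTPUT_NONE = """\
RP/0/0/CPU0:router# show services firewall attachments
0 firewall attachment(s) configured
"""

COUNT_RE = re.compile(r"^\s*(\d+) firewall attachment\(s\) configured")
# Interface lines look like "  POS0/1/0/0", or "! POS0/1/0/0" in failure states.
INTERFACE_RE = re.compile(r"^[!\s]*([A-Za-z]+\d+/\d+/\d+/\d+)\s*$")
FIELD_RE = re.compile(r"^[!\s]*(Firewall Name|Firewall Interface|State|Info):\s*(.*?)\s*$")


def parse_attachments(output):
    """Return (count, [attachment dicts]); count is None if the command was rejected."""
    if "% Invalid input" in output:
        return None, []
    count, attachments, current = 0, [], None
    for line in output.splitlines():
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = {"interface": m.group(1)}
            attachments.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return count, attachments


def classify(attachment):
    """Apply the Troubleshooting Tips decision rules to one attachment."""
    state = attachment.get("State", "")
    info = attachment.get("Info", "")
    if info == "Processing Attachment":
        return "processing"            # transient: re-run the command in a few seconds
    if info == "Service not running":
        return "service-not-running"   # check show services redundancy
    if state.startswith("Diverting"):
        if "(ingress-only)" in state:
            return "ingress-only"      # egress packets dropped: fix default-interface-name
        return "ok"
    return "unknown"


def assess(output):
    """Return [(interface, verdict)] for the whole command output."""
    count, attachments = parse_attachments(output)
    if count is None:
        return [("*", "invalid-input")]    # firewall PIE probably not installed
    if count == 0 or not attachments:
        return [("*", "no-attachments")]   # attachment configuration was not accepted
    return [(a["interface"], classify(a)) for a in attachments]
```

Anything other than ok should raise an alert; ingress-only is the one verdict where traffic still flows in one direction, so it is easy to miss if only the Diverting keyword is checked.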

Examples

The following example shows how to attach a virtual firewall to an interface to associate the Cisco IOS XR VFW configuration with the corresponding firewall configuration on the VFW application (see Attaching a VFW to an Interface for summary steps and detailed steps):

RP/0/0/CPU0:router# configure 
RP/0/0/CPU0:router(config)# interface POS 0/1/0/0 
RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside 
RP/0/0/CPU0:router(config-if)# commit 

You can then see the status of the attachment by using the show services firewall attachments command:

RP/0/0/CPU0:router# show services firewall attachments 
1 firewall attachment(s) configured
  POS0/1/0/0
      Firewall Name:      ctx1
      Firewall Interface: inside
      State:              Diverting to 0/3/CPU0

If the output does not display the status as Diverting, the firewall attachment is not operating properly. Refer to the "Troubleshooting Tips" section for additional information.
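Both the Configuring Firewall Contexts task and the Attaching a VFW to an Interface task require that the context name and interface name used on the router match the names created on the VFW application. The script below is an added example, not part of this guide or of Cisco software: it parses constructed copies of the two CLI sessions shown above (the VFW session from Configuring Firewall Contexts and the router session from this section) and reports any firewall attachment whose context or interface the VFW does not define, such as the inside1 versus inside mismatch that appears in the troubleshooting output.

```python
import re

# Constructed VFW session, copied from the firewall-context example above.
VFW_SESSION = """\
firewall/Admin# configure
firewall/Admin(config)# context ctx1
firewall/Admin(config-context)# end
firewall/Admin# changeto ctx1
firewall/ctx1# configure
firewall/ctx1(config)# access-list acl1 line 10 extended permit ip any any
firewall/ctx1(config)# interface inside
firewall/ctx1(config-if)# no shutdown
firewall/ctx1(config-if)# access-group input acl1
firewall/ctx1(config-if)# interface outside
firewall/ctx1(config-if)# no shutdown
firewall/ctx1(config-if)# access-group input acl1
"""

# Constructed router sessions: one correct, one with the typo 'inside1'.
XR_SESSION_OK = """\
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface POS 0/1/0/0
RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside
RP/0/0/CPU0:router(config-if)# commit
"""
XR_SESSION_BAD = XR_SESSION_OK.replace("firewall-interface inside", "firewall-interface inside1")

# firewall/<context>[(mode)]# <command>
VFW_PROMPT_RE = re.compile(r"^firewall/([^\s(#]+)(?:\([^)]*\))?#\s*(.*?)\s*$")
# RP/<node>:router[(mode)]# <command>
XR_PROMPT_RE = re.compile(r"^RP/\S+?#\s*(.*?)\s*$")


def parse_vfw_session(text):
    """Return {context: set(interface names)} declared in a VFW CLI session."""
    contexts = {}
    for line in text.splitlines():
        m = VFW_PROMPT_RE.match(line.strip())
        if not m:
            continue
        ctx, cmd = m.groups()
        words = cmd.split()
        if ctx == "Admin" and words[:1] == ["context"] and len(words) == 2:
            contexts.setdefault(words[1], set())           # Step 2: context ctx1
        elif ctx != "Admin" and words[:1] == ["interface"] and len(words) == 2:
            contexts.setdefault(ctx, set()).add(words[1])  # Steps 7 and 10
    return contexts


def parse_xr_session(text):
    """Return [(router interface, context, vfw interface)] attachments."""
    attachments, current_if = [], None
    for line in text.splitlines():
        m = XR_PROMPT_RE.match(line.strip())
        if not m:
            continue
        words = m.group(1).split()
        if words[:1] == ["interface"]:
            current_if = " ".join(words[1:])
        elif (len(words) == 4 and words[0] == "firewall"
              and words[2] == "firewall-interface" and current_if):
            attachments.append((current_if, words[1], words[3]))
    return attachments


def check_attachments(vfw_text, xr_text):
    """Return mismatch descriptions; an empty list means every name lines up."""
    contexts = parse_vfw_session(vfw_text)
    problems = []
    for xr_if, ctx, vfw_if in parse_xr_session(xr_text):
        if ctx not in contexts:
            problems.append(f"{xr_if}: context {ctx!r} is not defined on the VFW")
        elif vfw_if not in contexts[ctx]:
            problems.append(f"{xr_if}: interface {vfw_if!r} is not defined in context {ctx!r}")
    return problems
```

The check runs on session transcripts because the VFW prompt (firewall/Admin versus firewall/ctx1) is what tells you which context an interface command was entered in; a saved configuration file would need a different parser.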

Additional References

The following sections provide references related to firewall management interfaces.

Related Documents

Related Topic: Cisco IOS XR virtual firewall command syntax
Document Title: Virtual Firewall Commands on Cisco IOS XR Software module in Cisco IOS XR Virtual Firewall Command Reference

Related Topic: Virtual firewall interface command syntax
Document Title: Interface Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference

Related Topic: Virtual firewall context command syntax
Document Title: Virtualization Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference

Related Topic: Virtual firewall ACL command syntax
Document Title: Access Control List Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference


Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/techsupport