Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.8
Configuring VRF-Aware Service Infrastructure for the Virtual Firewall


Configuring VRF-Aware Service Infrastructure


This module describes how to configure VRF-Aware Service Infrastructure (VASI) on the multiservice blade (MSB). All configurations described in this module are done on the MSB in Cisco IOS XR software.

Feature History for Configuring VASI

Release        Modification
Release 3.5.0  This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0  No modification.
Release 3.7.0  No modification.
Release 3.8.0  No modification.


Contents

Information About VASI

How to Configure VASI with the Virtual Firewall

Configuration Examples for VASI

Additional References

Information About VASI

VRF-Aware Service Infrastructure (VASI) refers to the capability to use services, such as those that run on a multiservice blade (MSB), within different VPN routing and forwarding (VRF) instances. In particular, this document is concerned with the need to attach a virtual firewall (a particular instance of a service) to filter traffic traveling between two VRFs.

VASI interfaces are virtual interface pairs, where each interface in the pair is associated with a different VRF. Such a virtual interface is the next-hop interface for any packet that needs to be switched between these two VRFs (see Figure 16). The service, in this case the virtual firewall (VFW), can then be attached to these virtual interfaces. In this way, VASI interfaces provide the framework necessary to configure a VFW between VRF instances.

Figure 16 VASI Pair Interface

How to Configure VASI with the Virtual Firewall

This section contains the following tasks:

Enabling VASI

Defining a Static Route to a VASI Interface

Attaching a Virtual Firewall to a VASI Interface

Enabling VASI

This task provides the infrastructure to attach a virtual firewall to filter traffic that travels between two VRFs. You must enable VASI for each interface of the VASI pair (VASILeft and VASIRight).


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. interface {vasileft number | vasiright number}

3. vrf vrf-name

4. ipv4 address ip_address mask

5. service-location preferred-active node-id [preferred-standby node-id [auto-revert]]

6. end
or
commit

7. show interfaces {vasileft number | vasiright number}

8. show services vasi status

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface {vasileft number | vasiright number}

Example:

RP/0/0/CPU0:router(config)# interface vasileft 1

Specifies the VASI interface to configure.

Step 3 

vrf vrf-name

Example:

RP/0/0/CPU0:router(config-if)# vrf red

Sets the VRF where the interface operates.

Step 4 

ipv4 address ip_address mask

Example:

RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.171 255.255.255.0

Specifies the IPv4 address and mask of the interface as two four-part dotted-decimal values separated by a space.

Step 5 

service-location preferred-active node-id [preferred-standby node-id [auto-revert]]

Example:

RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert

Specifies both active and standby locations for the interface and provides a failure policy.

Use the preferred-active keyword to specify that the card in this location serves all traffic going through the interface. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the preferred-standby keyword to specify that if a card fails, the interface is served by the card in this location. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the auto-revert keyword to automatically revert to the preferred active location when possible.

Step 6 

end

or

commit

Example:

RP/0/0/CPU0:router(config-if)# end

or

RP/0/0/CPU0:router(config-if)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7 

show interfaces {vasileft number | vasiright number}

Example:

RP/0/0/CPU0:router# show interfaces vasileft 1

Provides the status of the VASI interface. If the output does not display the status as up, the VASI interface is not operating properly. Refer to Troubleshooting Tips for additional information.

Step 8 

show services vasi status

Example:

RP/0/0/CPU0:router# show services vasi status

Provides the status of the VASI interface pair. The output should provide a reason why the interface is not reported as up. Refer to Troubleshooting Tips for additional information.

Troubleshooting Tips

Use the show interfaces command to verify the status of the interface:

RP/0/0/CPU0:router# show interfaces vasileft 1
VASILeft1 is up, line protocol is up 
  Interface state transitions: 2
  Hardware is VASI Left interface(s)
  Internet address is 35.35.35.35/24
  MTU 9216 bytes, BW 10000000 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation vasi,  loopback not set,
RP/0/0/CPU0:router# show interfaces vasiright 1
VASIRight1 is up, line protocol is up 
  Interface state transitions: 2
  Hardware is VASI Right interface(s)
  Internet address is 36.36.36.36/24
  MTU 9216 bytes, BW 10000000 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation vasi,  loopback not set,

If you use the show services vasi status command to determine why the VASI interface is not up, the "Pair state" column can display the following conditions:

RP/0/0/CPU0:router# show services vasi status
Pair name  Active     Standby  LHS state    RHS state    Pair state          
---------- ---------- -------- ------------ ------------ ---------------
VASIPair1  0/1/CPU0   -        Up           Up           Up      
VASIPair2  -          -        Configured   Unconfigured Need VASIRight2     
VASIPair3  -          -        Configured   Configured   Need location 
VASIPair4  0/3/CPU0   -        Up           Admin Down   VASIRight4 Down 
VASIPair5  -          -        Configured   Configured   Card(s) not up 

If the "Pair state" column indicates:

Up
The VASIPair1 interface is operational.

Need VASIRight2
The VASILeft interface is configured, but the VASIRight interface or location is not configured.

Need location
VASIPair3 has VASILeft and VASIRight interfaces configured, but not a location. Reapply the location configuration and watch for errors.

VASIRight4 Down
VASIPair4 has both the VASILeft and VASIRight configured, and a location configured, but VASIRight has been forced down. Check the configuration and use the no shut command in the VASIRight interface submode.

Card(s) not up
VASIPair5 is fully configured, but the MSB where the service should be running is not in the "IOS XR RUN" state. Check the output of the show platform command and wait until the MSB is reported to be in the "IOS XR RUN" state.

Defining a Static Route to a VASI Interface

This task defines a static route to a VASI interface. You must use the router static vrf command for each VASI interface (vasileft and vasiright). For information regarding the commands in this task, refer to the Static Routing Commands on Cisco IOS XR Software module in Cisco IOS XR Routing Command Reference.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. router static

3. vrf vrf-name

4. address-family ipv4 unicast

5. ip_address mask {vasileft number | vasiright number}

6. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

router static

Example:

RP/0/0/CPU0:router(config)# router static

Specifies the static route configuration subcommands.

Step 3 

vrf vrf-name

Example:

RP/0/0/CPU0:router(config-static)# vrf red

Specifies the VRF static route configuration subcommands.

Step 4 

address-family ipv4 unicast

Example:

RP/0/0/CPU0:router(config-static-vrf)# address-family ipv4 unicast

Specifies the VRF static route address-family configuration subcommands (IPv4 unicast).

Step 5 

ip_address mask {vasileft number | vasiright number}

Example:

RP/0/0/CPU0:router(config-static-vrf-afi)# 20.1.0.0/16 VASILeft 1

Specifies the destination prefix in four-part dotted-decimal notation with length and includes the VASI interface (VASILeft or VASIRight).

Step 6 

end

or

commit

Example:

RP/0/0/CPU0:router(config-static-vrf-afi)# end

or

RP/0/0/CPU0:router(config-static-vrf-afi)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Attaching a Virtual Firewall to a VASI Interface

This task attaches a virtual firewall to a VASI interface. Attaching a VFW to a VASI interface associates the VFW configuration with the corresponding VASI configuration.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. interface {vasileft number | vasiright number}

3. firewall context-name firewall-interface vfw-interface-name

4. end
or
commit

5. show services firewall attachments

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface {vasileft number | vasiright number}

Example:

RP/0/0/CPU0:router(config)# interface vasileft 1

Specifies the VASI interface (left or right) to which the firewall is attached.

Step 3 

firewall context-name firewall-interface vfw-interface-name

Example:

RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside

Specifies the firewall context name and the interface name on the VFW application. The firewall context and interface are configured in the VFW application.

Step 4 

end

or

commit

Example:

RP/0/0/CPU0:router(config-if)# end

or

RP/0/0/CPU0:router(config-if)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 5 

show services firewall attachments

Example:

RP/0/0/CPU0:router# show services firewall attachments

Provides the status of the firewall attachment. If the output does not display the status as Diverting, the firewall attachment is not operating properly. Refer to the "Troubleshooting Tips" section for additional information.

Configuration Examples for VASI

This section provides the following configuration examples:

Enabling VASI: Example

Defining a Static Route to a VASI Interface: Example

Attaching a Virtual Firewall to a VASI Interface: Example

Enabling VASI: Example

The following example shows how to enable VASI. VASI must be enabled for each interface of the VASI pair (VASILeft and VASIRight). See the "Enabling VASI" section for configuration information.

RP/0/0/CPU0:router(config)# interface VASILeft1 
RP/0/0/CPU0:router(config-if)# vrf red 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.171 255.255.255.0 
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/3/CPU0 
RP/0/0/CPU0:router(config-if)# exit 
RP/0/0/CPU0:router(config)# interface VASIRight1 
RP/0/0/CPU0:router(config-if)# vrf green 
RP/0/0/CPU0:router(config-if)# ipv4 address 20.1.2.171 255.255.255.0 
RP/0/0/CPU0:router(config-if)# exit 

Defining a Static Route to a VASI Interface: Example

The following example shows how to define a static route to a VASI interface. A static route must be defined in the VRF of each VASI interface (VASILeft and VASIRight). See the "Defining a Static Route to a VASI Interface" section for configuration information.

RP/0/0/CPU0:router(config)# router static
RP/0/0/CPU0:router(config-static)# vrf red
RP/0/0/CPU0:router(config-static-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:router(config-static-vrf-afi)# 20.1.0.0/16 VASILeft1
RP/0/0/CPU0:router(config-static-vrf-afi)# exit
RP/0/0/CPU0:router(config-static-vrf)# exit
RP/0/0/CPU0:router(config-static)# vrf green
RP/0/0/CPU0:router(config-static-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:router(config-static-vrf-afi)# 10.1.0.0/16 VASIRight1

Attaching a Virtual Firewall to a VASI Interface: Example

The following example shows how to attach a virtual firewall to a VASI interface. See the "Attaching a Virtual Firewall to a VASI Interface" section for configuration information.

RP/0/0/CPU0:router(config)# interface VASILeft 1 
RP/0/0/CPU0:router(config-if)# vrf red 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.171 255.255.255.0 
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/3/CPU0 
RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside1 
RP/0/0/CPU0:router(config-if)# exit 
RP/0/0/CPU0:router(config)# interface VASIRight 1 
RP/0/0/CPU0:router(config-if)# vrf green 
RP/0/0/CPU0:router(config-if)# ipv4 address 20.1.2.171 255.255.255.0 
RP/0/0/CPU0:router(config-if)# exit 
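The three examples above are the pieces of one pair: both interfaces, a static route in each VRF, and the firewall attachment. As an added example that is not part of the Cisco guide, the following Python script checks a candidate configuration for the inconsistencies the Troubleshooting Tips describe (a VASILeft with no matching VASIRight, a pair with no service-location) together with the static-route and firewall steps of this module. The sample configuration is constructed in an assumed show running-config layout, the function names are this example's own, and the last finding rests on the assumption that a pair with routes but no firewall attachment still forwards between the two VRFs with nothing filtering the traffic.

```python
"""Pre-commit consistency check for VASI pair configuration.

Added example, not part of the Cisco guide. The constructed sample uses an
assumed show-running-config layout; the checks mirror the pair states in the
guide's Troubleshooting Tips plus its static-route and firewall steps.
"""
import re

# Constructed sample: pair 1 is complete, pair 2 lacks VASIRight2, and
# pair 3 has both sides but no location, no routes and no firewall.
SAMPLE_CONFIG = """\
interface VASILeft1
 vrf red
 ipv4 address 10.1.2.171 255.255.255.0
 service-location preferred-active 0/3/CPU0
 firewall ctx1 firewall-interface inside1
!
interface VASIRight1
 vrf green
 ipv4 address 20.1.2.171 255.255.255.0
!
interface VASILeft2
 vrf red
!
interface VASILeft3
 vrf blue
!
interface VASIRight3
 vrf orange
!
router static
 vrf red
  address-family ipv4 unicast
   20.1.0.0/16 VASILeft1
 !
 vrf green
  address-family ipv4 unicast
   10.1.0.0/16 VASIRight1
 !
!
"""

IFACE_RE = re.compile(r"^interface\s+VASI(Left|Right)\s*(\d+)$", re.IGNORECASE)
ROUTE_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+\s+VASI(Left|Right)\s*(\d+)$", re.IGNORECASE)


def _name(m):
    """Normalise 'vasileft 1' or 'VASILeft1' to the canonical 'VASILeft1'."""
    return f"VASI{m.group(1).capitalize()}{m.group(2)}"


def parse_config(text):
    """Return (interfaces, routes): interfaces maps 'VASILeft1' to its attributes,
    routes maps a VRF name to the set of VASI interfaces its static routes use."""
    interfaces, routes = {}, {}
    section = None  # ("iface", name) or ("static", vrf-or-None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            m = IFACE_RE.match(line)
            section = ("iface", _name(m)) if m else None  # non-VASI interfaces are ignored
            if m:
                interfaces[_name(m)] = {"num": int(m.group(2))}
        elif line == "router static":
            section = ("static", None)
        elif section and section[0] == "iface":
            words, attrs = line.split(), interfaces[section[1]]
            if words[0] == "vrf":
                attrs["vrf"] = words[1]
            elif words[0] == "service-location":
                attrs["location"] = words[2]
            elif words[0] == "firewall":
                attrs["firewall"] = words[1]
        elif section and section[0] == "static":
            if line.startswith("vrf "):
                section = ("static", line.split()[1])
            elif section[1] and (m := ROUTE_RE.match(line)):
                routes.setdefault(section[1], set()).add(_name(m))
    return interfaces, routes


def lint_vasi(text):
    """Return a list of findings; an empty list means every pair looks consistent."""
    ifaces, routes = parse_config(text)
    findings = []
    for n in sorted({a["num"] for a in ifaces.values()}):
        pair, sides = f"VASIPair{n}", {}
        for side in ("Left", "Right"):
            sides[side] = ifaces.get(f"VASI{side}{n}")
            if sides[side] is None:
                findings.append(f"{pair}: missing VASI{side}{n}")
        if None in sides.values():
            continue
        vrfs = [s.get("vrf") for s in sides.values()]
        if not all(vrfs) or vrfs[0] == vrfs[1]:
            findings.append(f"{pair}: each side must be in a different VRF")
        if not any(s.get("location") for s in sides.values()):
            findings.append(f"{pair}: no service-location (would report 'Need location')")
        for side, attrs in sides.items():
            if f"VASI{side}{n}" not in routes.get(attrs.get("vrf"), set()):
                findings.append(f"{pair}: no static route in vrf {attrs.get('vrf')} via VASI{side}{n}")
        if not any(s.get("firewall") for s in sides.values()):
            # Assumption: a routed pair with no attachment forwards between the VRFs unfiltered.
            findings.append(f"{pair}: no firewall attached, inter-VRF traffic would be unfiltered")
    return findings
```

Feed lint_vasi the text you intend to commit; the routes check reads the router static block only, so a pair whose reachability comes from a dynamic protocol will show the static-route finding and needs a manual look instead.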

Additional References

The following sections provide references related to VASI interfaces.

Related Documents

Related Topic: Document Title

Cisco IOS XR virtual firewall command syntax: Virtual Firewall Commands on Cisco IOS XR Software module in Cisco IOS XR Virtual Firewall Command Reference

VRF-aware service infrastructure command syntax: VASI Commands on Cisco IOS XR Software module in Cisco IOS XR MPLS Command Reference

Static routing command syntax: Static Routing Commands on Cisco IOS XR Software module in Cisco IOS XR Routing Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport