Service Module Configuration
(Services > Flows)
This chapter contains the following topics:
• Viewing Service Modules and VLAN Connections Using the Services Topology Map
• Viewing All VLANs and Interfaces Assigned to a Service Module
• Adding VLANs/Interfaces
• Adding VLAN/Interface Connections Between Service Modules
• Viewing and Configuring Virtual Firewalls (Contexts)
Viewing Service Modules and VLAN Connections Using the Services Topology Map
You can view a graphical display of all service modules and the VLANs that span across them by clicking Services at the top of the window and clicking Flows in the left-most pane. The Flows page displays the Services Topology map (see Figure 6-1).
Figure 6-1 Flows Page
Note: When CVDM-C6500 detects a firewall module that supports virtual firewalls (contexts) and you have provided the correct credentials, you will see a Module View tab and a Virtual Firewall View tab. The Services Topology map is displayed in the Module View tab. For more information on the Virtual Firewall View tab, see the "Viewing and Configuring Virtual Firewalls (Contexts)" section.
From the Services Topology map, you can do the following:
• View a graphical representation of all modules and VLANs that span across them:
  – Service modules are labeled and represented by various icons.
  – VLANs are labeled and represented by solid lines.
  – If there are more than five connecting VLANs, they are represented by one thick, solid line. To view the individual VLAN IDs for an aggregate VLAN, place your mouse over the thick line.
  – Service module icons and VLANs can be moved to get a better view of what is on your device.
• Easily identify and fix potential security holes. For example, you might see a VLAN directly connecting an MSFC icon and a CSM icon, thus bypassing a firewall. You can then use one of the service module wizards to fix the security hole. See "Service Module Setup Wizards" for more information on wizards.
• View information and perform tasks using one of the following menus:
  – Service Module Popup Menu—Assigns VLAN or starts the service module's device manager.
  – VLAN Connection Popup Menu—Edits or deletes the selected VLAN connection.
• View detailed information about ports and VLANs belonging to a selected service module. See the "Viewing All VLANs and Interfaces Assigned to a Service Module" section for more information.
• View all VLAN and interface information about the selected VLAN or service module in a tabular format (below the topology map). See the relevant service module section in "Service Module Setup."
• Zoom in, zoom out, and print the topology map by clicking on the magnifying glass and print icons.
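The firewall-bypass check described in the list above (a VLAN joining an MSFC to a CSM with no firewall in between) can also be run over a VLAN-to-module inventory. The following Python code is an added example, not part of CVDM-C6500 or the Cisco documentation; the module names, VLAN IDs and the `firewall_bypasses` helper are constructed for illustration, and it generalizes the direct-link case to any chain of VLANs that avoids every firewall module.

```python
from collections import defaultdict, deque

# Constructed sample inventory: VLAN ID -> modules attached to that VLAN.
SAMPLE_VLANS = {
    10: {"MSFC", "Firewall-3"},
    20: {"Firewall-3", "CSM-4"},
    30: {"CSM-4", "SSL-5"},
    99: {"MSFC", "CSM-4"},  # direct MSFC-to-CSM link that skips the firewall
}


def build_graph(vlans):
    """Map each module to the (neighbor, vlan_id) pairs it shares a VLAN with."""
    graph = defaultdict(set)
    for vlan_id, modules in vlans.items():
        for a in modules:
            for b in modules:
                if a != b:
                    graph[a].add((b, vlan_id))
    return graph


def firewall_bypasses(vlans, source="MSFC", protected=("CSM",)):
    """Return {module: [VLAN IDs]} for protected modules that the source
    reaches over a chain of VLANs containing no firewall module."""
    graph = build_graph(vlans)
    paths = {source: []}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for neighbor, vlan_id in sorted(graph[node]):
            if neighbor in paths or neighbor.startswith("Firewall"):
                continue  # already seen, or the hop is filtered by a firewall
            paths[neighbor] = paths[node] + [vlan_id]
            queue.append(neighbor)
    return {m: p for m, p in paths.items() if m.startswith(tuple(protected))}


if __name__ == "__main__":
    found = firewall_bypasses(SAMPLE_VLANS, protected=("CSM", "SSL"))
    for module, path in found.items():
        print(f"{module}: reachable from MSFC without a firewall via VLANs {path}")
```

Removing VLAN 99 from the sample inventory leaves the firewall module as the only route from the MSFC, and the function then returns an empty result.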
Nonrecommended Service Module Configurations
When CiscoView Device Manager discovers service module configurations on the switch that are not recognized as CVDM-C6500 recommended configurations, the Non-Recommended Configurations dialog box appears.
Step 1: Remove the module configurations that CVDM-C6500 lists in the Non-Recommended Configurations dialog box.
Step 2: Start one of the service module wizards. See "Service Module Setup Wizards" for more information on which wizard you should use.
Service Module Popup Menu
The service module popup menu allows you to quickly assign VLANs or start a service module's device manager.
Step 1: Click Services at the top of the window, then click Flows in the left-most pane.
Step 2: Right-click a service module icon from the Services Topology Map.
Step 3: Select one of the following options:

| Service Module | Menu Option | Description |
|---|---|---|
| Firewall | Launch Initial Setup | Starts the Firewall Blade Configuration Wizard to do basic configuration setup. See the "Configuring the Firewall Module" section for more information. |
| Firewall | Assign VLAN(s)... | Allows VLAN assignment to the firewall service module by creating VLAN groups. See the "VLAN Groups pane - root node selected" section for more information. |
| Firewall | Launch PDM... | Starts the PIX Device Manager. See the documentation that came with your firewall module for more information. |
| SSL | Assign VLAN(s)... | Allows VLAN assignment to the SSL service module. Check the Assigned checkbox corresponding to the VLAN that you want to assign to the SSL module. |
| SSL | Launch SSL Device Manager... | Starts the SSL Device Manager. See the documentation that came with your SSL module for more information. |
| CSM | Launch CSM Device Manager... | Starts the CSM Device Manager. See the documentation that came with your CSM module for more information. |
| VPN | Configure Crypto Connection... | Allows configuration of crypto connections. See the "Adding VPN Crypto Connections" section for more information. |

VLAN Connection Popup Menu
The VLAN connection popup menu allows you to quickly modify or delete a VLAN connection.
Step 1: Click Services at the top of the window, then click Flows in the left-most pane.
Step 2: Right-click a VLAN connection from the Services Topology Map or from the Virtual Firewall View tab. See "Viewing and Configuring Virtual Firewalls (Contexts)" for more information on the Virtual Firewall View.
Step 3: Select Edit... or Delete.... If deleting a VLAN connecting a firewall context, see the "Delete VLAN Connection Warning Dialog Box" section.
Step 4: Enter the appropriate information. For parameter descriptions, see the "VLAN Connection Parameters" section.
Delete VLAN Connection Warning Dialog Box
This dialog box appears if you are deleting a VLAN connecting a firewall context. Select one of the following:
• Delete VLAN link only for selected context—This option removes only this VLAN for the selected context.
• Delete VLAN links for all firewall contexts—This option deletes the selected VLAN link for all contexts.
Caution: Selecting the second option prevents traffic from flowing to all the contexts that share this VLAN.
Viewing All VLANs and Interfaces Assigned to a Service Module
Step 1: Click Services at the top of the window, then click Flows in the left-most pane.
Step 2: Double-click a service module icon from the Services Topology Map. A service module topology map appears (see Figure 6-2).
Figure 6-2 Service Module Topology Map Example
Step 3: You can do the following within this topology map:
• Click a ports cloud icon to view all ports associated with a VLAN. The following information is displayed in a table:

| Column | Description |
|---|---|
| Name | Name assigned to a port. |
| Admin Status | Administrative state of port. |
| Type | Indicates the port type. |

• Click on the magnifying glass or print icons to zoom in, zoom out, and print the topology map.
• Move service module icons and port cloud icons to get a better view of VLANs on your device.
Adding VLANs/Interfaces
You can add a VLAN/interface on a service module using the Services Topology Map. See also "Service Module Setup," for more information on creating VLANs/interfaces on service modules.
Step 1: Click Services at the top of the window, then click Flows in the left-most pane.
Step 2: Select a service module icon from the Services Topology Map. If you select a firewall module that supports contexts, you can select a context from the selector to view associated interface information. A table showing VLAN and interface information about the selected service module appears.
Step 3: Click Add....
Step 4: Enter the appropriate information.
Adding VLAN/Interface Connections Between Service Modules
Note: To add a new VLAN connection between service modules, you can draw a line between two service module icons using the Custom Wizard (see "Service Module Setup Wizards"). Alternatively, see the applicable service module section in "Service Module Setup."
Use this procedure if a VLAN connection between modules exists.
Step 1: Click Services at the top of the window, then click Flows in the left-most pane.
Step 2: Select an existing VLAN connection from the Services Topology Map. A table showing VLAN information appears.
Step 3: Click Add....
Step 4: Enter the appropriate information. See "VLAN Connection Parameters" for more information.
VLAN Connection Parameters
The VLAN Connection dialog appears when adding or modifying a VLAN connection between service modules.
Note:
• To delete a VLAN connection, select the VLAN and click Delete. You will be warned before deleting the connection. Click Yes to continue.
• When modifying or deleting aggregate VLANs, a table of VLANs appears instead. Select the VLAN you want to modify, then click Edit or Delete.
Table 6-1 VLAN Connection Parameters

| GUI Element | Action |
|---|---|
| Select VLAN | Click and then select one of the following: • Select VLAN: opens the VLAN Selector dialog box. • Create VLAN: opens the Create VLAN dialog box. Note: This option is only available when you are adding a VLAN connection. |
| MSFC: Slot X | |
| Interface | Enter the name for the interface. |
| IP Address | Enter the IP address of the VLAN on the interface. |
| Mask | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list. |
| Firewall: Slot X | |
| Context | Enter the context associated with this interface. Note that: • This field is displayed only when Multiple Mode is active. • New contexts can be created only after the admin context has first been created. |
| Interface | Enter a name for the interface. |
| IP Address | Enter the IP address of the VLAN on the interface. |
| Mask | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list. |
| Security Level (0-100) | Indicates the security level currently set for the interface. Higher values indicate higher security levels. |
| VLAN Group | Indicates the VLAN group associated with the selected VLAN. Click to open the Select VLAN Group window. |
| CSM: Slot X | |
| VLAN Type | Indicates what type of VLAN this is. By default, the value is set to client. |
| IP Address | Enter the IP address of the VLAN on the interface. |
| Subnet Mask | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list. |
| Alias IP Address | Enter the alias IP address of the VLAN on the interface. |
| VPN: Slot X | |
| Inside Port | Enter the inside port associated with the VPN. |
| Allowed VLAN | Enter the valid VLAN values for the VPN. |
| Crypto Map | Associate a crypto map with a VLAN. |
| SSL: Slot X | |
| Admin VLAN | Check this option if this is an admin VLAN. The admin VLAN is used for all management traffic. The system adds the default route through the gateway of the admin VLAN. |
| IP Address | Enter the IP address of the VLAN on the interface. |
| Subnet Mask | Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list. |
| Gateway | Gateway address of the VLAN. |

Viewing and Configuring Virtual Firewalls (Contexts)
You can partition a single firewall module into multiple virtual firewalls, also known as security contexts. Each context is an independent system, with its own configuration and policies. Multiple contexts are equivalent to having multiple standalone firewalls.
When CVDM-C6500 detects a firewall module that supports contexts and you have entered the correct credentials, a Module View tab and a Virtual Firewall View tab are displayed in the Flows page.
The Module View tab serves the same functionality as the Services Topology Map. The difference is its ability to display contexts when a firewall service module icon is selected. For more information on how to navigate the firewall module context selector, see the "Configuring Firewall Contexts" section.
The Virtual Firewall View tab lists all contexts within a firewall module and allows you to edit and configure context information. See "Viewing Contexts" for more information.
Note: You cannot create virtual firewalls using the Virtual Firewall View. To create virtual firewalls, see the "Configuring Firewall Contexts" section.
Viewing Contexts
Click Services at the top of the window, click Flows from the left-most pane, and then select the Virtual Firewall View tab to display the Virtual Firewall View.
From the Virtual Firewall View you can do the following:
• Visually trace VLAN connectivity between contexts and other service modules using the context topology map.
• Edit or delete a selected VLAN connection. See "VLAN Connection Popup Menu" for more information.
• View detailed information about contexts and VLANs belonging to a selected service module. See "Viewing All Contexts and VLANs Assigned to a Service Module" for more information.
• View VLAN and interface information on a selected context, service module, or VLAN connection in a tabular format (below the context topology map).
• Edit or add interfaces by clicking a firewall context from the selector or from the context topology map, selecting an interface from the Interfaces table, and clicking Add... or Edit.... For field descriptions, see the "Configuring Firewall Contexts" section.
• Move service module icons and VLANs to get a better view of what is on your device.
• Zoom in, zoom out, or print the topology map by clicking on the magnifying glass and print icons.
Viewing All Contexts and VLANs Assigned to a Service Module
Step 1: Click Services at the top of the window, click Flows from the left-most pane, and then select the Virtual Firewall View tab.
Note: The Virtual Firewall View tab appears only if you have provided the correct credentials and the firewall module supports contexts.
Step 2: Click a firewall context from the selector.
Step 3: Double-click a firewall context or service module icon from the context topology map.
Step 4: You can do the following within this context topology map:
• Click an interface cloud icon to view all VLANs associated with a context. The following information is displayed in a table:

| Column | Description |
|---|---|
| Name | Name assigned to the interface. |
| Admin Status | Administrative state of the interface. |
| Type | Indicates the interface type. |

• Click the magnifying glass or print icons to zoom in, zoom out, or print the topology map.
• Move service module icons and interface cloud icons to get a better view of VLANs on your device.
Viewing and Deleting Contexts on Shared VLANs
Step 1: Click Services at the top of the window, click Flows from the left-most pane, and then select the Virtual Firewall View tab.
Step 2: Right-click a firewall context icon from the topology map and select View Contexts on Shared VLANs. The List of Contexts on Shared VLAN dialog box appears. This dialog box displays a table of shared VLANs and a list of contexts belonging to each VLAN.
Step 3: (Optional) To remove a context configuration from a shared VLAN on the firewall interface, select a context and click Delete. To delete multiple contexts, press the Ctrl key as you select each context you want to delete.
Adding Interfaces to Virtual Firewalls
You can add interfaces from either the Virtual View tab or the firewall module interface overview page. For more information on how to add a virtual firewall interface from the firewall module interface page, see the "Adding a Firewall Module Interface" section.
Step 1: Click Services at the top of the window, click Flows from the left-most pane, and then select the Virtual Firewall View tab.
Step 2: Do one of the following:
• Click a firewall context icon from the topology map.
• Click a firewall context from the selector.
Step 3: Click Add below the Interface table. The Add Firewall Interface dialog box appears. For information on field descriptions, see the "Adding a Firewall Module Interface" section.
Modifying Interfaces on Virtual Firewalls
You can edit interfaces from either the Virtual View tab or the firewall module interface overview page. For more information on how to edit a virtual firewall interface from the firewall module interface page, see the "Editing a Firewall Module Interface" section.
Step 1: Click Services at the top of the window, click Flows from the left-most pane, and then select the Virtual Firewall View tab.
Step 2: Do one of the following:
• Click a firewall context icon from the topology map.
• Click a firewall context from the selector.
Step 3: Click Edit below the Interface table. The Edit Firewall Interface dialog box appears. For information on field descriptions, see the "Editing a Firewall Module Interface" section.