Table Of Contents

Service Module Setup Wizards

Which Wizard Should I Use?

Firewall-Inside Scenario

Firewall-Outside Scenario

Firewall-Inside and CSM Scenario

Firewall-Outside and CSM Scenario

VPN-Outside Scenario

VPN-Firewall Scenario

MSFC-CSM Scenario

Wireless-Firewall Scenario

Custom Scenario

Using the Firewall-Inside Setup Wizard

Selecting a Service Module

Configuring the Core Network Connection

Configuring the MSFC-Firewall VLAN

Configuring the Inside Network Connection

Summary

Delivering the Configuration to the Switch/Module

Using the Firewall-Outside Setup Wizard

Selecting a Service Module

Configuring the Internet Connection

Configuring the Firewall-MSFC VLAN

Configuring the Inside Network Connection

Configuring the Core Network Connection

Summary

Delivering the Configuration to the Switch/Module

Using the Firewall-Inside and CSM Setup Wizard

Selecting a Service Module

Configuring the Core Network Connection

Configuring the MSFC-Firewall VLAN

Configuring the Firewall-CSM VLAN

Configuring the Server Farm Connection

Summary

Delivering the Configuration to the Switch/Module

Using the Firewall-Outside and CSM Setup Wizard

Selecting a Service Module

Configuring the Internet Connection

Configuring the Firewall-MSFC VLAN

Configuring the Firewall-CSM VLAN

Configuring the Server Farm Connection

Configuring the Core Network Connection

Summary

Delivering the Configuration to the Switch/Module

Using the VPN-Outside Setup Wizard

Selecting a Service Module

Configuring the Remote Site Connection

Configuring the VPN-MSFC VLAN

Configuring the MSFC-Firewall VLAN

Configuring the Inside Network Connection

Summary

Delivering the Configuration to the Switch/Module

Using the VPN-Firewall Setup Wizard

Selecting a Service Module

Configuring the Remote Site Connection

Configuring the VPN-MSFC VLAN

Configuring the Internet Connection

Configuring the Firewall-MSFC VLAN

Configuring the Core Network Connection

Summary

Delivering the Configuration to the Switch/Module

Using the MSFC-CSM Setup Wizard

Selecting a Service Module

Configuring the Core Network Connection

Configuring the MSFC-CSM VLAN

Configuring the Server Farm Connection

Summary

Delivering the Configuration to the Switch/Module

Using the Wireless-Firewall Setup Wizard

Selecting a Service Module

Configuring the Wireless Network Connection

Configuring the Wireless Network

Configuring the VRF-Firewall VLAN

Configuring the Firewall-MSFC VLAN

Configuring the Core Network Connection

Summary

Delivering the Configuration to the Switch/Module

Service Module Setup Wizards

---

CVDM-C6500 provides seven wizards that simplify the process of service module setup. Each wizard is tailored for one of the various scenarios that network administrators face when setting up service modules.

This section contains the following topics:

•Which Wizard Should I Use?

•Using the Firewall-Inside Setup Wizard

•Using the Firewall-Outside Setup Wizard

•Using the Firewall-Inside and CSM Setup Wizard

•Using the Firewall-Outside and CSM Setup Wizard

•Using the VPN-Outside Setup Wizard

•Using the VPN-Firewall Setup Wizard

•Using the MSFC-CSM Setup Wizard

•Using the Wireless-Firewall Setup Wizard

If none of these scenarios is applicable, CVDM-C6500 also provides a custom setup page from which you can establish VLAN connectivity between modules. See Custom Scenario for more information.

Which Wizard Should I Use?

After reading the following descriptions, determine which wizard best suits your application and refer to the information for that wizard.

Firewall-Inside Scenario

This scenario is typically used in the intranet data center. Placing the MSFC outside the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) makes it possible for the MSFC to perform routing toward the core. The FWSM provides routing to the border routers and the demilitarized zone (DMZ).

Before you launch the Firewall-Inside setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials and then enter the appropriate information.

To access this wizard, click Services at the top of the window, click Setup from the left-most pane, select Firewall-Inside from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Inside Setup Wizard for more information.

Firewall-Outside Scenario

This scenario is typically used in the Internet data center. Placing the Catalyst 6500 Series Firewall Services Module (FWSM) outside the MSFC allows the MSFC to face the core.

Before you launch the Firewall-Outside setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials and then enter the appropriate information.

To access this wizard, click Services at the top of the window, click Setup from the left-most pane, select Firewall-Outside from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Outside Setup Wizard for more information.

Firewall-Inside and CSM Scenario

This scenario is typically used in the intranet data center. Placing the MSFC outside the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) means that the MSFC faces the core. In this design, the default gateway for the servers is either the FWSM or the Content Switching Module (CSM).

Before you launch the Firewall-Inside and CSM setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials and then enter the appropriate information.

To access this wizard, click Services at the top of the window, click Setup from the left-most pane, select Firewall-Inside_CSM from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Inside and CSM Setup Wizard for more information.

Firewall-Outside and CSM Scenario

This scenario is typically used in the Internet data center. Placing the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) outside the MSFC means that the MSFC performs routing toward the core. The FWSM performs routing toward the border routers and the demilitarized zone (DMZ).

Before you launch the Firewall-Outside and CSM setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials and then enter the appropriate information.

To access this wizard, click Services at the top of the window, click Setup from the left-most pane, select Firewall-Outside_CSM from the list of setup templates, and click Launch Setup Wizard. See Using the Firewall-Outside and CSM Setup Wizard for more information.

VPN-Outside Scenario

This scenario is used when the Cisco 7600/Catalyst 6500 IPSec VPN Services Module (VPNSM) serves as the headend VPN termination platform for either remote access or enterprise customers. The VPN and Firewall Services Modules protect the internal and demilitarized zone (DMZ) networks.

To access the VPN-Outside setup wizard, click Services at the top of the window, click Setup from the left-most pane, select VPN-Outside from the list of setup templates, and click Launch Setup Wizard. See Using the VPN-Outside Setup Wizard for more information.

VPN-Firewall Scenario

This scenario is typically used to terminate secure connections from remote offices and telecommuters while providing the firewall function to external users accessing an Internet server farm. The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) is used to apply firewall policies to untrusted clients while the Cisco 7600/Catalyst 6500 IPSec VPN Services Module provides secure access to the internal network.

Before you launch the VPN-Firewall setup wizard, you must first enter the credentials for the firewall module. To do so, select Edit > Credentials and then enter the appropriate information.

To access this wizard, click Services at the top of the window, click Setup from the left-most pane, select VPN-Firewall from the list of setup templates, and click Launch Setup Wizard. See Using the VPN-Firewall Setup Wizard for more information.

MSFC-CSM Scenario

This scenario configures connectivity between the MSFC and Content Switching Module (CSM). The CSM provides load-balancing services for the server farm.

To access the MSFC-CSM setup wizard, click Services at the top of the window, click Setup from the left-most pane, select MSFC-CSM from the list of setup templates, and click Launch Setup Wizard. See Using the MSFC-CSM Setup Wizard for more information.

Wireless-Firewall Scenario

This scenario secures wireless access to the core network. Placing the tunnel interface for each mobility group within a dedicated Virtual Routing and Forwarding (VRF) instance provides an efficient way to separate the wireless traffic and to force it through a firewall before allowing access to the core network.

To access the Wireless-Firewall setup wizard, click Services at the top of the window, click Setup from the left-most pane, select Wireless-Firewall from the list of setup templates, and click Launch Setup Wizard. See Using the Wireless-Firewall Setup Wizard for more information.

Custom Scenario

If none of the seven setup wizards suits your application, you can establish VLAN connectivity between modules on the Custom setup page (see Figure 8-1).

Figure 8-1 Custom Setup Page

---

Step 1 Click Services at the top of the window, click Setup from the left-most pane, and select Custom from the list of setup templates. The Custom setup page appears.

Step 2 Click to enable the line drawing tool.

Step 3 With the cursor over a module icon, click and drag the cursor over to the icon of the module you want to connect with. The Add VLAN Connection dialog box appears.

Step 4 Configure the appropriate settings in the Add VLAN Connection dialog box and then click OK. See VLAN Connection Parameters for more information.

---

The following table describes the toolbar found on this page.

GUI Element	Action
	Click to zoom in on the current view.
	Click to zoom out of the current view.
	Click to print the current view.
	After configuring a VLAN, click to enter module selection mode. You can now select a module icon and move it anywhere in the view.
	Click to disable the movement of module icons.
	Click to enter VLAN creation mode.

Note the following when using the Custom setup page:

•A VLAN connection between the following modules is invalid:

–SSL Services Module and VPN

–FWSM and SSL Services Module

–CSM and VPN

–FWSM and VPN

•Only a FWSM-to-FWSM connection is supported for sandwich configuration.

•You can right-click a VLAN to either edit or delete it.

Using the Firewall-Inside Setup Wizard

The wizard consists of three steps:

1. (Optional) Configure the connection to the core network.

2. Configure a VLAN to transfer data between the MSFC and firewall.

3. (Optional) Assign switch ports to the VLAN associated with the firewall's inside network.

Step 2 is the only mandatory step in the wizard. However, to enable the pinging of traffic from the core network to the inside network, you must complete all of the steps.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

After you launch the setup wizard, CVDM-C6500 checks for the presence of two or more modules of the same type on your device. If multiple instances of the same module type are found, then the Service Blade Selection page appears. For every module type that has more than one instance installed, select from the list the module that you want the wizard to configure.

Click Next to proceed to the next page of the setup wizard.

Configuring the Core Network Connection

To configure the connection to the core network, enter the information specified in Table 8-1.

---

Note This step is optional. To proceed to the next page of the wizard, click Next.

---

Table 8-1 Core Network Connection Configuration: GUI Reference 

GUI Element	Action
Connection Mode radio button	Select the appropriate port connection mode in this field. By default, Routed mode is selected.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane1
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
SVI on MSFC pane1
IP Address field	Enter the IP address of the Switched Virtual Interface (SVI).
Mask field	Enter the subnet mask that corresponds to the SVI's IP address. You can either type a value or select a value from the list.

1 Available only in Access and Trunk port connection modes.

Routed Port Details

This dialog box appears anytime you add a port to the Selected Ports column that does not have an IP address and subnet mask specified.

Table 8-2 Routed Port Details: GUI Reference

GUI Element	Action/Description
Port Name field	Name of the selected port.
IP Address field	Enter the IP address of the port you want to add to the Selected Ports column.
Net Mask field	Enter the subnet mask to which the port's IP address belongs. You can either type a value or select a value from the list.

Configuring the MSFC-Firewall VLAN

To configure the VLAN connection between the MSFC and firewall modules, enter the information specified in Table 8-3.

Table 8-3 MSFC-Firewall VLAN Configuration: GUI Reference 

GUI Element	Action/Description
VLAN Connecting MSFC and Firewall list	Specify the VLAN that connects the MSFC and firewall modules. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
MSFC: Slot X pane
Interface field	Enter the name for this interface.
IP Address field1	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Firewall: Slot X pane
Context list	Enter the context associated with this interface. Click and then select one of the following: •Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context for more information. •Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context for more information. Note the following: •This field is displayed only when Multiple Mode is active for the firewall module. •New contexts can be created only after the Admin context has first been created. For more information, see Security Context Overview.
Interface field	Enter a name for this interface, making sure that it is not the name of an interface that is already configured on this device.
IP Address field1	Enter the IP address of the VLAN on this interface. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this in an outside interface.
VLAN Group field	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.
Gateway pane
Use MSFC as Default Gateway radio button	Select to set the MSFC as the default gateway. To specify a module other than the MSFC as the default gateway, select the Gateway radio button.
Gateway radio button	Select and then enter the IP address of the default gateway.

1 Make sure that these IP addresses belong to the same subnet mask.

Select VLAN Group

This dialog box lists the VLAN groups that are configured on the device, as well as the VLANs associated with each group.

Table 8-4 Select VLAN Group: GUI Reference

GUI Element	Description
VLAN Group column	Indicates the numerical identifier assigned to a VLAN group.
VLANs column	Indicates the VLANs that belong to a particular VLAN group.
Assigned column	When checked, indicates that this VLAN group is assigned to the firewall.

Select Firewall Context

This dialog box lists the contexts that are configured on the module. Select a context and then click OK to proceed.

Table 8-5 Select Firewall Context: GUI Reference

GUI Element	Description
Context column	Indicates the name of a context.
Description column	Provides the description of a context.
Config URL column	Indicates the configuration URL for a context.

Create Firewall Context

In this dialog box, you can create a firewall context on a module. Enter the information specified in Table 8-6 and then click OK to proceed.

Table 8-6 Create Firewall Context: GUI Reference 

GUI Element	Action
Name field	Enter the name of the context.
Description field	Enter a description of the context.
Config URL field	Enter the configuration URL for the context. You can download a context from either a server (FTP, TFTP, HTTP, or HTTPS) or the local disk. The URL syntax for each is as follows: •server type://server/path/filename •disk://path/filename where server type is the type of server, server is the IP address of the appropriate server, path is the directory that contains the context file, and filename is the name of the context file. Please note the following: •The URL you specify must be accessible from the Admin context. •The Admin context file must be stored on the local disk. •It is recommended that you append the context filename with the .cfg extension.

Configuring the Inside Network Connection

To configure the connection to the inside network, enter the information specified in Table 8-7.

---

Note This step is optional. To proceed to the next page of the wizard, click Next.

---

Table 8-7 Inside Network Connection Configuration: GUI Reference 

GUI Element	Action/Description
Connection Mode radio button	Select the appropriate port connection mode.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
Firewall Interface pane
Context field	Name of the selected context.
Interface field	Enter a name for this interface.
IP Address field	Enter the IP address of the VLAN on this interface. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level (0-100) field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this in an outside interface.
VLAN Group list	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.
Permit ping traffic from Core to inside network check box	Check to enable the pinging of traffic from the core network to the inside network.

Summary

From this page, you can view a summary of the settings entered for the service modules configured by this wizard. You have the option of delivering the corresponding CLI commands to the device by clicking Finish. To enable this option:

---

Step 1 Select Edit > Preferences.... The Preferences dialog box appears.

Step 2 Select the Show CLI Preview for Wizards check box.

---

For more information on this option, see Editing Preferences.

Delivering the Configuration to the Switch/Module

From this page, you can view the CLI commands (which reflect the settings entered in this wizard) that will be delivered to the device. There could be some undelivered CLI commands from the last time this wizard was used. In this case, you will be informed that the CLI commands displayed in this window are a combination of commands generated by the wizard and commands generated in another session.

After completing the wizard, the graphical view is updated to display the newly configured VLANs. You can now configure new VLANs directly from this view. See Custom Scenario for a description of the corresponding toolbar.

Table 8-8 Configuration Delivery: GUI Reference

GUI Element	Action
Deliver button	Click to send the CLI commands generated by this wizard immediately.
Deliver Later button	Click to send the CLI commands generated by this wizard at a later time.
Save to File button	Click to save the CLI commands generated by this wizard as a text file.

Using the Firewall-Outside Setup Wizard

The wizard consists of four steps:

1. (Optional) Configure the connection to the Internet.

2. Assign a VLAN to transfer data between the firewall and the MSFC.

3. (Optional) Assign switch ports to the VLAN associated with the firewall's inside network.

4. (Optional) Assign switch ports to the VLAN associated with the core network.

Step 2 is the only mandatory step in the wizard.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Internet Connection

To configure the connection to the Internet, enter the information specified in Table 8-9.

---

Note This step is optional. To proceed to the next page of the wizard, click Next.

---

Table 8-9 Internet Connection Configuration: GUI Reference 

GUI Element	Action/Description
Connection Mode radio button	Select the appropriate port connection mode.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
Firewall Interface pane
Context list	Enter the context associated with this interface. Click and then select one of the following: •Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context for more information. •Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context for more information. Note the following: •This field is displayed only when Multiple Mode is active. •New contexts can be created only after the Admin context has first been created. For more information, see Security Context Overview.
Interface field	Enter a name for this interface.
IP Address field	Enter the IP address of the VLAN on this interface. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this in an outside interface.
VLAN Group list	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.

Configuring the Firewall-MSFC VLAN

To configure the VLAN connection between the firewall and MSFC modules, enter the information specified in Table 8-10.

Table 8-10 Firewall/MSFC VLAN Configuration: GUI Reference 

GUI Element	Action/Description
VLAN Connecting Firewall and MSFC list	Specify the VLAN that connects the firewall and MSFC modules. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
Firewall: Slot X pane
Context list	Enter the context associated with this interface. Click and then select one of the following: •Select Context—Opens the Select Firewall Context dialog box. See Select Firewall Context for more information. •Create Context—Opens the Create Firewall Context dialog box. See Create Firewall Context for more information. Note the following: •This field is displayed only when Multiple Mode is active. •New contexts can be created only after the Admin context has first been created. For more information, see Security Context Overview.
Interface field	Enter a name for this interface, making sure that it is not the name of an interface that is already configured on the device.
IP Address field1	Enter the IP address of the VLAN on this interface. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level (0-100) field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this is an outside interface.
VLAN Group list	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.
MSFC: Slot X pane
Interface field	Enter the name for this interface.
IP Address field1	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.

1 Make sure that these IP addresses belong to the same subnet mask.

Configuring the Inside Network Connection

See Configuring the Inside Network Connection.

Configuring the Core Network Connection

To configure the connection to the core network, enter the information specified in Table 8-11.

---

Note This step is optional. To proceed to the next page of the wizard, click Next.

---

Table 8-11 Core Network Connection Configuration: GUI Reference 

GUI Element	Action
Connection Mode radio button	Select the appropriate port connection mode in this field. By default, Routed mode is selected.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane1
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
SVI on MSFC pane1
IP Address field	Enter the IP address of the Switched Virtual Interface (SVI).
Mask field	Enter the subnet mask that corresponds to the SVI's IP address. You can either type a value or select a value from the list.

1 Available only in Access and Trunk port connection modes.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the Firewall-Inside and CSM Setup Wizard

The wizard consists of four steps:

1. (Optional) Configure the connection to the core network.

2. Assign a VLAN to transfer data between the MSFC and the firewall.

3. Assign a VLAN to transfer data between the firewall and the CSM.

4. (Optional) Specify a server VLAN on the CSM and assign ports to that VLAN for server farm access.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Core Network Connection

See Configuring the Core Network Connection.

Configuring the MSFC-Firewall VLAN

See Configuring the MSFC-Firewall VLAN.

Configuring the Firewall-CSM VLAN

To configure the VLAN connection between the firewall and Content Switching Modules, enter the information specified in Table 8-12.

Table 8-12 Firewall-CSM VLAN Configuration: GUI Reference 

GUI Element	Action/Description
VLAN Connecting Firewall and CSM list	Specify the VLAN that connects the firewall and CSM modules. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
Firewall: Slot X pane
Context field	Name of the selected context.
Interface field	Enter a name for this interface, making sure that it is not the name of an interface that is already configured on this device.
IP Address field	Enter the IP address of the VLAN on this interface. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level (0-100) field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this in an outside interface.
VLAN Group list	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.
CSM: Slot X pane
VLAN Type field	Indicates what type of VLAN this is. By default, this value is set to client.
IP Address field	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Alias IP Address field	Enter the alias IP address of the VLAN on this interface.
Gateway pane
Use Firewall as Default Gateway radio button	Select to set the firewall as the default gateway.
Gateway radio button	Select and then enter the IP address of the appropriate gateway.
Add Virtual Server button	Click to open the Add Virtual Server dialog box. See Adding a Virtual Server for more information.

Adding a Virtual Server

In the Add Virtual Server dialog box, you can configure the settings for a virtual server and server farm. To do so, enter the information specified in Table 8-13.

Table 8-13 Add Virtual Server: GUI Reference 

GUI Element	Action/Description
Virtual Server Details pane
Virtual Server Name field	Enter the name of the virtual server.
VIP Address field	Enter the IP address of the virtual server. Make sure that this address belongs to the same subnet as the VLAN connecting the firewall and content switching modules.
Protocol list	Click the drop-down arrow and then select one of the following protocols for the virtual server: •tcp •udp •any
Port field	Enter the number of the port associated with the virtual server. Note If you plan to use this port for Internet access, enter the value 80 here.
NAT VIP through Firewall pane
External IP field	Enter the external IP address of the virtual server. Make sure that this address belongs to the same subnet as the VLAN connecting the MSFC and firewall modules.
Server Farm pane
Server Farm Name field	Enter the name of the server farm.
Real Servers pane
IP Address column	Indicates the IP address of the real server.
In Service column	Indicates whether the real server should be put into service.
Add button	Click to add a real server to the Real Servers table. When prompted, enter the appropriate IP address and then click OK.
Delete button	Click to remove the selected real server from the Real Servers table.

Configuring the Server Farm Connection

To configure the connection to the server farm, enter the information specified in Table 8-14.

Table 8-14 Server Farm Connection Configuration: GUI Reference 

GUI Element	Action/Description
Connection Mode radio button	Select the appropriate port connection mode in this field.
Ports Selector	Select the ports you want to add to the VLAN specified in the VLAN field. See Port Selector for more information.
Configure VLAN for Selected Ports pane
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
Server VLAN Interface on CSM pane
VLAN Type field	Indicates whether the VLAN is a client or server. By default, this value is set to server.
IP Address field	Enter the IP address of the server VLAN on the CSM.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Alias IP Address field	Enter the alias IP address of the server VLAN on the CSM.
Gateway field	Enter the gateway associated with the server VLAN.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the Firewall-Outside and CSM Setup Wizard

The wizard consists of five steps:

1. (Optional) Configure the connection to the Internet.

2. Assign a VLAN to transfer data between the firewall and the MSFC.

3. Assign a VLAN to transfer data between the firewall and the CSM.

4. (Optional) Specify a server VLAN on the CSM and assign ports to that VLAN for server farm access.

5. (Optional) Assign switch ports to the VLAN associated with the core network.

Steps 2 and 3 are the only mandatory steps in the wizard.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Internet Connection

See Configuring the Internet Connection.

Configuring the Firewall-MSFC VLAN

See Configuring the Firewall-MSFC VLAN.

Configuring the Firewall-CSM VLAN

See Configuring the Firewall-CSM VLAN.

Configuring the Server Farm Connection

See Configuring the Server Farm Connection

Configuring the Core Network Connection

See Configuring the Core Network Connection.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the VPN-Outside Setup Wizard

The wizard consists of four steps:

1. Configure the connection to the remote site.

2. Configure a VLAN that connects the VPN module and the MSFC.

3. Assign a VLAN to transfer data between the MSFC and the firewall.

4. (Optional) Assign switch ports to the VLAN associated with the firewall's inside network.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Remote Site Connection

To configure the connection to a remote site, enter the information specified in Table 8-15.

Table 8-15 Remote Site Connection Configuration: GUI Reference 

GUI Element	Action
Connection Mode radio button	Select the appropriate port connection mode.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.

Configuring the VPN-MSFC VLAN

To configure the VLAN connection between the VPN and MSFC modules, enter the information specified in Table 8-16.

Table 8-16 VPN-MSFC VLAN Configuration: GUI Reference 

GUI Element	Action
VLAN Connecting VPN and MSFC list	Specify the VLAN that connects the VPN and MSFC modules. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
VPN: Slot X pane
Inside Port field	Enter the inside port associated with the VPN.
Allowed VLAN field	Enter the valid VLAN values for the VPN.
Crypto Map list	Select the crypto map to be associated with the VPN-MSFC VLAN. Click and then select one of the following: •Select Crypto Map—Opens the Select Crypto Map dialog box. Select a crypto map from the list and then click OK. •Clear Selection—Clears the crypto map specified in this field.
MSFC: Slot X pane
IP Address field	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.

Configuring the MSFC-Firewall VLAN

See Configuring the MSFC-Firewall VLAN.

Configuring the Inside Network Connection

See Configuring the Inside Network Connection.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the VPN-Firewall Setup Wizard

The wizard consists of five steps:

1. Configure the connection to the remote site.

2. Assign a VLAN to transfer data between the VPN module and the MSFC.

3. (Optional) Configure the connection to the Internet.

4. Assign a VLAN to transfer data between the firewall and the MSFC.

5. (Optional) Assign switch ports to the VLAN associated with the MSFC's inside network.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Remote Site Connection

See Configuring the Remote Site Connection.

Configuring the VPN-MSFC VLAN

See Configuring the VPN-MSFC VLAN.

Configuring the Internet Connection

See Configuring the Internet Connection.

Configuring the Firewall-MSFC VLAN

See Configuring the Firewall-MSFC VLAN.

Configuring the Core Network Connection

See Configuring the Core Network Connection.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the MSFC-CSM Setup Wizard

The MSFC-CSM setup wizard consists of three steps:

1. (Optional) Configure the connection to the Internet.

2. Assign a VLAN to transfer data between the MSFC and CSM.

3. (Optional) Specify a server VLAN on the CSM and assign ports to that VLAN for server farm access.

Step 2 is the only mandatory step in the wizard.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Core Network Connection

See Configuring the Core Network Connection.

Configuring the MSFC-CSM VLAN

To configure the VLAN connection between the MSFC and CSM, enter the information specified in Table 8-17.

Table 8-17 MSFC-CSM VLAN Configuration: GUI Reference 

GUI Element	Action/Description
VLAN Connecting MSFC and CSM list	Specify the VLAN that connects the MSFC and CSM. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
MSFC: Slot X pane
IP Address field	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
CSM: Slot X pane
VLAN Type field	Indicates what type of VLAN this is. By default, this value is set to client.
IP Address field	Enter the IP address of the VLAN on this interface.
Mask field	Enter the subnet mask to which the specified IP address belongs. You can either type a value or select a value from the list.
Alias IP Address field	Enter the alias IP address of the VLAN on this interface.
Gateway pane
Use MSFC as Default Gateway radio button	Select to set the MSFC as the default gateway.
Gateway radio button	Select and then enter the IP address of the appropriate gateway.
Add Virtual Server button	Click to open the Add Virtual Server dialog box. See Adding a Virtual Server for more information.

Configuring the Server Farm Connection

See Configuring the Server Farm Connection.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.

Using the Wireless-Firewall Setup Wizard

The Wireless-Firewall setup wizard consists of five steps:

1. (Optional) Configure the connection to the wireless network.

2. Configure the wireless network.

3. Configure a VLAN that connects the VRF and FWSM.

4. Configure a VLAN that connects the FWSM and the MSFC.

5. (Optional) Configure the connection to the core network.

---

Note If a VLAN is already configured between the service modules affected by this wizard, certain wizard fields will be populated with the parameters set for this VLAN.

---

Selecting a Service Module

See Selecting a Service Module.

Configuring the Wireless Network Connection

To configure the wireless network connection, enter the information specified in Table 8-18.

Table 8-18 Wireless Network Connection Configuration: GUI Reference 

GUI Element	Action
Connection Mode radio button	Select the appropriate port connection mode in this field. By default, Routed mode is selected.
Ports Selector	Select the ports you want to add to the VLAN configured on this page of the wizard. See Port Selector for more information.
Configure VLAN for Selected Ports pane1
VLAN list	Specify the VLAN to which the selected ports belong. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
SVI on MSFC pane1
Interface field	Indicates the VLAN selected in the VLAN list. This field cannot be edited.
IP Address field	Enter the IP address of the Switched Virtual Interface (SVI).
Mask list	Enter the subnet mask that corresponds to the SVI's IP address. You can either type a value or select a value from the list.

1 Available only in Access and Trunk port connection modes.

Configuring the Wireless Network

To configure the wireless network, enter the information specified in Table 8-19.

Table 8-19 Wireless Network Configuration: GUI Reference 

GUI Element	Action/Description
Tunnel Details section
Network ID list	Click and then select one of the following options: •Select Network ID—Opens a dialog box that displays a list of available network IDs. Select one from the list and then click OK. •Create Network ID—Enter the appropriate network ID and then click OK. •Clear—Clears the network ID that is specified in this field.
Description field	Enter the description of the new wireless network.
Tunnel ID list	Click and then select one of the following options: •Select Tunnel Interface—Opens a dialog box that displays a list of available tunnel interfaces. Select one from the list and then click OK. •Create Tunnel Interface—Enter the appropriate ID for a tunnel interface and then click OK.
Interface MTU field	Enter the maximum packet size that the new wireless network can handle. Note It is recommended that you do not enter a value higher than 1476. Doing so will result in the fragmentation of GRE packets.
IP Address field	Enter the IP address of the new wireless network.
Mask field	Either select the appropriate mask from the list or enter a value.
Broadcast Capability check box	Select this check box to enable the transmission of broadcast messages over the tunnel interface specified in the Tunnel ID field.
Tunnel Source Details section
Loopback radio button	With the radio button selected, click and then select one of the following options: •Select Loopback Interface—Select a loopback interface from the list and then click OK. •Create Loopback Interface—Launches the Add Loopback Interface dialog box. See Adding a Loopback Interface for more information.
Ports radio button	With the radio button selected, click to launch the Port Selector. See Port Selector for more information.
SVI radio button	With the radio button selected, click and then select one of the following options: •Select SVI Interface—Select a SVI interface from the list and then click OK. •Create SVI Interface—Launches the Add SVI dialog box. See Adding an SVI for more information.
IP Address radio button	With the radio button selected, enter the appropriate IP address in the IP Address field.
DHCP Options section
Mobility Trust check box	Click to specify if this is a trusted network. A trusted network can use DHCP or static IP addresses. An untrusted network supports only DHCP clients.
DHCP Snooping check box	Click this check box to enable DHCP snooping. DHCP snooping so that wireless clients, or mobile nodes, can gain access to an untrusted wireless network.
Local radio button	Select this radio button to specify the WLSM to use a local pool of IP addresses that the access point assigns in response to DHCP requests. Click and then select one of the following: •Select DHCP Pool—Opens a dialog box that displays a list of available DHCP pools. Select a pool and click OK. •Create DHCP Pool—Opens the Add DHCP Pool dialog box, from which you can create a DHCP pool. See Adding DHCP Pools for more information. •Clear—Clears the DHCP pool that is specified in this field.
External radio button	Select this radio button to specify the WLSM to use an external pool of IP addresses that the access point assigns in response to DHCP requests. See Selecting Helper IP Addresses for more information.

Configuring the VRF-Firewall VLAN

To configure the VLAN connection between the Virtual Routing and Forwarding (VRF) instance and firewall module, enter the information specified in Table 8-20.

Table 8-20 VRF-Firewall VLAN Configuration: GUI Reference 

GUI Element	Action
VLAN Connecting VRF and Firewall list	Specify the VLAN that connects the VRF and firewall module. Click and then select one of the following: •Select VLAN—Opens the VLAN Selector dialog box. See VLAN Selector for more information. •Create VLAN—Opens the Create VLAN dialog box. See Create VLAN Dialog Box for more information. •Clear VLAN—Clears the VLAN that is specified in this field.
VRF pane
VRF list	Specify the VRF that will be configured for this VLAN. Click and then select one of the following: •Select VRF—Opens the Select VRFs dialog box. See Selecting a VRF for more information. •Create VRF—Opens the Add VRF dialog box. See Adding VRFs for more information.
Interface field	Indicates the interface associated with the VRF.
IP Address field	Enter the IP address of the VRF.
Mask field	Either select the appropriate mask from the list or enter a value.
Firewall: Slot X pane
Context field	Specify the context that will be configured for this VLAN. Click and then select one of the following: •Select Context...—Opens the Select Firewall Context dialog box. See Select Firewall Context for more information. •Create Context...—Opens the Create Firewall Context dialog box. See Create Firewall Context for more information. Note the following: •This field is displayed only when Multiple Mode is active for the firewall module. •New contexts can be created only after the Admin context has first been created. For more information, see Security Context Overview.
Interface field	Enter a name for this interface, making sure that it is not the name of an interface that is already configured on this device.
IP Address field	Enter the IP address of the firewall module. Note This field is not displayed when the firewall module is running in transparent mode.
Mask field	Either select the appropriate mask from the list or enter a value. Note This field is not displayed when the firewall module is running in transparent mode.
Security Level (0-100) field	Indicates the security level set for the interface. Higher values indicate higher security levels. •The value 100 indicates that this is an inside interface. •The value 0 indicates that this in an outside interface.
VLAN Group list	Specify the VLAN group associated with the selected VLAN. See Select VLAN Group for more information.

Selecting a VRF

From this dialog box, you select the VRF that will be assigned to the VLAN configured in Step 3 of the Wireless-Firewall setup wizard.

---

Step 1 Click and then select the Select VRF option.

Step 2 Select a VRF from the list and then click OK.

---

Configuring the Firewall-MSFC VLAN

See Configuring the Firewall-MSFC VLAN.

Configuring the Core Network Connection

See Configuring the Core Network Connection.

Summary

See Summary.

Delivering the Configuration to the Switch/Module

See Delivering the Configuration to the Switch/Module.