Table Of Contents
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
Understanding How the Firewall Services Module Works
Multiple Firewall Services Module Configuration
Specifications and System Limitations
Installing the Firewall Services Module
Memory and Storage Requirements
Installing and Removing the Module
Configuring the Switch Interface
Catalyst Operating System Software
Firewall Services Module and PDM Restrictions
Platform and Browser Requirements
Installing or Upgrading the PDM
Setting up a Single-Chassis Configuration
Setting Up a Dual-Chassis Configuration
Receiving Requests and Sending Syslog Traps
Compiling Cisco Syslog MIB Files
Using the Firewall and Memory Pool MIBs
Configuring OSPF Routing Support
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring Route Summarization Between OSPF Areas
Configuring Route Summarization when Redistributing Routes into OSPF
Changing the OSPF Administrative Distances
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Displaying OSPF Update Packet Pacing
Area Border Router Type 3 LSA Filtering
Monitoring and Maintaining OSPF
Configuring IPSec for Management
Administering the Firewall Services Module
Administering the Software Images
Logging into the Application Software
Logging into the Maintenance Software
Changing and Recovering Passwords
Changing the Application Partition Passwords
Changing the Maintenance Partition Passwords
Recovering the Application Partition Passwords
Recovering the Maintenance Partition Passwords
Resetting the Firewall Services Module
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Troubleshooting the Firewall Services Module
Firewall Services Module and PIX Commands
System Message Log Differences
Memory and Resource Allocation
Standards Compliance Specifications
Cisco IOS Software Documentation Set
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
WS-SVC-FWM-1-K9
This publication describes how to install and configure the Firewall Services Module (FWSM) in the Catalyst 6500 series switches and Cisco 7600 Optical Services Router (OSR). See the "Related Documentation" section for more information about software configuration for the switch.
Throughout this publication, the Firewall Services Module (FWSM) is referred to as "the module"
Note
For translations of the warnings in this publication, see the "Safety Overview" section and refer to the Regulatory Compliance and Safety Information for the Catalyst 6500 series switches.
Contents
This publication consists of these sections:
•
•
•
•
•
•
Overview
This section describes the Catalyst 6500 Series Firewall Services Module, how it operates, how to manage it. This chapter contains these sections:
•
•
Before You Begin
To help you get started using the Firewall Services Module, refer to this roadmap:
Note
Refer to Table 10 for information on these commands.
Table 11 lists the Cisco IOS commands for the module.
Table 12 lists the new commands specific to the module. These commands are described in Command Reference
Table 13 lists the PIX commands that were changed for the module.
Table 14 lists the PIX commands that are not used by the module.
Table 15 lists the PIX commands used by the module and their PIX version.Understanding How the Firewall Services Module Works
Firewalls protect an internal (inside) network, such as a data center, from unauthorized access by users on an external (outside) network, such as the public Internet.
Note
You also can protect one or more networks, also known as demilitarized zones (DMZs). DMZs are those portions of the network that contain resources which you may want to allow access to for specified users. Access to a DMZ is usually more restricted than access to the outside network, but less restricted than access to the inside network.
A DMZ allows you to protect your network resources that need to be accessed by users on the public Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some protection without jeopardizing the resources on your internal network.
Connections between the inside and outside and DMZ networks are controlled by the module through the firewall using a network-modeled protection scheme based upon a configuration and security policy. By implementing a security policy, you can ensure that all traffic from the protected networks only passes through the firewall to the unprotected network. You also can control who accesses the networks and with which services. Features on the module allow you to control how your security policy is used.
The security policy determines the security level, which allows you to isolate networks that are assigned the same security level from each other. To route traffic between different networks, you assign each network a different security level. A lower security level provides less protection for the interface than a higher security level. The security levels to your networks can range from 0 to 100.
All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because the module supports multiple interfaces, you can create one or more DMZ networks.
The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus and the switch fabric module if one is present. The Firewall Services Module does not require a Switch Fabric Module to function.
The module has a 6 Gbps dot1q EtherChannel connection to the backplane where the hosts of the various security zones are connected to ports on the Catalyst 6500 chassis.
The module can be configured in a multiple, failover, or redundant configuration.
Figure 1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall interfaces. All other router interfaces configured on the MSFC are considered to be the same security level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and VLAN 202 is routed directly.
Figure 1 Firewall Services Module Configuration
Multiple Firewall Services Module Configuration
Figure 2 shows multiple modules that are located in the same switch, and how they can operate independently. There is no restriction to the number of modules installed in the same switch. The network requirements and topology determine the configuration.
Figure 2 Multiple Firewall Services Module Configuration
In a multiple-module configuration, the following conditions apply:
•
•
•
Redundancy Failover
The failover configuration has these features:
•
•
•
•
The module can be configured to use stateful failover as shown in Figure 3. Stateful failover allows you to maintain the operating state for the connection during the failover from the primary module to the standby module.
Figure 3 Stateful Failover Configuration
When a failover occurs, each module changes its state. The new active module begins accepting traffic. The new standby module assumes the failover IP and MAC addresses of the module that was previously the active module. Because network devices do not detect a change in these addresses, there are no ARP entries changed nor is there a time out anywhere on the network.
Be sure that both modules have the same software version, VLAN configuration, Flash memory, and RAM or the configuration copied to the standby module will not work. After you configure the primary module and provide the failover link, the primary module automatically copies the configuration over to the standby module.
Note
Figure 4 shows two modules located in separate chassis: one module is designated as the active module and the other module is designated as the standby module.
Figure 4 Firewall Services Module Multiple Configuration in a Network
In this multiple-module configuration, the following conditions apply:
•
•
•
•
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
•
•
•
•
•
•
•
•
•
•
Note
•
•
The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.
•
•
•
•
–
–
When the Firewall Services Module software is the platform, PDM will display modified screens for features not supported by the module. To use the PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
•
•
•
•
•
Specifications and System Limitations
Table 1 lists the specifications and system limitations of the FWSM.
Table 1 FWSM Specifications and System Limitations
Modules per switch
Maximum of four modules per switch.
If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.
Memory
•
•
Bandwidth
CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.
Filtering servers
16 Websense Enterprise filtering servers.
IPSec management connections, concurrent
5 connections.
TCP1 or UDP2 connections between any two hosts, including connections between one host and multiple other hosts, concurrent and rate
999,900 connections.
100K connections per second.
Fixup connections, rate
10,000 per second.
PC based fixup connections, rate
10K per second.
Host connections, concurrent
256K
SSH3 management connections, concurrent
5 connections.
System messages, rate
20K per second.
Telnet management connections, concurrent
5 connections.
NAT translations, concurrent
256K.
NAT statements
1K statements.
High-performance firewall
5 GBps (aggregated).
Concurrent connections.
1 million
Packets-per-second.
3 million pps
New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP).
7K
VLAN interfaces (no physical interfaces on the module).
100
Static NAT statements
1K statements.
Global statements
1K statements.
Shun statements
2K statements. The FWSM supports at most 2000 shuns - that number is contigent upon finite hardware resources and cannot be increased.
Alias statements
1K statements.
User authentication sessions, concurrent
5K sessions.
User authorization sessions, concurrent
150K sessions.
Maximum 15 sessions per user.
ARP4 table entries, concurrent
64K entries.
Route table entries, concurrent
32K entries.
Packet reassembly, concurrent
30,000 fragments.
Filter Rules, Fixup and Filter statements combined.
3K rules and statements.
Established CLI Rules
1K rules.
Established data
1K implicit rules used by TCP and UDP fixups to allow back channels.
3K statements.
AAA Rules
3K rules. 1K rules for authentication, 1K rules for authorization, and 1K rules for accounting.
1K rules.
ACEs
72K ACEs (best case).
1 Transmission Control Protocol
2 User Datagram Protocol
3 Secure Shell
4 Address Resolution Protocol
5 Internet Control Message Protocol
6 HyperText Transfer Protocol
Front Panel Description
The front panel includes a STATUS LED and SHUTDOWN button. (See Figure 5)
Figure 5 Firewall Services Module Front Panel
STATUS LED
The STATUS LED indicates the operating states of the module. Table 2 describes the LED operation.
SHUTDOWN Button
Caution
To avoid corrupting the compact Flash memory, you must correctly shut down the module before you remove it from the chassis or disconnect the power. This shutdown procedure is initiated normally by commands entered at the supervisor engine CLI prompt or the module CLI prompt.
If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push the button.
The shutdown procedure may require several minutes. The STATUS LED turns orange when the module shuts down.
Module Specifications
Table 3 describes the specifications for the module.
Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Installing the Firewall Services Module
This section describes how to install the Firewall Services Module including the software and hardware requirements.
This chapter contains these sections:
•
System Requirements
This section describes the software and hardware requirements for the module.
Memory and Storage Requirements
There are no additional memory or storage requirements for this module. The module contains the following memory:
•
•
Software Requirements
Table 4 lists the Firewall Services Module software versions supported by Catalyst operating system and Cisco IOS software.
Hardware Requirements
Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.
Note
Required Tools
These tools are required to install the module in the Catalyst 6500 series switches:
•
•
•
•
Whenever you handle the module, always use a wrist strap or other grounding device to prevent electrostatic discharge (ESD).
Installing and Removing the Module
Warning
All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace, and rearrange modules without turning off the system power. For more information on removing the module from a switch, see the "Removing a Module" section.
When the system detects that a module has been installed or removed, the system automatically runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation.
This section describes how to install and verify the operation of the Firewall Services Module in the Catalyst 6500 series switches and contains the following sections:
Slot Assignments
The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.
Note
Each slot is used as follows:
•
•
•
•
Removing a Module
This section describes how to remove an existing module from a chassis slot.
Warning
Warning
Warning
To remove a supervisor engine or module from the chassis, perform these steps:
Step 1
Step 2
This step ensures that the space created by the removed module is maintained.
Note
Step 3
Step 4
Horizontal slots
a.
b.
Vertical slots
a.
b.
Step 5
Step 6
Warning
Installing a Module
This section describes how to install modules in the Catalyst 6500 series switches.
Caution
Warning
Warning
Warning
To install a supervisor engine or module in the chassis, perform these steps:
Step 1
Step 2
Step 3
This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the opening space for the new module or the replacement module.
Note
Step 4
Step 5
Figure 6 Positioning the Module in a Horizontal Slot Chassis
Step 6
Horizontal slots
a.
b.
Figure 7 Clearing the EMI Gasket in a Horizontal Slot Chassis
c.
Caution
d.
Figure 8 Ejector Lever Closure in a Horizontal Slot Chassis
Note
e.
Note
Vertical slots
a.
Figure 9 Positioning the Module in a Vertical Slot Chassis
b.
c.
Figure 10 Clearing the EMI Gasket in a Vertical Slot Chassis
Caution
d.
Figure 11 Ejector Lever Closure in a Vertical Slot Chassis
e.
Note
Verifying the Installation
This section describes how to verify the module installation.
To verify that the system acknowledges the new module and has brought it online, enter the show module [mod-num | all] command.
This example shows the output of the show module command:
Router# show moduleMod Slot Ports Module-Type Model Sub Status--- ---- ----- ------------------------- ------------------- --- --------1 1 2 1000BaseX Supervisor WS-X6K-S2U-MSFC2 yes ok15 1 1 Multilayer Switch Feature WS-F6K-MSFC2 no ok2 2 6 Firewall Service Module WS-SVC-FWM-1 no okRouter#When the module initially boots, by default it runs a partial memory test. To perform a full memory test, enter the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory size.
Table 5 lists the memory test time and approximate boot time for a long memory test.
This example shows how to do a full memory test for module 5:
Router(config)# hw-module module 5 reset mem-test-fullUsing the CLI
The software interface for the module is the Cisco IOS command-line interface accessed through a Telnet connection to the switch or through the switch console interface. Refer to the Catalyst 6500 Series IOS Software Configuration Guide and the Catalyst 6500 Series Software Configuration Guide for details.
To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series IOS Software Configuration Guide.
Unless your switch is located in a fully trusted environment, we recommend that you configure the module through a Telnet connection using Secure Shell (SSH) encryption.
You can session into the module from the switch console and configure the firewall. Session is a Telnet interface through the Ethernet out-of-band channel (EOBC) of the switch backplane.
You can also make a Telnet connection into the module from a specified host and on a specific interface. Telnet support for this host should be configured or enabled from the module console.
Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection into the module.
The module application software is similar to the Cisco PIX firewall software. This publication describes only the commands unique to the Firewall Services Module. For information about the PIX commands, refer to the PIX documentation at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm
Getting Started
This section describes how to begin configuring the Firewall Services Module from the CLI and contains these sections:
Configuration Overview
This section describes the Firewall Services Module configuration and contains these sections:
•
The Firewall Services Module can be used in a variety of topologies depending on the needs of your network. For example, in a data center you may want to provide access control or segregate your security domains. The security domain can be a collection of servers with the same security level. Within that domain, multiple subnets or server farms can exist.
When you configure the Firewall Services Module to function on the perimeter of the network, the module can provide access control to the inside network as a whole, or segregate multiple security zones through VLAN interfaces of different security levels. The security zones can be either in the same network or can define the boundaries of multiple customer networks.
The Firewall Services Module configuration has the following characteristics:
•
•
•
•
•
You can configure the module in various situations by selecting the firewall features that meet the requirements of a particular network. Figure 12 shows a typical firewall configuration.
Figure 12 Firewall Configuration
Configuring the Switch Interface
This section describes the basic configuration steps performed on the switch and the Firewall Services Module.
Cisco IOS Software
To set up the configuration on the switch using the Cisco IOS CLI, follow these general tasks:
:
Note
switchport trunk allowed vlan {add | except | none | remove} vlan1, [, vlan [, vlan [,...]]]}This example shows how to configure the switch interface:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# vlan 55Router(config-vlan)# vlan 56Router(config-vlan)# vlan 57Router(config-vlan)# exitRouter(config)# firewall vlan-group 50 55-57Router(config)# firewall vlan-group 51 70-85Router(config)# firewall module 8 vlan-group 50-51Router(config)# int vlan 55Router(config-if)# ip address 55.1.1.1 255.255.255.0Router(config-if)# no shutRouter(config-if)# endRouter# show firewall vlan-groupGroup vlans----- ------50 55-5751 70-85Router# show firewall moduleModule Vlan-groups8 50,51,Router# show int vlan 55Vlan55 is up, line protocol is upHardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)Internet address is 55.1.1.1/24MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation ARPA, loopback not setARP type:ARPA, ARP Timeout 04:00:00Last input never, output 00:00:08, output hang neverLast clearing of "show interface" counters neverInput queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0Queueing strategy:fifoOutput queue :0/40 (size/max)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/secL2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytesL3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcastL3 out Switched:ucast:0 pkt, 0 bytes0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored4 packets output, 256 bytes, 0 underruns0 output errors, 0 interface resets0 output buffer failures, 0 output buffers swapped outRouter#Catalyst Operating System Software
To set up the configuration on the switch for the Firewall Services Module using the Catalyst operating system CLI, you must be in the proper Virtual Terminal Protocol (VTP) mode to create VLANs (server, transparent, or off modes all work) and then follow these general tasks:
:
This example shows how to configure the switch interface:
Console>(enable) enableConsole>(enable) set vlan 7, 11-15, 19-20 firewall-vlan 8Console> show vlan firewall-vlan 8Console> show vlan fire 8Secured vlans by firewall module 8:7 11-15,19-20Console>(enable) set vlan 8Sessioning into the Module
You can log into the module's maintenance partition or application partition.
Sessioning into the Maintenance Partition
To log into the module's maintenance partition, perform these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot number processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance image
Note
Catalyst Operating System:
Console> session moduleThe default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
Step 4
Password: cisco
Note
Step 5
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Router# rebootSessioning into the Application Partition
To log into the module's application partition, perform these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit'at the remoteprompt to end the session Trying 127.0.0.81 ... OpenFWSM passwd:Welcome to the FWSM firewallType help or '?' for a list of available commands.FWSM>
Note
Catalyst Operating System:
Console (enable)# session moduleStep 3
Cisco IOS:
Router# hw-module module slot_number reset cf:4Router# session slot module processor processorCatalyst Operating System:
Console (enable)# session moduleStep 4
Step 5
Password: password
Note
Configuring the Module
To set up the configuration on the module, follow these tasks:
Step 1
Defines the host name in the command line prompt.
Step 2
Specifies the interface name.
Step 3
Defines a local address for each interface.
Step 4
FWSM(config)#access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator portDefines an access list. Refer to "Command Reference" section and theaccess-list and theaccess-list (ospf).
Step 5
Defines access groups.
Step 6
Displays the configured interfaces.
Step 7
Displays the configured IP addresses.
Step 8
Displays the configured access lists.
Note
This example shows how to configure the module:
FWSM(config)# hostname FWSMFWSM(config)# nameif 55 inside 100FWSM(config)# nameif 56 outside 0FWSM(config)# ip address inside 10.1.1.1 255.255.255.0FWSM(config)# ip address outside 55.1.1.2 255.255.255.0FWSM(config)# access-list 1 permit ip any anyFWSM(config)# access-group 1 in interface insideFWSM(config)# show nameifnameif vlan55 inside security100nameif vlan56 outside security0FWSM(config)# show ipSystem IP Addresses:ip address inside 10.1.1.1 255.255.255.0ip address outside 55.1.1.2 255.255.255.0ip address eobc 127.0.0.61 255.255.255.0Current IP Addresses:ip address inside 10.1.1.1 255.255.255.0ip address outside 55.1.1.2 255.255.255.0ip address eobc 127.0.0.61 255.255.255.0FWSM(config)# show access-listaccess-list 1; 1 elementsaccess-list 1 permit ip any any (hitcnt=0)FWSM(config)# show access-groupaccess-group 1 in interface insideFWSM(config)#Saving the Configuration
To save your configuration, use one of the following methods:
•
•
•
•
Using PDM
Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) application that you can use to manage your Firewall Services Module. For detailed information about PDM, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
Note
Note
PDM Overview
PDM is a signed Java applet that uses certificates and HTTP over SSL (HTTPS) to securely transmit all information between PDM and the Firewall Services Module. PDM performs the following functions:
•
•
•
Firewall Services Module and PDM Restrictions
The module and PDM have the following operation restrictions:
•
–
–
Refer to the PDM 2.1 release notes for the complete list of unsupported commands. The release notes are located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmrn21/pdmrn21.htm
Note
Platform and Browser Requirements
PDM is supported in the following platforms and browsers:
•
•
•
For details about PDM and its operation refer to the Cisco PIX Device Manager Installation Guide Version 2.1.
The installation guide is located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmig/index.htm
Setting Up the Module for PDM
Before you do this procedure, make sure you have installed the Firewall Services Module into the switch and you have completed the basic configuration described earlier in this chapter. Refer to the "Configuration Overview" section.
To set up the module to use the PDM application, follow these steps:
Step 1
Step 2
Step 3
Cisco IOS:
Router# firewall vlan-group VLAN-group vlan-interfacesCatalyst Operating System
Console>(enable) set vlan vlan-range firewall-vlan module-numberStep 4
Cisco IOS only:
Router# firewall module module-number vlan-group VLAN-groupStep 5
Step 6
Router># enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# firewall vlan-group 5 10,20,50-51Router(config)# firewall module 3 vlan-group 5Router(config)# exitRouter# telnet 192.168.1.1Trying 192.168.1.1 ... OpenFWSM passwd:Welcome to the FWSM firewallType help or '?' for a list of available commands.FWSM# enablePassword:FWSM# configure terminalFWSM(config)# setupPre-configure FWSM Firewall now through interactive prompts [yes]?To complete this setup, follow the instructions that appear on the terminal.
Installing or Upgrading the PDM
To install or upgrade PDM on the module, enter this command:
copy tftp://location/pathname flash:pdmThis example shows how to install or upgrade PDM on the module:
FWSM# copy tftp://10.1.1.1/pdm-211.bin flash:pdm10.1.1.1 is the location of the TFTP server and the PDM image.
Verify that PDM was downloaded to the module.
Starting PDM
To start PDM, in your browser be sure you use the HTTP secure (https) command and type the following address:
https://IP address of FWSMThis example shows how to start PDM:
https://192.168.1.1192.168.1.1 is the IP address of one of the VLAN interfaces on the module.
You can now use the PDM 2.1 application to configure your Firewall Services Module. Access the PDM online help to use the application.
Configuring Firewall Services
This chapter describes how to configure firewall services and contains these sections:
•
•
•
Configuring Firewall Failover
Failover uses two modules that must have identical configurations. You can configure the modules in the following ways:
•
•
Setting up a Single-Chassis Configuration
To set up failover on a single chassis, install two firewall modules on the same chassis and assign the same firewall VLAN group to both modules.
Figure 13 Failover Single Chassis Configuration
To configure failover in a single chassis, perform this task:
This example shows how to configure failover in a single chassis:
Router(config)# firewall vlan-group 10 10,20,30,40,50Router(config)# firewall module 4 vlan-group 10Router(config)# firewall module 6 vlan-group 10Setting Up a Dual-Chassis Configuration
To set up failover across two chassis, install a firewall module in each chassis and assign the same firewall VLAN group to both modules.
To set up a dual-chassis configuration, follow these tasks:
Figure 14 shows a dual-chassis configuration.
Figure 14 Failover Dual-Chassis Configuration
This example shows how to configure failover in two chassis:
Router1(config)# firewall vlan-group 10 10,20,30,40Router1(config)# firewall module 4 vlan-group 10Router2(config)# firewall vlan-group 20 10,20,30,40Router2(config)# firewall module 5 vlan-group 20Configuring Firewall Failover
For a failover configuration, both firewall modules need to have the same RAM and Flash memory size and be running the same software version.
To configure failover, follow these steps:
Step 1
Note
Step 2
Step 3
Step 4
Step 5
This is the IP address used by the primary module on failover interface
Step 6
Step 7
This is the IP address used by the secondary module on failover interface.
Step 8
This command specifies the IP address used by the standby module on other firewall interfaces. The client hosts are not expected to use this IP address to communicate to the module.
Step 9
Step 10
Note
Step 11
Step 12
Step 13
The primary and the secondary module should have the identical failover configuration, except for the failover LAN module configuration.
Note
Note
Step 14
Enter the icmp permit 0 0 if_name command to configure the failover interface to allow the ping to go through the firewall.
Step 15
The secondary module should detect the primary module and then switch to standby. The firewall configuration is synchronized from the active module to the standby module.
Warning
Step 16
Step 17
Note
These example shows how to configure failover on a pair of FWSMs.
The modules are located in two different switches. A dedicated VLAN (vlan 4000) is created for the failover protocol. The following conditions apply:
•
•
•
•
•
•
This example shows how to configure the primary module:
FWSM(config)# show vlan30, 40, 4000FWSM(config)#FWSM(config)# fail lan unit priFWSM(config)# nameif 4000 fover 50FWSM(config)# nameif 30 outside 0FWSM(config)# nameif 40 inside 100FWSM(config)# ip address fover 10.40.40.1 255.255.255.0FWSM(config)# ip address inside 10.2.1.1 255.255.255.0FWSM(config)# ip address outside 10.11.1.2 255.255.255.0FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0FWSM(config)# fail ip address inside 10.2.1.2 255.255.255.0FWSM(config)# fail ip address outside 10.11.1.3 255.255.255.0FWSM(config)# fail lan int foverFWSM(config)# logg onFWSM(config)# logg monitor 7FWSM(config)# logg con 7111008: User 'enable_15' executed the 'logging con 7' command.FWSM(config)# no logg mess 111008FWSM(config)# no logg mess 111009FWSM(config)# fail105002: (Primary) Enabling failover.FWSM(config)#No Response from Mate. Switching to ActiveYou may begin configuring the standby module at this time.
Sync Process StartSync Process End709004: (Primary) End Configuration Replication (ACT)105003: (Primary) Monitoring on interface 2 waiting105003: (Primary) Monitoring on interface 1 waiting105004: (Primary) Monitoring on interface 2 normal105004: (Primary) Monitoring on interface 1 normal302010: 0 in use, 0 most used302010: 0 in use, 0 most usedThis example shows how to configure the standby or secondary module:
FWSM(config)# fail lan unit secFWSM(config)# nameif 4000 fover 50FWSM(config)# ip address fover 10.40.40.1 255.255.255.0FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0FWSM(config)# fail lan int foverFWSM(config)# failFWSM(config)# logg onFWSM(config)# logg mon 7FWSM(config)# logg con 7FWSM(config)# 111008: User 'enable_15' executed the 'logging con 7' command.Detected an Active mate. Switching to StandbySwitching to Standby.FWSM(config)#Beginning configuration replication from mate.This unit is in syncing state. 'failover' command will not be effective at this timeEnd configuration replication from mate.709006: (Secondary) End Configuration Replication (STB)Access Rules Download Complete: Memory Utilization < 1%105003: (Secondary) Monitoring on interface 2 waiting105003: (Secondary) Monitoring on interface 1 waiting105004: (Secondary) Monitoring on interface 2 normal105004: (Secondary) Monitoring on interface 1 normalThis example shows how to monitor the failover status on the primary and secondary modules:
Primary module:
FWSM(config)# show failFailover OnFailover unit PrimaryFailover LAN Interface foverReconnect timeout 0:00:00Poll frequency 15 secondsThis host: Primary - ActiveActive time: 29925 (sec)Interface outside (10.11.1.2): NormalInterface inside (10.2.1.1): NormalOther host: Secondary - StandbyActive time: 285 (sec)Interface outside (10.11.1.3): NormalInterface inside (10.2.1.2): NormalStateful Failover Logical Update StatisticsLink : Unconfigured.Secondary module:
FWSM(config)# show failFailover OnFailover unit SecondaryFailover LAN Interface foverReconnect timeout 0:00:00Poll frequency 15 secondsThis host: Secondary - StandbyActive time: 285 (sec)Interface inside (10.2.1.2): NormalInterface outside (10.11.1.3): NormalOther host: Primary - ActiveActive time: 30750 (sec)Interface inside (10.2.1.1): NormalInterface outside (10.11.1.2): NormalStateful Failover Logical Update StatisticsLink : Unconfigured.FWSM(config)#Using SNMP
You can monitor system events on the Firewall Services Module by using SNMP. You can read SNMP events, but information on the module cannot be changed with SNMP.
Use CiscoWorks for Windows or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB. SNMP traps occur at UDP port 162.
Note
You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending traps. Browsing involves doing an snmpget or snmpwalk of the MIB tree from the management station to determine values.
MIB Support
The Firewall Services Module supports the Cisco Firewall MIB and Cisco Memory Pool MIB.
The Firewall Services Module does not support the following in the Cisco Firewall MIB:
•
•
•
•
•
•
SNMP Traps
Traps are unsolicited "comments" from the managed device to the management station for specific events, such as link up, link down, and syslog event generation.
The snmp-server command causes the Firewall Services Module to send SNMP traps so that the module can be monitored remotely. Use snmp-server host command to specify which systems receive the SNMP traps.
An SNMP object ID (OID) for the module displays in SNMP event traps sent from the module. The Firewall Services Module provides system OID in SNMP event traps and SNMP mib-2.system.sysObjectID equal to the.(1.3.6.1.4.1.9.1.227) original PIX Firewall OID.
The module responds to an SNMP request from a management station and the module then sends an event notification trap.
The Firewall Services Module SNMP traps available to an SNMP management station are as follows:
•
–
–
–
•
–
–
–
Receiving Requests and Sending Syslog Traps
To receive requests and send traps from the Firewall Services Module to an SNMP management station, follow these steps:
Step 1
Step 2
If you only want to send the cold start, link up, and link down generic traps, and you only want to receive SNMP requests, no further configuration is required.
Step 3
Step 4
logging history debuggingWe recommend that you use the debugging level during initial setup and during testing. After setup, set the level from debugging to a lower value.
The logging history command sets the severity level for SNMP syslog messages.
Step 5
Step 6
Compiling Cisco Syslog MIB Files
To receive security and failover SNMP traps from the Firewall Services Module, compile the Cisco SMI MIB and the Cisco syslog MIB into your SNMP management application. If you do not compile the Cisco syslog MIB into your application, you receive only traps for link up or down, firewall cold start, and authentication failure.
To obtain the Cisco MIB files go to the following URLs:
•
•
•
•
•
•
•
•
To compile Cisco syslog MIB files into your browser using CiscoWorks for Windows (SNMPc), follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
Step 18
Using the Firewall and Memory Pool MIBs
You can poll failover and system status using the Cisco Firewall and Memory Pool MIBs. With the MIB tables, you can view failover status, memory usage, connection count, and system buffer usage.
Viewing Failover Status
The Cisco Firewall MIBs cfsHardwareStatusTable indicates whether failover is enabled, and which module is active. The Cisco Firewall MIB indicates failover status in two rows in the cfwHardwareStatusTable object. From the Firewall Services Module command line, you can view failover status using the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB. ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTableTable 6 lists which objects provide failover information.
Table 6 Failover Status Objects
cfwHardwareType (table index)
Hardware
6 (primary module)1
6 (primary module)
7 (secondary module)
cfwHardwareInformation
SnmpAdminString
blank
blank
blank
cfwHardwareStatusValue
HardwareStatus
0 (not used)
active or 9 (active module) or standby or 10 (standby module)
active or 9 (active module) or standby or 10 (standby module)
cfwHardwareStatusDetail
SnmpAdminString
Failover Off
blank
blank
1 The type of returned values are shown in parentheses.
In the HP OpenView Browse MIB application's MIB values window, if failover is disabled, a sample MIB query displays the following information:
cfwHardwareInformation.6:cfwHardwareInformation.7 :cfwHardwareStatusValue.6 :0cfwHardwareStatusValue.7 :0cfwHardwareStatusDetail.6 :Failover OffcfwHardwareStatusDetail.7 :Failover OffIn this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :cfwHardwareInformation.7 :cfwHardwareStatusValue.6 : activecfwHardwareStatusValue.7 : standbycfwHardwareStatusDetail.6 :cfwHardwareStatusDetail.7 :In this listing, only the cfwHardwareStatusValue contains, either active or standby values to indicate the status of each module.
Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the Firewall Services Module command line, use the show memory command to view the memory usage. The following is sample output from the show memory command:
Router(config)# show memory16777216 bytes total, 5595136 bytes freeYou can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTableTable 7 lists which objects provide memory usage information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
ciscoMemoryPoolName.1 :FWSM system memoryciscoMemoryPoolAlternate.1 :0ciscoMemoryPoolValid.1 :trueciscoMemoryPoolUsed.1 :12312576ciscoMemoryPoolFree.1 :54796288ciscoMemoryPoolLargestFree.1 :0In this list, the table index, ciscoMemoryPoolName, appears as the .1 value at the end of each subsequent object value. The ciscoMemoryPoolUsed object lists the number of bytes currently in use, 12312576, and the ciscoMemoryPoolFree object lists the number of bytes currently free 54796288. The other objects always list the values described in Table 7.
Viewing the Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall MIB. From the Firewall Services Module command line. Enter the show conn command to view the connection count. The following is sample output from the show conn command:
show connection count15 in useThe cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTableTable 8 lists which objects provide connection count information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewallcfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startupcfwConnectionStatCount.40.6 :0cfwConnectionStatCount.40.7 :0cfwConnectionStatValue.40.6 :15cfwConnectionStatValue.40.7 :15In this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object.The table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections. The cfwConnectionStatValue object lists the connection count. The cfwConnectionStatCount object always returns 0 (zero).
Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the cfwBufferStatsTable. The system buffer usage provides an early warning that the Firewall Services Module is reaching its capacity limit. On the command line, enter the show blocks command to view this information.
The following is sample output from the show blocks command to demonstrate how cfwBufferStatsTable is populated:
show blocksSIZE MAX LOW CNT4 1600 1600 160080 100 97 97256 80 79 791550 780 402 40465536 8 8 8You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB. ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTableTable 9 lists the objects required to view the system block usage.
Note
In the HP OpenView Browse MIB application's MIB values window a sample MIB query displays the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blockscfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startupcfwBufferStatInformation.4.8 :current number of available 4 byte blockscfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blockscfwBufferStatInformation.80.5 fewest 80 byte blocks available since system startupcfwBufferStatInformation.80.8 :current number of available 80 byte blockscfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blockscfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startupcfwBufferStatInformation.256.8 :current number of available 256 byte blockscfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blockscfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startupcfwBufferStatInformation.1550.8 :current number of available 1550 byte blockscfwBufferStatValue.4.3: 1600cfwBufferStatValue.4.5: 1600cfwBufferStatValue.4.8: 1600cfwBufferStatValue.80.3: 400cfwBufferStatValue.80.5: 396cfwBufferStatValue.80.8: 400cfwBufferStatValue.256.3: 1000cfwBufferStatValue.256.5: 997cfwBufferStatValue.256.8: 999cfwBufferStatValue.1550.3: 1444cfwBufferStatValue.1550.5: 928cfwBufferStatValue.1550.8: 932In this list, the first table index, cfwBufferStatSize, appears as first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5,or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value and the cfwBufferStatValue object identifies the number of bytes for each value.
Using the ipAddrTable
When you use the SNMP ipAddrTable entry, all interfaces must have unique addresses. If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Duplicate IP addresses cause the SNMP management station to loop indefinitely. If this situation occurs, assign each interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. If two consecutive interfaces have the same IP 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct. However, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely. For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)With SNMP, the MIB table index must be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the module interface IP address, which requires that the IP address is unique. The SNMP agent might become confused and may return information of another interface (row), which has the same IP (index).
SNMP Usage Notes
The following notes apply:
•
•
•
•
Configuring OSPF Routing Support
The Firewall Services Module can run two processes of Open Shortest Path First (OSPF) protocol simultaneously. Each of the OSPF processes runs on a different set of interfaces. RIP cannot be enabled on any of the same interfaces as the interfaces that OSPF is enabled on.
Redistribution between the two OSPF processes is supported. Redistribution between RIP and OSPF is not supported in the current release. Static and connected routes configured on OSPF-enabled interfaces on the Firewall Services Module can also be redistributed into the OSPF process. For further information on how to configure OSPF redistribution on the Firewall Services Module, please refer to the section "Configuring IP Routing Protocol-Independent Features" of the Cisco IOS IP and IP Routing Configuration Guide.'
OSPF allows the module to maintain its own routing table. The OSPF protocol provides the following features for the module:
•
•
•
•
•
•
•
Enabling OSPF
As with other routing protocols, to enable OSPF you need to create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range of IP addresses. To enable OSPF, follow these tasks, beginning in global configuration mode:
This example shows how to enable OSPF:
FWSM(config)# router ospf 2FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0Configuring OSPF Interface Parameters
Cisco OSPF implementation allows you to alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. You configure the parameters by using the ospf hello-interval, ospf dead-interval, and ospf authentication-key interface configuration commands. Be sure that if you do configure any of these parameters, the configurations for all routers on your network have compatible values.
To specify interface parameters for your network, follow these tasks in interface configuration mode:
This example shows how to configure the OSPF interfaces:
FWSM(config)# router ospf 2FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0FWSM(config-router)# interface insideFWSM(config-interface)# ospf cost 20FWSM(config-interface)# ospf retransmit-interval 15FWSM(config-interface)# ospf transmit-delay 10FWSM(config-interface)# ospf priority 20FWSM(config-interface)# ospf hello-interval 10FWSM(config-interface)# ospf dead-interval 40FWSM(config-interface)# ospf authentication-key ciscoFWSM(config-interface)# ospf message-digest-key 1 md5 ciscoFWSM(config-interface)# ospf authentication message-digestFWSM(config-interface)# exitFWSM(config)# show ip ospfRouting Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 5. Checksum Sum 0x 26da6Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 1. 1 normal 0 stub 0 nssaExternal flood list length 0Area BACKBONE(0)Number of interfaces in this area is 1Area has no authenticationSPF algorithm executed 2 timesArea ranges areNumber of LSA 5. Checksum Sum 0x 209a3Number of opaque link LSA 0. Checksum Sum 0x 0Number of DCbitless LSA 0Number of indication LSA 0Number of DoNotAge LSA 0Flood list length 0Configuring OSPF Area Parameters
You can configure several area parameters using Cisco OSPF software. These area parameters (shown in the following task table) include authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the area border router, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub router configuration command on the area border router to prevent it from sending summary link advertisement (LSAs type 3) into the stub area.
To specify an area parameter for your network, follow these tasks in router configuration mode:
This example shows how to configure the OSPF area parameters:
FWSM(config)# router ospf 2FWSM(config-router)# area 0 authenticationFWSM(config-router)# area 0 authentication message-digestFWSM(config-router)# area 17 stubFWSM(config-router)# area 17 default-cost 20Configuring OSPF NSSA
The OSPF implementation of NSSA is similar to OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA area border routers, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.
You can simplify administration if you are an Internet service provider (ISP) or a network administrator that must connect a central site using OSPF to a remote site that is using a different routing protocol using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as OSPF stub area because routes for the remote site could not be redistributed into stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.
To specify area parameters as needed to configure OSPF NSSA, follow this task in router configuration mode:
Defines an NSSA area.
This example shows how to define an NSSA area:
FWSM(config-router)# area 17 nssaTo control summarization and filtering of type 7 LSAs into type 5 LSAs, use the following command in router configuration mode on the area border router:
Controls the summarization and filtering during the translation.
This example shows how to control summarization and filtering:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0Before you use this feature, consider these guidelines:
•
•
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To specify an address range, follow this task in router configuration mode:
.
Specifies an address range for which a single route will be advertised.
This example shows how to configure route summarization between OSPF areas:
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0Configuring Route Summarization when Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the Cisco IOS software to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
To configure the software advertise one summary route for all redistributed routes covered by a network address and mask, follow this task in router configuration mode:
This example shows how to configure route summarization when redistributing routes into OSPF:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0Creating Virtual Links
With OSPF all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link. The two end points of a virtual link are area border routers. The virtual link must be configured in both routers. The configuration information in each router consists of the other virtual end point (the other area border router) and the nonbackbone area that the two routers have in common (called the transit area). Virtual links cannot be configured through stub areas.
To establish a virtual link, follow this task in router configuration mode:
.
This example shows how to create virtual links:
FWSM(config-router)# area 16 virtual-link 1.1.1.1To display information about virtual links, use the show ip ospf virtual-links EXEC command.
To display the router ID of an OSPF router, use the show ip ospf EXEC command
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
To force the autonomous system boundary router to generate a default route, follow this task in router configuration mode:
This example shows how to generate a default route:
FWSM(config-router)# default-information originate alwaysChanging the OSPF Administrative Distances
An administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. An administrative distance numerically is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means the routing information source cannot be trusted and should be ignored.
OSPF uses three different administrative distances: intra-area, interarea, and external. Routes within an area are intra-area; routes to another area are interarea; and routes from another routing domain learned through redistribution are external. The default distance for each type of route is 110.
To change any of the OSPF distance values, follow this task in router configuration mode:
Changes the OSPF distance values.
This example shows how to change the OSPF administrative distance:
FWSM(config-router)# distance intra-ares 90 inter-area 95 external 100Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure the route calculation time, follow this task in router configuration mode:
Configures route calculation timers.
This example shows how to configure route calculation timers:
FWSM(config-router)# timers spf 10 120Logging Neighbors Going Up or Down
By default, the system sends a syslog message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ip ospf adjacency EXEC command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.
Sends syslog message when an OSPF neighbor goes up or down.
If you turned off this feature and want to restore it, follow this task in router configuration mode:
This example shows how to log neighbors:
FWSM(config-router)# log-adj-changes detailChanging the LSA Group Pacing
The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check summing, and aging functions. Group pacing results in more efficient use of the router.
The router groups OSPF LSAs and paces these functions so that sudden increases in CPU usage and network resources are avoided. This feature is most beneficial to large OSPF networks.
OSPF LSA group pacing is enabled by default. The default group pacing interval for refreshing, check summing, and aging usually is appropriate, and you need not configure this feature.
Original LSA Behavior
Each OSPF LSA has an age, which indicates whether the LSA is still valid. When the LSA reaches the maximum age (1 hour), it is discarded. During the aging process, the originating router sends a refresh packet every 30 minutes to refresh the LSA. Refresh packets are sent to keep the LSA from expiring, whether there has been a change in the network topology or not. Check summing is performed on all LSAs every 10 minutes. The router keeps track of LSAs it generates and LSAs it receives from other routers. The router refreshes LSAs it generated; it ages the LSAs it received from other routers.
Before the LSA group pacing feature was introduced, the Cisco IOS software would perform refreshing on a single timer, and check summing and aging on another timer. In the case of refreshing, for example, the software would scan the whole database every 30 minutes, refreshing every LSA the router generated, regardless of how old it was.
Figure 15 shows all the LSAs being refreshed at the same time. This process wasted CPU resources because only a small portion of the database needed to be refreshed. A large OSPF database (several thousand LSAs) might have thousands of LSAs with different ages. Refreshing on a single timer resulted in the age of all LSAs becoming synchronized, which resulted in increased CPU processing at once. A large number of LSAs might cause a sudden increase of network traffic, consuming a large amount of network resources in a short period of time.
Figure 15 OSPF LSAs on a Single Timer Without Group Pacing
LSA Group Pacing with Multiple Timers
This problem is solved by configuring each LSA to have its own timer. Each LSA gets refreshed when it is 30 minutes old, independent of other LSAs, so the CPU is used only when necessary. However, LSAs being refreshed at frequent, random intervals would require many packets for the few refreshed LSAs the router must send out, which would be inefficient use of bandwidth.
Therefore, the router delays the LSA refresh function for an interval of time instead of performing it when the individual timers are reached. The accumulated LSAs constitute a group, which is then refreshed and sent out in one packet or more. The refresh packets are paced as are the check summing and aging. The pacing interval is configurable; it defaults to 4 minutes, which is randomized to further avoid synchronization.
Figure 16 shows refresh packets. The first timeline shows individual LSA timers; the second timeline shows individual LSA timers with group pacing.
Figure 16 OSPF LSAs on Individual Timers with Group Pacing
The group pacing interval is inversely proportional to the number of LSAs the router is refreshing, check summing, and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing interval to 10 to 20 minutes might benefit you slightly.
The default value of pacing between LSA groups is 240 seconds (4 minutes). The range is from 10 seconds to 1800 seconds (30 minutes). To change the LSA group pacing interval, follow this task in router configuration mode:
Changes the group pacing of LSAs.
The following example changes the OSPF pacing between LSA groups to 280 seconds:
FWSM(config-router)# timers lsa-group-pacing 280FWSM(config-router)# interface insideBlocking OSPF LSA Flooding
By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. Some redundancy is desirable, because it ensures substantial flooding. However, too much redundancy can waste bandwidth and might destabilize the network due to excessive link and CPU usage in certain topologies, such as a fully meshed topology.
You can block OSPF flooding of LSAs two ways, depending on the type of networks:
•
•
On broadcast, nonbroadcast, and point-to-point networks, to prevent flooding of OSPF LSAs, follow this task in interface configuration mode:
FWSM(config-if)# ospf database-filter all outBlocks the flooding of OSPF LSA packets to the interface.
On point-to-multipoint networks, to prevent flooding of OSPF LSAs, follow this task in router configuration mode:
Blocks the flooding of OSPF LSA packets to the specified neighbor.
Ignoring MOSPF LSA Packets
Cisco routers do not support LSA type 6 Multicast OSPF (MOSPF). If the routers receive these packets, they generate syslog messages. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets, which prevent a large number of syslog messages. To configure the router to ignore these packets, follow this task in router configuration mode:
Prevents the router from generating syslog messages when it receives MOSPF LSA packets.
The following example shows how to prevent flooding of OSPF LSAs to broadcast, nonbroadcast, or point-to-point networks reachable through Ethernet interface 0:
FWSM(config-router)# router ospf 2FWSM(config-router)# ignore lsa mospfFWSM(config-interface)# ospf database-filter all outFWSM(config-interface)# router ospf 2FWSM(config)# show ip ospf flood-list insideInterface inside, Queue length 0The following example shows how to prevent flooding of OSPF LSAs to point-to-multipoint networks to the neighbor at IP address 1.2.3.4:
FWSM(config-router)# router ospf 109FWSM(config-router)# neighbor 1.2.3.4 database-filter all outDisplaying OSPF Update Packet Pacing
The former OSPF implementation for sending update packets was not efficient. Some update packets were getting lost in situations where the link was slow, a neighbor could not receive the updates quickly enough, or the router was out of buffer space. For example, packets might be dropped if either of the following topologies existed:
•
•
OSPF update packets are now automatically paced so they are not sent less than 33 milliseconds apart. Pacing is also added between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, follow this task in EXEC mode:
FWSM# show ip ospf flood-list interface-type interface-numberDisplays a list of LSAs waiting to be flooded over an interface.
Area Border Router Type 3 LSA Filtering
The area border router Type 3 LSA filtering feature extends the capability of an area border router that is running the OSPF protocol to filter type 3 LSAs between different OSPF areas. This feature allows only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time. This feature is supported by the addition of the area filter-list command.
The OSPF ABR Type 3 LSA filtering feature provides improved control of route distribution between OSPF areas.
Only Type 3 LSAs that originate from an area border router are filtered.
Configuring ABR Type 3 LSA Filtering
To filter interarea routes into a specified area, perform the following tasks beginning in router configuration mode:
To filter interarea routes out of a specified area, use the following commands beginning in router configuration mode:
Monitoring and Maintaining OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. Information provided can be used to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.
To display various routing statistics, follow this task in EXEC mode, as needed:
To restart an OSPF process, follow this task in EXEC mode:
Configuring IPSec for Management
Internet Protocol Security (IPSec) provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec operates at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Firewall Services Modules.
IPSec provides the following optional network security services. A local security policy determines the use of one or more of these services:
•
•
•
•
Note
IPSec provides controlled tunnels between two peers, such as two Firewall Services Modules. These tunnels are sets of security associations that are established between two remote IPSec peers (modules). You define which packets are considered sensitive and should be sent through these controlled tunnels, and you define the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate controlled tunnel and sends the packet through the tunnel to the remote peer.
For detailed information about IPSec, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/index.htm
The following steps describe a minimal IPSec configuration where the IPSec security associations are established through Internet Key Exchange (IKE).
To configure IPSec with IKE for the module, perform this task:
Step 1
FWSM(config)# access-list access-list-module {deny | permit} ip source source-netmask destination destination-netmaskCreates an access list to define the traffic to protect.
Step 2
FWSM(config)# crypto ipsec transform-set transform-set-module transform1 [transform2, transform3]Configures a transform set that defines how the traffic will be protected. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry in Step 6.
Step 3
Creates a crypto map entry in IPSec ISAKMP mode.
Step 4
Assigns an access list to a crypto map entry.
Step 5
Specifies the peer to which the IPSec-protected traffic can be forwarded.The security association is set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command.
Step 6
Specifies which transform sets are allowed for this crypto map entry. Lists multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.
Step 7
FWSM(config)# crypto map map-module seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}(Optional) Specifies a security association lifetime for the crypto map entry, if you want the security associations for this entry to be negotiated using different IPSec security association lifetimes other than the global lifetimes.
Step 8
(Optional) Specifies that IPSec should require perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should require PFS in requests received from the peer.
Step 9
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num match address access-list-module(Optional) Assigns an access list to a dynamic crypto map entry, which determines which traffic should be protected and which traffic should not protected.
Step 10
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set peer ip-address(Optional) Specifies the peer to which the IPSec-protected traffic can be forwarded. This is rarely configured in dynamic crypto map entries because dynamic crypto map entries are often used for unknown peers.
Step 11
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set transform-set transform-set-module1, [transform-set-module2, transform-set-module9]Specifies which transform sets are allowed for this dynamic crypto map entry. Lists multiple transform sets in order of priority (highest priority first).
Step 12
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}(Optional) Specifies a security association lifetime for the dynamic crypto map entry, if you want the security associations for this entry to be negotiated using different IPSec security association lifetimes other than the global lifetimes:
Step 13
(Optional) Specifies that IPSec should request PFS when requesting new security associations for this dynamic crypto map entry, or should demand PFS in requests received from the peer.
Step 14
Adds the dynamic crypto map set into a static crypto map set. Be sure to set the crypto map entries referencing dynamic maps to be the lowest-priority entries (highest sequence numbers) in a crypto map set.
Step 15
Applies a crypto map set to an interface on which the IPSec traffic will be evaluated.
Step 16
Specifies that IPSec traffic be implicitly trusted (permitted).
In the Firewall Services Module, VPN and IPSec are available only for management purposes. You cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch should terminate at the Firewall Services Module. The CLI commands you use to configure IPSec for management have not changed from PIX except for those listed inTable 13. Refer to the PIX documentation for details about configuring IPSec.
Administering the Firewall Services Module
This chapter describe how to administer the Firewall Services Module and contains these sections:
•
•
•
•
Administering the Software Images
This section contains the various administrative tasks you can perform using the Cisco IOS software images:
•
•
Quick Software Upgrade
To quickly upgrade the Firewall Services Module software image, follow these steps:
Step 1
msfc(config)# tftp-server bootflash:image nameStep 2
a.
router(config)# interface Vlan30router(config)# description to_fwsm_vlan_30router(config)# ip address 10.20.30.2 255.255.255.0router(config)# no ip redirectsb.
nameif vlan30 inside security100...ip address inside 10.20.30.5 255.255.255.0c.
FWSM# ping 10.20.30.210.20.30.2 response received -- 0ms10.20.30.2 response received -- 0ms10.20.30.2 response received -- 0msStep 3
FWSM# copy tftp flashAddress or name of remote host [127.0.0.1]? 10.20.30.2Source file name [cdisk]? c6svc-fwm-k9.1-1-0-207.bincopying tftp://10.20.30.2/c6svc-fwm-k9.1-1-0-207.bin to flash:image[yes|no|again]?yes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!The output shows the MSFC as the TFTP server.
Step 4
FWSM# reloadProceed with reload? [confirm]Image Locations
There are 5 partitions on the compact Flash as follows:
•
•
•
•
You can have two application images stored in Flash. One image in partition 4 and one in partition 5. Depending on which partition you want to boot, you can use cf:4 or cf:5 in the boot device module module_number partition_number command. For example:
Router(config)# boot device module 3 cf:5Router(config)# boot device module 4 cf:4The configurations related to that image is stored in the same partition as the image.
If the module's application partition gets corrupted, the maintenance partition can be used to recover the application configuration. The network configuration partition stores the network parameters for the maintenance partition.
When the application image fails, a log is created in the crash dump partition, which contains all failure-related information. You can use this log later for debugging using the show crashdump CLI command from both the maintenance partition and the application partition, if the application partition recovers without a problem on restart.
You can also upgrade the application from the maintenance partition. You can clear the enable password for the module from the maintenance partition CLI.
Logging into the Application Software
The application software has one user level. Use the enable command in the EXEC mode.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module, follow these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageCatalyst Operating System:
Console> session 8The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
Cisco IOS:
Router# hw-module module slot_number reset cf:4Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Console(enable)> rebootLogging into the Maintenance Software
The maintenance software has two user levels with different access privileges:
•
The default password is cisco.
•
The default password is cisco.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module maintenance partition, follow these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageCatalyst Operating System:
Console> session 8The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
login: rootStep 4
Password:After a successful login, the command line prompt appears as follows:
Maintenance image version: 1.1(0.3)root@localhost#Step 5
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Console(enable)> rebootUpgrading Software Images
You can upgrade both the application software and the maintenance software. To upgrade the application software, see the "Upgrading the Application Software" section. To upgrade the maintenance software, see the "Upgrading the Maintenance Software" section.
The entire application and maintenance partitions are stored on the FTP or TFTP server. The images are downloaded and extracted to the application or maintenance partition depending on which image is being upgraded.
To upgrade the application partition, change the boot sequence to boot the module from the maintenance partition. The maintenance partition downloads and installs the application image. The supervisor engine must be executing the run-time image to provide network access to the maintenance partition.
Set the boot sequence for the module using the supervisor engine CLI commands. As the maintenance partition boots, it determines the application type. If the network parameters are already configured, you can directly download the new image. If network parameters are not set, you need to manually configure them.
When you specify the target device and partition number for upgrading the application partition, software recognition checks are made to ensure that you do not upgrade the maintenance partition.
Before starting the upgrade process, you will need these software images:
•
•
A TFTP and FTP server are required to copy the images. The TFTP server should be connected to the switch and the port connecting to the TFTP server should be included in VLAN 1 on the switch.
Another TFTP server is required in the network. This TFTP server must be reachable from the module when the module image is booted up.
Upgrading the Application Software
To upgrade the application software image you must first copy the firewall software image to a directory accessible to FTP, and then log in to the switch through the console port or through a Telnet session.
To upgrade the application partition software, perform these tasks:
Step 1
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console>(enable) reset module-number boot cf:1Reboots the module into the maintenance partition.
Step 2
Cisco IOS:
Router# session slot slot_number processor 1Catalyst Operating System:
Console>(enable) session moduleEstablishes a console session with the module.
Step 3
At the login prompt, logs into the root account of the module.
Step 4
root@localhost# ip address ip _address netmaskroot@localhost# ip gateway ip_addressAssigns an IP address and a default gateway to the maintenance partition.
Because the module maintenance partition can only use VLAN 1 on the switch, use the IP addresses and gateway for VLAN 1. The FTP server is reachable after the IP parameters are specified.
Step 5
Displays the current settings. If the parameters are not correct, use the commands described in Step 4. The module image should be available on the FTP server reachable through VLAN 1.
Step 6
root@localhost# ping ip_addressPings the FTP server to verify if the configuration is correct.
Step 7
root@localhost# upgrade ftp_url cf:xUpgrades the application image from the appropriate directory on the FTP server that is reachable from the module.
The ftp_url values contain the following options:
•
The command prompts for the password. Enter the password for the username you are using to log in to the FTP server.
•
Note
Enter your password when prompted.
•
Step 8
Follow the screen prompts during the upgrade.
The image is copied from the FTP server to the compact Flash. The upgrade command also ensures that the configuration on the corresponding application partition is backed up and restored at the end of the upgrade operation.
Step 9
Logs out of the maintenance software.
Step 10
Cisco IOS:
Router# hw-module module slot_number reset cf:4Catalyst Operating System:
Console>(enable) reset module-number boot cf:4Resets the module into the application partition.
This example shows how to upgrade the Firewall Services Module application software:
Router# hw-module module 9 reset cf:1Device BOOT variable for reset = cf:1Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...00:16:21:SP:PC shutdown completed for module 900:16:21:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:16:24:SP:Resetting module 9 ...00:16:24:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:18:21:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:18:21:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:18:21:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now onlineRouter# session slot 9 proc 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.91 ... OpenCisco Maintenance imagelogin:rootPassword:Maintenance image version: 1.1(0.3)root@localhost.cisco.com# upgrade ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin cf:4Downloading the image. This may take several minutes...ftp://user:password@address/tftpboot/c6svc-fwm-k9.1-1-0-170.bin (5919K)/tmp/upgrade.gz [########################] 5919K | 821.24K/s6061947 bytes transferred in 7.38 sec (821.23k/sec)Upgrade file ftp://ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin .gz is downloaded.Upgrading will wipe out the contents on the hard disk.Do you want to proceed installing it [y|N]:yProceeding with upgrade. Please do not interrupt.If the upgrade is interrupted or fails, boot intoMaintenance image again and restart upgrade.Proceeding with image upgrade.Backing up FWSM configuration.Restoring FWSM configuration.Application image upgrade complete. You can boot the image now.Partition upgraded successfully.root@hostname.cisco.com# logout[Connection to 127.0.0.91 closed by foreign host]Router# hw-module module 9 resetDevice BOOT variable for reset =Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:24:04:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:24:04:SP:The PC in slot 9 is shutting down. Please wait ...00:24:18:SP:PC shutdown completed for module 900:24:18:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:24:21:SP:Resetting module 9 ...00:24:21:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:26:19:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:26:19:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:26:19:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now onlineThe module is now upgraded and ready for further firewall configuration. You can do further application partition upgrades from the module console, by entering the command:
copy tftp://tftp_ip/file_name flash:Upgrading the Maintenance Software
To upgrade the maintenance software image, you must first copy the module maintenance software image to a directory accessible to TFTP, and then log into the switch through the console port or through a Telnet session.
Note
To upgrade the maintenance partition software, perform these tasks:
This example shows how to upgrade the module maintenance software:
Router# hw-module module 9 reset cf:4Device BOOT variable for reset = cf:4Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:31:11:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:31:11:SP:The PC in slot 9 is shutting down. Please wait ...00:31:25:SP:PC shutdown completed for module 900:31:25:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:31:28:SP:Resetting module 9 ...00:31:28:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:33:26:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:33:26:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:33:26:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are nowonlineRouter# session slot 9 proc 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.91 ... Openfwsm# upgrade-mpAddress or name of remote host [160.251.101.128]? 192.168.253.79Source file name []? mp-1.0.1-bin.gzcopying upgrade-mp tftp://10.1.1.1/tftpboot/mp.1-1-0-3.bin.gz to flash[yes|no|again]? y!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Received 7700916 bytes.Maintenance partition upgraded.Router# hw-module module 9 reset cf:1Device BOOT variable for reset = cf:1Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#02:27:19:%SNMP-5-MODULETRAP:Module 9 [Down] Trap02:27:19:SP:The PC in slot 9 is shutting down. Please wait ...02:27:36:SP:PC shutdown completed for module 902:27:36:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)02:27:39:SP:Resetting module 9 ...02:27:39:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on02:29:37:%SNMP-5-MODULETRAP:Module 9 [Up] Trap02:29:37:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed02:29:37:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are nowonlineRouter#Changing and Recovering Passwords
You can change and recover passwords using a Telnet connection to the module and CLI.
To change the password, use a Telnet connection to the module, and then use the passwd or passwd-guest commands to change the password.
Note
Note
Changing the Application Partition Passwords
To change the application partition password, follow these steps while you are logged in to the account application account. Enter the passwd command with a password, for example:
FWSM# passwd frnxIf you do not enter a password, you receive the following result:
FWSM# passwdNot enough arguments.Usage: passwd <password> encryptedChanging the Maintenance Partition Passwords
To change the password, follow these steps while you are logged in to the root account on the maintenance software partition. The passwd command is available for the maintenance partition's root and guest account.
Step 1
root@localhost# passwdStep 2
Changing password for user rootNew password:Step 3
Retype new password:passwd: all authentication tokens updated successfullyThis example shows how to set the password for the root account:
root@localhost# passwdChanging password for user rootNew password:Retype new password:passwd: all authentication tokens updated successfullyTo change the password for the guest account, enter the password-guest command. This command is available from the maintenance partition root account only.
Step 1
root@localhost# passwd-guestStep 2
Changing password for user guestNew password:Step 3
Retype new password:passwd: all authentication tokens updated successfullyThis example shows how to set the password for the guest account:
root@localhost# passwd-guestChanging password for user guestNew password:Retype new password:passwd: all authentication tokens updated successfullyRecovering the Application Partition Passwords
If you have forgotten or lost the passwords for either the module application or maintenance software, they can be reset to the default values. Clearing the password resets the Telnet password to cisco and clears the enable password. To reset an application image password, follow these steps:
Step 1
root@localhost# clear passwd cf:partition_numberpartition_number refers to the number of the application or maintenance partition where you are resetting the password.
Note
Step 2
Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.This example shows how to clear the password for the module application software on partition 4 of the compact flash:
root@localhost# clear passwd cf:4Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.Recovering the Maintenance Partition Passwords
If you have forgotten or lost the passwords for either the module application or maintenance software, they can be reset to the default values. Clearing the password resets the Telnet password to cisco and clears the enable password.
Note
To reset a maintenance image password, enter this command:
fwsm# clear mp-passwdThis example shows how to clear the password for the module maintenance software on partition cf:1 of the compact Flash:
root@localhost# clear mp-passwdPasswords for 'root' and 'guest' accounts cleared successfully.Resetting the Firewall Services Module
If you cannot reach the module through the CLI or an external Telnet session, enter the hw-mod module module_number reset command to reset and reboot the module. The reset process requires several minutes.
When the module initially boots, by default it runs a partial memory test. To perform a full memory test, use the mem-test-full keyword in the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory size. Table 5 lists the memory and approximate boot time for a long memory test.
You can also use the hw-module module module_number reset [mem-test-full] command. For example:
Router# hw-module module 5 reset mem-test-fullThis section describes how to reset the module:
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Resetting the Module with Cisco IOS Software
To reset the module from the CLI, perform this task in privileged mode:
Note
This example shows how to reset the module, installed in slot 9, from the CLI:
Router# hw-mod mod 9 resetProceed with reload of module? [confirm] y% reset issued for module 9Router#00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...To reboot the module from the application software, perform this task while you are sessioned into the root account on the module in the privileged mode:
This example shows how to reboot the module:
Router# reloadResetting the Module with Catalyst Operating System Software
To reset the module from the CLI, perform this task in privileged mode:
Note
This example shows how to reset the module, installed in slot 9, from the from the application partition:
Router# reset mod 9Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...To reboot the module from the application software, perform this task while you are sessioned into the root account on the module in the privileged mode:
This example shows how to reboot the module:
FWSM# rebootTroubleshooting the Firewall Services Module
This section provides troubleshooting information for the Firewall Services Module.
Symptom You cannot connect to the module.
Possible Cause The initial configuration is incorrect or not configured.
Recommended Action Perform a show module command and check that the status is OK.
Symptom When a reset command is entered from the supervisor CLI, the system always boots into the maintenance image.
Possible Cause If the boot device is configured in the supervisor as cf:1, when you enter a reset module command the system always boots to the maintenance image.
Recommended Action Override the configured boot device in the supervisor engine by entering the boot string during reset. In Cisco IOS software, to boot to the application image, enter the hw-module mod 9 reset cf:4 (or cf:5) command.
Symptom You are unable to log into the maintenance image with the same password for the module application image.
Possible Cause The module application image and the maintenance image have different password databases. Any password change performed in the module application image does not change the maintenance image passwords and vice versa.
Recommended Action Use the maintenance image password.
Symptom You lost your password for the maintenance image and want to recover it.
Possible Cause The maintenance image does not support resetting passwords from the switch. Upgrading the maintenance image retains the password for root and guest across the upgrades.
Recommended Action Refer to "Changing and Recovering Passwords" section.
Firewall Services Module and PIX Commands
This section describes additions, changes, and differences between the Firewall Services Module and the PIX application commands.
The tables in this appendix describe the following commands:
•
•
•
These commands are described in Command Reference
•
•
•
For detailed information about the PIX software commands, refer to the PIX documentation listed in the "Related Documentation" section.
The module also supports CLI commands for the supervisor engine, which are described in more detail in the Catalyst 6500 Series Command Reference.
Table 13 PIX Commands Changed for the Firewall Services Module
aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
[no] aaa authentication [supervisor | enable | telnet | ssh | http] console group_taginterface hardware_id [hardware_speed] [shutdown]
show interfacenameif hardware_id ifname security_level
New syntax is nameif vlan_id if_name security_level. Refer tonameif vlan_number if_name security_level in the "Command Reference" section.
route if_module ip_address netmask gateway_ip [metric]
Table 15 lists the PIX commands used by the module and their PIX version. Commands that were changed from PIX for the module are described in Command Reference For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
Command Reference
This appendix describes the Firewall Services Module commands that are unique to this module and the commands that have been changed from the PIX command implementation for use with the Firewall Services Module.
For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
access-list
Use the access-list command to configure access rules. Use the no form of this command to remove access rules from the configuration.
Note
Note
access-list acl_ID deny | permit { protocol | object-group protocol_obj_grp_id }
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id } { [ operator port [ port ] | object-group service_obj_grp_id ] } {host destination_addr | remote_addr | destination_addr | remote _addr destination_mask | remote_mask | object-group network_obj_grp_id { [ operator port [ port ] | object-group service_obj_grp_id ] }no access-list acl_ID deny | permit { protocol | object-group protocol_obj_grp_id }
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id } { [ operator port [ port ] | object-group service_obj_grp_id ] } {host destination_addr | remote_addr | destination_addr | remote _addr destination_mask | remote_mask | object-group network_obj_grp_id { [ operator port [ port ] | object-group service_obj_grp_id ] }access-list acl_ID deny | permit icmp { host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id }{ host destination_addr |
Guest
