Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3
Index

Symbols

/bits subnet masks     D-3

A

AAA

accounting     12-27

authentication

CLI     12-8

enable     12-8

network access     12-20

authorization

command     12-10

downloadable ACLs     12-25

network access     12-23

clearing settings     17-9

local database support     12-4

maximum rules     A-5

overview     12-1

performance     12-2

server

adding     12-6

types     12-4

abbreviating commands     C-2

abbreviations     E-1

access control entries

See ACEs

access control lists

See ACLs

accounting     12-27

ACEs

expanded     10-7

logging     10-26

maximum     10-7

order     10-6

ACL memory partitions     5-17

ACLs

comments     10-25

commitment     10-6

compilation     10-6

downloadable     12-25

EtherType     10-16

expanded     10-7

guidelines     10-6

inbound     10-10

inserting lines     10-25

IP address guidelines     10-7

logging     10-26

manual commit     10-24

maximum rules     10-7

memory     10-7

NAT addresses     10-7

network access     10-13

object groups     10-18 to 10-24

order of ACEs     10-6

OSPF, route map     10-17

outbound     10-10

policy NAT     10-4

pools     A-5

remarks     10-25

standard     10-17

acronyms     E-1

activation key     5-10

Active Directory     13-11

active state, failover     15-2

adaptive security algorithm     1-5

address range, subnets     D-4

admin context

changing     5-22

overview     5-1

alternate address, ICMP message     D-9

Apple QuickTime     13-15

application inspection

See inspection engines

application partition passwords, clearing     17-9

ARP inspection

enabling     7-4

overview     7-3

static entry     7-4

ARP spoofing     7-3

ARP test, failover     15-14

ASA     1-5

attacks, protection from     1-6

audience profile     xvii

authentication

CLI     12-8

enable     12-8

FTP     12-21

HTTP     12-21

HTTPS     12-22

network access     12-20

overview     12-2

Telnet     12-21

timeout     12-2

web clients     12-22

authorization

CLI     12-10

command     12-10

network access     12-23

overview     12-2

B

backing up configuration     16-5

bandwidth

limiting     5-12

maximum     A-1

banners     6-5

BGP     10-3

bits subnet masks     D-3

booting

from the module     17-8

from the switch     2-13

boot partitions     2-13

BPDUs

ACL, EtherType     10-17

forwarding on the switch     2-12

bridge entry timeout     7-2

bridge table

See MAC address table

Broadcast Ping test     15-14

buffering URL replies     14-3

bypassing the firewall     2-7

C

caching URLs     14-4

capturing packets     17-10

Catalyst 6500

See switch

Catalyst OS versions     1-2

CEF     A-1

changing between contexts     5-22

Cisco 7600

See switch

Cisco CallManager     13-18

Cisco Firewall MC     1-4

Cisco IOS versions     1-2

Cisco IP/TV     13-15

Cisco IP Phones

inspection engine     13-18

with DHCP     8-20

Cisco PDM     1-4

Cisco VPN Client     11-7

Class A, B, and C addresses     D-1

classes

See resource management

classifier     5-2

CLI

abbreviating commands     C-2

adding comments     C-4

authentication     12-8

authorization     12-10

command line editing     C-3

command output paging     C-4

displaying     C-4

help     C-6

paging     C-4

privilege levels     12-11

syntax formatting     C-2

command authorization

local user database     12-10

TACACS+     12-13

command-line interface

See CLI

command privilege levels     12-11

command prompts     C-1

comments

ACLs     10-25

configuration     C-4

Compact Flash     2-13

configuration

backing up     16-5

clearing     3-4

comments     C-4

context files     5-2

downloading     16-5

examples     B-1

failover     15-10

minimum     xxiii

saving     3-3

switch     2-1

text file     3-4

URL for a context     5-20

viewing     3-3

configuration mode

accessing     3-2

prompt     C-2

connection limits     6-10

console

authentication     12-8

port     3-1

contexts

See security contexts

control plane path     1-5

conventions     xix

conversion error, ICMP message     D-9

crash dump     17-11

D

data flow

routed firewall     4-3

transparent firewall     4-12

debug messages     17-10

default class     5-13

default route     8-2

denial of service attacks, protection     1-6

deny flows, logging     10-28

DHCP

relay     8-21

server

Cisco IP Phones     8-20

configuring     8-19

overview     8-19

transparent firewall     10-3

DMZ, definition     1-1

DNS

inspection engine     13-6

NAT effect on     9-13

protection from attacks     1-6

DNS Guard     1-6

domain name     6-5

dotted decimal subnet masks     D-3

downloadable ACLs     12-25

dynamic NAT

See NAT

E

echo reply, ICMP message     D-9

editing command lines     C-3

EIGRP     10-3

embryonic limit

routed firewall     9-24

transparent firewall     6-11

enable

accessing     3-2

authentication     12-8

password

changing     6-2

default     6-2

established command

maximum rules     A-5

security level requirements     6-7

EtherChannel

backplane

load-balancing     2-11

overview     2-11

failover     2-12, 15-5

EtherType

ACL     10-16

assigned numbers     10-17

examples     B-1

extended ACL     10-13

F

failover

actions     15-12

active state     15-2

bandwidth     2-12, 15-5

configuration file

Flash memory     15-11

replication     15-10

running memory     15-11

terminal messages     15-11

configuring     15-15

contexts     15-2

debugging     15-24

disabling     15-23

disabling configuration synchronization     15-12

display     15-19

EtherChannel     2-12, 15-5

examples     15-27

FAQs     15-24

forcing     15-23

gratuitous ARPs     15-2

inter-chassis     15-4

interface monitoring     15-14

interface policy     15-16

interface tests     15-14

intra-chassis     15-4

IP addresses     15-2

link communications     15-3

MAC addresses     15-10

module health     15-13

monitoring     15-13

network tests     15-14

primary unit     15-10

secondary unit     15-10

standby state     15-2

stateful failover

overview     15-2

state information     15-3

state link     15-3

statistics     15-21

switch configuration     2-11

system messages     15-24

testing     15-22

threshold     15-16

transparent firewall     15-9

triggers     15-12

trunk     2-12, 15-4

verifying     15-19

VLANs     15-3

fast path     1-5

features     1-3

filtering

adding a server     14-2

buffering replies     14-3

caching URLs     14-4

FTP     14-6

HTTP     14-5

HTTPS     14-6

long URL maximum     14-4

maximum rules     A-5

overview     14-1

security level requirements     6-6

servers supported     14-1

show command output     C-3

statistics     14-6

Firewall MC     1-4

firewall mode, setting     4-16

fixups

See inspection engines

Flash memory

overview     2-13

partitions     2-13

size     A-1

Flood Defender     1-7

Flood Guard     1-6

Frag Guard     1-6

fragment size     1-6

FTP

authentication     12-21

filtering     14-6

inspection engine     13-6

G

global addresses

recommendations     9-12

specifying     9-25

gratuitous ARPs, failover     15-2

guest user, maintenance partition     6-2

H

H.225, connection status     13-8

H.323

inspection engine     13-7

Skinny     13-18

version     13-7

help, command line     C-6

host name     6-4

hosts, subnet masks for     D-3

HSRP     4-9

HTTP

authentication     12-8

concurrent connections     11-4

filtering     14-5

inspection engine     13-10

long URL maximum     14-4

maximum rules     A-5

HTTPS

filtering     14-6

management connection     11-4

maximum connections     A-3

RSA key     11-4

I

ICMP

ACL     10-15

denied access     1-6

error inspection engine     13-11

inspection engine     13-10

management access     11-10

maximum rules     A-5

object group     10-21

testing connectivity     17-4

type numbers     D-9

IKE     11-5

ILS inspection engine     13-11

inbound ACLs     10-10

information reply, ICMP message     D-9

information request, ICMP message     D-9

inside, definition     1-1

inspection engines

configuring     13-4

DNS     13-6

FTP     13-6

H.323     13-7

HTTP     13-10

ICMP     13-10

ICMP error     13-11

ILS     13-11

LDAP     13-11

limitations     13-2

MGCP     13-12

NAT and PAT support     13-2

NetBIOS     13-14

OraServ     13-14

overview     13-1

RealAudio     13-14

RSH     13-15

RTSP     13-15

SCCP     13-18

security level requirements     6-6

SIP     13-16

Skinny     13-18

SMTP     13-19

SQL*Net     13-20

standards     13-2

static PAT     9-6

Sun RPC     13-21

TFTP     13-21

XDMCP     13-22

installation

module verification     2-2

software to any partition     16-3

software to current partition     16-2

interfaces

enabled status     6-7

failover monitoring     15-14

failover policy     15-16

global addresses     9-25

maximum     A-2

naming     6-8

overview     1-8

security level

overview     6-6

setting     6-8

shared     5-5

standby address     15-17

turning off and on     6-10

IOS versions     1-2

IP addresses

classes     D-1

configuring     8-2

management, transparent firewall     8-2

overlapping between contexts     5-3

private     D-2

standby     15-17

subnet mask     D-4

VPN client     11-8

IPSec

basic settings     11-5

client     11-7

management access     11-5

transforms     11-6

IP spoofing, protection from     1-7

IPX     2-7

ISAKMP     11-5

L

Layer 2 firewall

See transparent firewall

Layer 2 forwarding table

See MAC address table

LDAP inspection engine     13-11

level

See security level

link up/down test     15-14

load-balancing, backplane EtherChannel     2-11

local user database

adding a user     12-6

command authorization     12-10

logging in     12-9

support     12-4

lockout, recovering     12-19

logging

ACLs     10-26

system messages     17-1

login

FTP     12-21

local user     12-9

session     3-2

SSH     3-2

Telnet     3-2

viewing the user     12-18

login banners     6-5

login command     12-9

login password

changing     6-2

default     6-2

M

MAC addresses, failover     15-10

MAC address table

entry timeout     7-2

MAC learning, disabling     7-2

overview     4-12

resource management     5-15

static entry     7-2

MAC learning, disabling     7-2

Mail Guard     1-6, 13-19

maintenance partition

guest user     6-2

installing application software     16-3

password

changing     6-2

clearing     17-10

default     6-2

root user     6-2

software installation     16-5

management access authentication     12-8

management IP address, transparent firewall     8-2

management support     1-4

man-in-the-middle attack     7-3

manual commit     10-24

mapped interface name     5-20

mask reply, ICMP message     D-9

mask request, ICMP message     D-9

maximum connections     9-24

memory

ACLs     10-7

Flash     A-1

RAM     A-1

rules     10-7

message-of-the-day banner     6-5

MGCP inspection engine     13-12

MIBs     17-2

Microsoft Exchange     13-19

minimum configuration     xxiii

mobile redirection, ICMP message     D-9

mode

context     5-11

firewall     4-16

monitoring

failover     15-13

OSPF     8-16

resource management     5-26

security contexts     5-24

SNMP     17-2

More prompt     C-4

MPLS

LDP     10-16

router-id     10-16

TDP     10-16

MSFC

definition     1-2

overview     1-10

SVIs     2-7

multicast traffic     4-9

Multilayer Switch Feature Card

See MSFC

multiple mode, enabling     5-11

multiple SVIs     2-6

N

N2H2 Sentian filtering server     14-1

naming an interface     6-8

NAT

bypassing NAT

configuration     9-29

overview     9-7

DNS     9-13

dynamic NAT

configuring     9-23

implementation     9-17

overview     9-3

embryonic limit     9-24

examples     9-32

exemption from NAT

configuration     9-31

overview     9-7

identity NAT

configuration     9-29

overview     9-7

inspection engine support     13-2

maximum connections     9-24

NAT ID     9-17

order of statements     9-12

outside NAT     9-10

overlapping addresses     9-33

overview     9-1, 9-2

PAT

configuring     9-23

implementation     9-17

overview     9-4

policy NAT

maximum rules     A-5

overview     9-8

port redirection     9-34

same security level     9-11

security level requirements     6-6

static NAT

configuring     9-26

overview     9-5

static PAT

configuring     9-27

overview     9-5

transparent firewall     4-11

types     9-3

NetBIOS inspection engine     13-14

NetMeeting     13-11

Network Activity test     15-14

Network Address Translation

See NAT

network processors     1-5

NPs     1-5

O

object groups

adding

ICMP     10-21

network     10-20

protocol     10-19

service     10-20

displaying     10-24

expanded     10-7

nesting     10-22

overview     10-18

removing     10-24

operating system     1-9

OraServ inspection engine     13-14

OSPF

ACL for route map     10-17

area authentication     8-11

area MD5 authentication     8-11

area parameters     8-11

authentication key     8-9

cost     8-9

dead interval     8-9

default route     8-14

displaying update packet pacing     8-16

enabling     8-5

hello interval     8-9

interface parameters     8-9

link-state advertisement     8-5

logging neighbor states     8-15

MD5 authentication     8-10

monitoring     8-16

NSSA     8-12

overview     8-4

packet pacing     8-16

processes     8-5

redistributing routes     8-6

route calculation timers     8-15

route map     8-6

route summarization     8-13

stub area     8-12

summary route cost     8-12

outbound ACLs     10-10

outside, definition     1-1

outside NAT     9-10

oversubscribing resources     5-12

P

packet capture     17-10

packet classifier     5-2

packet flow

routed firewall     4-3

transparent firewall     4-12

paging screen displays     C-4

parameter problem, ICMP message     D-9

partitions

application     2-13

boot     2-13

crash dump     2-13

Flash memory     2-13

maintenance     2-13

network configuration     2-13

passwords

clearing

application     17-9

maintenance     17-10

enable

changing     6-2

default     6-2

login

changing     6-2

default     6-2

maintenance partition

changing     6-2

default     6-2

troubleshooting     17-9

PAT

See NAT

PDM

allowing connections     11-4

installation     16-2

maximum connections     A-3

version     1-4

ping

See ICMP

PIX

implicit permit     1-8

operating system     1-9

security levels     6-7

policy NAT

ACLs     10-4

dynamic, configuring     9-23

inspection engines     9-6

maximum rules     A-5

overview     9-8

static, configuring     9-26

static PAT, configuring     9-28

pools

address

DHCP     8-19

global NAT     9-25

addresses

VPN     11-8

context rules     A-5

port redirection, NAT     9-34

primary module, failover

setting     15-16

primary unit, failover

overview     15-10

private networks     D-2

privileged mode

accessing     3-2

authentication     12-8

prompt     C-2

privilege levels, for commands     12-11

prompts

command     C-1

more     C-4

protocol numbers and literal values     D-5

Q

quick start     xxiii

R

RADIUS

adding a server     12-6

CLI authentication     12-8

downloadable ACLs     12-25

enable command authentication     12-9

network access authentication     12-21

network access authorization     12-25

support     12-4

RealAudio

inspection engine     13-14

RTSP     13-15

RealNetworks     13-15

RealPlayer     13-15

rebooting

from the module     17-8

from the switch     2-13

redirect, ICMP message     D-9

redundancy

See failover

reloading

context     5-24

module     17-8

remarks     10-25

requirements     1-2

resetting

from the module     17-8

from the switch     2-13

resource management

assigning a context     5-21

configuring     5-14

default class     5-13

monitoring     5-26

oversubscribing     5-12

overview     5-12

resource types     5-15

unlimited     5-13

reverse route lookup

See Unicast RPF

RIP

default route updates     8-18

enabling     8-18

overview     8-18

passive     8-18

root user, maintenance partition     6-2

routed firewall mode, setting     4-16

route map ACL     10-17

router advertisement, ICMP message     D-9

router solicitation, ICMP message     D-9

routing

default route     8-2

OSPF     8-4 to 8-17

other protocols     10-3

RIP     8-18 to 8-19

static     8-3

RSA key     11-3, 11-4

RSH, inspection engine     13-15

RTSP, inspection engine     13-15

RTSP restrictions     13-15

rules

manually committing     10-24

maximum     10-7

pools for contexts     A-5

S

same security level communication

embryonic connections     6-10

enabling     6-8

maximum connections     6-10

NAT     9-11

SCCP

fragmented packets     13-19

H.323     13-18

inspection engine     13-18

secondary unit, failover     15-10

security contexts

adding     5-19

admin context

changing     5-22

overview     5-1

assigning to a resource class     5-21

changing between     5-22

classifier     5-2

configuration

files     5-2

URL, changing     5-23

URL, setting     5-20

IP address overlap     5-3

logging in     5-9

mapped interface name     5-20

monitoring     5-24

multiple mode, enabling     5-11

name guidelines     5-19

nesting or cascading     5-9

overview     5-1

prompt     C-1

reloading     5-24

removing     5-22

resource management     5-12

VLAN allocation     5-20

security level

allowing communication between the same level     6-8

overview     6-6

PIX comparison     6-7

same security     6-8

setting     6-8

security policy     1-8

Sentian filtering server     14-1

serial number     5-10

server

AAA     12-6

filtering     14-2

sessioning from the switch     3-1

session management path     1-5

shared VLANs     5-5

show command, filtering output     C-3

shutting down an interface     6-10

Simple Network Management Protocol

See SNMP

single mode

backing up configuration     5-10

configuration     5-11

enabling     5-11

restoring     5-11

SIP inspection engine     13-16

SiteServer     13-11

site-to-site tunnel     11-9

Skinny

fragmented packets     13-19

H.323     13-18

inspection engine     13-18

SMTP

inspection engine     13-19

protection from attacks     1-6

SNMP

MIBs     17-2

overview     17-2

traps     17-2

software installation

any partition     16-3

current partition     16-2

maintenance     16-5

source quench, ICMP message     D-9

SPAN session     2-1

specifications     A-1

SQL*Net inspection engine     13-20

SSH

authentication     12-8

concurrent connections     11-2

login     11-4

management access     11-2

maximum rules     A-5

RSA key     11-3

username     11-4

version     11-2

standard ACL     10-17

standby state, failover     15-2

startup configuration     5-2

stateful failover

See failover

stateful inspection     1-5

state information     15-3

state link     15-3

static ARP entry     7-4

static bridge entry     7-2

static NAT

See NAT

static PAT

See NAT

static routes     8-3

stealth firewall

See transparent firewall

subcommand mode prompt     C-2

subnet masks

/bits     D-3

address range     D-4

dotted decimal     D-3

number of hosts     D-3

overview     D-2

Sun RPC, inspection engine     13-21

supervisor engine versions     1-2

supervisor IOS     1-2

SVIs

configuring     2-8

multiple     2-6

overview     2-6

switch

adding VLANs     2-3

assigning VLANs to module     2-2

assigning VLANs to ports     2-3

BPDU forwarding     2-12

configuration     2-1

failover compatibility with transparent firewall     2-12

failover configuration     2-11

maximum modules     A-1

resetting the module     2-13

sessioning to the module     3-1

system requirements     1-2

trunk for failover     2-12

verifying module installation     2-2

switched virtual interfaces

See SVIs

Switch Fabric Module     A-1

SYN cookies     1-7, 5-29

SYN packet attack protection     1-7

syntax formatting     C-2

system configuration

network settings     5-2

overview     5-1

system requirements     1-2

T

TACACS+

adding a server     12-6

command authorization     12-13

network access authorization     12-24

support     12-4

TCP intercept     5-29

overview     1-7

security level requirements     6-6

TCP ports and literal values     D-5

TCP sequence number randomization

disabling

routed mode     9-23

same security level     6-11

transparent firewall     6-11

security level requirements     6-7

Telnet

authentication     12-8

concurrent connections     11-1

management access     11-1

maximum rules     A-5

test     15-14

testing configuration     17-4

TFTP inspection engine     13-21

time exceeded, ICMP message     D-9

timestamp reply, ICMP message     D-9

timestamp request, ICMP message     D-9

traffic flow

routed firewall     4-3

transparent firewall     4-12

transparent firewall

ARP inspection

enabling     7-4

overview     7-3

static entry     7-4

data flow     4-12

DHCP packets, allowing     10-3

embryonic limit     6-11

EtherType ACL     10-16

examples     B-15

failover     15-9

guidelines     4-11

HSRP     4-9

MAC address timeout     7-2

MAC learning, disabling     7-2

management IP address     8-2

maximum connections     6-11

mode, setting     4-16

multicast traffic     4-9

NAT     4-11

overview     4-9

packet handling     10-3

static bridge entry     7-2

TCP sequence number randomization, disabling     6-11

VLANs     4-9

VRRP     4-9

traps, SNMP     17-2

trunk, failover     2-12, 15-4

U

UDP

connection state information     1-5

ports and literal values     D-5

Unicast Reverse Path Forwarding     1-7

Unicast RPF     1-7

unprivileged mode

accessing     3-2

password     6-2

prompt     C-1

unreachable, ICMP message     D-9

URL

context configuration, changing     5-23

context configuration, setting     5-20

filtering     14-1

user, logged in     12-18

V

virtual firewalls

See security contexts

Virtual Re-assembly     1-6

VLANs

adding to switch     2-3

allocating to a context     5-20

assigning to FWSM     2-2

assigning to switch ports     2-3

failover interface     15-3

interfaces     2-2

mapped interface name     5-20

maximum     A-2

overview     1-8

shared     5-5

VoIP

gateways and gatekeepers     13-7

H.323     13-7

MGCP     13-12

SCCP     13-18

Skinny     13-18

VPN

basic settings     11-5

client tunnel     11-7

management access     11-5

site-to-site tunnel     11-9

transforms     11-6

VRRP     4-9

W

WAN ports     1-2

Websense Enterprise filtering server     14-1

X

XDMCP, inspection engine     13-22