Virtual Firewall Commands on Cisco IOS XR Software
The Cisco IOS XR Virtual Firewall (VFW) application runs on the Cisco XR 12000 Multi-Service Blade (MSB). A dual-core CPU on the MSB runs the Cisco IOS XR software (standard edge engine code and firewall code) on core 1 and SanOS (Linux) with the Virtual Firewall application code on core 0.
This module describes the Cisco IOS XR software commands used to configure and integrate a VFW. The Cisco IOS XR software configuration sets up the interaction between the firewall and the router. Each VFW (or firewall context) is configured in the VFW application using SanOS on core 0. The VFW application commands are described in subsequent modules.
For detailed information about VFW concepts, configuration tasks, and examples, see Cisco IOS XR Virtual Firewall Configuration Guide. For information regarding the Cisco IOS XR software, see Cisco IOS XR Getting Started Guide.
default-interface-name
To configure the default interface that represents any unprotected interface in the router, use the default-interface-name command in firewall configuration mode. To remove the default interface configuration, use the no form of this command.
default-interface-name vfw-interface-name
no default-interface-name
Syntax Description
vfw-interface-name | Name of the default interface that represents any unprotected interface in the router.
Defaults
No default behavior or values
Command Modes
Firewall configuration
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
To remove the service location from a configuration, you must first remove the default interface name.
The vfw-interface-name argument must match the interface name that is configured on the VFW application. Refer to the Cisco IOS XR Virtual Firewall Configuration Guide for additional information.
Task ID
Examples
The following example shows how to create a firewall named "fw1" in Cisco IOS XR software and specify a default interface named "outside."
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside
Related Commands
failure-action | Configures the action to take if a failure or misconfiguration occurs.
firewall | Configures a virtual firewall in Cisco IOS XR software.
firewall (interface) | Configures the firewall attachment.
service-location | Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.
failure-action
To configure the action to take if a failure or misconfiguration occurs, use the failure-action command in firewall configuration mode. To revert to the default failure action, use the no form of this command.
failure-action {drop | pass | shutdown}
no failure-action
Syntax Description
drop | Drops all packets destined for the firewall.
pass | Bypasses the firewall.
shutdown | Shuts down the attached interface.
Defaults
The default is drop.
Command Modes
Firewall configuration
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the failure-action command to override the default failure policy. If there is a problem with the firewall attachment, the default (drop) behavior drops all packets that would otherwise be diverted to the firewall: all IPv4 unicast and broadcast packets are dropped, while multicast packets and packets that are not IPv4 are processed normally.
•Use the pass keyword to specify that if a firewall attachment has a problem, all packets are to pass through without firewall protection.
•Use the shutdown keyword to specify that if a firewall attachment has a problem, the interface is shut down. All hello or keepalive packets are dropped, and the interface is not used (if possible).
Task ID
Examples
The following example shows how to create a firewall named "fw1" in Cisco IOS XR software and configure the failure action to be "shutdown."
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# failure-action shutdown
Related Commands
default-interface-name | Configures the default interface that represents any unprotected interface in the router.
firewall | Configures a virtual firewall in Cisco IOS XR software.
firewall (interface) | Configures the firewall attachment.
service-location | Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.
firewall
To configure a virtual firewall in Cisco IOS XR software, use the firewall command in global configuration mode. To remove the virtual firewall configuration, use the no form of this command.
firewall context-name
no firewall context-name
Syntax Description
context-name | Name of the virtual firewall.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A virtual firewall is tied to a physical location on the MSB using the service-location command. To remove the service location from a configuration, you must first remove the default interface name. Removing the service location also removes the firewall configuration.
The context-name argument must match the firewall context name that is configured on the VFW application. Refer to the Cisco IOS XR Virtual Firewall Configuration Guide for additional information.
Task ID
Examples
The following example shows how to create a firewall named "fw1" in Cisco IOS XR software:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside
RP/0/0/CPU0:router(config-firewall)# failure-action shutdown
Related Commands
default-interface-name | Configures the default interface that represents any unprotected interface in the router.
failure-action | Configures the action to take if a failure or misconfiguration occurs.
firewall (interface) | Configures the firewall attachment.
service-location | Configures a physical interface on the Multi-Service Blade (MSB) to be associated with a virtual firewall or virtual VASI interface.
firewall (interface)
To attach a virtual firewall to one of the router interfaces, use the firewall command in interface configuration mode.
firewall context-name firewall-interface vfw-interface-name
Syntax Description
context-name | Specifies the name of the firewall.
firewall-interface vfw-interface-name | Specifies the name of the firewall interface on the VFW application.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The interface firewall configuration is rejected if the interface type does not support firewall attachments, and the following error is returned:
!!% Firewall Attachments not supported on this interface type
The supported interface types are:
•Ethernet main interfaces and subinterfaces
•Packet over SONET/SDH (POS) and channelized POS main interfaces and subinterfaces
•ATM main interfaces and subinterfaces
•VRF-Aware Service Infrastructure (VASI) interfaces
The context-name argument and the vfw-interface-name argument (attachment ID) pair must be unique on each interface where the attachment configuration is applied. If two or more interfaces have an attachment configuration applied with the same context-name and vfw-interface-name pair, the configuration is accepted but both attachments are forced down and the following error message occurs:
LC/0/2/CPU0:Feb 22 17:34:29.251 : rspp_ma[234]: %RSPP_MA-4-DUP_CREATE : Attachment of
service ctx1 of type Firewall to interface POS0/2/0/0 with attachment ID inside1 invalid
due to duplicate attachment to interface POS0/2/0/3. Both attachments will be
invalidated.
The context-name argument and the vfw-interface-name argument must both match the firewall context and interface names that are configured in the VFW application. Refer to Cisco IOS XR Virtual Firewall Configuration Guide for additional information.
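As an added example (not part of the Cisco documentation), the following Python script detects the RSPP_MA-4-DUP_CREATE message described above in collected syslog and also checks a planned set of interface attachments for a repeated context-name/vfw-interface-name pair before it is committed. The log lines are constructed samples, and the parser assumes each syslog message is stored on a single line.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines in the format shown on this page; the third
# line is an unrelated message to show that it is ignored.
SAMPLE_LOG = """\
LC/0/2/CPU0:Feb 22 17:34:29.251 : rspp_ma[234]: %RSPP_MA-4-DUP_CREATE : Attachment of service ctx1 of type Firewall to interface POS0/2/0/0 with attachment ID inside1 invalid due to duplicate attachment to interface POS0/2/0/3. Both attachments will be invalidated.
LC/0/2/CPU0:Feb 22 17:35:02.004 : rspp_ma[234]: %RSPP_MA-4-DUP_CREATE : Attachment of service ctx1 of type Firewall to interface POS0/2/0/3 with attachment ID inside1 invalid due to duplicate attachment to interface POS0/2/0/0. Both attachments will be invalidated.
RP/0/RP0/CPU0:Feb 22 17:36:10.118 : config[65700]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'.
"""

DUP_RE = re.compile(
    r"%RSPP_MA-4-DUP_CREATE : Attachment of service (?P<ctx>\S+) of type Firewall "
    r"to interface (?P<intf>\S+) with attachment ID (?P<att>\S+) invalid "
    r"due to duplicate attachment to interface (?P<dup>\S+)\."
)


@dataclass(frozen=True)
class DuplicateAttachment:
    context: str
    attachment_id: str
    interfaces: frozenset  # the two interfaces sharing the (context, ID) pair


def parse_duplicates(log_text):
    """Return the set of distinct (context, attachment ID) collisions.

    Both affected interfaces log the same event, so the interface pair is
    treated as unordered to report each collision once."""
    found = set()
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if not m:
            continue
        found.add(DuplicateAttachment(
            context=m.group("ctx"),
            attachment_id=m.group("att"),
            interfaces=frozenset({m.group("intf"), m.group("dup")}),
        ))
    return found


def find_conflicts(attachments):
    """Pre-commit check. attachments is an iterable of
    (interface, context-name, vfw-interface-name) tuples as they would appear in
    'interface X' / 'firewall <context-name> firewall-interface <vfw-interface-name>'.
    Returns {(context, vfw-interface): [interfaces]} for every pair used on
    more than one interface, which is exactly what the router would force down."""
    by_pair = {}
    for intf, ctx, vfw_if in attachments:
        by_pair.setdefault((ctx, vfw_if), []).append(intf)
    return {pair: intfs for pair, intfs in by_pair.items() if len(intfs) > 1}
```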
Task ID
Examples
The following sample configuration associates interface "inside1" of firewall context "ctx1" with the router physical interface on POS0/2/0/0:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface POS0/2/0/0
RP/0/0/CPU0:router(config-if)# firewall ctx1 firewall-interface inside1
Related Commands
interface FirewallManagement
To provide remote access to manage the virtual firewall contexts, use the interface FirewallManagement command in global configuration mode. To remove the firewall management interface (FMI), use the no form of this command.
interface FirewallManagement number firewall context-name follow-active
no interface FirewallManagement number
Syntax Description
number | Number of the FMI. Range is 1 to 65535.
context-name | Particular firewall instance on the MSB core.
follow-active | Attaches the interface to the active instance of the firewall.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 3.5.0 | This command was introduced on the MSB for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The interface FirewallManagement command provides a remote management tool for the virtual firewall contexts. The firewall keyword associates the FMI with a particular firewall context on the VFW application. Any additional interface configuration items must follow, such as defining the VRF or the IP address for the interface. The IP connectivity does not work unless the FMI on the VFW application is configured with an IP address on the same network.
The context-name argument must match the firewall context name that is configured in the VFW application. Refer to the Configuring Virtual Firewalls on the Multi-Service Blade module in Cisco IOS XR Virtual Firewall Configuration Guide for additional information.
Task ID
Examples
The following example shows how to configure FirewallManagement1 as an active virtual firewall interface, including its IP address, and to associate it with the active instance of the firewall on the VFW application:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface FirewallManagement1
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.1.3 255.255.255.0
RP/0/0/CPU0:router(config-if)# firewall fw1 follow-active
Related Commands
service firewall attach location
To attach to the VFW application, use the service firewall attach location command in EXEC mode.
service firewall attach location node-id
Syntax Description
node-id | Specifies the location where you want to attach. The node-id argument is entered in the rack/slot/module notation.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You must be attached to the VFW application to configure a firewall context.
The service firewall attach location command attaches from the MSB to the VFW application. After you use the command, use admin as the username/password combination to get a prompt in the VFW application. Refer to the Configuring Virtual Firewalls on the Multi-Service Blade module in the Cisco IOS XR Virtual Firewall Configuration Guide to see an example of configuring a firewall in the VFW application.
Task ID
Examples
The following example shows how to attach to the VFW application:
RP/0/0/CPU0:router# service firewall attach location 0/3/CPU0
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Related Commands
show services firewall attachments
To display any firewall attachments that have been made, including attachments that are in the failed state (and the reason for the failure), use the show services firewall attachments command in EXEC mode.
show services firewall attachments [interface interface-name | summary]
Syntax Description
interface | (Optional) Displays the firewall attachments for a specific interface.
interface-name | (Optional) Name of the interface.
summary | (Optional) Provides summary information about the firewall attachments.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the command keywords to modify or limit the information that is displayed for firewall instances. Refer to the notes in the examples within this section.
Task ID
Examples
The following example displays sample output from the show services firewall attachments command:
RP/0/0/CPU0:router# show services firewall attachments
3 firewall attachment(s) configured
! Firewall Interface: inside1
! Info: Duplicate attachment exists
! Firewall Interface: inside1
! Info: Duplicate attachment exists
Firewall Interface: Follow-active
State: Diverting to 0/3/CPU0
Note The output is sorted by the interface handle. The Firewall Name and FW Interface Name fields are truncated to 24 characters.
Related Commands
show services firewall interfaces
To verify if a firewall context exists between the Cisco IOS XR configuration and the VFW application, use the show services firewall interfaces command in EXEC mode.
show services firewall interfaces [context-name] [summary | detail | unoperational] [location node-id]
Syntax Description
context-name | (Optional) Name of the firewall context.
summary | (Optional) Provides a summary of all the firewall instances.
detail | (Optional) Provides detailed information about each firewall instance.
unoperational | (Optional) Provides information about any unoperational firewall instances.
location node-id | (Optional) Specifies the location of the firewall. The node-id argument is entered in the rack/slot/module notation.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0 | This command was introduced on the Multi-Service Blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the command keywords to modify or limit the information that is displayed for firewall instances. Refer to the notes in the examples within this section.
Task ID
firewall | read
interface | read
sbc | read
Examples
The following example displays sample output from the show services firewall interfaces command when the summary option is used:
RP/0/0/CPU0:router# show services firewall interfaces summary
Status codes: > Firewall operating correctly
! Interface not configured in MSB core
- No attachment configured
D Default interface (overriding attachment configuration)
Firewall name Location (State)
St Interface name Attached to
-- ----------------------------- -------------------------
> dmz GigabitEthernet 0/1/0/0
m> <Management: follow-active> FirewallManagement 3
m> <Management: follow-standby> FirewallManagement 4
> dmz GigabitEthernet 0/1/0/0
m> <Management: follow-active> FirewallManagement 3
m> <Management: follow-standby> FirewallManagement 4
firewall_A 0/3/CPU0 (Active)
m> <Management: follow-active> FirewallManagement 23
firewall_B 0/0/CPU0 (Active)
> customer GigabitEthernet 0/1/0/1
m- <Management: follow-active>
Note The output is sorted by the firewall name (in MIB-lexicographic order), and then by node ID. The firewall name can be specified to limit the output to a particular firewall, or the location can be given to filter the output by node—or both options can be given to restrict the output to a particular firewall instance.
The following example displays sample output from the show services firewall interfaces command without the summary option:
RP/0/0/CPU0:router# show services firewall interfaces
Firewall name                  Location  State    FW ID  Mgmet I/F  I/Fs
------------------------------ --------  -------  -----  ---------  ----
bar                            0/0/CPU0  Active   3      FwMgmt3    5
                               0/3/CPU0  Standby  6      FwMgmt4    5
fw1                            0/0/CPU0  Dormant  4      ---        0
firewall_A                     0/3/CPU0  Active   3      FwMgmt23   3
firewall_B                     0/0/CPU0  Active   5      ---        3
Note
•The management interfaces are indicated by special strings rather than by their actual names on the VFW application.
•The firewall name or location can be specified to limit the output, and the firewalls are sorted by name in MIB-lexicographic order, then by node ID. The interfaces are also sorted by name in MIB-lexicographic order within each firewall.
•If the unoperational keyword is used, only the interfaces that do not have an operational attachment or that have a configured attachment and are also configured as the "other" interface (such as the ones marked with "D" or not marked with ">") are displayed. Firewalls without unoperational interfaces are not displayed. The output can be restricted further by identifying additional firewall names or locations.
The following example displays sample output from the show services firewall interfaces command with the detail option:
RP/0/0/CPU0:router# show services firewall interfaces detail
Firewall: bar, location 0/0/CPU0 (Active):
Attached to: GigabitEthernet 0/1/0/0
Attachment is operational
Interface ID: none (not configured in MSB core)
Attachment is not operational
Interface: <Management: follow-active>
Attached to: FirewallManagement 3
Attachment is operational
Management Interface Hardware Identifiers received
Interface: <Management: follow-standby>
Attached to: FirewallManagement 4
Attachment is operational
Management Interface Hardware Identifiers received
Firewall: bar, location 0/3/CPU0 (Standby):
Attached to: GigabitEthernet 0/1/0/0
Attachment is operational
Interface ID: none (not configured in MSB core)
Attachment is not operational
Interface: <Management: follow-active>
Attached to: FirewallManagement 3
Attachment is operational
Management Interface Hardware Identifiers received
Interface: <Management: follow-standby>
Attached to: FirewallManagement 4
Attachment is operational
Management Interface Hardware Identifiers received
Firewall: fw1, location 0/0/CPU0 (Dormant)
Firewall: fw1, location 0/3/CPU0 (Dormant)
Firewall: firewall_name1, location 0/3/CPU0 (Active):
Interface ID: none (not configured in MSB core)
Attachment is not operational
Interface: an_interface_with_a_long_name
Interface: <Management: follow-active>
Attached to: FirewallManagement23
Attachment is operational
Management Interface Hardware Identifiers received
Firewall: firewall_name2, location 0/0/CPU0 (Active)
(Attachment to GigabitEthernet0/1/0/3 is not operational)
Attached to: GigabitEthernet0/1/0/1
Attachment is operational
Interface: <Management: follow-active>
Management Interface Hardware Identifiers received
Note The output is sorted by firewall name, node ID, and interface name in MIB-lexicographic order. The output can be restricted further by specifying additional firewall names or locations.
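The following Python parser is an added example and not Cisco code: it reads the detail output format shown above, using a constructed sample that follows the page's layout (an Interface: line before each attachment's status lines), and reproduces the effect of the unoperational keyword by listing every interface that lacks an operational attachment together with the reason, which is what an operator would poll to catch attachments that have silently been forced down.

```python
import re

# Constructed sample in the format of 'show services firewall interfaces detail'
# on this page; firewall and interface names are made up for the example.
SAMPLE_DETAIL = """\
Firewall: bar, location 0/0/CPU0 (Active):
  Interface: dmz
    Attached to: GigabitEthernet 0/1/0/0
    Attachment is operational
  Interface: an_interface_with_a_long_name
    Interface ID: none (not configured in MSB core)
    Attachment is not operational
  Interface: <Management: follow-active>
    Attached to: FirewallManagement 3
    Attachment is operational
    Management Interface Hardware Identifiers received
Firewall: fw1, location 0/0/CPU0 (Dormant)
Firewall: firewall_B, location 0/0/CPU0 (Active):
  Interface: customer
    Attached to: GigabitEthernet 0/1/0/1
    Attachment is operational
  Interface: backup
    (Attachment to GigabitEthernet0/1/0/3 is not operational)
  Interface: <Management: follow-active>
    Management Interface Hardware Identifiers received
"""

FW_RE = re.compile(r"^Firewall: (?P<name>[^,]+), location (?P<loc>\S+) \((?P<state>\w+)\):?$")
ATT_DOWN_RE = re.compile(r"^\(Attachment to (?P<intf>.+) is not operational\)$")


def parse_detail(text):
    """Parse the detail output into a list of firewall instances: dicts with
    name, location, state and a list of interface dicts."""
    firewalls, fw, intf = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FW_RE.match(line)
        if m:
            fw = {"name": m["name"], "location": m["loc"], "state": m["state"], "interfaces": []}
            firewalls.append(fw)
            intf = None
        elif fw is not None and line.startswith("Interface: "):
            # operational stays None until a status line is seen; that is the
            # '-' (no attachment configured) case of the summary view
            intf = {"name": line[len("Interface: "):], "attached_to": None,
                    "operational": None, "in_msb_core": True}
            fw["interfaces"].append(intf)
        elif intf is None:
            continue
        elif line.startswith("Attached to: "):
            intf["attached_to"] = line[len("Attached to: "):]
        elif line == "Attachment is operational":
            intf["operational"] = True
        elif line == "Attachment is not operational":
            intf["operational"] = False
        elif line.startswith("Interface ID: none"):
            intf["in_msb_core"] = False  # the '!' status code of the summary view
        elif ATT_DOWN_RE.match(line):
            intf["attached_to"] = ATT_DOWN_RE.match(line)["intf"]
            intf["operational"] = False
    return firewalls


def unoperational(firewalls):
    """Equivalent of the 'unoperational' keyword: one (firewall, location,
    interface, reason) tuple per interface without an operational attachment."""
    out = []
    for fw in firewalls:
        for i in fw["interfaces"]:
            if i["operational"] is True:
                continue
            if i["operational"] is None:
                reason = "no attachment configured"
            elif not i["in_msb_core"]:
                reason = "not configured in MSB core"
            else:
                reason = "attachment to %s is down" % i["attached_to"]
            out.append((fw["name"], fw["location"], i["name"], reason))
    return out
```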
Related Commands