
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Configuration Note, 1.1(1)

Table Of Contents

Catalyst 6500 Series Firewall Services Module Installation and Configuration Note

Contents

Overview

Before You Begin

Understanding How the Firewall Services Module Works

Multiple Firewall Services Module Configuration

Redundancy Failover

Feature Set

Specifications and System Limitations

Front Panel Description

STATUS LED

SHUTDOWN Button

Module Specifications

Safety Overview

Installing the Firewall Services Module

System Requirements

Memory and Storage Requirements

Software Requirements

Hardware Requirements

Required Tools

Installing and Removing the Module

Slot Assignments

Removing a Module

Installing a Module

Verifying the Installation

Using the CLI

Getting Started

Configuration Overview

Configuring the Switch Interface

Cisco IOS Software

Catalyst Operating System Software

Sessioning into the Module

Configuring the Module

Saving the Configuration

Using PDM

PDM Overview

Firewall Services Module and PDM Restrictions

Platform and Browser Requirements

Setting Up the Module for PDM

Installing or Upgrading the PDM

Starting PDM

Configuring Firewall Services

Configuring Firewall Failover

Setting up a Single-Chassis Configuration

Setting Up a Dual-Chassis Configuration

Configuring Firewall Failover

Using SNMP

MIB Support

SNMP Traps

Receiving Requests and Sending Syslog Traps

Compiling Cisco Syslog MIB Files

Using the Firewall and Memory Pool MIBs

SNMP Usage Notes

Configuring OSPF Routing Support

Enabling OSPF

Configuring OSPF Interface Parameters

Configuring OSPF Area Parameters

Configuring OSPF NSSA

Configuring Route Summarization Between OSPF Areas

Configuring Route Summarization when Redistributing Routes into OSPF

Creating Virtual Links

Generating a Default Route

Changing the OSPF Administrative Distances

Configuring Route Calculation Timers

Logging Neighbors Going Up or Down

Changing the LSA Group Pacing

Blocking OSPF LSA Flooding

Ignoring MOSPF LSA Packets

Displaying OSPF Update Packet Pacing

Area Border Router Type 3 LSA Filtering

Monitoring and Maintaining OSPF

Configuring IPSec for Management

Administering the Firewall Services Module

Administering the Software Images

Quick Software Upgrade

Image Locations

Logging into the Application Software

Logging into the Maintenance Software

Upgrading Software Images

Changing and Recovering Passwords

Changing the Application Partition Passwords

Changing the Maintenance Partition Passwords

Recovering the Application Partition Passwords

Recovering the Maintenance Partition Passwords

Resetting the Firewall Services Module

Resetting the Module with Cisco IOS Software

Resetting the Module with Catalyst Operating System Software

Troubleshooting the Firewall Services Module

Firewall Services Module and PIX Commands

Command Reference

access-list

access-list (ospf)

area

clear console-output

clear logging rate-limit

default-information originate

distance

firewall module

firewall vlan-group

interface

ip prefix-list

logging rate-limit

match

nameif

network

ospf

redistribute

route

router ospf

route-map

set metric

set metric-type

show console-output

show crashdump

show firewall module

show firewall vlan-group

show interface

show ip ospf

show logging rate-limit

show vlan

summary-address

timers lsa-group-pacing

timers spf

upgrade-mp

System Messages

System Log Messages

System Message Log Differences

Failover Messages

Connection Messages

FTP and URL

HTTP

ICMP

Routing Messages

RSH

RTSP

SMTP

TCP

UDP

SSH

Telnet

AAA and ACL

Configuration

FWSM Management

PDM

Stateful Failover

Memory and Resource Allocation

SNMP

DHCP

VPN

Internet Protocol Routing

OSPF

Shun

Standards Compliance Specifications

FCC Class B Compliance

Related Documentation

Cisco IOS Software Documentation Set

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Catalyst 6500 Series Firewall Services Module Installation and Configuration Note


WS-SVC-FWM-1-K9

This publication describes how to install and configure the Firewall Services Module (FWSM) in the Catalyst 6500 series switches and Cisco 7600 Optical Services Router (OSR). See the "Related Documentation" section for more information about software configuration for the switch.

Throughout this publication, the Firewall Services Module (FWSM) is referred to as "the module."


Note For translations of the warnings in this publication, see the "Safety Overview" section and refer to the Regulatory Compliance and Safety Information for the Catalyst 6500 series switches.


Contents

This publication consists of these sections:

Overview

Safety Overview

Installing the Firewall Services Module

Administering the Firewall Services Module

Firewall Services Module and PIX Commands

Command Reference

System Messages

Standards Compliance Specifications

FCC Class B Compliance

Related Documentation

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Overview

This section describes the Catalyst 6500 Series Firewall Services Module, how it operates, and how to manage it. This chapter contains these sections:

Before You Begin

Understanding How the Firewall Services Module Works

Feature Set

Specifications and System Limitations

Front Panel Description

Module Specifications

Before You Begin

To help you get started using the Firewall Services Module, refer to this roadmap:


Note The Firewall Services Module uses many of the same commands as the PIX application software.
Refer to Table 10 for information on these commands.
Table 11 lists the Cisco IOS commands for the module.
Table 12 lists the new commands specific to the module. These commands are described in the Command Reference.
Table 13 lists the PIX commands that were changed for the module.
Table 14 lists the PIX commands that are not used by the module.
Table 15 lists the PIX commands used by the module and their PIX version.


Understanding How the Firewall Services Module Works

Firewalls protect an internal (inside) network, such as a data center, from unauthorized access by users on an external (outside) network, such as the public Internet.


Note The term inside refers to networks or network resources protected by the firewall. The term outside refers to networks not protected by the firewall.


You also can protect one or more networks, also known as demilitarized zones (DMZs). DMZs are those portions of the network that contain resources which you may want to allow access to for specified users. Access to a DMZ is usually more restricted than access to the outside network, but less restricted than access to the inside network.

A DMZ allows you to protect your network resources that need to be accessed by users on the public Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some protection without jeopardizing the resources on your internal network.

Connections between the inside, outside, and DMZ networks are controlled by the module, which applies a network-modeled protection scheme based on a configuration and security policy. By implementing a security policy, you can ensure that traffic from the protected networks passes only through the firewall to the unprotected network. You also can control who accesses the networks and with which services. Features on the module allow you to control how your security policy is applied.

The security policy determines the security level of each interface. Networks that are assigned the same security level are isolated from each other; to route traffic between networks, you assign each network a different security level. A lower security level provides less protection for the interface than a higher security level. Security levels range from 0 to 100.

All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because the module supports multiple interfaces, you can create one or more DMZ networks.
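The security-level model described above, written as a small Python simulation (an added example, not code from the FWSM or from this note): connections from a higher security level to a lower one are permitted and recorded in a connection table, return traffic is matched against that table, connections from a lower level to a higher one need an explicit permit, and interfaces at the same level stay isolated. The interface names, VLANs, addresses and the permit hook are constructed, and the default-permit direction is the PIX-style policy, assumed here rather than stated on the page.

```python
"""Simulation of the FWSM interface security-level policy (added example).

Assumption: PIX-style default policy. Higher-to-lower connections are
permitted and recorded, return traffic is matched against the connection
table, lower-to-higher connections need an explicit permit, and equal
security levels are isolated. Interface names, VLANs, addresses and the
permit hook are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Forward 5-tuple of a session: (src_ip, src_port, dst_ip, dst_port, proto)
Conn = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Interface:
    """A logical Layer 3 firewall interface: a VLAN, an IP address and a level."""
    name: str
    vlan: int
    ip: str          # constructed address, documentation only in this model
    security: int    # 0 (least protected) .. 100 (most protected)

    def __post_init__(self) -> None:
        if not 0 <= self.security <= 100:
            raise ValueError("security level must be between 0 and 100")


@dataclass
class Firewall:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    # Explicit permits for lower-to-higher traffic: (ingress_if, dst_ip, dst_port, proto)
    permits: Set[Tuple[str, str, int, str]] = field(default_factory=set)
    # Connection table: forward 5-tuple -> (ingress_if, egress_if) of the first packet
    conns: Dict[Conn, Tuple[str, str]] = field(default_factory=dict)

    MAX_INTERFACES = 100  # the module supports 100 firewall interfaces

    def add_interface(self, iface: Interface) -> None:
        if len(self.interfaces) >= self.MAX_INTERFACES:
            raise ValueError("the module supports at most 100 firewall interfaces")
        if any(i.vlan == iface.vlan for i in self.interfaces.values()):
            raise ValueError(f"VLAN {iface.vlan} already backs another interface")
        self.interfaces[iface.name] = iface

    def permit(self, ingress: str, dst_ip: str, dst_port: int, proto: str) -> None:
        """Allow new connections arriving on `ingress` to dst_ip:dst_port."""
        self.permits.add((ingress, dst_ip, dst_port, proto))

    def forward(self, ingress: str, egress: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
        """Decide the fate of one packet and update the connection table."""
        key: Conn = (src_ip, src_port, dst_ip, dst_port, proto)
        reverse: Conn = (dst_ip, dst_port, src_ip, src_port, proto)
        # 1. Stateful check: return traffic of a recorded session is allowed.
        if self.conns.get(reverse) == (egress, ingress):
            return "PERMIT-RETURN"
        src_if, dst_if = self.interfaces[ingress], self.interfaces[egress]
        # 2. Networks at the same security level are isolated from each other.
        if src_if.security == dst_if.security:
            return "DENY-SAME-LEVEL"
        # 3. Higher-to-lower (for example inside -> outside) is permitted by default.
        if src_if.security > dst_if.security:
            self.conns[key] = (ingress, egress)
            return "PERMIT"
        # 4. Lower-to-higher (for example outside -> DMZ) needs an explicit permit.
        if (ingress, dst_ip, dst_port, proto) in self.permits:
            self.conns[key] = (ingress, egress)
            return "PERMIT"
        return "DENY-NO-RULE"


def build_firewall() -> Firewall:
    """Three security zones plus a second DMZ at the same level (constructed)."""
    fw = Firewall()
    fw.add_interface(Interface("inside", 201, "10.1.1.1", 100))
    fw.add_interface(Interface("dmz", 202, "192.0.2.1", 50))
    fw.add_interface(Interface("dmz2", 204, "192.0.2.129", 50))
    fw.add_interface(Interface("outside", 203, "203.0.113.1", 0))
    fw.permit("outside", "192.0.2.10", 80, "tcp")  # constructed DMZ web server
    return fw


def run_scenarios(fw: Firewall) -> Dict[str, str]:
    """Constructed packets exercising each branch of the policy, in order."""
    return {
        "inside_to_outside": fw.forward("inside", "outside", "10.1.1.20", 40000, "198.51.100.7", 443),
        "return_to_inside": fw.forward("outside", "inside", "198.51.100.7", 443, "10.1.1.20", 40000),
        "outside_to_dmz_web": fw.forward("outside", "dmz", "198.51.100.7", 50000, "192.0.2.10", 80),
        "outside_to_dmz_ssh": fw.forward("outside", "dmz", "198.51.100.7", 50001, "192.0.2.10", 22),
        "outside_to_inside": fw.forward("outside", "inside", "198.51.100.7", 50002, "10.1.1.20", 22),
        "dmz_to_dmz2": fw.forward("dmz", "dmz2", "192.0.2.10", 1234, "192.0.2.140", 80),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios(build_firewall()).items():
        print(f"{name:20s} {verdict}")
```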

The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus and the switch fabric module if one is present. The Firewall Services Module does not require a Switch Fabric Module to function.

The module has a 6 Gbps dot1q EtherChannel connection to the backplane where the hosts of the various security zones are connected to ports on the Catalyst 6500 chassis.

The module can be configured in a multiple, failover, or redundant configuration.

Figure 1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall interfaces. All other router interfaces configured on the MSFC are considered to be the same security level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and VLAN 202 is routed directly.

Figure 1 Firewall Services Module Configuration

Multiple Firewall Services Module Configuration

Figure 2 shows multiple modules that are located in the same switch, and how they can operate independently. There is no restriction to the number of modules installed in the same switch. The network requirements and topology determine the configuration.

Figure 2 Multiple Firewall Services Module Configuration

In a multiple-module configuration, the following conditions apply:

Modules cannot share the same firewall interface definition. Separate VLANs must be defined for each module.

Multiple modules in the same chassis do not share loads or synchronize states among each other unless they are configured as active or standby modules.

Two modules in the same chassis or two modules that are in separate chassis can be configured to maintain firewall protection in case either module fails. When one module (active) fails, another (standby) immediately takes its place.

Redundancy Failover

The failover configuration has these features:

A dedicated logical interface is created for failover communication. No failover cable is required in this configuration as is required in the PIX configuration.

All firewall interfaces between the active module and standby module are separated from each other in Layer 2. The interfaces on the active module must be present on the standby module and the trunk must be configured to pass all VLANs.

Both the active module and standby module have corresponding interfaces in the same VLAN.

When the active module fails, the switchover to the standby module is transparent to other nodes in the network. After switchover, all interfaces on the new active module have the IP addresses and the MAC addresses of the interfaces of the failed module.

The module can be configured to use stateful failover as shown in Figure 3. Stateful failover allows you to maintain the operating state for the connection during the failover from the primary module to the standby module.

Figure 3 Stateful Failover Configuration

When a failover occurs, each module changes its state. The new active module begins accepting traffic. The new standby module assumes the failover IP and MAC addresses of the module that was previously the active module. Because network devices do not detect a change in these addresses, there are no ARP entries changed nor is there a time out anywhere on the network.

Be sure that both modules have the same software version, VLAN configuration, Flash memory, and RAM or the configuration copied to the standby module will not work. After you configure the primary module and provide the failover link, the primary module automatically copies the configuration over to the standby module.


Note We recommend that you separate the failover and logical update interfaces into separate links. Packets on the failover link are tagged with a higher priority for QoS. Because stateful traffic can be high in volume, the advantage of prioritizing failover traffic is lost if the failover link and the failover LAN interface are kept the same.


Figure 4 shows two modules located in separate chassis: one module is designated as the active module and the other module is designated as the standby module.

Figure 4 Firewall Services Module Multiple Configuration in a Network

In this multiple-module configuration, the following conditions apply:

A dedicated logical interface is created for failover communication. No failover cable is required in the configuration as is required in the PIX configuration.

All firewall interfaces between the active module and standby module are separated from each other by Layer 2 requiring at least a 1-gigabit link between them. Performance is limited to the link throughput. For better performance, we recommend that you provide up to a 6-gigabit IEEE 802.1q EtherChannel link.

Both of the switches have an identical definition of the firewall interfaces on the MSFC.

There is a dedicated failover interface between the active module and the standby module used for the stateful failover. This interface synchronizes the states between the active module and the standby module.

Feature Set

The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.

The Firewall Services Module provides the following features:

Switch fabric compatibility.

Interface configuration that can be done through both the native Cisco IOS command-line interface and the module command-line interface.

PIX 6.0-based feature set and some 6.2 features.

LAN failover active or standby (both intra- or inter-chassis).

Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF tables), and Routing Information Protocol (RIP).

IPSec for management only.

Command authorization.

Object grouping.

URL filtering enhancement—The module checks the outgoing URL requests with the policy defined on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the connection depending on the response from the server, which matches a request against a list of website characteristics that are considered inappropriate for business use.

Support for PIX 6.0 application inspection which ensures the secure use of applications and services. Application inspection rules are configured using the fixup command, which is why application inspection is called "fixup."


Note Throughout this document, the term "fixup" applies to application inspection and configuring the application inspection process or application inspection rules.


Support for Lightweight Directory Access Protocol (LDAP) or Input [buffer] Limiting Scheme (ILS) fixup for NetMeeting.

Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection firewalls to content-filtering capabilities that help protect your network environment from future attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the firewalled areas between the networks controlled by the firewall.

The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.

Reliability—Cisco firewalls provide adaptable security services for operation-critical network environments by using the integrated stateful failover capabilities within the module. Network traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining concurrent connections with automated state synchronization between the primary module and the standby module.

Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide NAT and PAT services that conceal IP addresses of internal networks and expand network address space for internal networks.

Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks behind them from attempts to gain access, which can bring a network to a halt.

Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use to configure the Firewall Services Module.

PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to the "Upgrading the PDM" section on page 3-10 of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note for download and installation information.

The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You can download the image from CCO to upgrade PDM if necessary.

When the Firewall Services Module software is the platform, PDM will display modified screens for features not supported by the module. To use the PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.

The following PIX firewall features are not supported by the module:

Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)

Intrusion detection system (IDS) syslog messages.

Cisco Secure Policy Manager (CSPM)

Conduits

DHCP (Dynamic Host Configuration Protocol) client

Specifications and System Limitations

Table 1 lists the specifications and system limitations of the FWSM.

Table 1 FWSM Specifications and System Limitations

Physical Attributes
  Modules per switch: Maximum of four modules per switch. If you are using failover, you can still have only four modules per switch, even if two of them are in standby mode.
  Memory: 1 GB RAM; 128 MB Flash memory.
  Bandwidth: CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.

Feature Limits
  Filtering servers: 16 Websense Enterprise filtering servers.

Managed System Resources
  IPSec management connections, concurrent: 5 connections.
  TCP [1] or UDP [2] connections between any two hosts, including connections between one host and multiple other hosts, concurrent and rate: 999,900 connections; 100K connections per second.
  Fixup connections, rate: 10,000 per second.
  PC-based fixup connections, rate: 10K per second.
  Host connections, concurrent: 256K.
  SSH [3] management connections, concurrent: 5 connections.
  System messages, rate: 20K per second.
  Telnet management connections, concurrent: 5 connections.
  NAT translations, concurrent: 256K.

Fixed System Resources
  NAT statements: 1K statements.
  High-performance firewall: 5 Gbps (aggregated).
  Concurrent connections: 1 million.
  Packets per second: 3 million pps.
  New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP): 7K.
  VLAN interfaces (no physical interfaces on the module): 100.
  Static NAT statements: 1K statements.
  Global statements: 1K statements.
  Shun statements: 2K statements. The FWSM supports at most 2000 shuns; that number is contingent upon finite hardware resources and cannot be increased.
  Alias statements: 1K statements.
  User authentication sessions, concurrent: 5K sessions.
  User authorization sessions, concurrent: 150K sessions; maximum 15 sessions per user.
  ARP [4] table entries, concurrent: 64K entries.
  Route table entries, concurrent: 32K entries.
  Packet reassembly, concurrent: 30,000 fragments.

Rules
  Filter rules, fixup and filter statements combined: 3K rules and statements.
  Established CLI rules: 1K rules.
  Established data: 1K implicit rules used by TCP and UDP fixups to allow back channels; 3K statements.
  AAA rules: 3K rules (1K rules for authentication, 1K rules for authorization, and 1K rules for accounting).
  ICMP [5], Telnet, SSH, and HTTP [6] rules: 1K rules.
  ACEs: 72K ACEs (best case).

[1] Transmission Control Protocol
[2] User Datagram Protocol
[3] Secure Shell
[4] Address Resolution Protocol
[5] Internet Control Message Protocol
[6] HyperText Transfer Protocol


Front Panel Description

The front panel includes a STATUS LED and a SHUTDOWN button (see Figure 5).

Figure 5 Firewall Services Module Front Panel

STATUS LED

The STATUS LED indicates the operating states of the module. Table 2 describes the LED operation.

Table 2 STATUS LED Description

  Green: All diagnostic tests pass. The module is operational.
  Red: A diagnostic other than an individual port test failed.
  Orange: Indicates one of three conditions: the module is running through its boot and self-test diagnostic sequence; the module is disabled; or the module is in the shutdown state.
  Off: The module power is off.


SHUTDOWN Button


Caution Do not remove the module from the switch until the module has shut down completely and the STATUS LED is orange or off. You can damage the module if you remove it from the switch before it completely shuts down.

To avoid corrupting the compact Flash memory, you must correctly shut down the module before you remove it from the chassis or disconnect the power. This shutdown procedure is initiated normally by commands entered at the supervisor engine CLI prompt or the module CLI prompt.

If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push the button.

The shutdown procedure may require several minutes. The STATUS LED turns orange when the module shuts down.

Module Specifications

Table 3 describes the specifications for the module.

Table 3 Specifications

  Dimensions (H x W x D): 1.18 x 15.51 x 16.34 in. (30 x 394 x 415 mm)
  Weight: Minimum 3 lb (1.36 kg); maximum 5 lb (2.27 kg)
  Operating temperature: 32 to 104°F (0 to 40°C)
  Nonoperating temperature: -40 to 167°F (-40 to 75°C)
  Humidity: 10 to 90%, noncondensing


Safety Overview

Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.


Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.



The same warning is repeated here in Dutch, Finnish, French, German, Italian, Norwegian, Portuguese, Spanish, and Swedish; each translation likewise refers you to the Regulatory Compliance and Safety Information document that accompanied this device.


Installing the Firewall Services Module

This section describes how to install the Firewall Services Module including the software and hardware requirements.

This chapter contains these sections:

System Requirements

Required Tools

Installing and Removing the Module

Using the CLI

System Requirements

This section describes the software and hardware requirements for the module.

Memory and Storage Requirements

There are no additional memory or storage requirements for this module. The module contains the following memory:

1 GB RAM

128 MB compact Flash

Software Requirements

Table 4 lists the Firewall Services Module software versions supported by Catalyst operating system and Cisco IOS software.

Table 4 Firewall Services Module Software Compatibility

  Firewall Services Module software, application image: 1.1(1)
  Firewall Services Module software, maintenance image: 1.1(1)
  Catalyst OS software: 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2 and an MSFC 2
  Cisco IOS software: 12.1(13)E with a Supervisor Engine 2 and an MSFC 2


Hardware Requirements

Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.


Note Before installing the module, you must install the Catalyst 6500 series switch chassis and at least one supervisor engine. For information on installing the switch chassis, refer to the Catalyst 6000 Family Installation Guide.


Required Tools

These tools are required to install the module in the Catalyst 6500 series switches:

Flat-blade screwdriver

Phillips-head screwdriver

Wrist strap or other grounding device

Antistatic mat or antistatic foam

Whenever you handle the module, always use a wrist strap or other grounding device to prevent electrostatic discharge (ESD).

Installing and Removing the Module


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.


All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace, and rearrange modules without turning off the system power. For more information on removing the module from a switch, see the "Removing a Module" section.

When the system detects that a module has been installed or removed, the system automatically runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation.

This section describes how to install and verify the operation of the Firewall Services Module in the Catalyst 6500 series switches and contains the following sections:

Slot Assignments

Removing a Module

Installing a Module

Verifying the Installation

Slot Assignments

The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.


Note The Catalyst 6509-NEB switch has vertical slots, which are numbered 1 to 9 from right to left. Install the modules with the component side facing to the right.


Each slot is used as follows:

Slot 1 is reserved for the supervisor engine.

Slot 2 can be used for a redundant supervisor engine in case the supervisor engine in slot 1 fails.

If a redundant supervisor engine is not required, slots 2 through 6 on the 6-slot chassis (slots 2 through 9 on the 9-slot chassis, and slots 2 through 13 on the 13-slot chassis) are available for switching modules, such as the Firewall Services Module.

The empty slots require filler plates, which are blank switching-module carriers, to maintain consistent airflow through the switch chassis.

Removing a Module

This section describes how to remove an existing module from a chassis slot.


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.



Warning Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.



Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.


To remove a supervisor engine or module from the chassis, perform these steps:


Step 1 Disconnect any network interface cables attached to the supervisor engine or module.

Step 2 Verify that the captive installation screws on all of the modules in the chassis are tight.

This step ensures that the space created by the removed module is maintained.


Note If the captive installation screws are loose, the electromagnetic interference (EMI) gaskets on the installed modules will push the modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.


Step 3 Loosen the two captive installation screws on the supervisor engine or module.

Step 4 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following sets of substeps:

Horizontal slots

a. Place your thumbs on the left and right ejector levers, and simultaneously rotate the levers outward to unseat the module from the backplane connector.

b. Grasp the front edge of the module and slide the module part of the way out of the slot. Place your other hand under the module to support the weight of the module. Do not touch the module circuitry.

Vertical slots

a. Place your thumbs on the ejector levers located at the top and bottom of the module, and simultaneously rotate the levers outward to unseat the module from the backplane connector.

b. Grasp the edges of the module, and slide the module straight out of the slot. Do not touch the module circuitry.

Step 5 Place the module on an antistatic mat or antistatic foam, or immediately reinstall it in another slot.

Step 6 If the slot is to remain empty, install a module filler plate to keep dust out of the chassis and to maintain proper airflow through the chassis.



Warning Blank faceplates (filler panels) serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards and faceplates are in place.


Installing a Module

This section describes how to install modules in the Catalyst 6500 series switches.


Caution To prevent ESD damage, handle modules by the carrier edges only.


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.



Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.



Warning Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.


To install a supervisor engine or module in the chassis, perform these steps:


Step 1 Choose a slot for the supervisor engine or module.

Step 2 Verify that there is enough clearance to accommodate any interface equipment that you will connect directly to the supervisor engine or module ports. If possible, place modules between empty slots that contain only module filler plates.

Step 3 Verify that the captive installation screws are tightened on all modules installed in the chassis.

This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the opening space for the new module or the replacement module.


Note If the captive installation screws are loose, the EMI gaskets on the installed modules will push adjacent modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.


Step 4 Remove the module filler plate by removing the two Phillips pan-head screws from the filler plate. To remove an installed module instead, refer to the "Removing a Module" section.

Step 5 Fully open both ejector levers on the new or replacement module. (See Figure 6.)

Figure 6 Positioning the Module in a Horizontal Slot Chassis

Step 6 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following sets of substeps:

Horizontal slots

a. Position the supervisor engine or module in the slot. (See Figure 6.) Make sure that you align the sides of the module carrier with the slot guides on each side of the slot.

b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the top edge of the module makes contact with the module in the slot above it and both ejector levers have closed to approximately 45 degrees with respect to the module faceplate. (See Figure 7.)

Figure 7 Clearing the EMI Gasket in a Horizontal Slot Chassis

c. Using the thumb and forefinger of each hand, grasp the two ejector levers and press down to create a small (0.040 inch [1 mm]) gap between the module's EMI gasket and the module above it. (See Figure 7.)


Caution Do not press down too hard on the levers. They will bend and be damaged.

d. While pressing down, simultaneously close the left and right ejector levers to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 8.)

Figure 8 Ejector Lever Closure in a Horizontal Slot Chassis


Note Failure to fully seat the module in the backplane connector can result in error messages.


e. Tighten the two captive installation screws on the supervisor engine or module.


Note Make sure the ejector levers are fully closed before tightening the captive installation screws.


Vertical slots

a. Position the supervisor engine or switching module in the slot. (See Figure 9.) Make sure that you align the sides of the switching-module carrier with the slot guides on the top and bottom of the slot.

Figure 9 Positioning the Module in a Vertical Slot Chassis

b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the right edge of the module makes contact with the module in the slot adjacent to it and both ejector levers have closed to approximately 45 degrees with respect to the module faceplate. (See Figure 10.)

c. Using the thumb and forefinger of each hand, grasp the two ejector levers and exert a slight pressure to the left, deflecting the module approximately 0.040 inches (1 mm) to create a small gap between the module's EMI gasket and the module adjacent to it. (See Figure 10.)

Figure 10 Clearing the EMI Gasket in a Vertical Slot Chassis


Caution Do not exert too much pressure on the ejector levers. They will bend and be damaged.

d. While pressing on the ejector levers, simultaneously close them to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 11.)

Figure 11 Ejector Lever Closure in a Vertical Slot Chassis

e. Tighten the two captive installation screws on the module.


Note Make sure the ejector levers are fully closed before tightening the captive installation screws.



Verifying the Installation

This section describes how to verify the module installation.

To verify that the system acknowledges the new module and has brought it online, enter the show module [mod-num | all] command.

This example shows the output of the show module command:

Router# show module 
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
2   2    6     Firewall Service Module   WS-SVC-FWM-1        no  ok
Router# 

When the module initially boots, by default it runs a partial memory test. To perform a full memory test, enter the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.

A full memory test takes longer than a partial memory test; the time depends on the memory size.

Table 5 lists the approximate boot time when a full memory test runs.

Table 5 Memory Test Duration

Memory Size    Boot Time
1 GB           6 minutes


This example shows how to do a full memory test for module 5:

Router(config)# hw-module module 5 reset mem-test-full

Using the CLI

The software interface for the module is the Cisco IOS command-line interface accessed through a Telnet connection to the switch or through the switch console interface. Refer to the Catalyst 6500 Series IOS Software Configuration Guide and the Catalyst 6500 Series Software Configuration Guide for details.

To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series IOS Software Configuration Guide.

Unless your switch is located in a fully trusted environment, we recommend that you configure the module over a connection protected by Secure Shell (SSH) rather than plain Telnet, which sends passwords and configuration commands in cleartext.

You can session into the module from the switch console and configure the firewall. The session command opens a Telnet connection to the module over the Ethernet out-of-band channel (EOBC) of the switch backplane, so the connection does not leave the chassis.

You can also make a Telnet connection into the module from a specified host and on a specific interface. Telnet support for this host should be configured or enabled from the module console.

Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection into the module.

The module application software is similar to the Cisco PIX firewall software. This publication describes only the commands unique to the Firewall Services Module. For information about the PIX commands, refer to the PIX documentation at the following URLs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm

Getting Started

This section describes how to begin configuring the Firewall Services Module from the CLI and contains these sections:

Configuration Overview

Saving the Configuration

Using PDM

Configuration Overview

This section describes the Firewall Services Module configuration and contains these sections:

Configuring the Switch Interface

Sessioning into the Module

Configuring the Module

The Firewall Services Module can be used in a variety of topologies depending on the needs of your network. For example, in a data center you may want to provide access control or segregate your security domains. The security domain can be a collection of servers with the same security level. Within that domain, multiple subnets or server farms can exist.

When you configure the Firewall Services Module to function on the perimeter of the network, the module can provide access control to the inside network as a whole, or segregate multiple security zones through VLAN interfaces of different security levels. The security zones can be either in the same network or can define the boundaries of multiple customer networks.

The Firewall Services Module configuration has the following characteristics:

Each firewall interface is a Layer 3 interface.

Each firewall interface has a fixed VLAN.

The switch MSFC is used as a router connected to only one of the module interfaces (SVI).

The module views all networks (or subnetworks) beyond an interface as belonging to the same security level.

Traffic from all of the non-firewall VLANs in the switch (those not recognized by the module) is routed through the MSFC without being stopped by the firewall.

You can configure the module in various situations by selecting the firewall features that meet the requirements of a particular network. Figure 12 shows a typical firewall configuration.

Figure 12 Firewall Configuration

Configuring the Switch Interface

This section describes the basic configuration steps performed on the switch and the Firewall Services Module.

Cisco IOS Software

To set up the configuration on the switch using the Cisco IOS CLI, follow these general tasks:


Command and Purpose

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# vlan vlan_number
        Creates the VLANs that the module will firewall.

Step 3  Router(config)# interface vlan vlan_number
        Defines a controlled VLAN (SVI) on the MSFC (route processor).

        Note You must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module.

Step 4  Router(config)# firewall vlan-group firewall_group vlan_range
        Creates a firewall group of controlled VLANs.

Step 5  Router(config)# firewall module module_number vlan-group firewall_group
        Attaches the firewall VLAN group to the slot where the module is located.

Step 6  Router(config)# end
        or
        Router(vlan)# exit
        Updates the VLAN database and returns to privileged EXEC mode.

Step 7  Router# show firewall vlan-group
        Displays the firewall VLAN groups.

Step 8  Router# show firewall module
        Displays the module configuration.

Step 9  Router# show interface vlan vlan_number
        Displays the interface configuration.



Note To prevent trunks from carrying firewall VLANs, enter this interface configuration command on each trunk port:
switchport trunk allowed vlan {add | except | none | remove} vlan [, vlan [, vlan [,...]]]
A firewall VLAN that is allowed on a trunk can be reached through that trunk without passing through the module.


This example shows how to configure the switch interface:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# vlan 55
Router(config-vlan)# vlan 56
Router(config-vlan)# vlan 57
Router(config-vlan)# exit
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 8 vlan-group 50-51
Router(config)# int vlan 55
Router(config-if)# ip address 55.1.1.1 255.255.255.0
Router(config-if)# no shut
Router(config-if)# end
Router# show firewall vlan-group 
Group vlans
----- ------
   50 55-57
   51 70-85
Router# show firewall module 
Module Vlan-groups
  8    50,51,
Router# show int vlan 55
Vlan55 is up, line protocol is up 
  Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)
  Internet address is 55.1.1.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type:ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
  Queueing strategy:fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes
  L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast
  L3 out Switched:ucast:0 pkt, 0 bytes 
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     4 packets output, 256 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Router# 
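The note above says to keep firewall VLANs off trunks, and the output of show firewall vlan-group and show firewall module is what tells you which VLANs those are. The following script is an added example, not part of this Cisco note: it parses that output (constructed here to match the example above) together with a constructed running-config excerpt whose port names (GigabitEthernet3/1 to 3/3) are hypothetical, and reports every trunk that still carries a firewall VLAN. A trunk with no switchport trunk allowed vlan line is treated as carrying all VLANs, which is the IOS default and the usual way a firewall VLAN leaks.

```python
import re

# Constructed sample output, matching the show commands in the example above.
SHOW_FIREWALL_VLAN_GROUP = """\
Group vlans
----- ------
   50 55-57
   51 70-85
"""

SHOW_FIREWALL_MODULE = """\
Module Vlan-groups
  8    50,51,
"""

# Constructed running-config excerpt with hypothetical port names; Gi3/3 has no allowed-VLAN list, so it trunks every VLAN.
RUNNING_CONFIG = """\
interface GigabitEthernet3/1
 switchport trunk allowed vlan 10-20,56,100
 switchport mode trunk
!
interface GigabitEthernet3/2
 switchport trunk allowed vlan except 55-57,70-85
 switchport mode trunk
!
interface GigabitEthernet3/3
 switchport mode trunk
!
"""

ALL_VLANS = frozenset(range(1, 4095))
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan(?: (add|remove|except|all|none))?\s*([\d,\-]*)$")


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-20,56,100' (a trailing comma is fine)."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_id_table(text):
    """Parse the 'id  vlan-list' rows that both show commands print."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([\d,\-]+)\s*$", line)
        if m:
            table[int(m.group(1))] = parse_vlan_list(m.group(2))
    return table


def firewall_vlans(vlan_groups, modules):
    """All VLANs in any VLAN group attached to a firewall module."""
    return set().union(*(vlan_groups.get(g, set()) for ids in modules.values() for g in ids))


def parse_trunks(config):
    """Return {interface: allowed VLAN set} for each 'switchport mode trunk' port."""
    trunks = {}
    name, allowed, is_trunk = None, None, False

    def flush():
        if name and is_trunk:  # no allowed list means all VLANs are trunked
            trunks[name] = set(ALL_VLANS) if allowed is None else allowed

    for line in config.splitlines():
        if line.startswith("interface "):
            flush()
            name, allowed, is_trunk = line.split(None, 1)[1], None, False
        elif line.strip() == "switchport mode trunk":
            is_trunk = True
        elif (m := ALLOWED_RE.match(line.strip())):
            keyword, spec = m.group(1), parse_vlan_list(m.group(2))
            current = set(ALL_VLANS) if allowed is None else allowed
            allowed = {None: spec, "all": set(ALL_VLANS), "none": set(),
                       "except": set(ALL_VLANS) - spec,
                       "add": current | spec, "remove": current - spec}[keyword]
    flush()
    return trunks


def audit_trunks(config, fw_vlans):
    """Map each offending trunk to the sorted firewall VLANs it still carries."""
    trunks = parse_trunks(config)
    return {i: sorted(a & fw_vlans) for i, a in trunks.items() if a & fw_vlans}


if __name__ == "__main__":
    fw = firewall_vlans(parse_id_table(SHOW_FIREWALL_VLAN_GROUP),
                        parse_id_table(SHOW_FIREWALL_MODULE))
    for iface, leaked in audit_trunks(RUNNING_CONFIG, fw).items():
        print(f"{iface}: carries firewall VLANs {leaked}")
```

Run against the sample data, the script flags GigabitEthernet3/1 for VLAN 56 and GigabitEthernet3/3 for every firewall VLAN, while GigabitEthernet3/2, which uses the except form from the note, is clean. To use it on a real switch, paste the two show outputs and the running configuration into the three strings.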

Catalyst Operating System Software

To set up the configuration on the switch for the Firewall Services Module using the