Q. What is the Cisco® Network-Based Security Services solution?
A. The Cisco Network-Based Security Services solution helps service providers deliver cost-effective, scalable, integrated security services for businesses of all sizes. Service providers can expand their service portfolio with secure, on-net and off-net remote access, remote site-to-site services, and firewall capabilities - and offer a more comprehensive bundle of secure VPNs and security services for enterprise and small and medium-sized-business (SMB) customers.
The Cisco XR 12000 Series provides virtual firewalls (VFWs) on the multiservice blade. Additionally, the Cisco XR 12000 IP Security (IPsec) Shared Port Adapter (SPA) provides the secure, on-net and off-net remote-access and remote site-to-site services available on the Cisco XR 12000 from Cisco IOS® XR Software Release 3.4 forward.
Q. What are the common deployment applications?
A. Using the Cisco Network-Based Security Services solution, which combines VFW and network-based IPsec VPN services, service providers can support multiple applications and use the network edge devices to provide security services to multiple customers at the same time.
Application examples follow:
• Internet access - The firewall can be deployed to support Internet offload for VPN customers. It provides the ability to apply individual firewall policies per customer.
• Site-to-site firewall access - The solution can be used to provide site-to-site firewall service, allow users to apply policies on a per-site basis, and control access between locally connected sites as well as between the sites and the rest of the VPN network.
• Shared services access - The firewall can be used as an interface between the VPN customers and any shared services offered by the provider that they access.
Q. Does the Cisco XR 12000 VFW require special hardware?
A. Yes, the Cisco XR 12000 VFW is based on the multiservice blade hardware (part number XR-12K-MSB) to provide enhanced security features with rich stateful inspection firewall services.
Q. Can I apply virtual security contexts to a customer-facing interface?
A. Yes, the innovative Router Service Packet Path (RSPP) scheme provides a simple way to attach security contexts to the broad set of Cisco XR 12000 interfaces and subinterfaces. Similar to other types of policies that can be applied to Cisco XR 12000 interfaces (such as quality of service [QoS]), the security context policy can be attached to any interface without affecting dynamic routing protocols.
Q. Can I use single security contexts to protect multiple customer interfaces?
A. Yes, multiple customer-facing interfaces can be attached to a single security context.
Q. Can I use the Cisco XR 12000 VFW between Virtual Routing and Forwarding (VRF) instances?
A. Yes, the VRF-aware service infrastructure (VASI) enables transparent insertion of services to inter-VRF traffic.
Q. Does the multiservice blade support VRF-aware Network Address Translation (NAT)?
A. Yes, each security context can be used for such applications. Static and dynamic NAT and Port Address Translation (PAT) are supported.
Q. What is a VASI interface?
A. The VASI infrastructure provides the ability to configure a VASI pair interface, a routable dual virtual interface for inter-VRF binding that provides the ability to easily apply services on the inter-VRF traffic.
Q. Does the Cisco XR 12000 Multiservice Blade firewall support URL filtering?
A. No, only basic URL filtering is available; there is no option to connect to an external filtering device such as Websense or N2H2.
Performance and Scalability
Q. Can I use multiple multiservice blades in a single Cisco XR 12000 chassis?
A. Yes. The total number of contexts and interfaces is subject to the overall Cisco IOS XR Software scalability limits.
Q. How many security contexts are supported per multiservice blade?
A. Cisco IOS XR Software Release 3.5 supports 250 VFW contexts; future releases will scale up to 500 contexts.
Q. What is the maximum throughput per multiservice blade with VFW?
A. Each multiservice blade can scale up to 8 Gbps or 2 Mpps.
Q. What is the maximum number of Layer 4 connections per second that a single multiservice blade can process?
A. Each multiservice blade can scale up to 150,000 connections per second.
Q. What is the maximum number of connections per second with Layer 7 inspection that can be processed by a single multiservice blade?
A. Each multiservice blade can scale up to 15,000 connections per second with HTTP inspection.
Q. How many access list entries (ACEs) are supported per single multiservice blade?
A. Each multiservice blade can support 250,000 ACEs.
Q. How many VASI pair interfaces can be configured on a single multiservice blade?
A. Up to 500 VASI pairs can be configured on a single blade.
Q. Is the number of virtual interfaces independent of the number of interfaces in the chassis?
A. Yes, the total number of interfaces in the chassis is subject to the overall Cisco IOS XR Software scale capabilities.
Q. What is the maximum number of interfaces supported on a single multiservice blade?
A. Up to 2000 interfaces can be supported. Note that each VASI pair consumes 2 interfaces, each firewall management interface (FMI) consumes 1 interface, and each interface protected by a firewall context consumes 1 interface.
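The per-blade limits quoted in this section (250 contexts in Release 3.5, 500 VASI pairs, 2000 interfaces, 250,000 ACEs) interact: a plan that is comfortably inside the context and VASI limits can still exhaust the interface budget once each VASI pair is counted twice and each context's FMI is added. The following capacity check is an added example, not Cisco's code or tooling; the class and function names are hypothetical, and the customer plan it evaluates is constructed for illustration.

```python
# Added example (not Cisco code): check a planned multiservice-blade deployment
# against the per-blade limits stated in the FAQ.
from dataclasses import dataclass

# Limits as stated in the FAQ (contexts figure is for IOS XR Release 3.5).
BLADE_LIMITS = {
    "contexts": 250,
    "vasi_pairs": 500,
    "interfaces": 2000,
    "aces": 250_000,
}


@dataclass
class ContextPlan:
    """One security context as planned for a single blade (hypothetical type)."""
    name: str
    protected_interfaces: int   # customer-facing interfaces attached to this context
    vasi_pairs: int = 0         # inter-VRF VASI pairs terminated in this context
    fmi: bool = True            # FAQ: FMI is required on preferred active/standby contexts
    aces: int = 0               # access list entries in this context's policy

    def interface_cost(self) -> int:
        # FAQ accounting: VASI pair = 2 interfaces, FMI = 1, each protected interface = 1.
        return self.protected_interfaces + 2 * self.vasi_pairs + (1 if self.fmi else 0)


def blade_usage(contexts: list[ContextPlan]) -> dict[str, int]:
    """Aggregate what a list of contexts consumes on one blade."""
    return {
        "contexts": len(contexts),
        "vasi_pairs": sum(c.vasi_pairs for c in contexts),
        "interfaces": sum(c.interface_cost() for c in contexts),
        "aces": sum(c.aces for c in contexts),
    }


def check_blade(contexts: list[ContextPlan], limits: dict[str, int] = BLADE_LIMITS):
    """Return (usage, violations); violations lists every limit the plan exceeds."""
    usage = blade_usage(contexts)
    violations = [
        f"{key}: {usage[key]} > {limits[key]}"
        for key in limits
        if usage[key] > limits[key]
    ]
    return usage, violations


def example_plan() -> list[ContextPlan]:
    """Constructed plan: 200 customers, each with 8 protected interfaces and one
    VASI pair for inter-VRF shared-services access. Contexts (200) and VASI
    pairs (200) are within limits, but interfaces come to 200 * 11 = 2200."""
    return [
        ContextPlan(name=f"customer-{i:03d}", protected_interfaces=8, vasi_pairs=1, aces=500)
        for i in range(200)
    ]


if __name__ == "__main__":
    usage, violations = check_blade(example_plan())
    for key, value in usage.items():
        print(f"{key:>11}: {value:>7} / {BLADE_LIMITS[key]}")
    if violations:
        print("plan exceeds blade limits:", "; ".join(violations))
    else:
        print("plan fits on one blade")
```

The check is deliberately conservative about FMIs: because the FAQ requires an FMI on both the preferred active and the preferred standby context, the standby blade's budget should be evaluated with the same list, not with FMI-less copies.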
Management
Q. What Simple Network Management Protocol (SNMP) versions does the multiservice blade firewall support?
A. SNMPv1, v2c, and v3 are supported.
Q. What is FMI?
A. FMI is a firewall management interface that can be configured under each security context to provide a virtualized management interface. The FMI can be used to connect management devices such as Telnet and Secure Shell (SSH) Protocol clients, authentication, authorization, and accounting (AAA) servers, etc.
Q. What options are available to configure and monitor security contexts?
A. Each security context is virtualized with its own management IP address and can be configured or monitored with the following options:
A. Role-based access control (RBAC) enables the option to assign different roles within specific security contexts with different levels of rights and capabilities to each person working within a context, ensuring that each team can operate almost completely separately.
• The goal of connection replication is to synchronize eligible connections so that a failover does not disrupt existing connections.
• Very short-term connections cannot be synchronized; TCP connections that are terminated or "proxied" are not eligible.
Q. The Cisco XR 12000 supports route processor failover. How does it affect firewalls?
A. Route processor failover is a platform feature and is totally transparent to the firewall. No firewall-specific configuration is required to support this type of failover.
Q. What are the triggers for multiservice blade switchover?
A. Triggers:
• Service location configuration change (Cisco IOS XR Software)
• An active multiservice blade has detected some anomaly (such as a Linux process crash)
• Heartbeat loss (hardware failure, etc.)
• Auto-revert (preferred active node becomes operational)
Q. How do you connect to the active and/or standby location of a context for management purposes?
A. A security context can be reached in two ways:
• Indirect access from the route processor - After you have connected to the route processor, you can attach your session to a specific multiservice blade and access each of the security context configurations and statistics.
• Direct access to the security context IP address - Each security context can be configured with a management interface (FMI) with a dedicated IP address. A separate IP address (peer's IP address) is available for direct access to the standby contexts.
Note that FMI is required on both the preferred active and preferred standby security contexts.
Q. When failover occurs, do I need to switch my direct management access to the standby contexts?
A. No, this happens automatically. The FMI can be configured to always send traffic to the active (or standby) location. The IP address of the active security context is preserved during switchover.
Q. Can I configure failover between two service blades in different Cisco XR 12000 chassis?
A. No. Only intra-chassis failover is supported.
Additional Information
Q. Where can I find more information about the Cisco XR 12000?