
ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CATALYST 6500

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Jazib Frahim the deployment and implementation of FWSM on Catalyst 6500. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. He is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus in network security. He holds two CCIEs, one in routing and switching and the other in security.

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 17, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

69 REPLIES
New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Jazib, glad to have you back in the forum. I would like to ask you how different the FWSM is compared to the PIX or ASA. Also, I am unable to find any configuration examples about the FWSM on the Cisco website; there is only the configuration guide for it. And since the FWSM doesn't have any ports of its own, the processing for inspection of packets will be loaded onto the backplane engine, right?

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Sebastan,

* FWSM general features:

The FWSM is only a firewall. The PIX/ASA are security appliances -- supporting firewall, IDS/IPS, VPN, and Anti-X (ASA).

* FWSM architecture:

The FWSM performs many functions in hardware whereas the PIX/ASA do not. The ramifications are that there are very hard limits on the FWSM, such as ACL rules, which do not exist on the PIX/ASA's, which just slow down when recommended limits are exceeded.

* FWSM Feature Parity:

See the first item -- FWSM is only a firewall. That said, the FWSM supports multiple context mode (just like the ASA/PIX) but it will support mixed mode (transparent and routed firewall contexts concurrently) whereas the ASA/PIX must all be transparent or all routed (with current software).

The FWSM has some caveats around shared interfaces which the ASA/PIX do not. That is, do not share interfaces across multiple firewall contexts with the FWSM.

* Configuration examples: Most of the configurations are just like that of the PIX/ASA for 'firewall' features. Nothing jumps to the forefront of my mind. FWSM 2.x is similar to PIX 6.x, FWSM 3.x is similar to ASA/PIX 7.x.

* Ports: The FWSM has six gigabit ethernet 'ports' to the backplane which are all wrapped into an Etherchannel. You 'cable' interfaces by mapping vlan's to the FWSM from the supervisor engine.

Just a note -- you map a vlan to the MSFC by configuring 'interface vlan x' on the 6500/7600. You map a vlan to the FWSM by configuring 'firewall' commands. The configuration guide is really very good. If you have invested in a FWSM then do take the time to read through the entire configuration guide.

Best Regards,

Troy McCarty

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Troy, thanks a lot for your detailed explanation. It's really good, thanks once again.

regards

sebastan

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Thanks Troy for your great explanation

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Jazeb,

Can a Cat6513 act as FWSM, SUP and MSFC at the same instance? I believe the 6513 comes with 13 slots; here 2 are for the SUP along with the submodule for the MSFC, and the 9th slot is for FWSM board placement.

Aksher

Cisco Employee

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Aksher,

The simple answer is yes, the 6513 can run a FWSM concurrently with the supervisor engine and the MSFC. In performing design work, it becomes critical to 'think' of these elements separately. The MSFC is a single router. The layer 2 vlans (the realm of the sup engine) may exist in an island or be associated with the MSFC or FWSM. The FWSM, supporting virtualization, may exist as many (up to 250 firewalls). Each firewall context (virtual firewall) should be illustrated in a logical design as separate firewalls.

You may place multiple FWSM's into a 6500 chassis -- it is not constrained to a particular slot. It is a best practice not to place it in slot 1 & to have an empty slot above it, if possible. Why? You may notice that the FWSM does not have a physical console port on its faceplate -- but that doesn't mean that it doesn't have one... Being able to access the top of the card may be desirable...

Best Regards,

Troy McCarty

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

If all ports on a 6509/Sup720 native are configured as "no switchport" (i.e. routed interfaces), can the internally allocated VLAN numbers be used to direct traffic through the FWSM?

Thanks,

George

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

George,

FWSM has to use VLANs to route and filter traffic. If all the ports were routed ports, then how would you send the traffic to the VLANs on the FWSM?

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

How do I turn on the show module command on the FWSM, or is it not supported?

Can a 6513 chassis support multiple physical firewalls rather than virtual firewalls?

-Aksher

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

The show module command is used on the 6500 supervisor module. It is not issued on the FWSM. Why do you want to issue this command on the FWSM?

Yes, you can have multiple FWSM blades on a single 6500 chassis

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

I have a Cisco IDS 4235 installed. The IDS is showing 98% memory utilisation. And in IDS Event Viewer, when I try to see the logs through the dashboard, it shows the error "IOEXCEPTION IN OPENSUBSCRIPTION(): UNTRUSTED SERVER CERT CHAIN. CHECK IF THE SENSORED TIME & IEVHOST TIME SET CORRECTLY".

Regards

Nitin

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Nitin,

This session is on FWSM. For IDSM, I would post this question on the appropriate forum.

However, I would say that this message appears to be an issue with the SSL communication with the IDSM and IEV. Can you verify the time between the IDSM and the IEV host?

Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

We are using HP OpenView to monitor two 65xx with FWSM modules in each of them. One of the FWSM modules is active, while the second is a slave. How can I monitor the status (availability via ping and SNMP) of the slave module while its configuration is being automatically mirrored from the master/active device and there is no private IP that I can communicate with on the slave FWSM (or so it seems)?

So what we have is an incomplete map of only one FWSM visible to OpenView.

Thanks,

Yigal

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Yigal,

You should be able to communicate with the standby module using the standby address. You can SSH/telnet/ping to that address.

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Jazib,

Thanks for the answer. However, as far as I understand, the network admin tells me there is no specific IP address for the standby module. He says that it has the same config as the master module, and if he tries to change the standby module config he gets a warning regarding "Configuration out of synchronization with the master".

Thanks,

Yigal

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Yigal,

It is true that you cannot make changes to the standby, however, you can still access it using the standby IP address. Whenever you configure your active firewall, you have to specify the standby IP address that the standby module uses. Depending on the version of code you are running, the commands to configure a standby IP address (on the active module) could be different.

For the 2.x version of FWSM, the command is:

failover ip address <if_name> <ip_address>

For the 3.x version of code, the command (under the interface) is:

ip address <ip_address> <mask> standby <standby_ip_address>

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

hello,

I have different questions to the fwsm.

1) Is there support planned for NAT using the contexts in transparent mode? If so, at which SW release?

2) Bug fixes are done within interim releases. Such releases I can get only via contacting TAC. Are these releases tested with the same quality as the official available images ?

3) Is the code different from the PIX/ASA code? E.g. it seems that there are bugs in fixup protocols in the FWSM code which are not in the PIX/ASA code.

4) Is there a practical number of contexts which you should not exceed? In theory you can have up to 250.

Thanks

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Guehuber,

Please see my inline response.

===

1) Is there support planned for NAT using the contexts in transparent mode? If so, at which SW release?

Jazib>> Your account team is in a better position to discuss a product roadmap.

2) Bug fixes are done within interim releases. Such releases I can get only via contacting TAC. Are these releases tested with the same quality as the official available images ?

Jazib>> the interim releases are typically not tested as extensively as the major releases.

3) Is the code different from the PIX/ASA code? E.g. it seems that there are bugs in fixup protocols in the FWSM code which are not in the PIX/ASA code.

Jazib>> The code for FWSM is totally different than the code on the ASA/PIX.

4) Is there a practical number of contexts which you should not exceed? In theory you can have up to 250.

Jazib>> On a FWSM, you can safely have up to 250 contexts. That is the reason why Cisco sells that as a license.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi,

I am migrating an in-production Cisco 6509 switch (Sup720 + FWSM) from CatOS to IOS. The routing is not via the MSFC; all inter-VLAN routing is presently controlled via the FWSM.

In order to have minimal impact on production, what is the recommended approach for integrating the FWSM after the Sup is migrated to IOS?

Thanks in advance.

Regards

Kgupta

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Kaustav,

The migration from CatOS to IOS doesn't change the configuration on the FWSM at all. However, you need to make sure that the CatOS firewall-vlan command:

set vlan <vlan_list> firewall-vlan <slot>

is properly migrated to the IOS-compatible firewall vlan-group commands:

firewall vlan-group <group_number> <vlan_range>[,...]

firewall module <slot> vlan-group <group_number>

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Jazib,

Thanks for your reply. I have just a small query. If the CatOS core switch has the following config:

set vlan 3-4,6,8-9,12,16,21-27,31,33-40,43,51,60-61,110,301-303,601-603,800,900,991,999 firewall-vlan 2

after migration to IOS, can I put any vlan-group number or does it have to be specific?

Thanks in advance

Kaustav

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

You can select any vlan-group number. For example, this should work fine:

firewall vlan-group 10 3-4,6,8-9,12,16,21-27,31,33-40,43,51,60-61,110,301-303,601-603,800,900,991,999

firewall module 2 vlan-group 10
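The CatOS-to-IOS mapping above is mechanical, but a VLAN dropped from the vlan-group is a VLAN the FWSM never sees, and a VLAN added by mistake may be steered through the firewall unintentionally, so the migrated lines are worth checking rather than eyeballing. The following is an added example, not code from this thread or from Cisco: it parses the CatOS "set vlan ... firewall-vlan" line, emits the equivalent "firewall vlan-group" / "firewall module ... vlan-group" pair for a chosen group number, and diffs the expanded VLAN sets of the two forms so that no VLAN is lost or gained. The regular expressions, the 1-4094 VLAN range check and the sample line (taken from Kaustav's post) are assumptions of this example; it covers only the two command forms quoted in the thread.

```python
"""Translate a CatOS firewall-vlan line to IOS vlan-group syntax and verify
that the set of VLANs handed to the FWSM is unchanged by the migration.
Added example; regexes and range checks are this example's own assumptions."""
import re

# CatOS form quoted in the thread: set vlan <vlan_list> firewall-vlan <slot>
CATOS_RE = re.compile(
    r"^\s*set\s+vlan\s+(?P<vlans>[\d,\-]+)\s+firewall-vlan\s+(?P<slot>\d+)\s*$")
# IOS forms quoted in the thread
IOS_GROUP_RE = re.compile(
    r"^\s*firewall\s+vlan-group\s+(?P<group>\d+)\s+(?P<vlans>[\d,\-]+)\s*$")
IOS_MODULE_RE = re.compile(
    r"^\s*firewall\s+module\s+(?P<slot>\d+)\s+vlan-group\s+(?P<groups>[\d,]+)\s*$")

# Constructed sample input: the CatOS line from Kaustav's post, slot 2.
CATOS_LINE = ("set vlan 3-4,6,8-9,12,16,21-27,31,33-40,43,51,60-61,110,"
              "301-303,601-603,800,900,991,999 firewall-vlan 2")


def expand_vlan_list(spec):
    """Expand '3-4,6,8-9' into {3, 4, 6, 8, 9}; reject malformed or out-of-range IDs."""
    vlans = set()
    for part in spec.split(","):
        if not part:
            raise ValueError(f"empty element in VLAN list {spec!r}")
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range {part!r}")
        else:
            lo = hi = int(part)
        for vlan in range(lo, hi + 1):
            if not 1 <= vlan <= 4094:  # assumed valid 802.1Q range
                raise ValueError(f"VLAN {vlan} out of range")
            vlans.add(vlan)
    return vlans


def parse_catos(line):
    """Return (slot, vlan_set) from a CatOS 'set vlan ... firewall-vlan' line."""
    m = CATOS_RE.match(line)
    if not m:
        raise ValueError(f"not a CatOS firewall-vlan line: {line!r}")
    return int(m.group("slot")), expand_vlan_list(m.group("vlans"))


def catos_to_ios(line, group):
    """Emit the IOS vlan-group pair; the VLAN list text is carried over verbatim."""
    m = CATOS_RE.match(line)
    if not m:
        raise ValueError(f"not a CatOS firewall-vlan line: {line!r}")
    expand_vlan_list(m.group("vlans"))  # validate before emitting anything
    return [f"firewall vlan-group {group} {m.group('vlans')}",
            f"firewall module {m.group('slot')} vlan-group {group}"]


def parse_ios(lines):
    """Return {slot: vlan_set} from IOS 'firewall vlan-group' / 'firewall module' lines."""
    groups, modules = {}, {}
    for line in lines:
        g = IOS_GROUP_RE.match(line)
        mod = IOS_MODULE_RE.match(line)
        if g:
            groups[int(g.group("group"))] = expand_vlan_list(g.group("vlans"))
        elif mod:
            modules[int(mod.group("slot"))] = [int(x) for x in mod.group("groups").split(",")]
    result = {}
    for slot, group_ids in modules.items():
        vlans = set()
        for gid in group_ids:
            if gid not in groups:
                raise ValueError(f"module {slot} references undefined vlan-group {gid}")
            vlans |= groups[gid]
        result[slot] = vlans
    return result


def verify_migration(catos_line, ios_lines):
    """Diff the VLANs the FWSM slot received before and after migration."""
    slot, expected = parse_catos(catos_line)
    actual = parse_ios(ios_lines).get(slot, set())
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


if __name__ == "__main__":
    ios = catos_to_ios(CATOS_LINE, 10)
    print("\n".join(ios))
    print(verify_migration(CATOS_LINE, ios))
```

Run against the sample line, the script prints the two IOS commands from the post and an empty "missing"/"extra" report; pointing it at the vlan-group lines actually pasted into the new IOS configuration is the check that matters, since a hand-retyped range is where VLANs go astray.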

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Jazib,

I am going to be upgrading from 2.x code to 3.x on our FWSM's. I would like to switch to multi-context mode during this process.

1. Should I switch to multi-context mode before or after the upgrade?

2. Our current license is the basic one that states that we can have the admin and two other contexts. I'm a little unsure as to what the admin context is. When I switch from single context to multi-context, does my current configuration become the admin context, or does it take up one of my other two contexts?

Thanks

Michal

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Michal,

1) I would say, migrate to 3.x first and then enable security contexts. This way you will not run into any migration-related issues for SCs.

2) That is correct. When you enable security contexts, your current configuration is moved into the admin context. You can modify the admin context attributes as necessary.

Hope that helps

-Jazib

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Jazib,

I had an instance in one of my projects where I needed to somehow be able to translate a broadcast sent by a client PC located behind one FWSM's interface to a unicast, so that traffic would be directed to another FWSM's interface where the server was located (kind of similar to the ip helper functionality we have in routers). I have found the dhcp relay command, but it was only for DHCP 67 and 68. So my question is: is there any way to get this sort of setup working through a firewall? I ended up telling the customer that the firewall does not support that type of setup, but I would like to confirm with you that it is the case.

Cheers,

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Fernando,

You are correct. FWSM only allows DHCP traffic to be relayed to a specified server. It should not allow other broadcast traffic to pass through.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_ref/d2.htm#wp1563790

-Jazib

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Cheers for confirming this Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA

Hi Jazib,

Is multicast supported in FWSM in routed mode with the current software version?

regards

Ashish Panda

Bronze

Re: ASK THE EXPERT - IMPLEMENTING FIREWALL SERVICES MODULE ON CA
