Basic FWSM Configuration
Before you can access the Firewall Services Module (FWSM), some configuration is required on the Catalyst 6500 chassis that hosts it.
Example 3-10 shows how to locate an FWSM in a given 6500 chassis and verify the status of the module using the show module command. It also shows the EtherChannel connection (consisting of six Gigabit Ethernet ports) between the module and the switching fabric; the logical representation of this EtherChannel is shown in Figure 3-3.
Example 3-10. Viewing Information About Modules on a Catalyst 6500
! Displaying Information about installed modules on a Catalyst 6500 switch
CAT6500B# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1026SYKR
  4    6  Firewall Module                        WS-SVC-FWM-1       SAD11270BNW
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1015JH6H

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0017.5916.59b8 to 0017.5916.59e7   2.4   12.2(14r)S5  12.2(18)SXF1 Ok
  4  001b.d59c.0ce0 to 001b.d59c.0ce7   4.2   7.2(1)       4.0(3)       Ok
  5  0013.c43a.ced8 to 0013.c43a.cedb   5.2   8.4(2)       12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Centralized Forwarding Card WS-F6700-CFC       SAD102308FL 2.0     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B       SAL1015JHTB 2.3     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL1010F7PX 2.5     Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  4  Pass
  5  Pass
!
! Verifying Etherchannel information for the FWSM
CAT6500B# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
273    Po273(SU)        -        Gi4/1(P)   Gi4/2(P)   Gi4/3(P)   Gi4/4(P)
                                 Gi4/5(P)   Gi4/6(P)
Figure 3-3 Logical Representation and Logical Topology for FWSM Analysis
Example 3-11 shows the baseline configuration tasks that should be accomplished on the Catalyst 6500 before using the FWSM. These tasks include the following:
- Creating VLANs: Using exactly the same procedure used for any other VLAN.
- Creating VLAN Groups: Instead of assigning VLANs directly to the FWSM, the configuration groups them into VLAN-Groups (svclc vlan-group).
- Associating VLAN Groups with the physical module: Only the VLANs contained in the groups assigned with the firewall module vlan-group command become visible to the FWSM. For every VLAN that was not explicitly handed to the services module, the Catalyst 6500 behaves as a regular multilayer switch. This is worth keeping in mind from a security standpoint: if the MSFC is given an SVI on a VLAN that the FWSM is protecting, the MSFC can route around the firewall. By default the chassis allows only one such SVI toward the FWSM (typically the management VLAN); creating more requires the firewall multiple-vlan-interfaces command and should be a deliberate decision.
Example 3-11 also registers the commands to verify the VLAN and VLAN-Group information (related to the FWSM) in the Catalyst 6500 chassis.
Example 3-11. Baseline Configuration for the Catalyst 6500
! Creating VLANs on the Catalyst 6500
vlan 1100
 name SEC-MGMT
!
vlan 1240
 name FWSM-OUT1
!
vlan 1242
 name FWSM-DMZ1
!
! Creating VLAN Groups (SVCLC = Services Line Card)
svclc vlan-group 1 1100
svclc vlan-group 2 1240,1242
!
! Assigning VLAN Groups to the Firewall Module (installed in slot 4)
firewall module 4 vlan-group 1,2
!
! Verifying VLAN and VLAN-Group information
CAT6500B# show firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group    Created by    vlans
-----    ----------    -----
    1    ACE           1100
    2    ACE           1240,1242
!
CAT6500B# show firewall module 4 state
Firewall module 4:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1100,1240,1242
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 1100,1240,1242
Vlans allowed and active in management domain: 1100,1240,1242
Vlans in spanning tree forwarding state and not pruned: 1100,1240,1242
Example 3-12 shows the procedure for accessing the FWSM installed in module 4 from the Catalyst 6500 console. This access is actually a Telnet connection to a reserved loopback address (in the 127.0.0.0/8 range) that the chassis uses internally to reach the module. The connection never touches a data-plane VLAN, but note that anyone with enable access on the supervisor can reach the FWSM login prompt this way, so the supervisor's own access control becomes part of the firewall's trust boundary. The example also displays the source and destination IP addresses and Layer 4 ports of the Telnet session, as seen from the supervisor.
Example 3-12. Accessing the FWSM from the Catalyst 6500 Console
CAT6500B# session slot 4 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.41 ... Open

User Access Verification

Password: ********
Type help or '?' for a list of available commands.
FWSM2> enable
Password: ********
FWSM2#
!
! Viewing the Telnet connection from the Catalyst 6500 to the FWSM
CAT6500B# show tcp brief
TCB       Local Address           Foreign Address        (state)
46DCBBD0  127.0.0.51.38778        127.0.0.41.23          ESTAB
Figure 3-3 displays the logical representation of the FWSM Etherchannel connection to the Catalyst backplane. It also shows the logical topology that serves as the base for the analysis of the configuration fundamentals related to the FWSM.
Example 3-13 refers to the topology in Figure 3-3 and assembles the fundamental commands for the initial FWSM configuration. The FWSM has no external network interfaces. All its logical interfaces are VLAN interfaces: the VLANs are created on the underlying chassis and handed to the module through the firewall module vlan-group command (refer to Example 3-11).
One important difference between ASA appliances and the FWSM is that Internet Control Message Protocol (ICMP) traffic directed to the Firewall Module's own interfaces must be explicitly permitted, per interface, with icmp permit commands. Conversely, the default behavior of the ASA is to accept ICMP packets directed to its interfaces (refer to Example 3-7). The icmp permit any statements in Example 3-13 are convenient in a lab; in production, restrict the permitted sources (a host address or a subnet instead of any), especially on the lowest-security interface, so that the firewall does not answer echo requests from arbitrary hosts.
Example 3-13. Baseline FWSM Configuration
! Configuring Logical Interfaces
interface Vlan1100
 description *** Management Access ***
 nameif mgmt
 security-level 100
 ip address 192.168.1.22 255.255.255.0
!
interface Vlan1240
 nameif out1
 security-level 0
 ip address 172.16.240.22 255.255.255.0
!
interface Vlan1242
 nameif dmz1
 security-level 50
 ip address 172.16.242.22 255.255.255.0
!
! Enabling ICMP Ping to and from logical interfaces
icmp permit any echo mgmt
icmp permit any echo-reply mgmt
icmp permit any echo out1
icmp permit any echo-reply out1
icmp permit any echo dmz1
icmp permit any echo-reply dmz1
Example 3-14 assembles some show commands that enable the visualization of interface-related information on the FWSM. The VLANs visible on the FWSM side can be seen from the Catalyst 6500's CLI with the aid of the show firewall commands presented in Example 3-11.
Example 3-14. Displaying Information About Interfaces and VLANs on the FWSM
FWSM2# show nameif
Interface    Name     Security
Vlan1100     mgmt     100
Vlan1240     out1       0
Vlan1242     dmz1      50
!
FWSM2# show vlan
1100, 1240, 1242
!
FWSM2# show interface vlan 1100
Interface Vlan1100 "mgmt", is up, line protocol is up
  Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec
  Description: *** Management Access ***
  MAC address 001b.d4de.3580, MTU 1500
  IP address 192.168.1.22, subnet mask 255.255.255.0
  Traffic Statistics for "mgmt":
    798 packets input, 130180 bytes
    15 packets output, 1270 bytes
    55112 packets dropped
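The chassis-side and FWSM-side views shown in Examples 3-11 and 3-14 have to agree: a VLAN interface configured on the FWSM is useless if the chassis never handed that VLAN to the module, and a VLAN handed to the module with no FWSM interface on it is a Layer 2 presence nobody is filtering. The script below is an added example, not part of the book, that cross-checks the two views. It parses the output format of show firewall module <n> state and show nameif as they appear above, applied to constructed sample output that deliberately contains three inconsistencies (VLAN 1243 assigned but not forwarding, VLAN 1244 assigned but unused by the FWSM, and VLAN 1250 configured on the FWSM but never assigned on the chassis). The function and constant names are the example's own.

```python
"""Cross-check the VLANs a Catalyst 6500 hands to an FWSM (show firewall module
<n> state) against the interfaces the FWSM actually has (show nameif).
Added example: parses constructed sample output, not data captured from a device."""
import re

# Constructed sample, modeled on the format of Example 3-11 (not captured output).
SAMPLE_STATE = """\
Firewall module 4:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking VLANs Enabled: 1100,1240,1242-1244
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 1100,1240,1242-1244
Vlans allowed and active in management domain: 1100,1240,1242,1244
Vlans in spanning tree forwarding state and not pruned: 1100,1240,1242,1244
"""

# Constructed sample, modeled on the format of Example 3-14 (not captured output).
SAMPLE_NAMEIF = """\
Interface    Name     Security
Vlan1100     mgmt     100
Vlan1240     out1       0
Vlan1242     dmz1      50
Vlan1243     dmz2      50
Vlan1250     dmz3      40
"""


def expand_vlan_list(spec):
    """Expand an IOS-style VLAN list such as '1100,1240-1242' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_module_state(output):
    """Return (allowed, forwarding): VLANs allowed on the module trunk, and the
    subset that is active and in spanning-tree forwarding state."""
    allowed = set()
    forwarding = set()
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Vlans allowed on trunk":
            allowed = expand_vlan_list(value)
        elif key == "Vlans in spanning tree forwarding state and not pruned":
            forwarding = expand_vlan_list(value)
    return allowed, forwarding


def parse_nameif(output):
    """Map VLAN id -> (nameif, security-level) from FWSM 'show nameif' output."""
    interfaces = {}
    for m in re.finditer(r"^Vlan(\d+)\s+(\S+)\s+(\d+)\s*$", output, re.M):
        interfaces[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return interfaces


def audit_fwsm_vlans(state_output, nameif_output):
    """Compare the chassis view with the FWSM view and report the mismatches."""
    allowed, forwarding = parse_module_state(state_output)
    configured = set(parse_nameif(nameif_output))
    return {
        # FWSM interface exists, but the chassis never assigned the VLAN: dead interface
        "missing_on_chassis": sorted(configured - allowed),
        # assigned to the module but not forwarding (VLAN not created, pruned or blocked)
        "not_forwarding": sorted((configured & allowed) - forwarding),
        # handed to the module, but the FWSM has no interface on it: unfiltered L2 presence
        "unused_by_fwsm": sorted(allowed - configured),
    }


if __name__ == "__main__":
    for finding, vlans in audit_fwsm_vlans(SAMPLE_STATE, SAMPLE_NAMEIF).items():
        print(f"{finding}: {vlans or 'none'}")
```

On a real chassis, feed the script the captured output of show firewall module 4 state and of show nameif from the FWSM session; an empty report in all three categories means the two sides agree on exactly the VLANs listed in the firewall module vlan-group assignment.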