
DCNI-1

Implementing Cisco Data Center Network Infrastructure 1
Volume 2
Version 2.0

Student Guide

Text Part Number: 97-2674-01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Volume 2
Describing the Cisco Blade Switch Family 1-433
Overview 1-433
Objectives 1-433
Introducing the Cisco Blade Switches 1-434
Where and Why Are Blade Switches Used? 1-434
Blade Servers and Switches Benefits 1-434
Comparing Cabling Design Options 1-435
Management 1-436
Security 1-436
QoS 1-436
High Availability 1-437
Configuring Layer 2 Trunk Failover 1-438
Introducing the Cisco Blade Switch for HP Blade Servers 1-440
HP c7000 Bladesystem Characteristics 1-440
HP c3000 Bladesystem Characteristics 1-440
Network Interconnect Bays 1-441
Introducing the Cisco Blade Switches for Dell Blade Servers 1-445
Cisco IOS on Cisco Blade Switches 1-452
Licenses 1-452
License Activation 1-452
Replacing Malfunctioning Devices 1-453
Obtaining the License 1-454
Removing a License 1-454
Examining the License Information 1-454
Replacing a Switch in a Virtual Blade Switch 1-457
Standalone Operation 1-457
Introducing the Cisco Blade Switches for FCS Blade Servers 1-459
Summary 1-461
Module Summary 1-462
References 1-463
Module Self-Check 1-466
Module Self-Check Answer Key 1-472
Implementing FWSM for a Data Center Network Infrastructure 2-1
Overview 2-1
Module Objectives 2-1
Implementing Traffic Flows 2-3
Overview 2-3
Objectives 2-3
Firewall Overview 2-4
Isolated Legacy Networks 2-4
Connected Networks 2-4
Firewall Implementation 2-6
FWSM Overview 2-11
Scaling FWSM Performance 2-11
FWSM Initial Configuration 2-21
When to Use PVLAN? 2-34
Firewall Modes 2-35
Routed Mode 2-35
Transparent Mode 2-35
Using Transparent vs. Routed Mode 2-36
Configuring IP Addresses in Routed Mode 2-37
Configuring the Translation 2-41
Identity NAT 2-48
Static Identity NAT 2-48
NAT Exemption 2-49
Maximum Number of NAT Statements 2-51
Summary 2-57
Implementing ACLs 2-85
Overview 2-85
Objectives 2-85
Configuring Layer 2 Filtering 2-86
FWSM and Layer 2 Security 2-86
MAC Address Table Attack and Remedy 2-88
Configuring MAC Address Table Customization 2-88
Configuring ARP Inspection 2-90
Configuring Ethertype Filtering 2-92
Configuring ACLs 2-93
ACL Processing 2-94
ACL Configuration 2-95
Manipulating ACLs 2-95
Time-Based ACLs 2-99
ACL Logging 2-100
ACL System Resource Utilization 2-104
Summary 2-106
Implementing Contexts 2-107
Overview 2-107
Objectives 2-107
FWSM Virtualization Overview 2-108
Security Contexts Overview 2-108
Classifying Packets When Sharing the Interface 2-113
Configuring FWSM Contexts 2-119
System Execution Space 2-119
Admin Context 2-120
Accessing Contexts 2-120
Admin Context 2-122
Verifying Contexts 2-124
Removing Contexts 2-124
Changing the Context 2-125
Managing Context Resources 2-126
Configuring Resource Management 2-126
Defining Resource Limitations 2-128
Configuring Memory Partitions 2-130
Verifying Memory Partitions 2-130
Summary 2-132
Implementing Routing 2-133
Overview 2-133
Objectives 2-133
Configuring Static Routing 2-134
How to Determine Where to Forward the Traffic 2-134
How FWSM Makes Forwarding Decisions 2-134
Default Route 2-135
Static Route Convergence 2-136
Configuration Example 2-136

ii    Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0    © 2008 Cisco Systems, Inc.
Configuring Dynamic Routing 2-137
OSPF Limitations 2-138
Verifying OSPF Operation 2-140
BGP Limitations 2-144
Optional BGP Commands 2-146
Using RHI to Inject Translated IP Addresses 2-147
Using Asymmetric Routing Groups to Allow Asymmetric Routing 2-148
Using Asymmetric Routing Groups with Asymmetric Routing in Failover with Multiple Contexts 2-149
Summary 2-150
Implementing Failover 2-151
Overview 2-151
Objectives 2-151
Failover Overview 2-152
Active-Standby Failover 2-152
Active-Active Failover 2-153
Failover Link Requirements 2-154
State Link 2-155
Failover Event with Active-Active 2-157
Failover Operation 2-160
Rapid Link Failure Detection with Cisco IOS Autostate 2-164
Configuring Failover 2-165
Primary and Secondary Roles 2-165
Configuration Replication 2-165
Summary 2-180
Implementing Deep Packet Inspection 2-181
Overview 2-181
Objectives 2-181
Deep Packet Inspection Overview 2-182
URL Filtering Overview 2-190
URL Filtering Operation 2-190
Configuring Websense Server 2-192
Configuring Secure Computing SmartFilter 2-193
Enabling Buffering 2-193
Enabling Caching 2-193
Identifying Traffic 2-194
Summary 2-196
Module Summary 2-197
Module Self-Check 2-198
Module Self-Check Answer Key 2-200
Implementing Network Analysis with Cisco NAM 3-1
Overview 3-1
Module Objectives 3-1
Introducing Cisco NAM 3-3
Overview 3-3
Objectives 3-3
Network Traffic Monitoring Overview 3-4
Challenges 3-4
Benefits 3-4
NAM Deployment Dependent on Monitoring Purposes 3-9
The Big Picture Defined 3-11
Cisco NAM Service Module 3-16
Cisco NAM Data Sources 3-33
Plan for Cisco NAM Deployment 3-40
Cisco Catalyst 6500 Series Switch NAMs 3-43
Summary 3-48

Implementing Initial Configuration 3-49
Overview 3-49
Objectives 3-49
Cisco NAM Installation 3-50
NAM Hardware Installation 3-52
Verifying NAM Installation 3-53
Cisco NAM Initial Configuration 3-54
Initial IP Settings 3-55
Enabling Web Server 3-56
VLAN Configuration 3-57
What Are SNMP Community Strings? 3-57
Summary 3-74
Monitoring, Viewing, and Saving Data 3-75
Overview 3-75
Objectives 3-75
Scenario 1: Live Network Monitoring and Analysis 3-76
Problem Description 3-76
Monitoring Plan 3-76
Action 1: Port Monitoring 3-77
Historical Reporting and Trending 3-79
Action 2: Detailed Port Monitoring 3-82
Action 3: Using NDE with Cisco NAM 3-96
Scenario 2: Response-Time Monitoring 3-103
Verify Cisco NAM Deployment 3-103
Scenario 3: URL Monitoring 3-114
Scenario 4: Troubleshooting 3-121
Action 1: Thresholds and Alarms 3-122
Action 2: Trigger Packet Captures 3-135
Summary 3-149
Cisco NAM Maintenance 3-151
Overview 3-151
Objectives 3-151
Cisco NAM Software Upgrade 3-152
Nonresponding Cisco NAM 3-154
Shutting Down Cisco NAM 3-155
Cisco NAM Troubleshooting 3-156
Summary 3-161
Module Summary 3-162
Module Self-Check 3-163
Module Self-Check Answer Key 3-165

Lesson 12

Describing the Cisco Blade Switch Family

Overview

Objectives

Introducing the Cisco Blade Switches
This topic describes the Cisco blade family switches.

Using Cisco Blade Switches (figure)
• Data center blade server enclosures
• Optimize rack space and high availability
Figure labels: Cisco Catalyst 6500 (aggregation); End-of-Row, Top-of-Rack and Blade Switch access options; Access Catalyst 4948; Cisco Blade Switch

Where and Why Are Blade Switches Used?

Data centers typically have numerous servers, which take space and need cabling and management. Integrated blade switches present a third cabling design option, in addition to end-of-row and top-of-rack.
From a logical network perspective, this design is most similar to a top-of-rack design.
Note that the blade switch design can introduce complications for the spanning tree design, because there are more access layer switches per rack.

Blade Servers and Switches Benefits

Blade servers are used to optimize server deployment in data centers. Multiple servers are put into one enclosure and thus:
• Optimize rack space usage: blade servers and switches use less space than standalone counterparts
• Reduce the necessary cabling from servers to the network equipment
• More efficiently use power and produce less thermal output per server unit
• Add resiliency with redundant fan and power units from the blade chassis
• Make the solution more scalable



Comparing Cabling Design Options

Cisco Blade Switch Features (figure)
• Management:
  - Cisco IOS CLI, SNMP MIBs, CiscoWorks management tool
  - Integration with Management Module
• Integrated security:
  - ACL, 802.1x, TACACS+/RADIUS
• High availability:
  - STP enhancements, UDLD, L2 trunk failover, IEEE 802.3ad
• Quality of service (QoS)

All Cisco blade switches offer a complete set of intelligent services to deliver security, quality of service (QoS), and availability in the server farm access environment.
A Cisco blade switch extends Cisco infrastructure services to the server edge and uses existing network investments to help reduce operational expenses.

Management
The blade switches offer all the network management capabilities available on standalone Cisco Catalyst switches, along with blade server enclosure management integration:
• Basic access with the Cisco IOS command-line interface (CLI)
• Device-level access with standard Simple Network Management Protocol (SNMP) MIBs available across Cisco Catalyst Series Switches
• Integration with the blade server management module
• CiscoWorks management tool

Security
The security mechanisms incorporated include security access control lists (ACLs), IEEE 802.1x, TACACS+/RADIUS, etc.

QoS
QoS mechanisms available include ingress rate limiting, marking, shaped round robin (SRR), and priority queuing.



High Availability
The blade switches incorporate the spanning-tree enhancements that are available on Catalyst Series Switches:
• Port, uplink, and backbone fast
• Root guard, bridge protocol data unit (BPDU) guard/filter
• Per VLAN Spanning Tree Plus (PVST+) and Per VLAN Rapid Spanning Tree Plus (PVRST+)
• UniDirectional Link Detection (UDLD)
• Layer 2 trunk failover

Layer 2 Trunk Failover (figure)
• Challenge: Uplink port failure should trigger link outage to server ports:
  - Server with NIC teaming can switch from primary to secondary NIC
Configuration shown in the figure:
link state track 1
!
interface Portchannel1
 link state group 1 upstream
!
interface range GigabitEthernet0/1 - 10
 link state group 1 downstream
Figure labels: Server Blades; Blade Server Enclosure

Blade server blades connected to a blade switch have no knowledge of whether the switch has connections to the rest of the network.
In case of an uplink port failure, a server using NIC teaming would therefore not switch over from the primary to the secondary NIC (usually connected to another switch).
Layer 2 trunk failover is used on the blade switches to trigger link outages to server ports in case of a link outage on the uplink ports, thus enabling the server to switch over to the secondary NIC.

Configuring Layer 2 Trunk Failover

To enable Layer 2 trunk failover, the following configuration steps have to be taken:
Step 1  Configure a Layer 2 trunk failover group with the link state track global configuration command.
Step 2  Define the uplink ports as upstream with the link state group upstream interface configuration command.
Step 3  Define the server downlink ports as downstream with the link state group downstream interface configuration command.

Note  In the example, the interface Portchannel1 was configured in advance.
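The three steps above as one complete configuration for a Cisco Blade Switch 3020, added here as an example (this is not configuration from the course; it assumes that Port-channel1 already bundles the uplink ports and that GigabitEthernet0/1 - 16 are the 16 internal server downlinks of the 3020):

```cisco-ios
! Layer 2 trunk failover on a Cisco Blade Switch 3020 (added example).
! Assumptions (not from the course text): Port-channel1 already bundles the
! uplinks, and GigabitEthernet0/1 - 16 are the internal server downlinks.
configure terminal
!
! Step 1: create link-state tracking group 1 (global configuration).
link state track 1
!
! Step 2: the uplink port channel is the upstream member of group 1.
interface Port-channel1
 description Uplink to Catalyst 6500
 link state group 1 upstream
!
! Step 3: the server downlinks are the downstream members of group 1.
! When every upstream interface of the group is down, the switch
! error-disables these ports, so a NIC-teaming server sees link loss
! and fails over to the NIC attached to the other blade switch.
interface range GigabitEthernet0/1 - 16
 description Blade server downlink
 link state group 1 downstream
end
!
! Verification: list the group members and their state.
show link state group detail
```

The downstream ports recover automatically once an upstream interface of the group comes back up. Run show link state group detail after configuration and again after a failover test (shut the uplink port channel) to confirm that the downlinks actually went down; a group whose upstream member is a port channel only triggers when all physical members of that channel are down, which is the behaviour you want for a server dual-homed to two blade switches.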



Cisco Blade Switch Platforms (figure)
Figure labels: HP c-class; DELL; Fujitsu Siemens; HP p-class

Cisco offers these blade switches:
• Five Cisco blade switches for HP, Dell, and Fujitsu Siemens blade server systems
• Two OEM blade switches for HP and IBM blade server systems

Note  The OEM custom switches offer many of the same features, benefits and value, but are designed specifically for IBM and HP blade products. They are sold by IBM and HP only.

Introducing the Cisco Blade Switch for HP Blade Servers
This topic describes the Cisco blade switch for HP blade servers.

HP c7000 Bladesystem Overview (figure)
• Front:
  - 8 full-height/16 half-height server blades per enclosure
• Rear:
  - 2 slots for Gigabit Ethernet switches
  - 2 slots for FC or Gigabit Ethernet switches
  - 4 slots for high-speed I/O (for example InfiniBand, 10 Gigabit Ethernet)
Figure labels: Front; Rear (LAN switch or pass-through bays, SAN switch or pass-through bays)

HP c7000 Bladesystem Characteristics

The HP c7000 Bladesystem has these characteristics:
• 10 rack unit (RU) chassis
• Full-height server blades with up to eight per enclosure
• Half-height server blades with up to 16 per enclosure
• Half-height storage blade with up to 15 per enclosure and a total of 90 drives per enclosure
• 10 Gigabit Ethernet-capable backplane
• I/O options: 1/10 Gigabit Ethernet, InfiniBand, Fibre Channel
• Integrated HP Bladesystem Insight Display linked to onboard management administrator for local and remote system management
• Up to six hot-swappable power supplies configurable for N+N or N+1 redundancy

HP c3000 Bladesystem Characteristics

The HP c3000 Bladesystem has these characteristics:
• 6 RU chassis or tower
• Full-height server blades with up to four per enclosure
• Half-height server blades with up to eight per enclosure
• Four I/O interconnect bays with either Ethernet, InfiniBand, or Fibre Channel



Network Interconnect Bays
The HP Bladesystem c-class chassis has four pairs of interconnect bays (using cross-connects horizontally across the bays).

Cisco Blade Switch 3020 (figure)
• 8 external 10/100/1000BASE-T RJ45 uplink ports:
  - 4 shared with SFP ports (one can be active at a time)
  - 2 shared with internal crossover to paired Catalyst Blade Switch 3020
• 16 internal 10/100/1000BASE-T downlinks for server connections
Figure labels: Port LEDs; Console; 4x SFP Uplink Ports; 8x RJ45 Uplink Ports

The Cisco Blade Switch 3020 for HP c-class Bladesystem provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.
The Cisco Blade Switch 3020 ships as a single unit and should be ordered in quantities of two for redundancy purposes. A single blade can have up to four optional 1000Base-SX fiber small form-factor pluggable (SFP) modules.

The Cisco Blade Switch 3020 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with the HP c-class server blades like BL460c, BL480c, BL465c, BL685c, and BL8x0c.
The following system properties pertain to the switch:
• 128 MB of memory and 32 MB of flash
• 48-Gb/s switching fabric
• Up to 36-Mp/s forwarding rate based on 64-byte packets
• Up to 8192 MAC addresses
The following interfaces are available:
• 16 internal 10/100/1000BASE-T downlinks used for server connections
• 8 1-Gb RJ-45 copper uplinks
• Optional four SFP SX modules for fiber connectivity, where either the copper or the SFP port is active

Note  Ports 17-20 are combination ports, supporting either fixed RJ-45 connectors or SFP connectors. Insertion of an SFP connector automatically disables the associated copper connector.



Note  Ports 23 and 24 uplinks can optionally be configured as internal cross-connects to a paired Cisco Blade Switch 3020.

Up to six uplink ports can be put into a port channel, providing 6-Gb/s connectivity.

Cisco Blade Switch 3020 Features

Category           Features
Spanning Tree      • IEEE 802.1D, 802.1s, 802.1w
                   • PVST, PVST+, Rapid PVST
                   • Per-VLAN Rapid Spanning-Tree (PVRST+)
                   • PortFast, UplinkFast, BackboneFast
                   • Spanning-Tree Root Guard (STRG), UniDirectional Link Detection (UDLD)
Link Aggregation   • IEEE 802.3ad with Link Aggregation Control Protocol (LACP)
                   • EtherChannel using Port Aggregation Protocol (PAgP)
VLANs              • IEEE 802.1Q and Cisco ISL tagging
                   • VLAN Trunking Protocol (VTP)
                   • Dynamic Trunking Protocol (DTP)
                   • 1024 VLANs and 4000 VLAN IDs
Advanced QoS       • 802.1p class of service (CoS) and differentiated services code point (DSCP) field classification
                   • Cisco QoS ACLs
                   • SRR scheduling
                   • Cisco Committed Information Rate (CIR)
Multicasting       • Internet Group Management Protocol (IGMP) snooping v1 and v2
                   • Multicast VLAN Registration (MVR)
                   • Per-port broadcast, multicast, and unicast storm control
                   • 1000 configurable IGMP groups
Security           • TACACS+, RADIUS
                   • IEEE 802.1x
                   • Port-based ACLs (PACLs)
                   • SSHv1 and SSHv2, Kerberos, SNMPv3
                   • MAC address notification
                   • Protected port feature
Management         • Cisco Discovery Protocol
                   • Cisco IOS CLI, CiscoWorks
                   • RMON I and II
                   • SNMPv1, SNMPv2c, and SNMPv3
                   • SPAN, RSPAN
                   • End-to-end Cisco IOS common user interface and software upgrade across the entire switch network

Switch Architecture (figure)
Figure labels: Console port; 32 MB Flash; 128 MB SDRAM; TCAM; ASICs; 16 server downlink ports; 8 RJ45 ports; 4 SFP ports

The figure shows an overview of the Cisco Blade Switch 3020 architecture. The following key components constitute the switch:
• Processor that handles the control plane functionality
• Flash, TCAM, and working memory that hold the Cisco IOS image, the loaded Cisco IOS code, and various memory structures
• ASICs handling packet manipulation
• Physical (PHY) layer for bridging between ASICs and physical ports
• Ports: internal (16 server downlink ports), external (eight RJ-45 and four SFP-based ports), and interswitch (two connectivity ports; if they are used, two fewer uplink ports are available)

Introducing the Cisco Blade Switches for Dell Blade Servers

Dell PowerEdge 1955 Overview (figure)
• Front: 10 server blades per enclosure
• Rear: 4 slots for I/O switches

Note  The Dell PowerEdge 1955 System is a Dell PowerEdge 1855 System successor.

Cisco Blade Switch 3030 (figure)
• 6 external uplink ports:
  - 4 SFP ports
  - 2 RJ45 10/100/1000BASE-T copper ports
• 10 internal 10/100/1000 Mb/s downlinks for server connections
• EOS: June 9, 2008
Figure labels: Console; 2x RJ45 Uplink Ports; 4x SFP Uplink Ports

The Cisco Blade Switch 3030 for Dell PowerEdge 1955 and 1855 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.

Note  The switch reaches end-of-sale (EOS) status on June 9, 2008.

The Cisco Blade Switch 3030 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. It is compatible with the Dell PowerEdge 1955 and its predecessor, the 1855 Blade Server Enclosure.
Up to four can be installed per chassis, with the second set of two requiring Ethernet daughter cards on each server blade.
The following system properties pertain to the switch:
• 128 MB of memory and 32 MB of flash memory
• 32-Gb/s switching fabric
• Up to 24 Mp/s forwarding rate based on 64-byte packets
• Up to 8192 MAC addresses
The following interfaces are available:
• 10 internal 10/100/1000Base-T downlinks used for server connections (ports 1-10, PortFast enabled)
• Two external 10/100/1000BASE-T copper ports (ports 11, 12)
• Four external 10/100/1000 SFP-based copper or fiber SX-based ports (ports 13-16)
• Serial console with port redirection to the Dell DRAC/MC



Cisco Blade Switch 3030 Architecture (figure)
Figure labels: Console Port; 32 MB Flash; 128 MB SDRAM; TCAM; ASIC; 4 SFP Ports; 2 RJ45 Ports; 10 Server Downlink Ports

Dell PowerEdge M1000e Overview (figure)
• Front: 16 half-server blades per enclosure
• Rear: 6 slots for I/O switches

Dell PowerEdge M1000e System characteristics:
• 10 RU chassis
• Up to 16 half-server blades per enclosure
• Hot-swappable nonredundant (three) or redundant (3+3) power supplies
• Six I/O switch modules for three redundant fabrics (can host Cisco Blade Switch M3032, M3130G, M3130X)
• Nine hot-swappable fan modules
• Three chassis controllers with KVM switch

Note  Ethernet FlexIO switches provide on-demand stacking and uplink scalability.



Cisco Blade Switch 3032 (figure)
• 8 external uplink ports:
  - 4 10/100/1000BASE-T RJ45 copper ports
  - 4 SFP ports (using Cisco TwinGig Converter in X2 slots)
• 16 internal 10/100/1000 Mb/s downlinks for server connections
Figure labels: Console; 4x RJ45 Uplink Ports; 4x SFP Uplink Ports

The Cisco Blade Switch 3032 for Dell PowerEdge M1000e Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements. The Cisco Blade Switch 3032 is a Layer 3 switch.
The following system properties pertain to the switch:
• 256 MB of memory and 64 MB of flash memory
• 48-Gb/s switching fabric
• Up to 36 Mp/s forwarding rate based on 64-byte packets
• Up to 8192 MAC addresses
The following interfaces are available:
• 16 internal 10/100/1000Base-T downlinks used for server connections
• Four external 10/100/1000BASE-T RJ45 copper ports
• Four external SFP-based copper or fiber ports using the Cisco TwinGig converter module in X2 slots
• Serial console
• Fast Ethernet management interface connected to the CMC

Cisco Blade Switch 3130G and 3130X (figure)
• 3130G: 8 external uplink ports:
  - 4 10/100/1000BASE-T RJ45 copper ports
  - 4 SFP ports (using Cisco TwinGig Converter in X2 slots)
• 3130X: 6 external uplink ports:
  - 4 10/100/1000BASE-T RJ45 copper ports
  - 2 X2 10 Gigabit Ethernet ports
• 16 internal 10/100/1000 Mb/s downlinks for server connections
Figure labels: 3130G: Console, 4x RJ45 Uplink Ports, 4x SFP Uplink Ports; 3130X: Console, 4x RJ45 Uplink Ports, 2x X2 Uplink Ports

The Cisco Blade Switches 3130G and 3130X for Dell PowerEdge M1000e Blade Server Systems provide an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.
The following system properties pertain to the switch:
• 256 MB of memory and 64 MB of flash memory
• 128-Gb/s switching fabric
• Up to 59.2 Mp/s forwarding rate based on 64-byte packets
• Up to 12,000 MAC addresses (depends on the template used)
The following interfaces are available:
• 16 internal 10/100/1000Base-T downlinks used for server connections
• Serial console
• Fast Ethernet management interface connected to the CMC
• Cisco Blade Switch 3130G:
  - Four external 10/100/1000BASE-T RJ45 copper ports
  - Four external 1-Gb SFP-based copper or fiber ports using the Cisco TwinGig converter module in X2 slots
• Cisco Blade Switch 3130X:
  - Four external 10/100/1000BASE-T RJ45 copper ports
  - Four external 10-Gb X2-based ports
Cisco Blade Switches 3130G and 3130X support virtual blade switch functionality.


Cisco Blade Switch 3130 and 3032 Architecture (figure)
Figure labels: 16 Server Downlink Ports; Console Port; 10/100 Ethernet; ASIC; 4 RJ45 ports; X2/SFP; X2/SFP

Software Licenses and Features (figure)
• Same image with different licenses to activate the feature set
• Cisco Blade switches 31x0 ship with the IP Base image
• Cisco Blade switch 3032 can run only the IP Base image
Feature table in the figure (one column per license level, an X marking the features the level includes; the column marks did not survive extraction). Rows: Standard L2+ feature set; IP Source Guard and Dynamic ARP Inspection; RIP/Static, EIGRP Stub; IPv6 Manageability; Multicast, OSPF, BGP.
Cisco IOS on Cisco Blade Switches
Cisco Blade Switches 31x0 run a universal Cisco IOS image that is the same image used for any feature set and contains all Cisco IOS features.
Only the crypto version (K9) is available separately from the Cisco software center.
Licenses
Three license types exist: IP base, IP services, and advanced IP services.
A license is required for each switch, including each switch in a stack, and is locked to the unique device identifier (UDI) of the switch; it does not expire.

Cisco Blade Switches 31x0 ship with the IP Base Standard license installed, so to activate any other feature set the license file has to be changed.
This has no impact on Cisco IOS version updates.

Note  The Cisco Blade Switch 3032 can only run the IP Base image.

License Activation
A customer purchases a Product Authorization Key (PAK), obtains the UDIs for the devices to upgrade, and passes the information to the Cisco license portal.
Licenses are then electronically sent to the customer, who applies them to the devices.
No Internet connectivity from the switch to Cisco is required.

Note  Different PAKs for different types of switches exist, and an individual PAK can generate multiple licenses before it expires (similar to a debit card).

The Cisco license portal can provide the license history for any device.

Replacing Malfunctioning Devices

This requires a Cisco.com login, the old UDI, the new UDI, and the service contract number.
No PAK is required.

Note  A maximum of three replacement licenses can be generated from the original license before a TAC call is required.

The other option is to use sparing, and replace the failed switch with a like spare.

Managing Cisco IOS Licenses (figure)

The license file name in the original output is not legible and is shown as <license-file>:

switch# license install flash:<license-file>
Installing licenses from "flash:<license-file>"
Installing...Feature:ipservices...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install

switch#
19:46:56: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Next reboot level = ipservices and License = ipservices

Obtaining the License

These are the steps for obtaining the license:
• Buy the PAK code for a specific license (it represents the proof of purchase).
• Get the UDI for the switches to be upgraded.
• Log in to the Cisco license portal at http://www.cisco.com/go/licenses and create a license file using the PAK and UDI.
• Download the license file received by email to the switch flash memory.
• Install the license with the license install command.
Removing a License
If required, a license can be removed with the license clear EXEC command.
switch# license clear ipservices
Feature: ipservices
1 License Type: Permanent
  License State: Active, In Use
  License Addition: Exclusive
  Comment:
Are you sure you want to clear? (yes/[no]): yes

Examining the License Information

Use the following commands to examine and verify the license information:
• To display available licenses, use the show license file command.
• To examine the status of individually licensed features, use the show license status and show license detail commands.
• To display licensable UDIs, use the show license udi command.
• To debug licensing, use the debug license command.
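The "Obtaining the License" steps and the verification commands above, run end to end on one switch, as an added example (not from the course; the TFTP server address and the license file name are placeholders, and the file is assumed to have been created on the license portal from the PAK and this switch's UDI):

```cisco-ios
! License upgrade to IP Services on a Cisco Blade Switch 3130 (added example).
! Assumptions (not from the course text): a TFTP server at 10.1.1.10 holds the
! license file received from the Cisco license portal; <license-file>.lic is a
! placeholder for its name.
!
! 1. Record the UDI of this switch; the portal needs it together with the PAK.
show license udi
!
! 2. Copy the license file into flash memory (no connectivity to Cisco needed).
copy tftp://10.1.1.10/<license-file>.lic flash:
!
! 3. Install it; the syslog line reports the level used at the next reboot.
license install flash:<license-file>.lic
!
! 4. Verify before reloading: the new license is listed, but the running
!    feature set is still the one the switch booted with.
show license file
show license status
show license detail
!
! 5. The new feature set becomes active only after a reload.
reload
```

Because the license is locked to the UDI, a file created for one switch does not install on a replacement unit or on another stack member; every switch in a virtual blade switch stack needs its own file, and a replaced switch needs a replacement license generated from the old and new UDI as described above. The feature set changes only at the next reload, which is what the Next reboot level line in the install output tells you.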

Use the show license udi command to examine the switch UDI (required for obtaining the license):

switch# show license udi switch 1
Device#   PID              SN            UDI
*1        WS-CBS3130X-S    FOC1132HZSR   WS-CBS3130X-S:FOC1132HZSR


Virtual Blade Switch (figure)
• Stack Catalyst Blade Switch 3130 switches
• Manage as one switch
• Enables active-active server connectivity
• Virtual port channel: combine ports from different blade switches
Figure labels: Catalyst 6500; 3130 VBS; local server-server traffic stays within the VBS domain

Virtual blade switch technology provides a high-bandwidth interconnect between up to eight Cisco Catalyst Blade Switch 3130 switches, enabling them to be configured and managed as one logical switch.
This simplifies management, allows server-server traffic to stay within the virtual blade switch domain instead of congesting the core network, and can help significantly consolidate external cabling.
The following pertains to the virtual blade switch stack:
• Catalyst Blade Switch 3130G and 3130X can be used in the same stack
• Server active-active NIC teaming is possible with a port channel spanning multiple physical switches
• Managed as a single switch
• Single switch in the spanning tree and Layer 3 topology
• Enables virtual port channel deployment, combining ports from different physical blade switches in a stack
• Special stack cables can be 0.5, 1, or 3 meters long; they are keyed for direction
In a single virtual blade switch domain there is one master switch with 1:N resiliency for the master; that is, each member is a copy of the master switch.
New virtual blade switch members get Cisco IOS Software automatically upgraded (to the same Cisco IOS Software as the master switch has) and are automatically configured from the master switch.



Replacing a Switch in a Virtual Blade Switch

Standalone Operation
A Catalyst Blade Switch 3032 or a Catalyst Blade Switch 3130 operating in standalone mode behaves like a Catalyst Blade Switch 3030 switch.

VBS Deployment Scenarios
[Figure: three scenarios, single VBS (cost effective), separate VBS (more resilient), and 4 NICs per server (more server bandwidth)]
Virtual blade switches can be deployed in different scenarios, depending on the customer needs, as shown in the figure:
* A single virtual blade switch is the cost-effective solution and the most common.
* Separate rings with separate virtual blade switches are more resilient.
* The four-NIC server scenario gives more server bandwidth (for example, for VMware).

Introducing the Cisco Blade Switches for FCS Blade Servers
This topic describes the Cisco blade switches for FCS Blade Servers.

Fujitsu Siemens Primergy BX600

Overview
* Front:
  - 10 dual-socket server blades per enclosure
  - 5 quad-socket server blades per enclosure
* Rear: 4 slots for I/O switches
[Figure: Fujitsu Siemens Primergy BX600 enclosure]

Cisco Blade Switch 3040
* 6 external uplink ports:
  - 4 SFP ports
  - 2 RJ-45 10/100/1000BASE-T copper ports
* 10 internal 10/100/1000 Mb/s downlinks for server connections
[Figure: Cisco Blade Switch 3040 faceplate with the console port, 2x RJ-45 uplink ports, and 4x SFP uplink ports]

The Cisco Blade Switch 3040 for Fujitsu Siemens Primergy BX600 Blade Server Systems provides an integrated switching solution with Cisco resiliency, advanced security, and enhanced manageability to the server edge, which reduces cabling requirements.
The Cisco Blade Switch 3040 is a Layer 2+ switch and supports many Layer 3 functions, except IP routing. Up to four can be installed per chassis.
The following system properties pertain to the switch:
* 128 MB of memory and 32 MB of flash memory
* 32-Gb/s switching fabric
* Up to 24 Mp/s forwarding rate based on 64-byte packets
* Up to 8192 MAC addresses
The following interfaces are available:
* 10 internal 10/100/1000BASE-T downlinks used for server connections
* Two external 10/100/1000BASE-T copper ports
* Four external 10/100/1000 SFP-based copper or fiber SX-based ports
* Serial console with port redirection to Dell DRAC
The hardware architecture is the same as for the CBS 3030 switch.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Cisco blade switches are used in blade server enclosures.
* A Cisco blade switch is equivalent to a standalone Cisco Catalyst switch.
* Layer 2 trunk failover shuts the server port upon corresponding uplink failure.
* Cisco blade switches are available for HP, Dell, and Fujitsu Siemens blade systems.
* VBS functionality enables Catalyst Blade Switch 3130 stacking.
* Cisco OEM blade switches are available for HP and IBM blade systems.

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary
* To deploy scalable, manageable, and SOA-enabled data centers, follow the ECNM hierarchical design.
* The Cisco Catalyst 4900 Series Switch is designed to deliver the highest reliability and serviceability in a 1RU or 2RU configuration.
* Multiple generations of supervisors exist for the Cisco Catalyst 6500 Series Switches: Supervisor 1, 2, 32, and 720.
* The Supervisor Engine 720 provides higher-performance management and forwarding functions to Catalyst 6500 Series Switches than any other supervisor engine available.
* The Supervisor Engine 720 is designed to support three generations of line cards, providing flexibility in network design and investment protection.
* The VSS 1440 manages redundant links, which externally act as a single port channel.
* The Catalyst 6500 Series Switch with Cisco IOS Software Modularity minimizes downtime and boosts operational efficiency through evolutionary software infrastructure advancements.

Module Summary (Cont.)
* Exported NetFlow data can be used for a variety of purposes, including network management and planning, enterprise accounting and departmental chargebacks, ISP billing, data warehousing, and data mining for marketing purposes.
* To support QoS levels, several features have been incorporated into the hardware of the Catalyst 6500 Series Switch, including the MSFC, the PFC, and the port ASICs.
* EEM offers the ability to monitor events and take informational or corrective action when specific monitored events occur or when a threshold is reached.
* High-availability and reliability features are integrated technologies on the Catalyst 6500 Series Switch, and the platform offers integral components to deliver maximum uptime and fault detection.
* SPAN, RSPAN, and ERSPAN sessions allow the network administrator to monitor and analyze traffic locally or remotely.
* Blade servers are used to optimize server deployment in data centers.

Module Self-check
Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-check Answer Key.

Q1) Which data center evolution driver slows the power demand growth by increasing the utilization of the resources? (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Human collaboration
B) Business continuity
C) Virtualization
D) Agility
Q2) Which two of the following Cisco data center platforms are suitable for the data center core layer? (Choose two.) (Source: Describing the Catalyst 6500 and 4900 Series Switch Data Center Architecture)
A) Cisco Catalyst 4900 Series Switches
B) Cisco Nexus 5000 Series Switches
C) Cisco Catalyst 6500 Series Switches
D) Cisco Nexus 7000 Series Switches
E) Cisco Blade Series Switches
Q3) Which of the following Cisco Catalyst 4900 Series switches is modular? (Source: Describing and Positioning the Cisco Catalyst 6500 and 4900 Series Switches)
A) Catalyst 4900-51
B) Catalyst 4948
C) Catalyst 4948-10GE
D) Catalyst 4948-M
Q4) Which three high-availability features do Cisco Catalyst 4900 Series switches offer? (Choose three.) (Source: Describing and Positioning the Cisco Catalyst 6500 and 4900 Series Switches)
A) 1+1 redundant hot-swappable power supplies
B) Redundant supervisor engines
C) Redundant backplane
D) Redundant, hot-swappable fans with variable speed
E) HSRP, VRRP, and GLBP support
F) Stateful Switchover (SSO)

A) Access layer
B) Aggregation layer
C) Core layer
Nexus 7000
Nexus 5000
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 4900 Series Switch
5. Cisco blade switch

5. Distributed sustained 48 Mp/s per DFC3

Q8) Which two slots in a Cisco Catalyst 6509 Switch chassis can host a Supervisor 720 engine? (Choose two.) (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A)

Q9) Which component of the Supervisor 720 holds the route and switch processors? (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A) PFC3
B) MSFC3
C) Switch fabric
D) DFC3
Q10) Which two of the following are benefits of the VSS? (Choose two.) (Source: Describing the Cisco Catalyst 6500 Series Switch Supervisors)
A) MEC
B) Virtual device contexts
C) Active-active data plane
D) Enhanced L2 security
E) Reduced switchover time
Q11) Which of the following modules can be used to deploy the VSL? (Source: Describing the Cisco Catalyst 6500 Series Switch Module and Power Supply Options)
A) WS-X6704-10GE
B) WS-X6708-10GE
C) WS-X6716-10GE
D) WS-X6724-SFP
Q12) What two VSL protocols are used to initialize VSS? (Choose two.) (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) Stateful Switchover
B) Link Management Protocol
C) IP Bidirectional Forwarding
D) Enhanced PAgP
E) Role Resolution Protocol
Q13) Which Dual Active Detection mechanism is deployed over a Layer 3 direct Ethernet connection? (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) IP Bidirectional Forwarding
B) Enhanced PAgP
C) Role Resolution Protocol
D) HSRP
Q14) What is the last step of the VSS conversion process? (Source: Implementing Cisco Catalyst 6500 VSS 1440)
A) switch convert mode virtual command
B) reload command
C) switch virtual link switch-number command
D) switch accept mode virtual command


A) CISCO BASE
B) CISCO LATEST
C) CISCO LATEST ACTIVATE

Remove one level of install files

A) DEST-SRC
B) SRC ONLY
C) DEST ONLY
D) DEST-SRC-INT
E) FULL

True
False

Q20) Which of the following commands has to be used in order to enable the QoS processing on the PFC? (Source: Implementing QoS)
A) enable qos
B) mls qos
C) enable pfc qos
D) pfc qos
Q21) Where is a CoPP policy applied? (Source: Implementing QoS)
A) Through a global configuration
B) On the incoming interface
C) To an internal PFC to MSFC interface
D) To a control plane interface
Q22) Which two options are available to define an EEM policy? (Choose two.) (Source: Implementing EEM)
A) Event Detectors
B) CLI Applet
C) Event Manager
D) Event Manager Policy Engine
E) Tcl Script
Q23) What two GOLD diagnostics can be used for troubleshooting? (Choose two.) (Source: Utilizing Automated Diagnostics)
A) Bootup diagnostics
B) On-demand diagnostics
C) Health monitoring diagnostics
D) Scheduled diagnostics
Q24) What is used to trigger the Smart Call Home to send the message? (Source: Utilizing Automated Diagnostics)
A) Contact information
B) Alert group
C) Profile
D) Destination address
E) Destination transport method
Q25) What are the three supported traffic sources for the SPAN source port? (Choose three.) (Source: Implementing SPAN, RSPAN, and ERSPAN)
A) Interface
B) NetFlow
C) VACL
D) VLAN
E) Port channel
Q26) What is the source of the RSPAN session on the destination switch? (Source: Implementing SPAN, RSPAN, and ERSPAN)
A) Interface
B) RSPAN VLAN
C) VLAN
D) Port channel

True
False

Module Self-check Answer Key
Q1) C
Q2)

1-B C

1-B

Q8)
Q9) B

Q20)

Q23) B, D

Module 2

Implementing FWSM for a Data Center Network Infrastructure

Overview

Module Objectives
Lesson 1

Implementing Traffic Flows

Overview
The Cisco Catalyst 6500 Series Switch can be provisioned with Cisco service modules to provide additional processing functions beyond routing and switching. One of these modules is the Cisco Catalyst 6500 Series Firewall Services Module (FWSM), which provides integrated firewall services in the Catalyst 6500 Series Switch chassis. Designing networks that use the Catalyst 6500 Series FWSM requires an understanding of firewall services and the FWSM.
This lesson discusses the IP networking terms and concepts relevant to the underlying operations of the Catalyst 6500 Series FWSM, describes the challenges that firewalls address, and covers the key features and architecture of the Catalyst 6500 Series FWSM.

Objectives
Upon completing this lesson, you will be able to explain the basic installation and configuration procedures for configuring the Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
* Explain the purpose and operation of firewalls
* Describe the characteristics of the Cisco Catalyst 6500 Series FWSM
* Describe the steps needed to deploy a basic Catalyst 6500 Series FWSM configuration
* Explain Catalyst 6500 Series FWSM networking modes
* Describe the steps needed to configure routed mode
* Describe the steps needed to configure transparent mode
* Explain Catalyst 6500 Series FWSM NAT and PAT
* Describe the steps needed to configure NAT and PAT
Firewall Overview
This topic describes the fundamental problems that firewalls are designed to address.

Connected Networks
[Figure: telecommuters, mobile users, and a branch office connected through the Internet to the headquarters networks]

Isolated Legacy Networks

Early corporate data networks were built on proprietary technology and were often attached directly to mainframe or mid-size systems. Early IP networks in a corporate setting replaced proprietary transport technology with IP-based networks carried primarily on facilities dedicated to the company constructing the network, as shown in the figure.
An important attribute of these early corporate IP networks was the amount of isolation that existed between the corporate network and any other network. In general, the isolation was complete at the IP layer, with no mechanisms for traffic from unauthorized devices to be injected into the network. Security concerns in this network revolved primarily around the strength of the authentication provided by the access server. Many of the data security issues in these early networks were controlled by the mainframe or mid-size systems, which still owned most of the data.

Connected Networks

Modern corporate IP networks are connected to the global Internet and make use of the Internet for some or all of their data transport needs, as shown in the figure. Private circuits still exist and are used for security reasons, or merely to provide dedicated site-to-site bandwidth. The public Internet is also used for site-to-site links and has replaced the public switched telephone network (PSTN) as the prevalent means for connecting remote users. Additionally, corporations are providing more services via the Internet to customers and business partners.
Connecting corporate networks to the public Internet offers many advantages. Low-cost, high-speed access to the corporate network is easily provided for remote users with widely available Internet access in homes, hotels, restaurants, airports, etc. Traffic loads can be converged on one Internet-based infrastructure, resulting in cost savings for site-to-site and company-to-company connectivity.
Along with the advantages of connecting the corporate network to the global Internet comes a set of new security challenges. Unknown and unauthenticated systems are now capable of generating IP traffic that is injected into and routed by the corporate network. Systems from web servers to mainframes to workstations are now accessible from anywhere in the world. Compromising one system has now become an easier first step in mounting an attack on a corporate network.
There are several technologies available to mitigate the risks of Internet connectivity while maintaining the benefits. These technologies include firewall services.

© 2008 Cisco Systems, Inc. Implementing FWSM for a Data Center Network Infrastructure 2-5


What Is a Firewall?
* A firewall controls traffic flow from network to network
[Figure: firewall between the Internet (Outside Network), the Inside Network, and a Demilitarized Zone (DMZ) holding a web server]

A firewall controls access among a collection of two or more networks or inside a network. This is accomplished by controlling the traffic that flows from one interface to another interface.

Firewall Implementation

In the simplest implementations, a firewall connects two networks together. One network is the inside network, the other is the outside network. The inside network is the collection of network resources that must be protected from the outside network.
Additional networks can be added to the collection of networks that are controlled by a firewall. A typical use of this capability is the creation of a demilitarized zone (DMZ) network. DMZ networks are also referred to as perimeter networks. Resources in the DMZ network often have less stringent security requirements than those employed for the inside network. Systems might also be placed in the DMZ if they are used to provide services to the general public.
The figure shows an example of a firewall deployment in which a public web server is placed into the DMZ while corporate workstations and internal-use-only servers are placed into the inside network. The outside network is used to connect the corporate network with the Internet. The firewall in this example can implement a policy that the public web server is allowed to receive HTTP requests but resources in the inside network cannot.

Packet Filtering
[Figure: firewall with a web server in the DMZ between the Outside Network (Internet) and the Inside Network; the packet-filter policy is the table below]

Source   Destination   Port   Allowed
Outside  DMZ           80     Yes
Outside  DMZ           !80    No
DMZ      Any                  Yes
Inside   Any                  Yes
Outside  Inside               No


Proxy Server
[Figure: firewall with web and proxy servers in the DMZ between the Outside Network (Internet) and the Inside Network; the policy is the table below]

Source   Destination   Allowed
Outside  Web:80        Yes
Outside  Web:!80       No
Outside  Proxy         Yes
DMZ      Any           Yes
Inside   Any           Yes
Outside  Inside        No

Proxy servers can be used to address the limitations of firewalls that rely on simple packet filtering. A proxy server is a system that accepts connections for protected users and then establishes a second connection to the requested resource.
In the figure, the policies for packet filtering have been changed. An additional system has been added to the DMZ and is running proxy server software. Traffic to the web server is still limited to port 80; however, traffic from anywhere is allowed to reach the proxy server. Any inside system that chooses to access an Internet-based resource is configured with the IP address of the proxy server. Any connections from the inside network go to the proxy server, which establishes its own connection with the resource on the Internet.
Inside users can now access resources on the Internet. However, the proxy server is a system that is open to all traffic and needs to be carefully secured. A failure of the security of the proxy server would compromise the protection offered by the firewall.

Stateful Packet Filtering
[Figure: firewall with a web server in the DMZ between the Outside Network (Internet) and the Inside Network; the policy is the table below]

Entries for each active connection:
* Source/destination address
* Source/destination port
* Sequence numbers
* TCP flags

Source       Destination   Port   Allowed
Outside      DMZ           80     Yes
Outside      DMZ           !80    No
DMZ          Any                  Yes
Inside       Any                  Yes
Outside      Inside               No
Established  Session              Yes

Concept of Virtual Firewalling
* Logical partitioning of a single FWSM into multiple logical firewalls
* Logical firewall = security context
  - Policies and management
  - IP address space (can be reused between contexts)
  - Operational mode (routed/transparent)
  - Set of VLAN interfaces
  - Resource usage

Virtual firewalls present a logical partitioning of a single physical Catalyst 6500 Series FWSM into multiple logical firewalls. A logical firewall is called a security context (or virtual firewall).
Security contexts allow administrators to separate and secure data center silos while providing easy management using a single system. They lower overall management and support costs by hosting multiple virtual firewalls in a single device.

FWSM Overview
This topic identifies the characteristics of the Catalyst 6500 Series FWSM.

FWSM Hardware
* Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router firewall system
* High-performance firewall, 5.5 Gb/s
* Maximum of 1 million simultaneous connections
* Maximum of 100,000 connection setups and teardowns per second
* 256,000 PAT and 256,000 NAT translations
* Up to four blades per chassis
[Figure: FWSM module]

Scaling



* The second solution consists in assigning each Catalyst 6500 Series FWSM a distinct set of VLANs. Traffic is therefore associated to a given Catalyst 6500 Series FWSM based on its incoming or outgoing VLAN tag.
* The third solution consists in the network administrator overriding the dynamic routing process by manually assigning a specific Catalyst 6500 Series FWSM based on the source or destination of the traffic.

FWSM Key Features
* Fabric-enabled card
* Based on proven Cisco PIX firewall technology
* Supports transparent or routed firewall mode
* Up to 250 security contexts (virtual firewall instances)
* Up to 256 VLANs in a single routed context
* Up to 100 VLANs per each routed context in multi-context mode
* Up to 8 pairs of VLANs in each transparent context
* Up to 1000 VLANs in all contexts

Key features of the Catalyst 6500 Series FWSM include these:

* Supports transparent or routed firewall mode: When configured to run in routed mode, the Catalyst 6500 Series FWSM is considered a router hop in the network and performs NAT between connected networks. When configured in transparent mode, the Catalyst 6500 Series FWSM acts like a "bump in the wire" and is not considered a router hop. The inside and outside interfaces are the same networks, but different VLANs, with the Catalyst 6500 Series FWSM providing the connectivity.
* Supports up to 250 security contexts: The Catalyst 6500 Series FWSM can be in single or multiple context mode. In multiple context mode, up to 250 separate security contexts can be configured, depending on the software license being used. Multiple contexts are similar to having multiple stand-alone firewalls, conveniently contained within a single module.
* Supports up to 256 VLANs in a single routed context: Up to 256 VLANs can be configured in a single routed context.
* Supports up to 100 VLANs per each routed context in multicontext mode: When multiple routed contexts are deployed, each context could have 100 VLANs.
* Supports up to eight pairs of VLANs in each transparent context: Each transparent context could be deployed with eight pairs of VLAN bridge groups.
* Supports up to 1000 VLANs across all contexts: Across all contexts, a maximum of 1000 VLANs can be configured.
* Supports 5-Gb/s throughput: The Catalyst 6500 Series FWSM provides up to 5-Gb/s throughput.

* Supports one million concurrent connections: The Catalyst 6500 Series FWSM supports up to one million concurrent connections at any given time.
* Supports 100,000 connections per second: Up to 100,000 connections can be established per second.
* Multiple blades are supported in one chassis: In a single Catalyst 6500 Series Switch chassis, up to four Catalyst 6500 Series FWSM modules can be supported.

FWSM Key Features (Cont.)
* High-availability features include:
  - Active-active and active-standby contexts
  - Pre-empt option for active-active
  - Intra- or inter-chassis stateful failover
* Routing
  - Dynamic
  - Asymmetric
* Network integration improvements include:
  - Mixed Layer 2 and Layer 3 mode support
  - Private VLAN (PVLAN) support
  - Per-interface DHCP relay
* Scalability

  - Interchassis or intrachassis failover: Failover can be deployed in a single or multiple chassis.

* Network integration
  - Mixed Layer 2 and Layer 3 mode support: Mixed Layer 2 and Layer 3 mode support is now permitted on the same Catalyst 6500 Series FWSM, enabling flexible network deployments.
  - Private VLAN (PVLAN) support: The Catalyst 6500 Series FWSM is now aware of PVLANs configured on the switch supervisor, and properly processes traffic coming from a secondary VLAN that is configured as a secure VLAN with IEEE 802.1Q tagging of the primary, thus leveraging the logical separation and traffic isolation provided by PVLANs.
  - Per-interface DHCP relay: DHCP relay can now be configured per interface instead of for the entire context, providing better granularity and control of DHCP services.
* Scalability
  - Support for 250 virtual contexts: Contexts have been increased from 100 to 250.
  - Ability to apply the write memory command to all contexts: This feature makes configuring a large number of virtual contexts easier.
  - Increased number of global statements to 4000: This increase improves scalability when defining a pool of global addresses.
  - ACL memory enhancements: An increase of 20 percent in total available ACL memory improves scalability.
  - Sessions for non-TCP/UDP packets: This feature permits these packets to be forwarded through the fast path instead of the slow path, improving performance for Generic Routing Encapsulation (GRE), Extended Services Platforms (ESPs), and multicast traffic.
  - Supports up to 10 DHCP relay statements: An increase from 4 to 10 DHCP relay statements provides scalability benefits.
  - Provides 80 HTTPS sessions for Cisco Adaptive Security Device Manager (ASDM): This represents an increase from 32 to 80 HTTPS sessions for ASDM.

FWSM Architecture Overview
[Figure: Cisco FWSM installed in a Catalyst 6500 chassis; further figure detail not recoverable]



Three-Layer Architecture Overview
[Figure: three-layer FWSM architecture; labels: Control Path (CLI/OSPF/Fixups), Session Management, 1 Gb, Fast Path, 6 Gb/s EtherChannel, To Cisco Catalyst 6500 local bus (fabric or bus)]

The processing functions on the Catalyst 6500 Series FWSM are provided by a three-layer architecture consisting of three network processors and a PC complex.
The lowest layer of the architecture consists of two network processors that connect directly to the EtherChannel port channel from the backplane of the Catalyst 6500 Series Switch. These network processors provide fast-path processing of packets that are part of existing flows.
The second layer of the architecture consists of one network processor connected to both network processors from the fast-path layer. The session management network processor processes new session requests. The session management network processor also performs the Simple Mail Transfer Protocol (SMTP) fixup function. Fixup functions modify upper-layer protocol data to adjust for NAT.
The third layer of the architecture consists of a PC complex that performs all other fixup functions, as well as routing and the command-line interface (CLI).


FWSM File System
* The FWSM includes a 128 MB CompactFlash card
* Six partitions on the card are used (cf:n)

Partition   Contents
cf:1        Maintenance
cf:2        Network configuration
cf:3        Crash dump
cf:4        Application partition (default)
cf:5        Application partition
cf:6        Context configurations (disk1)


Feature Comparison: FWSM vs. ASA

(Comparison table; rows: Performance, Type of interfaces (VLANs on the FWSM, external interfaces on the ASA), VLANs, Failover licensing, VPN functionality (not on the FWSM), Default policy (allows higher-level to lower-level traffic on both))

This chart lists the key differences between the Catalyst 6500 Series FWSM and the Cisco ASA 5580-40 Adaptive Security Appliance.
Catalyst 6500 Series FWSM is able to process more traffic than almost all adaptive security appliance devices, except the latest ASA 5580-20 Adaptive Security Appliance and ASA 5580-40 Adaptive Security Appliance; however, termination of virtual private network (VPN) connections for traffic flowing through the firewall services module is not supported on a Catalyst 6500 Series FWSM. The Cisco Catalyst 6500 Series Switch provides intelligent services, such as intrusion detection, via Cisco Intrusion Detection Services Modules (IDSMs) and the IP security (IPsec) service port adapter.
When designing security policy for data centers, the following is usually true:
* There is no need for IPsec VPNs.
* Many VLANs are used.
* High availability is a must.
* Power consumption is a significant factor.
* The solution should scale because data centers evolve.
Thus, the Catalyst 6500 Series FWSM is a natural choice for data center security policy; that is, the number of VLAN interfaces, failover functionality, and scalability (with deploying up to four Catalyst 6500 Series FWSMs per Catalyst 6500 Series Switch chassis).

FW S M lnitialC onfiguration

FWSM Traffic Flow

(Figure: Outside Network and Inside Network connected through the Cisco Catalyst 6500 Series FWSM)



FWSM VLANs

(Figure: Outside Network on the outside VLAN and Inside Network on the inside VLAN, with DMZ1 Network and DMZ2 Network on their own VLANs, all attached to the FWSM inside the Cisco Catalyst 6500)

The figure shows how a Catalyst 6500 Series Switch containing a Catalyst 6500 Series FWSM connects to a network.
In this typical network scenario, the Catalyst 6500 Series FWSM connects to the network using two VLANs: one VLAN is used for a connection to the inside network, and the other VLAN is used for a connection to the outside network. Because the Catalyst 6500 Series FWSM is attached to VLANs, any physical or logical switch port can be used as an inside or outside port on the FWSM.



Configuring FWSM VLANs on Cisco IOS
1. Create the necessary VLANs
2. Group the VLANs into firewall VLAN groups
3. Assign the VLAN groups to individual FWSMs

vlan 55-57,70-85,100

firewall vlan-group 50 55-57
firewall vlan-group 51 70-85
firewall vlan-group 52 100

firewall module 5 vlan-group 50,52
firewall module 6 vlan-group 51,52

Router(config)#firewall vlan-group 50 55-57
Router(config)#firewall vlan-group 51 70-85
Router(config)#firewall vlan-group 52 100
Step 3 At the end, the firewall VLAN groups should be associated with individual firewall services modules, using the firewall module command. In this example, the firewall VLAN groups are assigned to FWSMs in slots 5 and 8.
Router(config)#firewall module 5 vlan-group 50,52
Router(config)#firewall module 8 vlan-group 51,52

Note Firewall VLAN groups can be shared by more than one Catalyst 6500 Series FWSM.

Verifying Cisco IOS Setup
Router#show firewall vlan-group
Group    vlans
50       55-57
51       70-85
52       100

Router#show firewall module
Module   Vlan-groups
5        50,52
8        51,52

The show firewall vlan-group and show firewall module commands can be used to verify the VLAN configuration.

Accessing the FWSM
Router#
session slot 5 processor 1
* Connects to the FWSM from Cisco IOS

Console> (enable)
session 5
* Connects to the FWSM from the Catalyst operating system

FWSM>
enable
* Enters enable mode

The Catalyst 6500 Series FWSM prompts for a login password, which defaults to cisco. After entering the login password, you receive the disabled mode prompt. Use the enable command to enter the enable mode. The default enable password is blank, and it can be entered by pressing the Enter key.

Configuring Basic Settings
1. Change the login and enable passwords
2. Configure host and domain names

password highly1Secure99
enable password evenB3tt#rpWord1
hostname bastion
domain-name example.com

All of the basic settings are configured from the main configuration mode on the Catalyst 6500 Series FWSM.
The login password is changed with the password command.
FWSM(config)#password highly1Secure99

Note The password command can also be specified as passwd.

The enable mode password is changed with the enable password command.
FWSM(config)#enable password evenB3tt#rpWord1
Both login and enable passwords are case-sensitive and can be up to 16 characters long. The passwords can contain letters, numbers, and special characters, except the question mark and space.
The hostname of the Catalyst 6500 Series FWSM defaults to FWSM and can be changed with the hostname command.
FWSM(config)#hostname bastion
The prompt changes to reflect the new hostname.
The domain name is configured with the domain-name command.
bastion(config)#domain-name example.com

Caution The host and domain names are used during the process that generates RSA keys for Secure Shell (SSH) and HTTPS access to the Catalyst 6500 Series FWSM. The host and domain names should be configured before keys are generated.

Configuring Interfaces
Router(config)#interface vlan 100
Router(config-if)#nameif outside
Router(config-if)#security-level 0

Router(config)#interface vlan 101
Router(config-if)#nameif inside
Router(config-if)#security-level 100

Router(config)#interface vlan 102
Router(config-if)#nameif dmz
Router(config-if)#security-level 50

* Specify name and security level for each interface

Before the Catalyst 6500 Series FWSM allows traffic through an interface, the interface name must be defined with a relevant security level.
The name is used in other configuration statements to refer to a specific interface, and should be meaningful to anyone reading the configuration. The name can be any text string up to 48 characters in length, and it is not case-sensitive.
The security level is a number from 0 to 100 that defines the security characteristics of the network attached to the specified interface.
In the example, VLAN 100 is defined as an interface named outside with a security level of zero. VLAN 101 is defined as an interface named inside with a security level of 100, while VLAN 102 is defined as an interface named dmz with a security level of 50.



Understanding Security Levels

(Figure: four nested circles for security levels 0, 30, 70 and 100; moving toward the centre is "inside to outside" reversed, that is, from outside to inside, and moving away from the centre is inside to outside)

Each interface has a security level that is represented by a number between 0 (lowest) and 100 (highest). The figure shows the relationships implied by the available security levels. Outside the outer (dashed) circle is security level 0. The field between the outer (dashed) circle and the middle (full) circle represents security level 30. Security level 70 lies between the middle (full) circle and the inner (dotted) circle, and security level 100 is the interior of the inner (dotted) circle.
Going from a lower security level to a higher security level takes you inside, while going from a higher to a lower security level takes you outside. When dealing with a firewall with multiple interfaces, each with different security levels, this inside and outside directionality determines the security and NAT policies that are applied.

Multiple Interfaces with the Same Security Level

(Figure: Internet and Outside Network 198.133.219.0/24 at security level 0; Inside Network 10.0.0.0/24 at security level 100; DMZ1 192.168.1.0/24 with a web server and DMZ2 192.168.2.0/24 with an application server at the same security level)


Intra-Interface Firewall Services

(Figure: the FWSM inside interface on 192.168.255.0/24 with a router connecting the subnets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 and an application server behind it)

The Catalyst 6500 Series FWSM can be configured as a "firewall on a stick" to control traffic among hosts attached to one of the interfaces.
The same-security-traffic permit intra-interface command is used to allow traffic to flow. ACLs are configured to control the type of traffic that is allowed to flow. The router connecting the subnets also needs to be configured to send all traffic to the Catalyst 6500 Series FWSM for processing.



Note The supervisor engine of the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router must run Cisco IOS Software Release 12.2(18)SXF or later; a special message is used to communicate the PVLAN mapping to the Catalyst 6500 Series FWSM.

* Promiscuous
  Can communicate with hosts on mapped community and isolated ports
  Listens to the secondary VLAN
  Sends traffic using the primary VLAN

Note The Catalyst 6500 Series FWSM can take the role of PVLAN router.

FWSM in PVLAN Environment
* The FWSM regulates communication between the "outside world" and hosts sitting in a PVLAN
* Hosts in the PVLAN communicate between themselves or with the outside world via the MSFC as permitted by the FWSM

(Figure: Cisco Catalyst 6500 with the MSFC (ip local-proxy-arp, interface VLAN 1001, 10.10.10.1), the FWSM between the MSFC and the PVLAN (primary VLAN 1000, secondary VLAN 500, 10.10.10.50 shown on the trunk), and Host A 10.10.10.100 and Host B 10.10.10.101 on isolated ports)

From the perspective of an FWSM, there is nothing particular about the configuration shown in the figure. From the perspective of a router, the Catalyst 6500 Series FWSM is sitting on a promiscuous port and sees all traffic to and from the PVLAN.
Host A and host B are on isolated ports inside the secondary VLAN 500. No communication can take place between them without involving a router. Both hosts are configured to use the Multilayer Switch Feature Card (MSFC) as their default gateway. The Catalyst 6500 Series FWSM is inserted between them and the MSFC. The primary VLAN of the PVLAN is 1000 and is trunked over to the Catalyst 6500 Series FWSM. The MSFC has no knowledge of the PVLAN, at least from a routing perspective, meaning interface VLAN 1001 is a regular VLAN interface.
Host B sends an Address Resolution Protocol (ARP) request for IP address 10.10.10.100 of host A, but the PVLAN does not let the ARP request reach host A directly. Instead, it is directed on to the primary VLAN and hits the Catalyst 6500 Series FWSM, which bridges it on to the MSFC. The MSFC is configured with local-proxy-ARP. It replies to host B with its own MAC address, then sends an ARP request for IP address 10.10.10.100 of host A, and routes subsequent packets from 10.10.10.101 to 10.10.10.100.
The Catalyst 6500 Series FWSM is providing inter-isolated port security. If inter-isolated port communication is required, the Catalyst 6500 Series FWSM can enable routing back out the same interface. Using this feature in conjunction with PVLAN integration, all communications to, from, and within a PVLAN can be controlled by the Catalyst 6500 Series FWSM.
Communication between isolated ports is prevented, since the Catalyst 6500 Series FWSM will not route the packets back out the interface they came in from.
Hosts in the PVLAN are protected from each other and from the outside world by the Catalyst 6500 Series FWSM.



When to Use PVLAN?
A security policy in the data center is typically created by segregating devices (namely servers) into different groups according to the security requirements and type, which means that a previously single IP subnet should be split into separate IP subnets.
Since splitting an IP subnet into two or more IP subnets requires reconfiguration not only of network equipment but also of servers, where certain applications might depend on a static IP address (and thus would also require application reconfiguration), such a solution is typically undesirable.
In such cases, PVLANs can be used to segregate servers into separate segments without changing their configuration.

Firewall Modes
This topic

Firewall Modes

(Figure, Routed Mode: Inside Network VLAN 20 (10.0.0.1, host 10.0.0.83) and Outside Network VLAN 40 (198.133.219.100, host 198.133.219.25), the FWSM routing between the two subnets. Transparent Mode: Layer 2; Inside Network VLAN 20 and Outside Network VLAN 40 share the subnet 10.0.0.0/24 (hosts 10.0.0.83 and 10.0.0.25, management address 10.0.0.100))

Routed Mode

Transparent Mode

Network probes, denial of service (DoS) floods, and "firewalking" attacks (that determine firewall filtering policies and reveal private addresses behind an address-translating firewall) are rendered impotent with transparent firewalls. This prevents malicious users from scoping the network to derive component and network information, making networks resilient to attacks.

Using Transparent vs. Routed Mode

Transparent firewalls are most useful in complex environments that require immediate or new firewall deployments. Enterprise routing networks that consist of multiple routing protocols, such as OSPF, BGP, and high availability protocols (HSRP, Virtual Router Redundancy Protocol [VRRP], and Gateway Load Balancing Protocol [GLBP]) can leverage the stealth security provided by transparent firewalls.
Transparent firewalls are invisible to routing updates and can be safely inserted in existing networks with no mandatory route changes.

Configuring Firewall Modes
FWSM(config)#
firewall transparent

* Specifies transparent mode

FWSM(config)#
no firewall transparent

* Specifies routed mode

The default mode for the Catalyst 6500 Series FWSM is routed mode.
The firewall transparent command is used to place the Catalyst 6500 Series FWSM in transparent mode.

Note Firewall mode is set per context.

Configuring IP Addresses in Routed Mode

The ip address command is used in routed mode to configure an IP address on a particular interface. The parameters specify the IP address and subnet mask to be used for the interface. Both the address and mask use the dotted decimal notation, while the standby keyword and address are used for failover.

Configuring IP Addresses in Routed Mode
FWSM(config)#interface vlan 100
FWSM(config-if)#nameif outside
FWSM(config-if)#security-level 0
FWSM(config-if)#ip address 198.133.219.15 255.255.255.0
* Specifies an IP address for each interface

(Figure: Internet, Outside Network 198.133.219.0/24, DMZ 192.168.1.0/24 with a web server, Inside Network 10.0.0.0/24)

In this example, the outside interface parameters are configured in VLAN 100.

Configuring IP Addresses in Transparent Mode
FWSM(config)#interface vlan 100
FWSM(config-if)#bridge-group 1
FWSM(config-if)#nameif inside
FWSM(config-if)#security-level 100
FWSM(config-if)#exit
FWSM(config)#interface bvi 1
FWSM(config-if)#ip address 10.0.0.100 255.255.255.0 standby 10.0.0.101

* Specifies a management IP address for each pair of bridge-group interfaces

(Figure: Outside Network 10.0.0.0/24 and Inside Network 10.0.0.0/24 bridged through the FWSM)



Transparent Mode Design Considerations
* Known as a Layer 2 firewall or "stealth firewall"
* 250 transparent security contexts
* Up to eight pairs of interfaces per transparent firewall
* Layer 2 ACLs
* Address Resolution Protocol (ARP) inspection
* Multicast pass-through
* No outside shared VLAN
* One management IP address per transparent firewall context
* The same subnet but different VLANs on the inside and outside

The list mentions the limitations and design considerations for the transparent mode.

Configuring the Translation
This topic identifies the FWSM NAT and PAT translation.

Network Address Translation Terminology

(Figure: Inside Network with local addresses and Outside Network with global addresses; the labels inside local, outside local, inside global and outside global name the same addresses as seen on each side of the firewall)


This example network has an inside network of 10.0.0.0/24 and an outside network of 198.133.219.0/24.
Network translation is used to allow a system on a private network to communicate with a web server that is on the public Internet. To perform this function, the network translation on the firewall is configured to translate the IP address of the inside system to a valid address on the outside network. An address with the same last octet has been allocated for this purpose.

Port Address Translation

(Figure: Inside Network 10.0.0.0/24 and Outside Network 198.133.219.0/24; hosts 10.0.0.83 and 10.0.0.84 each send from TCP port 2418 to the web server 198.133.219.25:80; after PAT both requests carry the same translated source address but different source ports, 2418 and 2419)

PAT adds port numbers to the translation table.
A typical use of PAT is to provide network access for a large inside network, while conserving addresses on the outside network. In this example, one address in the outside network is used to provide access for an inside network with a class C network of hosts. The example packets show two different systems generating requests to a web server. Each system is using the same TCP port to send the request. Notice that the inside global address for each request is the same IP address, but the PAT function on the firewall has allocated different ports for the requests.
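The PAT behaviour described above, as an added Python example (not code from the course or from Cisco): a small translation-table model in which two inside hosts that both use source port 2418 share one mapped address and receive distinct mapped ports, return traffic is untranslated by looking up the mapped port, and a translation idle for 30 seconds (the timeout the lesson gives) is removed so that a late reply is dropped. The PAT address 198.133.219.2 and the port-allocation rule (keep the original port when free, otherwise the next free one) are assumptions made for the demo.

```python
"""Dynamic PAT on a single mapped address, modeled in Python (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]               # (IP address, TCP port)
Flow = Tuple[Endpoint, Endpoint]         # (source endpoint, destination endpoint)

PAT_IDLE_TIMEOUT = 30.0                  # seconds of inactivity, as stated in the text


@dataclass
class Xlate:
    real_src: Endpoint                   # inside local address and original port
    mapped_src: Endpoint                 # inside global address and allocated port
    dst: Endpoint                        # outside server the flow was opened to
    last_seen: float                     # time of the last packet in either direction


@dataclass
class PatTable:
    global_ip: str                       # the one outside address all hosts share
    xlates: Dict[Endpoint, Xlate] = field(default_factory=dict)   # keyed by mapped_src
    by_real: Dict[Flow, Endpoint] = field(default_factory=dict)   # (real_src, dst) -> mapped_src

    def _allocate_port(self, wanted: int) -> int:
        # Assumed policy: keep the original source port when it is still free
        # (this reproduces the ports on the slide), else take the next free one.
        port = wanted
        while (self.global_ip, port) in self.xlates:
            port += 1
            if port > 65535:
                raise RuntimeError("PAT port range exhausted")
        return port

    def outbound(self, src: Endpoint, dst: Endpoint, now: float) -> Flow:
        """Inside -> outside packet: create or refresh the xlate, return translated (src, dst)."""
        key = (src, dst)
        mapped = self.by_real.get(key)
        if mapped is None:
            mapped = (self.global_ip, self._allocate_port(src[1]))
            self.xlates[mapped] = Xlate(src, mapped, dst, now)
            self.by_real[key] = mapped
        self.xlates[mapped].last_seen = now
        return mapped, dst

    def inbound(self, src: Endpoint, dst: Endpoint, now: float) -> Optional[Flow]:
        """Outside -> inside packet: untranslate via the mapped port, or None (dropped)."""
        xlate = self.xlates.get(dst)
        if xlate is None or xlate.dst != src:
            return None                  # no xlate for this port/peer: unsolicited, dropped
        xlate.last_seen = now
        return src, xlate.real_src

    def expire_idle(self, now: float) -> int:
        """Drop xlates idle for PAT_IDLE_TIMEOUT or longer; return how many were removed."""
        stale = [m for m, x in self.xlates.items() if now - x.last_seen >= PAT_IDLE_TIMEOUT]
        for mapped in stale:
            x = self.xlates.pop(mapped)
            del self.by_real[(x.real_src, x.dst)]
        return len(stale)


def demo() -> Dict[str, Optional[Flow]]:
    """Replay the slide: two inside hosts, same source port, one global address."""
    pat = PatTable(global_ip="198.133.219.2")      # constructed PAT address
    web = ("198.133.219.25", 80)                   # web server from the slide
    a = pat.outbound(("10.0.0.83", 2418), web, now=0.0)   # keeps port 2418
    b = pat.outbound(("10.0.0.84", 2418), web, now=1.0)   # 2418 taken -> 2419
    reply_to_b = pat.inbound(web, b[0], now=2.0)          # untranslated to 10.0.0.84:2418
    pat.expire_idle(now=40.0)                             # both flows idle > 30 s
    late_reply = pat.inbound(web, a[0], now=41.0)         # xlate gone: dropped
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "late_reply": late_reply}
```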

Configuring NAT Control
* NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule
* NAT control is disabled by default
FWSM(config)#
nat-control
* Enables NAT control

(Figure: Internet, Outside Network 198.133.219.0/24, DMZ 192.168.1.0/24 with a web server (NAT 1), Inside Network 10.0.0.0/24 (NAT 1))

Configuring Dynamic NAT and PAT
FWSM(config)#nat (inside) 1 10.1.2.0 255.255.255.0
FWSM(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM(config)#global (outside) 1 209.165.201.3-209.165.201.10

* Identifies the real addresses for translation

(Figure: Internet; Outside Network with global pool 1 = 209.165.201.3-209.165.201.10; DMZ 10.1.1.0/24 with a web server (NAT 1); Inside Network 10.1.2.0/24 (NAT 1))

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The Catalyst 6500 Series FWSM assigns an IP address from a mapped pool to the host you want to translate when it accesses the destination network. This only happens when the real host initiates the connection. The translation remains in place only for the duration of the connection. After the connection times out, that address is released for other hosts to use.
The port translation remains in place for the duration of the connection, but expires after 30 seconds of inactivity. This timeout is not user configurable.
Remote hosts can initiate connections to a translated host if permitted by the ACL, but after the translation has timed out, the remote connections are dropped, regardless of the ACL statement.
Dynamic NAT can be used when protocols cannot use PAT (such as GRE version 0), or for applications with a data stream and control path on different ports that are not open standard (such as multimedia applications).
In the example, the nat command identifies which interfaces have hosts to be translated when traversing the firewall to an interface configured with the global command.

Note Use different NAT IDs when identifying different sets of real addresses to have different mapped addresses.



In addition, static PAT permits administrators to provide a single address to remote users for accessing FTP, HTTP, and SMTP servers, even though these servers might be different servers on the real network. For example:
FWSM(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
FWSM(config)#static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
FWSM(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255

Note Overlapping static configurations were allowed in initial versions of Catalyst 6500 Series FWSM (version .x) but were later disallowed. In Catalyst 6500 Series FWSM version 3.1, overlapping configurations are supported again.

Bypassing NAT when NAT Control is Enabled
FWSM(config)#nat (inside) 0 10.1.1.0 255.255.255.0
FWSM(config)#static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
FWSM(config)#access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
FWSM(config)#nat (inside) 0 access-list EXEMPT

* Bypasses NAT

(Figure: Internet, Outside Network 209.165.201.0/24, DMZ 10.1.2.0/24 with a web server, Inside Network 10.1.1.0/24)

In some cases, for example, to use applications that do not support NAT, you do not want to perform NAT translation for certain hosts when NAT control is enabled. In that case, you can configure traffic to bypass NAT in one of three ways:
* Identity NAT (nat 0 command)
* Static identity NAT (static command)
* NAT exemption (nat 0 access-list command)

Identity NAT

Identity NAT is similar to dynamic NAT in that you do not limit translation for a host on specific interfaces. Identity NAT, when enabled, must be used for connections through all interfaces. You cannot choose to perform normal translation on real addresses on one interface, while using identity NAT on another. However, regular dynamic NAT lets you specify a particular interface on which to translate the addresses. When using identity NAT, ensure the real addresses are routable on all networks according to ACLs.
This example uses identity NAT for the inside 10.1.1.0/24 network.
FWSM(config)#nat (inside) 0 10.1.1.0 255.255.255.0

Static Identity NAT

Static identity NAT lets you specify the interface on which to allow the real addresses to appear. You can use identity NAT when accessing one interface, while using regular translation when accessing another. Static identity NAT permits the use of policy NAT, which identifies the real and destination addresses when determining the real addresses to translate. For example, use static identity NAT for an inside address when accessing an outside interface with a destination server A, but use normal translation when accessing outside server B.

This example uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside.
FWSM(config)#static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
This example uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside.
FWSM(config)#static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255
This example statically maps an entire subnet.
FWSM(config)#static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

FWSM(config)#access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
FWSM(config)#access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
FWSM(config)#static (inside,outside) 10.1.2.27 access-list NET1
FWSM(config)#static (inside,outside) 209.165.202.130 access-list NET2

This example exempts an inside network when accessing any destination address.
FWSM(config)#access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
FWSM(config)#nat (inside) 0 access-list EXEMPT
This example uses dynamic outside NAT for a DMZ network and exempts another DMZ network.
FWSM(config)#nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
FWSM(config)#global (inside) 1 10.1.1.45
FWSM(config)#access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
FWSM(config)#nat (dmz) 0 access-list EXEMPT
This example exempts an inside address when accessing two different destination addresses.
FWSM(config)#access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
FWSM(config)#access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
FWSM(config)#nat (inside) 0 access-list NET1

Order of Processing and Maximum Number of NAT Statements
Real addresses are matched to NAT commands in a specific order:
1. NAT exemption (nat 0 access-list)
2. Static NAT and static PAT (regular and policy) (static)
3. Policy dynamic NAT (nat access-list)
4. Regular dynamic NAT (nat)

The nat command                  2000
The global command               4000
The static command               2000
Policy NAT for single mode       3942 access control entries
Policy NAT for multiple mode     7272 access control entries

The Catalyst 6500 Series FWSM matches real addresses to NAT commands in a specific order, until the first match is found:
* NAT exemption (nat 0 access-list command): In order, until the first match is found. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. Including overlapping addresses in NAT exemption statements is not recommended, due to potential unexpected results.
* Static NAT and static PAT, regular and policy (static command): In order, until the first match is found. Static identity NAT is included in this category. In the case of overlapping addresses in static statements, a warning is displayed, but they are supported.
* Policy dynamic NAT (nat access-list command): In order, until the first match is found. Overlapping addresses are allowed.
* Regular dynamic NAT (nat command): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, a general statement is defined to translate all addresses (0.0.0.0) on an interface. A second statement is defined to translate a subset of the network (10.1.1.1) to a different address. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it best matches the real address. Including overlapping statements is not recommended, due to increased memory requirements and processing overhead on the Catalyst 6500 Series FWSM.

Maximum Number of NAT Statements
The Catalyst 6500 Series FWSM supports the following numbers of nat, global, and static commands divided between all contexts, or in a single mode:
* The nat command: 2000 (2k)
* The global command: 4000 (4k)
* The static command: 2000 (2k)

Note In addition, the Catalyst 6500 Series FWSM supports up to 3942 access control entries in ACLs used for policy NAT in single mode, and 7272 access control entries for multiple mode.

Advanced NAT: Multiple NAT IDs

nat (inside) 1 10.0.1.0 255.255.255.0
nat (inside) 2 10.0.2.0 255.255.255.0
nat (inside) 3 10.0.3.0 255.255.255.0
nat (inside) 4 10.0.4.0 255.255.255.0

global (outside) 1 192.168.1.11
global (outside) 2 192.168.1.12
global (outside) 3 192.168.1.13
global (outside) 4 192.168.1.14

(Figure: Internet; outside 192.168.1.0/24; inside subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, each tied to its own NAT ID)

Multiple NAT IDs can be used to provide separate translated addresses for various segments of the inside network. This is accomplished by using multiple NAT IDs in the nat and global commands. Inside addresses that are covered by the IP address and the mask of a specific nat command use the translated addresses in the global command with the same NAT ID.
For example, the network shown in the figure uses four addresses on the external network. Each address is used to provide access for a particular subnet of the inside network.

Policy NAT

access-list partnerA permit ip host 10.0.0.100 host 172.16.1.100
access-list partnerB permit ip host 10.0.0.100 host 172.16.2.100
static (inside,outside) 172.16.0.201 access-list partnerA
static (inside,outside) 172.16.0.202 access-list partnerB

Figure: Extranet, Outside Network 172.16.0.0/16, Inside Network 10.0.0.0/24

access-list partnerA permit ip host 10.0.0.100 host 172.16.1.100
access-list partnerB permit ip host 10.0.0.100 host 172.16.2.100
nat (inside) 201 access-list partnerA
nat (inside) 202 access-list partnerB
global (outside) 201 172.16.0.201
global (outside) 202 172.16.0.202

Policy NAT is used to select the translated address to be used based on the criteria expressed in an extended ACL. An extended ACL allows policy NAT to include the source and destination addresses and ports in the decision-making process.

Note ACLs must still be configured to allow the traffic flow enabled by the policy NAT configuration.
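The three matching rules above (static first match, policy dynamic first match, regular dynamic best match), the NAT ID lookup between the nat and global commands, and the source/destination decision of a policy ACL are easy to misread in a long NAT configuration. The following Python model is an added example, not FWSM code and not part of this course material; it uses constructed addresses, assumes every global is a single address (a pool of one), and models only the source and destination address part of a policy ACL.

```python
"""Added example: a small model of the FWSM NAT order of operations.

Not FWSM code. Assumptions (labelled): every global is a single address
(a pool of one), a policy ACL is a list of (source_net, dest_net) pairs,
and all addresses are constructed for the example.
"""
from ipaddress import ip_address, ip_network


def acl_matches(acl, src_ip, dst_ip):
    """True if any constructed (source_net, dest_net) entry matches the flow."""
    return any(src_ip in src_net and dst_ip in dst_net for src_net, dst_net in acl)


class FwsmNatModel:
    """Resolve a real (inside) source address to its translated address.

    Lookup order follows the text: 1) static, first match in configuration
    order; 2) policy dynamic NAT, first match in configuration order;
    3) regular dynamic NAT, best (longest-prefix) match, order irrelevant.
    """

    def __init__(self):
        self._statics = []         # (real_net, mapped_net, acl or None), config order
        self._policy_dynamic = []  # (nat_id, acl), config order
        self._dynamic = []         # (nat_id, real_net), order does not matter
        self._globals = {}         # nat_id -> global address (assumption: pool of one)

    def static(self, real, mapped, acl=None):
        """static (inside,outside) mapped real ... ; acl != None makes it a policy static."""
        self._statics.append((ip_network(real), ip_network(mapped), acl))

    def nat_policy(self, nat_id, acl):
        """nat (inside) nat_id access-list ..."""
        self._policy_dynamic.append((nat_id, acl))

    def nat(self, nat_id, real):
        """nat (inside) nat_id real mask ; nat_id 0 is regular identity NAT."""
        self._dynamic.append((nat_id, ip_network(real)))

    def global_(self, nat_id, address):
        """global (outside) nat_id address"""
        self._globals[nat_id] = address

    def resolve(self, src, dst):
        """Return (category, translated_source) or None if nothing matches."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)

        # 1. static NAT/PAT (regular and policy): first match wins
        for real_net, mapped_net, acl in self._statics:
            if acl is not None:
                hit = acl_matches(acl, src_ip, dst_ip)
            else:
                hit = src_ip in real_net
            if hit:
                offset = int(src_ip) - int(real_net.network_address)
                return "static", str(mapped_net[offset])

        # 2. policy dynamic NAT: first match wins
        for nat_id, acl in self._policy_dynamic:
            if acl_matches(acl, src_ip, dst_ip):
                return "policy-dynamic", self._globals[nat_id]

        # 3. regular dynamic NAT: the most specific real network wins,
        #    whatever the configuration order
        best = None
        for nat_id, real_net in self._dynamic:
            if src_ip in real_net and (best is None or real_net.prefixlen > best[1].prefixlen):
                best = (nat_id, real_net)
        if best is None:
            return None
        nat_id = best[0]
        if nat_id == 0:
            return "identity", str(src_ip)  # nat 0: the real address is used unchanged
        return "dynamic", self._globals[nat_id]


def build_sample_model():
    """Constructed configuration mirroring the figures in this lesson."""
    m = FwsmNatModel()
    # regular static for one host (constructed addresses)
    m.static("10.0.5.10/32", "192.168.1.50/32")
    # policy static: static (inside,outside) 172.16.0.201 access-list partnerA
    partner_a = [(ip_network("10.0.0.100/32"), ip_network("172.16.1.100/32"))]
    m.static("10.0.0.100/32", "172.16.0.201/32", acl=partner_a)
    # policy dynamic: nat (inside) 202 access-list partnerB / global (outside) 202
    partner_b = [(ip_network("10.0.0.100/32"), ip_network("172.16.2.100/32"))]
    m.nat_policy(202, partner_b)
    m.global_(202, "172.16.0.202")
    # multiple NAT IDs: one global address per inside subnet
    for i in (1, 2, 3, 4):
        m.nat(i, "10.0.%d.0/24" % i)
        m.global_(i, "192.168.1.1%d" % i)
    # general statement for everything, plus a more specific one for one host
    m.nat(9, "0.0.0.0/0")
    m.global_(9, "192.168.1.99")
    m.nat(8, "10.1.1.1/32")
    m.global_(8, "192.168.1.88")
    # regular identity NAT: nat (inside) 0 10.0.7.0 255.255.255.0
    m.nat(0, "10.0.7.0/24")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for flow in [("10.0.0.100", "172.16.1.100"), ("10.0.0.100", "203.0.113.5"),
                 ("10.1.1.1", "203.0.113.5"), ("10.0.7.5", "203.0.113.5")]:
        print(flow, "->", model.resolve(*flow))
```

Running the sample shows the same host, 10.0.0.100, leaving as 172.16.0.201 for partner A, 172.16.0.202 for partner B, and 192.168.1.99 (the general statement) for any other destination, while 10.1.1.1 picks the /32 statement over the 0.0.0.0 statement regardless of the order in which they were entered.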

Identity NAT

Figure: Internet, Outside Network 198.133.219.0/24, Inside Network 128.107.224.0/24

nat (inside) 0 128.107.224.0 255.255.255.0

OR

static (inside,outside) 128.107.224.0 128.107.224.0 netmask 255.255.255.0

Identity NAT allows an inside address to be used on the outside network.
Identity NAT is often used when resources with publicly routed addresses must be protected by a firewall. Identity NAT can be configured with a static command or a nat command with a NAT ID of 0. Identity NAT configured with the static command allows connections to be initiated from either side of the firewall, while the nat 0 command allows connections to be initiated only from within the inside network.

Note ACLs must still be configured to allow the traffic flow enabled by the identity NAT configuration.

NAT Exemption

access-list to-dmz permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list to-dmz permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list to-dmz

Figure: Internet, Outside Network 198.133.219.0/24, DMZ1 10.0.1.0/24 (Web Server), DMZ2 10.0.2.0/24 (Application Server), Inside Network 10.0.0.0/24

Note ACLs must still be configured to allow the traffic flow enabled by the NAT exemption configuration.

Note Though it uses the nat command, NAT exemption creates a two-way translation allowing traffic to be initiated from either side of the firewall. This is the only bidirectional use of the nat command.



Layer 2 NAT/PAT
* NAT, PAT, and static statements will turn on functionality.
* Transparent firewall bridge pair can support both NAT and non-NAT traffic.
* Firewall will respond to ARP requests for the global and static addresses in the same subnet.
* Management IP cannot be part of the global or static pool.
* Inspections will behave as in routed mode.

Figure: Transparent firewall with NAT/PAT between router R1 (outside) and router R2 (inside)

The Catalyst 6500 Series FWSM can also perform NAT in transparent mode from software version 3.4 onwards.
These configuration considerations apply to Layer 2 NAT/PAT deployment:
* Interface options for NAT, PAT, and static are not supported.
* Routes (static) are needed on the FWSM for addresses using NAT that are not part of the same subnet as the FWSM bridge group.
* Routes (static) are needed on adjacent routers for global and static pools that are not part of the same subnet as the FWSM bridge group.
* The alias command is not supported.

Summary
* The Cisco Catalyst 6500 Series FWSM analyzes and modifies fields in the IP, UDP, and TCP headers.
* The Catalyst 6500 Series FWSM uses stateful packet filtering to control traffic between two or more networks.
* NAT and PAT modify IP addresses and UDP/TCP ports as traffic passes through the Catalyst 6500 Series FWSM.
* The Catalyst 6500 Series FWSM is a fabric-enabled card that connects to the Catalyst 6500 Series Switch through a 6-port EtherChannel.
* The Catalyst 6500 Series FWSM offers scalability to 20 Gb/s in a single chassis.
* The Catalyst 6500 Series FWSM uses VLANs to connect to the rest of the network.

Lesson 2

Implementing Management Access

Overview

Objectives

Configuring Management Access
This topic describes the various management access options on the Catalyst 6500 Series FWSM, how they are configured, and when they are used.

Management Access

Management access interfaces:
* Console
* Remote access
* GUI-based management
* Out-of-band management

The Catalyst 6500 Series FWSM can be managed using various methods:
* Access through a console connection from the Cisco Catalyst 6500 Series Switch Multilayer Switch Feature Card (MSFC)
* Using remote access, such as Telnet or Secure Shell (SSH), with in-band management
* Using the GUI-based Cisco Adaptive Security Device Manager (ASDM)
* Deploying out-of-band management to restrict management traffic to a specific interface



Console Access

msfc#
session slot module_number processor 1
* Accesses the FWSM from the MSFC through the console

msfc# session slot 8 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open

User Access Verification

Password:
Type help or '?' for a list of available commands.
fwsm> enable
Password:
fwsm# configure terminal
fwsm(config)# exit
fwsm# exit
Logoff

[Connection to 127.0.0.81 closed by foreign host]

The Catalyst 6500 Series FWSM does not have any external ports or a console port. Therefore, the only option to access the Catalyst 6500 Series FWSM initially is through the MSFC by sessioning to the Catalyst 6500 Series FWSM.

Note For multiple context mode, when you session into the Catalyst 6500 Series FWSM you access the system configuration.

Logging through the Console

Note Keep in mind that the exit command might need to be entered multiple times if in a configuration mode.

Privileged EXEC Mode
To change the configuration, you must enter the privileged EXEC mode by using the enable command. Upon entering the privileged EXEC command, you must enter the privileged password, which by default is blank; therefore, press the Enter key to continue.
From this mode, the global configuration mode can be accessed. The global configuration mode does not require any password to be entered.
The configuration mode is entered with the configure terminal command.
To exit privileged EXEC mode, enter the disable command. You can also enter the exit or the quit commands to exit the current access mode (privileged EXEC mode, global configuration mode, etc.).

Managing Access Passwords
The login password is used for sessions from the switch, as well as Telnet and SSH connections.
Once logged in, the default login password can (and should) be changed with the password command.
To change the enable password, use the enable password command. The command changes the password for the highest privilege level. If local command authorization is configured, the privileged passwords for each privilege level from 0 to 15 can be set.

Note The password is a case-sensitive string of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.

To restore the password to the default setting, use the no form of the command.
The passwords are saved in the configuration in encrypted form.

Telnet Remote Access

fwsm(config)#
telnet source_IP_address mask source_interface
* Allows Telnet through the interface from the source IP addresses

fwsm(config)#
telnet timeout minutes
* Sets the Telnet timeout

* Cleartext access
* Only the server side is implemented

telnet 0.0.0.0 0.0.0.0 inside

Note Only the admin context can have up to 15 Telnet sessions concurrently.

Note If two or more concurrent Telnet sessions are opened and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.

When accessing the Catalyst 6500 Series FWSM using Telnet, the default password is cisco.

Configuring Telnet Access
To configure Telnet access to the Catalyst 6500 Series FWSM, use the commands listed in the table.

Configuring Telnet Access Commands

Command: telnet source_IP_address mask source_interface
Description: Identifies the IP addresses and interfaces from which the FWSM accepts connections. If there is only one interface present, Telnet can be configured to access that interface, as long as the interface has a security level of 100.

Command: telnet timeout minutes
Description: (Optional) Sets the Telnet session idle time before the FWSM disconnects the session. The value can be between 1 and 1440 minutes, with the default being 5 minutes.

Note Telnet access cannot be configured on the lowest security interface.

Mind that the FWSM should be configured with interfaces, IP addresses, and proper routing to allow remote access.
This example shows the configuration that allows Telnet from any source IP address coming from the inside segment. The timeout is set to the maximum.
fwsm(config)# telnet 0.0.0.0 0.0.0.0 inside
fwsm(config)# telnet timeout 1440
This example permits a host on the inside interface with an address of 192.168.1.2 to access the Catalyst 6500 Series FWSM, and allows Telnet to be idle for a maximum of 30 minutes.
fwsm(config)# telnet 192.168.1.2 255.255.255.255 inside
fwsm(config)# telnet timeout 30

SSH Remote Access

fwsm(config)#
ssh source_IP_address mask source_interface
* Allows SSH through the interface from the source IP addresses

fwsm(config)#
ssh timeout minutes
* Sets the SSH timeout

* Configuration steps:
  - Generate the RSA key
  - Configure SSH

crypto key generate rsa modulus 1024
write memory
!
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5

Note Only the admin context can have up to 15 SSH sessions concurrently.

Note If two or more concurrent SSH sessions are opened and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.

Note When starting an SSH session, a dot (.) displays on the Catalyst 6500 Series FWSM console before the SSH user authentication prompt appears. This does not affect the functionality of SSH; it appears at the console when generating a server key, or when decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the FWSM is busy and has not hung.



Configuring SSH Access
To configure SSH access to the Catalyst 6500 Series FWSM, use the commands in the order specified in the table.

Configuring SSH Access Procedure

Step 1. crypto key generate rsa modulus modulus_size
Notes: Generates an RSA key pair required for SSH. The modulus is 512, 768, 1024, or 2048 bits long. The larger the key modulus size, the longer it takes to generate an RSA key. The recommended size is at least 1024.

Step 2. write memory
Notes: Saves the RSA keys to persistent flash memory.

Step 3. ssh source_IP_address mask source_interface
Notes: Identifies the IP addresses and interfaces from which the FWSM accepts connections. SSH access can be configured on the lowest security interface, in contrast to Telnet.

Step 4. ssh timeout minutes
Notes: (Optional) Sets the SSH session idle time before the FWSM disconnects the session. The value can be between 1 and 60 minutes, the default being 5 minutes.

Step 5. ssh version {1 | 2}
Notes: (Optional) Restricts the version of SSH accepted by the FWSM. By default, the FWSM accepts both versions (SSHv1 and SSHv2).

Note SSHv2 requires a 3DES license to work. The cryptographic algorithms used by SSHv2 are limited to 3DES and AES. Only Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are available for the integrity.

Keep in mind that the Catalyst 6500 Series FWSM should be configured with interfaces, IP addresses, proper routing, FWSM name, and domain name to allow remote access. If the domain name is not specified, the default default.domain.invalid is generated.

Note The user authentication attempt limit is set to three and is not configurable.

Verifying SSH Configuration
To verify the SSH configuration, use the commands listed in the table.

Verifying SSH Configuration Commands

Command: show ssh sessions [client_ip]
Description: Examines the SSH sessions.

Command: debug ssh [level]
Description: Verifies SSH with debugging.

This example shows the configuration that allows SSH from any source IP address coming from the inside segment. The timeout is set to 5 minutes.
fwsm(config)# crypto key generate rsa modulus 1024
fwsm(config)# write memory
fwsm(config)# ssh 0.0.0.0 0.0.0.0 inside
fwsm(config)# ssh timeout 5
The size of the RSA key being generated is 1024.
This example permits a host on the inside interface with an address of 192.168.1.2 to access the FWSM and allows SSH to be idle for a maximum of 30 minutes.
fwsm(config)# ssh 192.168.1.2 255.255.255.255 inside
fwsm(config)# ssh timeout 30



GUI-Based Remote Access
* Adaptive Security Device Manager (ASDM) is free
* Prerequisites:
  - JavaScript or Java must be enabled
  - Support for SSL must be enabled
  - Pop-up blockers must be disabled

fwsm(config)#
http source_IP_address mask source_interface
http server enable
* Allows HTTPS through the interface from the source IP addresses and enables HTTPS

http 10.0.1.0 255.255.255.0 inside
http server enable

To use Cisco ASDM, the HTTP over SSL (HTTPS) server must be enabled so that HTTPS connections are allowed to the Catalyst 6500 Series FWSM.
A maximum of five concurrent Cisco ASDM instances per context are available, with a maximum of 80 Cisco ASDM instances divided between all contexts. The number of Cisco ASDM sessions allowed per context is controlled using resource classes.
The minimum Cisco ASDM and Catalyst 6500 Series FWSM software compatibility version is ASDM 5.0(1)F and FWSM 3.1.
Cisco ASDM can be run as the following:
* A local application that requires the installation of Cisco ASDM on the client workstation. The local application connects to the FWSM from the workstation via Secure Socket Layer (SSL). The advantages are:
  - Upgrades of the local application are performed automatically.
  - Cisco ASDM can be invoked from desktop shortcuts. No browser is required.
  - One desktop shortcut allows you to connect to multiple security appliances, not only to the Catalyst 6500 Series FWSM.
* A Java applet that is dynamically downloaded from the device to which you connect.

Cisco ASDM Prerequisites
The workstation used for Cisco ASDM access must meet these prerequisites:
* It has to be installed with supported Java versions 1.4.2 and 5.0 (also known as 1.5).
* It must be equipped with a web browser:
  - Enabled with JavaScript and Java
  - SSL support must be enabled
  - Pop-up blockers must be disabled since they may prevent Cisco ASDM from starting (Cisco ASDM will not notify you)
Configuring Cisco ASDM Access
To use Cisco ASDM, the HTTPS server has to be enabled and HTTPS connections to the Catalyst 6500 Series FWSM must be allowed. To configure HTTPS access to the Catalyst 6500 Series FWSM, use the commands listed in the table.

HTTPS Access to the FWSM Commands

Command: http source_IP_address mask source_interface
Description: Identifies the IP addresses and interfaces from which the FWSM accepts connections.

Command: http server enable
Description: Enables the HTTPS service on the FWSM.

This example shows the configuration with which HTTPS is allowed from the 10.0.4.0/24 network coming from the inside segment.
http 10.0.4.0 255.255.255.0 inside
http server enable
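The Telnet, SSH, and HTTPS sections above each note something a reviewer should look for in a running configuration: Telnet is cleartext, the FWSM accepts SSHv1 unless ssh version 2 is set, any of the three commands can be opened to 0.0.0.0 0.0.0.0, and idle timeouts can be set as high as 1440 minutes. The following Python script is an added example, not Cisco's or this course's code, that scans a constructed FWSM configuration excerpt for those conditions; the severity labels and the 10-minute idle threshold are assumptions chosen for the example.

```python
"""Added example: audit FWSM management-access lines for the weaknesses the
lesson describes. Not Cisco code; the severities and the idle-time threshold
are assumptions, and both configuration excerpts are constructed."""
import re
from ipaddress import ip_network

# Constructed excerpt that exhibits every condition the audit looks for.
SAMPLE_CONFIG = """\
hostname fwsm
domain-name example.invalid
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.2 255.255.255.255 outside
ssh timeout 30
ssh version 1
http 10.0.4.0 255.255.255.0 inside
http server enable
"""

# Constructed excerpt following the lesson's guidance: SSH only, limited sources.
HARDENED_CONFIG = """\
ssh 192.168.1.2 255.255.255.255 inside
ssh timeout 5
ssh version 2
http 10.0.4.0 255.255.255.0 inside
http server enable
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(%s)\s+(%s)\s+(\S+)$" % (IPV4, IPV4))
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")
VERSION_RE = re.compile(r"^ssh\s+version\s+([12])$")


def audit_management_access(config, max_idle_minutes=10):
    """Return a list of (line_number, severity, message); line 0 = whole config."""
    findings = []
    ssh_version = None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            net = ip_network("%s/%s" % (addr, mask), strict=False)
            if proto == "telnet":
                findings.append((lineno, "high",
                                 "telnet from %s on %s: cleartext management; use SSH" % (net, iface)))
            if net.prefixlen == 0:
                findings.append((lineno, "medium",
                                 "%s allowed from any source on %s; restrict to management hosts" % (proto, iface)))
            continue
        m = TIMEOUT_RE.match(line)
        if m and int(m.group(2)) > max_idle_minutes:
            findings.append((lineno, "low",
                             "%s idle timeout %s min exceeds %d" % (m.group(1), m.group(2), max_idle_minutes)))
            continue
        m = VERSION_RE.match(line)
        if m:
            ssh_version = m.group(1)
    if ssh_version != "2":
        # The lesson notes the FWSM accepts both SSHv1 and SSHv2 by default.
        findings.append((0, "medium", "ssh version 2 not enforced; SSHv1 is accepted by default"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_management_access(SAMPLE_CONFIG):
        print("line %-2d %-6s %s" % (lineno, severity, message))
```

On the constructed SAMPLE_CONFIG the audit reports six findings (the Telnet line twice, once for cleartext and once for the any-source mask), and none on HARDENED_CONFIG. The checks only cover what these pages describe; a real review would also look at the AAA settings from the later section of this lesson.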

VPN-Based Remote Access
IPsec VPN for management purpose:
* Routed: site-to-site, VPN client
* Transparent: site-to-site only

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
isakmp key PRSHRKY address 209.165.200.223
access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
crypto map telnet-tunnel 1 ipsec-isakmp
crypto map telnet-tunnel 1 match address TUNNEL
crypto map telnet-tunnel 1 set peer 209.165.202.129
crypto map telnet-tunnel 1 set transform-set vpn
crypto map telnet-tunnel interface outside

* Sample site-to-site VPN configuration

The Catalyst 6500 Series FWSM also supports IP security (IPsec) for management access, with which traffic can safely travel over insecure networks, such as the Internet. The Catalyst 6500 Series FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the Catalyst 6500 Series FWSM, the only address available on the Catalyst 6500 Series FWSM end of the tunnel is the interface itself.
The routed mode can also accept connections from VPN clients, either hosts running the Cisco VPN client, or VPN concentrators, such as the Cisco PIX firewall or Cisco IOS router, running the Easy VPN client. In this case the IP address of the client is not known; instead, the VPN tunnel setup relies on client authentication.
Transparent firewall mode does not support remote clients, only site-to-site tunnels.
A maximum of five concurrent IPsec connections per context are available, with a maximum of ten concurrent connections divided between all contexts. The number of IPsec sessions allowed per context is controlled using resource classes.
The VPN-based remote access might be used in a disaster recovery center or backup center to securely access the Catalyst 6500 Series FWSM from the primary data center.

Configuring VPN Access
To configure basic IPsec VPN access parameters, the steps listed in the table have to be accomplished.

Configuring Basic IPsec VPN Access Parameters Procedure

Step 1. isakmp policy priority encryption {des | 3des}
Notes: Sets the Internet Key Exchange (IKE) encryption algorithm. Multiple IKE policies can exist. The priority is a value between 1 and 65,534, with 1 being the highest priority.

Step 2. isakmp policy priority group {1 | 2}
Notes: Sets the Diffie-Hellman group used for key exchange. Group 1 is 768 bits, while Group 2 is 1024 bits and thus more secure.

Step 3. isakmp policy priority hash {md5 | sha}
Notes: Sets the authentication algorithm.

Step 4. isakmp policy priority authentication pre-share
Notes: Sets the IKE authentication method as a shared key. Alternatively, certificates can be used instead of a shared key by specifying the rsa-sig option. Consult the FWSM documentation for more information about this method.

Step 5. isakmp enable interface_name
Notes: Enables IKE on the tunnel interface.

Step 6. crypto ipsec transform-set transform_name {esp-md5-hmac | esp-sha-hmac} {esp-aes-256 | esp-aes-192 | esp-aes | esp-des | esp-3des}
Notes: Sets the authentication and encryption methods used for IPsec tunnels in a transform set.

Configuring the VPN Client IPsec Access Procedure

Step 1. crypto dynamic-map dynamic_map_name priority set transform-set transform_set1 [transform_set2] [...]
Notes: Specifies the transform sets allowed for client tunnels.

Step 2. crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name
Notes: Assigns the dynamic crypto map to a static tunnel.

Step 3. crypto map crypto_map_name interface interface_name
Notes: Specifies the interface at which the client tunnels terminate.

Step 4. ip local pool pool_name first_ip_address-last_ip_address [mask mask]
Notes: Specifies the range of IP addresses to be used for VPN remote access tunnels.

Step 5. access-list acl_name [extended] permit [protocol] host fwsm_interface_address pool_addresses mask
Notes: Specifies the tunnel traffic destined for the FWSM.

Step 6. tunnel-group name general-attributes address-pool pool_name
Notes: Assigns the VPN address pool to a tunnel group.

Step 7. group-policy name attributes
        split-tunnel-policy tunnelall
Notes: Specifies that only traffic destined for the FWSM is tunneled.

Step 8. group-policy group_name external server-group server_group_name password server_password
Notes: Sets the VPN group password.



Note Only one crypto map name can be assigned to an interface. If both site-to-site tunnel and VPN clients should be terminated on the same interface, use the same crypto map name.

To further configure the site-to-site IPsec access, the steps listed in the table have to be accomplished.

Configuring the Site-to-Site IPsec Access Procedure

Step 1. isakmp key keystring address peer_address
Notes: Sets the shared key used by both peers.

Step 2. access-list acl_name [extended] {deny | permit} [protocol] host fwsm_interface_address dest_address mask
Notes: Identifies the traffic allowed to go over the tunnel.

Step 3. crypto map crypto_map_name priority ipsec-isakmp
Notes: Creates an IPsec tunnel.

Step 4. crypto map crypto_map_name priority match address acl_name
Notes: Assigns the access control list (ACL) to the tunnel.

Step 5. crypto map crypto_map_name priority set peer peer_address
Notes: Specifies the remote peer on which the tunnel terminates.

Step 6. crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]
Notes: Specifies the transform sets for this tunnel.

Step 7. crypto map crypto_map_name interface interface_name
Notes: Specifies the interface where the tunnel terminates.

Step 8. http source_IP_address mask source_interface
Notes: Identifies the IP addresses and interfaces from which the FWSM accepts connections.

Step 9. http server enable
Notes: Enables the HTTPS service on the FWSM.



ICMP on FWSM
* ICMP for management purpose

fwsm(config)#
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
* Allows ICMP of a certain type to and from an interface

Figure: Internet, Outside Network, Inside Network 10.0.0.0/24

icmp deny any outside
icmp permit any inside

ICMP can be permitted or denied to reach a Catalyst 6500 Series FWSM interface, either from a host to the Catalyst 6500 Series FWSM or from the Catalyst 6500 Series FWSM to a host, which requires the ICMP reply to be allowed back.

Note If only ping is required from the Catalyst 6500 Series FWSM to a host (only the echo reply back to the interface should be allowed), use the ICMP inspection engine instead of the icmp command.



Out-of-Band Management
* Disable pass-through traffic through the management interface
* Routed mode only

fwsm(config-if)#
management-only
* Dedicates the interface for management purpose

Figure: Outside and Inside interfaces, with a dedicated management interface on the FWSM

interface vlan10
management-only

An interface on a Catalyst 6500 Series FWSM can be dedicated for the management purpose. On such an interface, the traffic cannot pass through the Catalyst 6500 Series FWSM.
Use the management-only command on the interface to achieve that.
Out-of-band management is available only in routed mode (in transparent mode this is the default behavior for the Bridge-Group Virtual Interface [BVI] interface).

Configuring AAA Services

Understanding AAA
* AAA services:
  - Authentication: Who are you?
  - Authorization: What are you allowed to do?
  - Accounting: What did you do?
* Discrete per context
* AAA database:
  - Local
  - Server-based:
    - RADIUS
    - TACACS+

Figure: Outside Network, Inside Network 10.0.0.0/24, AAA server

AAA Services Description
Authentication controls the access by validating user credentials, typically a username and password. The Catalyst 6500 Series FWSM can authenticate all administrative connections to the FWSM, including Telnet, SSH, console, ASDM (using HTTPS), VPN management access, privileged EXEC mode, and network access.
Authorization controls access per user after a user authenticates, and can authorize management commands, network access, and VPN access for management connections. If authorization is not enabled, authentication provides the same access to services for all authenticated users.

Note If command authorization is turned on, the TFTP server commands are checked by the AAA server for authorization, which could result in delays in case many ACLs are configured.

Accounting is used to track traffic passing through the Catalyst 6500 Series FWSM, thus enabling user activity to be recorded. Accounting of the traffic can be done per user, if authentication is used. Otherwise, traffic is accounted per IP address. Accounting information includes session start and stop time, username, number of bytes passed for the session, the service used, and the duration of each session.

Note In multiple context mode you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the Catalyst 6500 Series FWSM (which enters the system execution space).

Controlling Access to the FWSM

fwsm(config)#
aaa authentication {telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
* AAA authentication for different access methods

fwsm(config)#
aaa authentication enable console {LOCAL | server_group [LOCAL]}
* AAA authorization for privileged EXEC level

fwsm(config)#
aaa accounting enable [privilege level] server_group
* AAA accounting for privileged EXEC level

Management access to the Catalyst 6500 Series FWSM can be controlled using AAA.

Authentication

Note The LOCAL parameter is case sensitive.

Authorization

Caution The user ID associated with the login session is lost if the system-wide enable password is used to authenticate.



The command structure of the Catalyst 6500 Series FWSM can also be assigned to different privilege levels with the privilege command configuration statement.
privilege [show | clear | configure] level level [mode {enable | configure}] command command

privilege Parameters

Parameter: show | clear | configure
Description: (Optional) These keywords allow you to set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use one of these keywords, all forms of the command are affected.

Parameter: level level
Description: A level between 0 and 15.

Parameter: mode {enable | configure}
Description: (Optional) If a command can be entered in unprivileged or privileged mode, as well as in configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately. The enable parameter specifies both unprivileged mode and privileged mode, while the configure parameter specifies configuration mode, which is accessed using the configure terminal command.

Parameter: command command
Description: This parameter refers to the command that you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands but not the level of the aaa authentication command and the aaa authorization command separately. Also, you cannot configure the privilege level of subcommands separately from the main command. Command authorization must be enabled if you specify nondefault command privilege levels. This is accomplished with the aaa authorization command LOCAL command.
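The privilege parameters just described (form keyword, level, mode, and main command only) determine which commands a session at a given level may run once local command authorization is enabled. The following Python model is an added example, not FWSM code; it parses constructed privilege statements and answers "may level N run this command in this mode?". Its tie-breaking rule (a statement with an explicit form or mode keyword wins over a wildcard statement) and the default level of 15 for commands without a privilege statement are assumptions made for the example.

```python
"""Added example: a model of FWSM local command authorization through
privilege statements. Not FWSM code. Assumptions: commands without a
privilege statement require level 15; when several statements match, the
one with an explicit form or mode keyword wins over a wildcard one."""
import re
from dataclasses import dataclass
from typing import Optional

PRIV_RE = re.compile(
    r"^privilege(?:\s+(show|clear|configure))?\s+level\s+(\d+)"
    r"(?:\s+mode\s+(enable|configure))?\s+command\s+(\S+)$"
)

# Constructed privilege statements for the example.
SAMPLE_PRIVILEGE_CONFIG = """\
privilege show level 5 command aaa
privilege show level 5 command access-list
privilege configure level 15 command aaa
privilege level 3 command ping
privilege level 10 mode configure command interface
"""


@dataclass(frozen=True)
class PrivilegeRule:
    form: Optional[str]   # "show", "clear", "configure" or None for all forms
    level: int            # 0..15
    mode: Optional[str]   # "enable", "configure" or None for all modes
    command: str          # main command keyword only, as the text requires


def parse_privilege_lines(config):
    """Collect the privilege statements from a configuration excerpt."""
    rules = []
    for raw in config.splitlines():
        m = PRIV_RE.match(raw.strip())
        if m:
            form, level, mode, cmd = m.groups()
            rules.append(PrivilegeRule(form, int(level), mode, cmd))
    return rules


def classify(command_line):
    """Split a typed command into (form, main_command): show or clear prefix,
    otherwise the configure form (the bare command or its no form)."""
    words = command_line.split()
    if words[0] in ("show", "clear"):
        return words[0], words[1]
    if words[0] == "no":
        return "configure", words[1]
    return "configure", words[0]


def required_level(rules, command_line, mode, default_level=15):
    """Privilege level needed to run command_line in mode ('enable' or 'configure')."""
    form, main = classify(command_line)
    best = None  # (specificity, level); assumption: most specific statement wins
    for r in rules:
        if r.command != main:
            continue
        if r.form is not None and r.form != form:
            continue
        if r.mode is not None and r.mode != mode:
            continue
        specificity = int(r.form is not None) + int(r.mode is not None)
        if best is None or specificity > best[0]:
            best = (specificity, r.level)
    return default_level if best is None else best[1]


def is_authorized(rules, user_level, command_line, mode):
    """Least-privilege check: the session's level must reach the command's level."""
    return user_level >= required_level(rules, command_line, mode)


if __name__ == "__main__":
    rules = parse_privilege_lines(SAMPLE_PRIVILEGE_CONFIG)
    for cmd, mode in [("show aaa authentication", "enable"),
                      ("clear access-list MAIL_AUTH", "enable"),
                      ("no aaa authentication ssh console LOCAL", "configure")]:
        print("%-45s %-9s level %2d" % (cmd, mode, required_level(rules, cmd, mode)))
```

With the constructed statements, a level-5 operator can run show aaa and show access-list but not clear access-list (no clear form was assigned, so it keeps the default level), and the no form of aaa authentication is treated as the configure form, exactly as the parameter table states.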

Accounting
An accounting request is generated when a user logs into and logs out of the Catalyst 6500 Series FWSM through Telnet, SSH, or HTTP.
Command accounting is supported for management sessions. If command accounting is enabled, commands entered by the user are sent to the AAA server as accounting requests. Only TACACS+ is supported.

Troubleshooting AAA Services
When troubleshooting AAA services, the debug commands listed in the table can be used.

Troubleshooting AAA Services Commands

Command: debug pix uauth
Description: Shows pix uauth debug messages.

Command: debug radius
Description: Shows debug messages for AAA.

Command: debug tacacs
Description: Displays TACACS+ debug information.

Controlling Access to the FWSM Example

Figure: Inside Network 10.0.0.0/24 and the AAA server

aaa authentication ssh console my-acs LOCAL
aaa authentication http console my-acs LOCAL
aaa authentication enable console my-acs LOCAL
username security-admin password p8ssworD

In the example, AAA services are used to authenticate the SSH, ASDM, and privileged EXEC mode access using the local database.

Controlling Access Through the FWSM
* Authenticate HTTP and SMTP traffic

aaa-server AUTHout protocol tacacs+
!
aaa-server AUTHout (inside) host 10.0.0.1
key AAAuauthKey
!
access-list MAIL_AUTH extended permit tcp any any eq smtp
access-list MAIL_AUTH extended permit tcp any any eq www
aaa authentication match MAIL_AUTH inside AUTHout

[Figure: Outside Network 198.133.219.0/24 with the HTTP and SMTP servers; Inside Network 10.0.0.0/24 with the AAA server]

Traffic flow through the Catalyst 6500 Series FWSM can be controlled with AAA.
To check the credentials of a client accessing the web server, the AAA mechanisms can be used. The sequence is as follows:
Step 1  The client tries to open an HTTP or SMTP session.
Step 2  The packet hits the Catalyst 6500 Series FWSM, which authenticates the user in cooperation with the AAA server.
Step 3  If the user provided correct credentials, the traffic destined to the HTTP or SMTP server is allowed; otherwise the traffic is dropped.

Authentication
Users can be prompted to authenticate themselves to the Catalyst 6500 Series FWSM before gaining access to network resources. For FTP, HTTP, and Telnet traffic that requires user authentication, the FWSM first authenticates the user and then passes the traffic to the requested destination. Other protocols can be configured to require user authentication that must first be performed via FTP, HTTP, or Telnet to the FWSM. This can be done by accessing a network resource through a connection that requires authentication, or by connecting to a virtual server configured on the FWSM that provides authentication.
Virtual servers on the FWSM can be created using the virtual http or virtual telnet commands.
Traffic flows that require authentication are specified by creating an extended ACL. The ACL is then specified in the aaa authentication match command. Alternatively, you can use the aaa authentication include command, which identifies the traffic within the command itself. However, you cannot use both methods in the same configuration.
The local database can support cut-through proxy authentication. It is populated using the username password command, and it is selected by adding the LOCAL parameter to the aaa authentication command.



Authorization
Traffic flows that are checked for authorized access by a TACACS+ server are specified by creating an extended ACL. The ACL is then used in the aaa authorization match command. Alternatively, you can use the aaa authorization include command. The beginning of each traffic flow causes a query to be sent to the TACACS+ server with the parameters of the traffic flow. The TACACS+ server returns a permit or deny indication.

Note  Details on configuring the TACACS+ and RADIUS servers for connection authorization can be found in the FWSM Configuration Guide.

Accounting

Troubleshooting AAA Services
When troubleshooting AAA services, the show and debug commands listed in the table can be used.

Troubleshooting AAA Services Commands

Command            Description
show uauth         Displays one or all currently authenticated users (except for management sessions), the host IP to which they are bound, and any cached IP and port authorization information.
show np            Displays information about the network processors.
debug pix uauth    Shows pix uauth debug messages.



Creating Server Groups

aaa-server AUTHin protocol tacacs+
max-failed-attempts 2
!
aaa-server AUTHin (inside) host 10.0.0.2
key AAAuauthKey

[Figure: Outside Network 198.133.219.0/24 with the web server; Inside Network 10.0.0.0/24 with the AAA server]

The aaa-server command is used to identify the AAA servers being used for authentication, while the aaa authentication match command identifies the source and destination addresses of traffic that needs to be authenticated.
Identify the AAA servers first by creating the server group, using the aaa-server command.
aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}

aaa-server Parameters

Parameter                                        Description
server_group                                     Specifies a name given to the server group.
kerberos | ldap | nt | radius | sdi | tacacs+    Specifies the server type.

Each server group is limited to one server type. The Catalyst 6500 Series FWSM contacts the first server in the group, and if it is unavailable, it tries contacting the remaining servers in order. If all servers are unavailable, the Catalyst 6500 Series FWSM attempts to use the local database, if the local database is configured as a fallback method of authentication.
After you enter the aaa-server command, the Catalyst 6500 Series FWSM takes you to server group configuration mode, where additional parameters, such as max-failed-attempts, can be set.

Next, use the aaa-server host command to define the server and the server group to which it belongs.
aaa-server server_group (interface_name) host server_ip [key] [timeout seconds]

aaa-server host Parameters

Parameter           Description
server_group        Specifies the name of the AAA server group as defined by the aaa-server command. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.
(interface_name)    Specifies the network interface where the authentication server resides. The parentheses are required in this parameter.
server_ip           Specifies the IP address of the AAA server.
key                 (Optional) A case-sensitive, alphanumeric keyword of up to 127 characters. Spaces are not permitted in the key, but other special characters are permitted. The key is used between the FWSM and the server for encrypting data between them.
timeout seconds     (Optional) Specifies the timeout interval for the request. This is the time after which the FWSM gives up on the request to the primary AAA server. If there is a standby AAA server, the FWSM sends the request to the backup server. You can modify the timeout interval using the timeout command in host mode.

Following this command, the FWSM takes you to host mode, where you configure additional host mode parameters, such as the accounting port and authentication port to be used.
The sample network shown in the figure has one TACACS+ server.
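The server-group behaviour just described (servers tried in order, a server set aside once it has failed max-failed-attempts times, the LOCAL database consulted only when it was named as fallback) as an added Python model. This is not FWSM code and not part of the course material: the group name my-acs, the addresses 10.0.0.1 and 10.0.0.2 and the security-admin account are taken from the page, the account alice and the unreachable/answering servers are constructed, and keeping a failed server skipped for good is a simplification noted in the code.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A server's reply: None models "no answer within the timeout", True/False an accept/reject.
Responder = Callable[[str, str], Optional[bool]]


@dataclass
class AaaServer:
    """One 'aaa-server <group> (<interface>) host <ip>' entry (constructed addresses)."""
    ip: str
    respond: Responder
    failed_attempts: int = 0


@dataclass
class ServerGroup:
    """One 'aaa-server <group> protocol <type>' definition with its group-mode settings."""
    name: str
    protocol: str
    max_failed_attempts: int = 3            # FWSM default; the page's example lowers it to 2
    servers: List[AaaServer] = field(default_factory=list)


# 'username security-admin password p8ssworD' from the page's management example
LOCAL_DB = {"security-admin": "p8ssworD"}


def authenticate(group: ServerGroup, user: str, password: str,
                 local_fallback: bool = False) -> str:
    """Try the group's servers in order; fall back to LOCAL only when it was configured.

    Returns 'ACCEPT', 'REJECT' or 'NO-SERVER' (no server answered and no fallback).
    Simplification: a server that reached max-failed-attempts stays skipped here; the real
    module reactivates it according to its reactivation policy.
    """
    for server in group.servers:
        if server.failed_attempts >= group.max_failed_attempts:
            continue                        # marked failed: skip it without waiting for a timeout
        answer = server.respond(user, password)
        if answer is None:                  # timeout: count the failure, try the next server
            server.failed_attempts += 1
            continue
        return "ACCEPT" if answer else "REJECT"
    if local_fallback:                      # the LOCAL keyword after the group name
        return "ACCEPT" if LOCAL_DB.get(user) == password else "REJECT"
    return "NO-SERVER"


def demo() -> dict:
    """Replays the documented behaviour against constructed servers."""
    unreachable: Responder = lambda user, pw: None
    acs: Responder = lambda user, pw: (user, pw) == ("alice", "s3cret")   # constructed account

    # Group modelled on the page: two TACACS+ hosts, max-failed-attempts 2
    group = ServerGroup("my-acs", "tacacs+", max_failed_attempts=2,
                        servers=[AaaServer("10.0.0.1", unreachable), AaaServer("10.0.0.2", acs)])
    results = {}
    results["remote_ok"] = authenticate(group, "alice", "s3cret", local_fallback=True)
    results["remote_bad"] = authenticate(group, "alice", "wrong", local_fallback=True)
    # 10.0.0.1 timed out twice, so it is now skipped on every later request
    results["first_server_failures"] = group.servers[0].failed_attempts

    # Group whose only server is down: LOCAL is consulted only if listed as fallback
    lonely = ServerGroup("my-acs", "tacacs+", servers=[AaaServer("10.0.0.1", unreachable)])
    results["fallback_local"] = authenticate(lonely, "security-admin", "p8ssworD", local_fallback=True)
    results["no_fallback"] = authenticate(lonely, "security-admin", "p8ssworD")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The point to notice is the last two results: with the servers down, the same credentials are accepted only when LOCAL was configured as fallback; without it the request fails, which is why a management-access line such as aaa authentication ssh console my-acs LOCAL keeps the local account as the safety net.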



Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* The Cisco Catalyst 6500 Series FWSM does not have a physical console port.
* SSH provides secure remote terminal access.
* The ASDM GUI uses HTTPS to access the Catalyst 6500 Series FWSM.
* VPN-based access can be used to encrypt the management traffic.
* ICMP to and from the Catalyst 6500 Series FWSM has to be explicitly enabled.
* An interface can be dedicated for management access only.
* Access methods can be combined with AAA services.
* AAA can be used to authenticate users accessing servers through the FWSM.
* AAA can use a local database or an external RADIUS or TACACS+ server.

Lesson 3

Implementing ACLs

Overview

Objectives
Upon completing this lesson, you will be able to describe and configure ACLs on the Cisco Catalyst 6500 Series FWSM. This ability includes being able to meet these objectives:
* Describe the Layer 2 filtering options on the Catalyst 6500 Series FWSM
* Describe the steps required to configure MAC address table manipulation
* Describe the steps required to configure Address Resolution Protocol (ARP) inspection
* Describe the steps required to deploy ethertype filters
* Describe filtering with ACLs on the FWSM
* Describe the steps used to configure and verify ACL configuration and operation
Configuring Layer 2 Filtering
This topic explains the need for Layer 2 filtering options, and describes how to configure MAC address table manipulation, ARP inspection, and ethertype filtering.

Traffic Filtering on Layer 2
* Layer 2 traffic is passed between the FWSM interfaces
  - Transparent mode only
* Methods:
  - Static MAC address table entries
  - ARP inspection
  - Ethertype ACLs

[Figure: transparent FWSM between Outside Network 10.0.0.0/24 and Inside Network 10.0.0.0/24; hosts MAC A, MAC B, MAC C and MAC D, with an ARP exchange crossing the FWSM]

Unauthorized access to resources and information, diverting traffic to a different destination, and compromising the availability of resources with denial of service (DoS) are some of the attacks that can also be triggered on Layer 2. Spoofing of MAC addresses, injecting rogue Bridge Protocol Data Units (BPDUs), and poisoning ARP are some of the examples.
To protect and guard against such attacks, Layer 2 filtering is used. Layer 2 filtering is performed upon Layer 2 information, such as MAC address, protocol type, or MAC to IP mapping.

FWSM and Layer 2 Security
Layer 2 attacks pertain to the Catalyst 6500 Series FWSM in transparent mode of operation. The Catalyst 6500 Series FWSM offers security to be implemented on Layer 2 as well, with these mechanisms:
* Configuring static MAC address table entries
* Deploying ARP inspection
* Using ethertype ACLs



Customizing the MAC Address Table
To guard against MAC address spoofing:
* Add static MAC entry
* Lower the MAC table aging timer
* Disable MAC address learning on untrusted interfaces

[Figure: Outside Network 10.0.0.0/24 with hosts 0009.7cbe.2100, 0050.56c0.0001 and 0016.76db.c084; Inside Network 10.0.0.0/24]

mac-address-table static outside 0009.7cbe.2100
mac-address-table static outside 0050.56c0.0001
mac-address-table static outside 0016.76db.c084
mac-learn outside disable

Note  This operation pertains only to the Catalyst 6500 Series FWSM operating in the transparent mode.



MAC Address Table Attack and Remedy
MAC address spoofing is used by attackers to divert the traffic on Layer 2. To assist in guarding against MAC spoofing, these functionalities can be used:
* Adding static MAC addresses to the MAC address table
* Controlling the time a MAC address remains in the MAC address table by configuring the aging timer
* Disabling MAC address learning on the interfaces that are not trusted
With static MAC entries configured, in case a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, the Catalyst 6500 Series FWSM drops the traffic and generates a system message.

Configuring MAC Address Table Customization
The commands listed in the table are used to configure the previously mentioned functionalities.

Configuring MAC Address Table Customization Commands

Command                                                Description
mac-address-table static interface_name mac_address   Adds a static MAC address to the table. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, the FWSM drops the traffic and generates a system log message.
mac-address-table aging-time timeout_value            Defines the timeout value for dynamic MAC address table entries. The default is 5 minutes and can be set between 5 and 720 minutes (12 hours).
mac-learn interface_name disable                      Disables the dynamic learning of the MAC addresses of entering traffic. If disabled, static entries must be configured, otherwise the FWSM does not allow traffic to pass through.

Note  These commands are only available when the Catalyst 6500 Series FWSM or context is operating in transparent mode.

In the example in the figure, static MAC entries are configured in the table for the outside interface to prevent spoofing of those MAC addresses. Additionally, dynamic MAC learning is disabled to further strengthen MAC address table security.

Enabling ARP Inspection
ARP spoofing prevention:
* Control ARP packets flow
* Compare MAC/IP and source interface to static entry
* Permit or deny the packet

[Figure: Outside Network 10.0.0.0/24 with host 10.0.0.1 (0009.7cbe.2100) sending an ARP request through the FWSM to the Inside Network 10.0.0.0/24; inside host 0016.76db.c084]

arp outside 10.0.0.1 0009.7cbe.2100
arp-inspection outside enable flood

Note  ARP inspection settings apply to all bridge groups within a context.

Configuring ARP Inspection
The commands listed in the table are used for ARP inspection.

Configuring ARP Inspection Commands

Command                                                   Description
arp interface_name ip_address mac_address                Adds a static ARP entry.
arp-inspection interface_name enable [flood | no-flood]  Enables ARP inspection. The flood option (which is the default) makes the FWSM forward nonmatching ARP packets out all interfaces, as opposed to no-flood, which results in those packets being dropped.

Note  In transparent mode, the Catalyst 6500 Series FWSM uses dynamic ARP entries in the ARP table for traffic to and from the FWSM, such as management traffic.

To verify and examine the ARP inspection operation, use the show arp-inspection command. The output of this command for the example in the figure shows that ARP inspection is enabled for the outside interface, and nonmatching ARP packets are flooded out all interfaces.
fwsm# show arp-inspection
interface    arp-inspection    miss
outside      enabled           flood
inside       disabled



Ethertype ACL
* Control non-IP and ARP Layer 2 traffic per ethertype
* Connectionless: must be applied to both interfaces

[Figure: Outside Network 10.0.0.0/24 and Inside Network 10.0.0.0/24; BPDUs are blocked at the FWSM while ARP (0x0806) passes]

access-list ETHER ethertype deny bpdu
access-list ETHER ethertype permit 0x0806
!
access-group ETHER in interface inside
access-group ETHER in interface outside

Note  If you use failover, you must allow BPDUs on both interfaces with an ethertype ACL to avoid bridging loops.



Configuring Ethertype Filtering
Enabling ethertype filtering is a two-step process:
Step 1  Configure the ethertype ACL.
Step 2  Apply the configured ACL to the interfaces.
The access-list ethertype command configures an ACL that controls traffic based on its ethertype. The hex_number parameter is a 16-bit hexadecimal number greater than or equal to 0x600. Refer to the Assigned Numbers section of RFC 1700 (http://tools.ietf.org/html/rfc1700) for a list of ethertypes.
The access-group command is used to apply the ACL to an interface in either the ingress or the egress direction. Traffic that enters the Catalyst 6500 Series FWSM is controlled by an inbound ACL on the source interface. Traffic that exits the Catalyst 6500 Series FWSM is controlled by an outbound ACL on the destination interface.
In any case, to allow any traffic to enter the Catalyst 6500 Series FWSM, an inbound ACL must be attached to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface.
By default, traffic can exit the Catalyst 6500 Series FWSM on any interface unless it is restricted by an outbound ACL, which adds restrictions to those already configured in the inbound ACL.
In the example in the figure, the BPDU traffic is blocked, while ARPs are permitted. The ACL is applied to both the inside and the outside interface in the ingress direction.
To verify and examine the ACL configuration and operation, use the show access-list command.
fwsm# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total denied 0 (deny-flow-max 4096)
            alert-interval
access-list ETHER; 2 elements
access-list ETHER ethertype deny bpdu (hitcnt=0)
access-list ETHER ethertype permit 0x0806 (hitcnt=414)

Note  For more information on ethertype values, refer to RFC 1700.
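Added example, not part of the course material or of the FWSM software: a Python model of the three Layer 2 checks configured on the preceding pages (static MAC entries with mac-learn disabled on the outside interface, ARP inspection with the flood option, and the ETHER ethertype ACL applied inbound on both interfaces), run against constructed frames. The MAC addresses, the static ARP entry and the ACL are the page's; the rogue MAC 0050.56c0.00ff, the IPX-type frame, and the class and method names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

ARP = 0x0806
IP = 0x0800


@dataclass
class Frame:
    """A frame arriving on a transparent-mode interface (all values constructed)."""
    in_if: str
    src_mac: str
    ethertype: int
    sender_ip: str = ""          # ARP only: the IP address the sender claims
    is_bpdu: bool = False        # BPDUs are LLC frames; the ACL matches them with the 'bpdu' keyword


@dataclass
class TransparentFwsm:
    static_mac: Dict[str, str] = field(default_factory=dict)               # mac-address-table static IF MAC
    learning_disabled: Set[str] = field(default_factory=set)               # mac-learn IF disable
    static_arp: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # arp IF IP MAC  -> ip: (mac, if)
    arp_inspection: Dict[str, str] = field(default_factory=dict)           # arp-inspection IF enable flood|no-flood
    ethertype_acl: List[Tuple[str, Union[int, str]]] = field(default_factory=list)   # (permit|deny, type)
    ethertype_applied: Set[str] = field(default_factory=set)               # access-group ... in interface IF
    dynamic_mac: Dict[str, str] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def check_mac(self, f: Frame) -> str:
        """Static entries win; an unknown MAC is learned only where learning is enabled."""
        owner = self.static_mac.get(f.src_mac)
        if owner is not None and owner != f.in_if:
            self.events.append(f"static MAC {f.src_mac} belongs to {owner}, seen on {f.in_if}")
            return "DROP"
        if owner is None:
            if f.in_if in self.learning_disabled:
                self.events.append(f"no static entry for {f.src_mac} on {f.in_if}, learning disabled")
                return "DROP"
            self.dynamic_mac[f.src_mac] = f.in_if
        return "PASS"

    def check_arp(self, f: Frame) -> str:
        """Compare sender MAC, IP and interface with the static ARP table."""
        mode = self.arp_inspection.get(f.in_if)
        if f.ethertype != ARP or mode is None:
            return "PASS"
        entry = self.static_arp.get(f.sender_ip)
        if entry == (f.src_mac, f.in_if):
            return "PASS"                    # exact match with a static entry
        if entry is not None:
            self.events.append(f"ARP mismatch for {f.sender_ip}: {f.src_mac} on {f.in_if}")
            return "DROP"                    # same IP, different MAC or interface
        return "FLOOD" if mode == "flood" else "DROP"   # no entry: flood (default) or drop

    def check_ethertype(self, f: Frame) -> str:
        """First match in the ethertype ACL; non-IP types not listed hit the implicit deny."""
        if f.in_if not in self.ethertype_applied or f.ethertype == IP:
            return "PASS"                    # IP frames are governed by the extended ACL instead
        key: Union[int, str] = "bpdu" if f.is_bpdu else f.ethertype
        for action, etype in self.ethertype_acl:
            if etype == key or etype == "any":
                return "PASS" if action == "permit" else "DROP"
        return "DROP"


def demo() -> dict:
    """The page's three configurations applied to constructed frames."""
    fw = TransparentFwsm(
        static_mac={"0009.7cbe.2100": "outside", "0050.56c0.0001": "outside", "0016.76db.c084": "outside"},
        learning_disabled={"outside"},
        static_arp={"10.0.0.1": ("0009.7cbe.2100", "outside")},
        arp_inspection={"outside": "flood"},
        ethertype_acl=[("deny", "bpdu"), ("permit", ARP)],
        ethertype_applied={"inside", "outside"},
    )
    rogue = "0050.56c0.00ff"   # constructed MAC that appears in none of the tables
    return {
        "spoofed_static_mac": fw.check_mac(Frame("inside", "0009.7cbe.2100", IP)),
        "unknown_mac_outside": fw.check_mac(Frame("outside", rogue, IP)),
        "unknown_mac_inside": fw.check_mac(Frame("inside", rogue, IP)),
        "arp_match": fw.check_arp(Frame("outside", "0009.7cbe.2100", ARP, sender_ip="10.0.0.1")),
        "arp_poison": fw.check_arp(Frame("outside", rogue, ARP, sender_ip="10.0.0.1")),
        "arp_no_entry": fw.check_arp(Frame("outside", rogue, ARP, sender_ip="10.0.0.9")),
        "bpdu": fw.check_ethertype(Frame("inside", rogue, 0, is_bpdu=True)),
        "arp_type": fw.check_ethertype(Frame("inside", rogue, ARP)),
        "ipx_type": fw.check_ethertype(Frame("inside", rogue, 0x8137)),
        "events": len(fw.events),
    }
```

Two details worth checking against your own deployment: with mac-learn disabled, any outside host without a static entry is dropped (the second case), so the static table must be complete before learning is switched off; and an ARP for an address with no static entry is flooded rather than dropped under the default flood option (the sixth case), so inspection only protects the addresses you have actually pinned with arp entries.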



Configuring ACLs

Standard ACL
* Identify traffic per destination address only
* Cannot be applied to interfaces for traffic control
* Used to control redistribution of OSPF routes

fwsm(config)#
access-list access_list_name standard {deny | permit} {any | ip_address mask}
* Configures a standard ACL

access-list OSPF standard permit 192.168.1.0 255.255.255.0

Note  The ACL takes a mask parameter instead of wildcards as on Cisco IOS routers.



Extended ACL
* Identify traffic with an entry per protocol, source and destination IP address, source and destination port, and ICMP type
* Connection-oriented
* First match, top to bottom order of processing
* Implicit deny

fwsm(config)#
access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
* Configures an extended ACL

fwsm(config)#
access-group access_list_name {in | out} interface interface_name
* Applies ACL to an interface

An extended ACL is made up of one or more access control entries (ACEs). An ACE is a single entry in an ACL that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports.
An added ACE for a given ACL name is appended at the end of the ACL, unless it is specified with the line number.
Extended ACLs are connection oriented; therefore, they do not need to be applied on both incoming and outgoing interfaces.

ACL Processing
The ACL is processed until the first match, from top to bottom. When the Catalyst 6500 Series FWSM is inspecting an ACL to decide whether to drop or forward a packet, the packet is tested against the ACEs in the order in which they are listed. When an ACE matches a packet, the Catalyst 6500 Series FWSM ceases to test the ACEs. Therefore, the order of ACEs in an ACL is relevant.
ACLs have an implicit deny at the end of the list. Therefore, unless traffic is explicitly permitted, it is dropped.

ACL Configuration
To define and configure an extended ACL, use the access-list extended and access-group commands.
The access-list extended command adds an ACE to an ACL.

Parameter                                Description
access_list_name                         Specifies the name of the ACL.
line line_number                         Permits entries to be inserted into the ACL. If not mentioned, new entries are added to the bottom of the ACL.
protocol                                 Specifies the protocol to match (for example IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Enhanced Interior Gateway Routing Protocol (EIGRP), Generic Route Encapsulation (GRE), OSPF, etc.).
source_address mask, dest_address mask   Specify the source (destination) IP network or address and mask.
operator                                 Specifies the operator used to compare the port number (greater than (gt), less than (lt), equal (eq), not equal (neq), or range).
port                                     Specifies the TCP/UDP port number.
icmp_type                                Specifies the ICMP message type when ICMP packets are matched.
inactive                                 Makes an ACE inactive without removing it from the ACL itself. To re-enable a previously inactive ACE, re-enter the command without the inactive keyword.

The access-group command applies the configured ACL to an interface in the ingress or egress direction.

Manipulating ACLs

Note  Reordering ACEs might cause a drop in performance.



Controlling Traffic from Inside

[Figure: Web/Mail Server 192.168.1.100 in the DMZ 192.168.1.0/24; Outside Network 198.133.219.0/24 toward the Internet; Inside Network 10.0.0.0/24; IRC, SMTP, IP and ICMP flows from the inside]

access-list corp line 5 extended deny tcp any any eq irc
access-list corp line 10 extended permit tcp any host 192.168.1.100 eq smtp
access-list corp line 15 extended deny tcp any any eq smtp
access-list corp line 20 extended permit ip any any
access-list corp line 30 extended permit icmp any any
!
access-group corp in interface inside

In this example, the traffic is being inspected when it enters the inside interface, if it was initiated in the inside segment:
* All Internet Relay Chat (IRC) traffic initiated from the inside segment from any source to any destination is dropped.
* Simple Mail Transfer Protocol (SMTP) traffic destined to the web/mail server at 192.168.1.100 on the demilitarized zone (DMZ) from any source is permitted.
* All other SMTP traffic is dropped.
* All the IP and ICMP traffic is permitted.
Since extended ACLs are connection-oriented, the return SMTP traffic from the web/mail server in the DMZ, as well as all other IP traffic from the DMZ and outside segments, is also permitted.
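The first-match processing, line-number insertion and implicit deny described in this lesson, as an added Python model that is neither FWSM nor course code. It parses the corp ACL shown above and the public ACL from the outside example on this page, then evaluates constructed packets against them; only the address forms and port keywords used on the page are supported. It also makes visible something the page's example does not point out: the final permit icmp any any entry is shadowed by permit ip any any and never records a hit. The host addresses 10.0.0.23, 10.0.0.5, 203.0.113.4 and 198.51.100.7 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "irc": 194, "telnet": 23}   # keywords the page's ACLs use
OPERATORS = ("eq", "neq", "gt", "lt")

@dataclass
class Packet:
    """The fields an extended ACE examines (constructed sample traffic)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass
class Ace:
    line: Optional[int]
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    operator: Optional[str] = None
    port: Optional[int] = None
    icmp_type: Optional[int] = None
    hitcnt: int = 0            # what 'show access-list' reports as hitcnt

def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (a mask, not an IOS wildcard)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((t[i], t[i + 1])), i + 2

def parse_ace(text: str) -> Ace:
    """access-list NAME [line N] [extended] {permit|deny} PROTO SRC [op port] DST [op port | icmp_type]"""
    t = text.split()
    i, line = 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    if i < len(t) and t[i] in OPERATORS:        # source-port operator (the page does not use one)
        i += 2
    dst, i = _parse_addr(t, i)
    ace = Ace(line, action, proto, src, dst)
    if i < len(t) and proto == "icmp":
        ace.icmp_type = int(t[i])
    elif i < len(t) and t[i] in OPERATORS:
        ace.operator, ace.port = t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return ace

def _matches(ace: Ace, p: Packet) -> bool:
    if ace.proto not in ("ip", p.proto):
        return False
    if ipaddress.IPv4Address(p.src) not in ace.src_net or ipaddress.IPv4Address(p.dst) not in ace.dst_net:
        return False
    if ace.icmp_type is not None and ace.icmp_type != p.icmp_type:
        return False
    if ace.operator is None:
        return True
    return p.dport is not None and {"eq": p.dport == ace.port, "neq": p.dport != ace.port,
                                    "gt": p.dport > ace.port, "lt": p.dport < ace.port}[ace.operator]

class Acl:
    """Ordered ACEs: first match wins, implicit deny at the end, hit counters per ACE."""
    def __init__(self, name: str):
        self.name, self.aces = name, []

    def add(self, text: str) -> None:
        ace = parse_ace(text)
        # 'line N' is a position: insert before the current Nth ACE, otherwise append; then renumber
        pos = len(self.aces) if ace.line is None else min(ace.line - 1, len(self.aces))
        self.aces.insert(pos, ace)
        for n, a in enumerate(self.aces, 1):
            a.line = n

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        for ace in self.aces:
            if _matches(ace, p):
                ace.hitcnt += 1
                return ace.action, ace.line
        return "deny", None                 # implicit deny: no ACE matched

def demo() -> dict:
    corp, public = Acl("corp"), Acl("public")
    for cmd in [   # the inbound ACLs from the inside and outside examples on this page
        "access-list corp line 5 extended deny tcp any any eq irc",
        "access-list corp line 10 extended permit tcp any host 192.168.1.100 eq smtp",
        "access-list corp line 15 extended deny tcp any any eq smtp",
        "access-list corp line 20 extended permit ip any any",
        "access-list corp line 30 extended permit icmp any any",
        "access-list public line 5 extended permit tcp any host 198.133.219.25 eq www",
        "access-list public line 15 extended permit icmp any any",
    ]:
        (corp if cmd.split()[1] == "corp" else public).add(cmd)
    h = "10.0.0.23"   # constructed inside host; 203.0.113.4 and 198.51.100.7 stand in for Internet hosts
    return {
        "irc": corp.evaluate(Packet("tcp", h, "203.0.113.4", dport=194)),
        "smtp_to_dmz": corp.evaluate(Packet("tcp", h, "192.168.1.100", dport=25)),
        "smtp_elsewhere": corp.evaluate(Packet("tcp", h, "203.0.113.4", dport=25)),
        "web": corp.evaluate(Packet("tcp", h, "203.0.113.4", dport=80)),
        "ping": corp.evaluate(Packet("icmp", h, "203.0.113.4", icmp_type=8)),
        "icmp_ace_hits": corp.aces[4].hitcnt,   # stays 0: shadowed by 'permit ip any any' above it
        "outside_telnet": public.evaluate(Packet("tcp", "198.51.100.7", "10.0.0.5", dport=23)),
    }
```

Each result is the action taken and the line of the ACE that took it; None for the line means the packet fell through to the implicit deny. The shadowed ICMP entry is the kind of thing the hitcnt column of show access-list reveals in production: an ACE whose counter never moves is either unreachable or unneeded.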

Controlling Traffic from the DMZ

[Figure: Web/Mail Server 192.168.1.100 in the DMZ 192.168.1.0/24; IRC and ICMP flows from the DMZ; Outside Network 198.133.219.0/24 toward the Internet; Inside Network 10.0.0.0/24]

access-list server line 5 extended deny tcp any any eq irc
access-list server line 10 extended permit icmp any any
!
access-group server in interface dmz



Controlling Traffic from Outside

[Figure: Web/Mail Server 192.168.1.100 in the DMZ 192.168.1.0/24; SMTP, WWW and ICMP flows from the Internet; Outside Network 198.133.219.0/24; Inside Network 10.0.0.0/24]

access-list public line 5 extended permit tcp any host 198.133.219.25 eq www
access-list public line 10 extended permit tcp any host 198.133.219.25 eq smtp
access-list public line 15 extended permit icmp any any
access-group public in interface outside

In this example, the traffic is being inspected when it enters the outside interface, if it was initiated in the outside segment:
* HTTP and SMTP traffic destined to the web/mail server in the DMZ is permitted. The server is translated into the public IP address 198.133.219.25 towards the Internet.
* All ICMP traffic is permitted.
* All other IP traffic initiated by the clients in the Internet is dropped due to the implicit deny.

Enhancing Extended ACLs
* Time-based ACLs: use a time range to control ACL usage
* Controlling ACL logging with the log option

fwsm(config)#
time-range name
fwsm(config-time-range)#
periodic days-of-the-week time to [days-of-the-week] time
absolute start time date [end time date]
* Configures a time range

fwsm(config)#
access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]] [time-range name]
* Enables logging or time range per entry

Time-Based ACLs
A time range can be applied to the ACE to schedule the ACE to be activated at specific times of the day and week. Multiple time ranges can be defined.
The commands listed in the table are used to deploy time-based ACLs.

Time-Based ACLs Commands

Command                                                                      Description
time-range name                                                              Specifies the recurring time range per weekday (Monday through Sunday, daily, weekdays, weekend) and time of the day.
periodic days-of-the-week time to [days-of-the-week] time
time-range name                                                              Specifies an absolute start and end time.
absolute start time date [end time date]
access-list access_list_name [extended] {deny | permit} ... [time-range name]   Applies the configured time range when an ACE is created. The specified time-range option on the ACL describes the allowed access time.

Note  If a time-range command has both absolute and periodic values specified, the periodic option is evaluated only after the absolute start time is reached and is not evaluated any further after the absolute end time is reached.

ACL Logging
By default the Catalyst 6500 Series FWSM generates the system log message 106023 for each packet denied by an extended ACE, except for the implicit deny at the end.
%XXX-4-106023: Deny protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port [type {string}, code {code}] by access-group acl_id
If the Catalyst 6500 Series FWSM is under attack, the number of such system log messages for denied packets can be very large. To relieve the Catalyst 6500 Series FWSM from that overhead burden, the logging of system message 106100, which provides statistics for each ACE, can be enabled to limit the number of messages produced.
%XXX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
Alternatively, logging can be disabled. This is achieved by the log options of the extended access-list command.
access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]] [time-range name]
The table describes the logging parameters of the access-list command.

access-list extended log Parameters

Parameter        Description
level            Defines the logging level from 0 to 7, 6 being the default.
interval secs    Specifies the time interval between successive log messages, from 1 to 600 with 300 being the default.
disable          Disables all logging.
default          Enables logging of message 106023. The same is achieved without specifying any logging option for a particular ACE.

Note  When using time-range and logging options in the same ACE, the log keyword should be configured before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last parameter.

For further information about the logging options for ACLs, refer to the FWSM configuration documentation.
These behaviors can be set:
* Enable message 106100 instead of message 106023
* Disable all logging
* Return to the default logging using message 106023
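Added example, not from the course: a Python parser for the two message formats documented above, run over constructed log lines, that aggregates 106023 denies per source interface and address and 106100 hit counts per flow. The %FWSM- facility prefix, the quoted ACL name, the 198.51.100.0/24 and 203.0.113.0/24 sample addresses and the threshold are assumptions of the example; the ACL names corp and public and the translated server address 198.133.219.25 are the page's.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# One message per denied packet (format documented above; %FWSM- is assumed as the facility)
DENY_106023 = re.compile(
    r'%\w+-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? by access-group "?(?P<acl>[\w-]+)"?')

# One message per ACE per interval, carrying a hit count instead of a message per packet
STAT_106100 = re.compile(
    r'%\w+-\d-106100: access-list (?P<acl>[\w-]+) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) '
    r'hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval)')

FlowKey = Tuple[str, str, str, str, str, str]   # acl, action, proto, src, dst, dport


def parse_acl_logs(lines: Iterable[str]) -> Tuple[Counter, Dict[FlowKey, int], List[str]]:
    """Aggregate 106023 denies per (interface, source) and 106100 hit counts per flow."""
    denies_per_source: Counter = Counter()
    hits_per_flow: Dict[FlowKey, int] = defaultdict(int)
    unparsed: List[str] = []
    for line in lines:
        m = DENY_106023.search(line)
        if m:
            denies_per_source[(m['src_if'], m['src'])] += 1
            continue
        m = STAT_106100.search(line)
        if m:
            key = (m['acl'], m['action'], m['proto'], m['src'], m['dst'], m['dport'])
            hits_per_flow[key] += int(m['hits'])
            continue
        unparsed.append(line)
    return denies_per_source, dict(hits_per_flow), unparsed


def noisy_sources(denies_per_source: Counter, threshold: int) -> List[str]:
    """Sources whose denied packets reach the threshold; a first cut at spotting a probe."""
    return sorted(src for (_, src), n in denies_per_source.items() if n >= threshold)


# Constructed log lines in the two documented formats. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for Internet hosts; the ACL names are the page's.
SAMPLE_LOG = [
    '%FWSM-4-106023: Deny tcp src outside:198.51.100.7/40123 dst inside:10.0.0.5/23 by access-group "public"',
    '%FWSM-4-106023: Deny tcp src outside:198.51.100.7/40124 dst inside:10.0.0.5/22 by access-group "public"',
    '%FWSM-4-106023: Deny tcp src outside:198.51.100.7/40125 dst inside:10.0.0.5/445 by access-group "public"',
    '%FWSM-4-106023: Deny icmp src outside:198.51.100.9 dst inside:10.0.0.5 (type 8, code 0) by access-group "public"',
    '%FWSM-4-106023: Deny tcp src inside:10.0.0.23/51000 dst outside:203.0.113.4/6667 by access-group "corp"',
    '%FWSM-6-106100: access-list corp denied tcp inside/10.0.0.23(51000) -> outside/203.0.113.4(6667) '
    'hit-cnt 215 300-second interval',
    '%FWSM-6-106100: access-list public permitted tcp outside/198.51.100.20(33000) -> dmz/198.133.219.25(80) '
    'hit-cnt 1 first hit',
    '%FWSM-6-302013: Built inbound TCP connection (constructed non-ACL message, left unparsed here)',
]


def demo() -> dict:
    denies, hits, unparsed = parse_acl_logs(SAMPLE_LOG)
    return {
        "denies_from_198_51_100_7": denies[("outside", "198.51.100.7")],
        "icmp_deny_parsed": denies[("outside", "198.51.100.9")],
        "irc_hits": hits[("corp", "denied", "tcp", "10.0.0.23", "203.0.113.4", "6667")],
        "noisy": noisy_sources(denies, 3),
        "unparsed": len(unparsed),
    }
```

The two aggregations correspond to the two logging modes: per-packet 106023 messages let you count distinct destination ports per source (three different ports from 198.51.100.7 in the sample is the pattern of a port probe), while a single 106100 line already carries the per-interval count for an ACE, which is what makes it the cheaper option under load.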



Time Range Example

[Figure: Web/Mail Server 192.168.1.100 in the DMZ 192.168.1.0/24; Internet; Outside Network 198.133.219.0/24; Inside Network 10.0.0.0/24]

time-range weekdays
periodic weekdays 8:00 to 17:00
!
access-list outside_in extended permit tcp any any eq www time-range weekdays
access-group outside_in in interface outside
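The time-range evaluation from the Time-Based ACLs section and the note on combining absolute and periodic values, as an added Python model that is neither the course's nor Cisco's code. The weekdays range is the one configured above; the June 2008 absolute window, the class and the function names are constructed for the example.

```python
from datetime import datetime
from typing import List, Optional, Set, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


class TimeRange:
    """Models one 'time-range <name>' with its periodic and absolute statements."""

    def __init__(self, name: str):
        self.name = name
        self.periodic: List[Tuple[Set[int], int, int]] = []
        self.absolute_start: Optional[datetime] = None
        self.absolute_end: Optional[datetime] = None

    def periodic_entry(self, days: str, start: str, end: str) -> "TimeRange":
        """periodic <days-of-the-week> <hh:mm> to <hh:mm>, a same-day window."""
        day_set = DAY_GROUPS.get(days) or {DAY_NAMES.index(d) for d in days.split()}
        self.periodic.append((day_set, _minutes(start), _minutes(end)))
        return self

    def absolute(self, start: Optional[datetime], end: Optional[datetime]) -> "TimeRange":
        """absolute [start <time> <date>] [end <time> <date>]"""
        self.absolute_start, self.absolute_end = start, end
        return self

    def is_active(self, now: datetime) -> bool:
        # The absolute window bounds everything: periodic entries count only after the
        # absolute start and never after the absolute end (the note on the page).
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now > self.absolute_end:
            return False
        if not self.periodic:
            return True                      # absolute-only range
        minute = now.hour * 60 + now.minute
        return any(now.weekday() in days and start <= minute <= end
                   for days, start, end in self.periodic)


def ace_active(time_range: Optional[TimeRange], now: datetime) -> bool:
    """An ACE with no time-range is always active; with one, it follows the range."""
    return time_range is None or time_range.is_active(now)


def demo() -> dict:
    # The page's example: time-range weekdays / periodic weekdays 8:00 to 17:00
    office = TimeRange("weekdays").periodic_entry("weekdays", "8:00", "17:00")
    # Constructed: the same hours, but only during June 2008
    june = (TimeRange("june-project").periodic_entry("weekdays", "8:00", "17:00")
            .absolute(datetime(2008, 6, 1, 0, 0), datetime(2008, 6, 30, 23, 59)))
    return {
        "tuesday_noon": ace_active(office, datetime(2008, 6, 3, 12, 0)),
        "tuesday_night": ace_active(office, datetime(2008, 6, 3, 22, 0)),
        "saturday_noon": ace_active(office, datetime(2008, 6, 7, 12, 0)),
        "no_time_range": ace_active(None, datetime(2008, 6, 7, 12, 0)),
        "june_tuesday": ace_active(june, datetime(2008, 6, 3, 12, 0)),
        "before_absolute_start": ace_active(june, datetime(2008, 5, 27, 12, 0)),
        "after_absolute_end": ace_active(june, datetime(2008, 7, 1, 12, 0)),
    }
```

Because an inactive ACE is skipped rather than turned into a deny, a packet arriving outside the range falls through to the following entries and, in the example above, to the implicit deny; the module's clock therefore needs to be correct (NTP) for time-based entries to open and close when intended.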



Verifying
fwsm# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list corp; 5 elements
access-list corp line 1 extended deny tcp any any eq irc (hitcnt=234)
access-list corp line 2 extended permit tcp any host 192.168.1.100 eq smtp (hitcnt=150)
access-list corp line 3 extended deny tcp any any eq smtp (hitcnt=0)
access-list corp line 4 extended permit ip any any (hitcnt=34671)
access-list corp line 5 extended permit icmp any any (hitcnt=231)
* Verifies that the ACL is identifying the traffic

fwsm(config)#
debug acl config
debug acl error
* Troubleshoot the ACLs

To verify the ACL configuration and operation, use the show access-list command. The command shows the detailed ACL information entries along with the hit counts.
To perform troubleshooting of the ACL configuration, use the debug commands listed in the table with caution, so as not to overwhelm the FWSM.

ACL Troubleshooting Commands

Command            Description
debug acl config   Shows detailed information upon an ACL being updated.
debug acl error    Shows detailed information if an error occurs when an ACL is updated.

This output shows detailed information upon adding an access control entry to the crop ACL.
fwsm/admin(config)# access-list crop extended permit tcp any any eq 53
Hash Input : crop extended permit 6 any any eq 53 Hash Output : 0x5a423697
fwsm/admin(config)#
add_acl_style_rule_in_tree
Source IP = 0.0.0.0, Source Mask = 0.0.0.0, Dest IP = 0.0.0.0, Dest Mask = 0.0.0.0
Source Port 1 = 0x0, Source Port 2 = 0x0, Source Port Operand = 0
Dest Port 1 = 0x35, Dest Port 2 = 0x0, Dest Port Operand = 3
ACL Number = 2, Protocol = 0x6, Permission = 1
ACL : alloc counter : TreeId=0, Rule Type=10; Start Index=2054; End Index=12686
Allocating Counter Index : 0x80b

FW ID Mask = 0xfff
Source Interface Mask = 0xfff
Source IP Value = 0x0, Source IP Mask = 0xffffffff
Dest IP Value = 0x0, Dest IP Mask = 0xffffffff
Source Port 1 = 0x0, Source Port 2 = 0xffff
Dest Port 1 = 0x35, Dest Port 2 = 0x35
Acl Number Value = 0x2, Acl Number Mask = 0xffff
Protocol Value = 0x6, Protocol Mask = 0xff
CLS Flag Value = 0x8, CLS Flag Mask = 0x8
CLS Flag1 Value = 0x3, CLS Flag1 Mask = 0x3
CLS Counter Index = 0x80b, CLS Priority = 128849031
Signalled CLS Download Thread
add_acl_style_rule_in_tree : ACL Rule Added
New flag equal to old one
old = 0x0, new = 0x0
Compilation NOT forced by 'updateRuleFlags'
Fixing ACE Index - Old=1, New=1
Fixing Rule Priority - Old=128849031, New=128849032
ACE line number changed from 1 to 1
Rules Download Complete : Memory Utilization : 1%

Catalyst6500 Series F S CL peration
. Comm itted to NP afteradding entry tltilizes system resources
(can hitIim it)
fwma#aHow rqaouree rule
Default Coneigur@d Abaolute
CbS Rul. Lai; Ltmtt Max
Policy N*T 283 :%1 B33
XCL 17633 10633 19$3:
PlNer 125 42B 85O
'ixup 1117 1417 :634
Est Ctl 70 70 7:
Eat Data 70 70 70
hhA 992 992 196*
Cpnlol; 283 293 566
Total 14173 14173
partition Limt . Coneigured Limit - Kvaillbl. to *lloclt.
14173 * 14173 - 0

'wam#ahow reaourc. ulage


Reaource Current Peak Limit D*>i*d Contexe
Mec.addreamls l 2 65535 B bridg@
Telnet I l 5 0 lyatem

The Catalyst 6500 Series FWSM activates the ACL by committing it to the network processors a short period of time after an ACE is added. If a new ACE is added while the ACL is being committed, the current commit is aborted and the ACL is recommitted afterwards.
After committing the ACL successfully, the Catalyst 6500 Series FWSM displays a message similar to this one:
Access Rules Download Complete: Memory Utilization:
Larger ACLs (for example, 60K ACEs) can take up to four minutes to commit.

ACL System Resource Utilization
The Catalyst 6500 Series FWSM supports up to a maximum number of ACEs for the entire system, depending on the complexity of the ACL, which is influenced by the port ranges and the overlapping IP addresses used (for example, 10.0.0.0/8 and 10.1.0.0/16).
Using an object group reduces the number of ACEs in the configuration, but the number of expanded ACEs stays the same, and it is the expanded number that counts toward the system limit.
The number of expanded ACEs can be observed using the show access-list command.
If a memory limitation is reached, the Catalyst 6500 Series FWSM produces an error and a system log message (106024). Along with that, all the ACLs that were being committed to the network processors are removed. Only ACLs that were successfully committed in the previous commitment are used. Thus, pasting 100 ACEs with only the last ACE exceeding the memory limitation results in all 100 ACEs being rejected.
The default limit for the number of ACEs is 74,188 for single context mode and 10,633 per context in multiple context mode.
To check the default resource allocation, use the show resource rule command. To check the current resource utilization, use the show resource usage command.
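The two rules above (object groups count as their expanded ACEs, and a commit is all-or-nothing) are easy to get wrong when pasting a large ACL. The following model, added here as an example and not code from the course or from Cisco, expands object-group ACEs the way show access-list counts them and applies the all-or-nothing commit against an ACE limit. The object groups, the ACEs and the limit values are constructed for the demonstration.

```python
"""Expanded-ACE accounting and all-or-nothing ACL commit on the FWSM.

Added example, not code from the course or from Cisco: the object groups,
the ACEs and the limits are constructed for the demonstration.
"""

from itertools import product

# Constructed object groups, as they would be defined with object-group.
OBJECT_GROUPS = {
    "CLIENTS": ["192.168.0.0/24", "192.168.1.0/24"],
    "WEB_SERVERS": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
    "WEB_PORTS": ["80", "443"],
}


def expand_ace(ace, groups=OBJECT_GROUPS):
    """Return the expanded ACEs for one configured ACE.

    ace: dict with action, proto, src, dst, port; src/dst/port may name an
    object group. The configuration shows one line, but the hardware holds
    the cross product of the group members, and that expanded count is what
    show access-list reports and what counts toward the system limit.
    """
    def members(value):
        return groups.get(value, [value])

    return [
        {"action": ace["action"], "proto": ace["proto"],
         "src": src, "dst": dst, "port": port}
        for src, dst, port in product(members(ace["src"]),
                                      members(ace["dst"]),
                                      members(ace["port"]))
    ]


def expanded_count(aces, groups=OBJECT_GROUPS):
    """Total number of expanded ACEs for a list of configured ACEs."""
    return sum(len(expand_ace(ace, groups)) for ace in aces)


def commit_acl(committed, new_aces, limit, groups=OBJECT_GROUPS):
    """Emulate one commit to the network processors.

    Returns (active_aces, accepted, expanded_total). The batch is accepted
    only if the expanded total fits under the limit; otherwise the whole
    batch is rejected (the 106024 case) and the previously committed ACEs
    stay active, even if only the last ACE of the batch crossed the limit.
    """
    total = expanded_count(committed, groups) + expanded_count(new_aces, groups)
    if total > limit:
        return list(committed), False, total
    return list(committed) + list(new_aces), True, total
```

Run expanded_count on a candidate ACL before pasting it: one object-group ACE in the example expands to 2 x 3 x 2 = 12 entries, and a batch of 99 literal ACEs plus that one ACE is rejected in full against a limit of 100.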

2-104 Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0   © 2008 Cisco Systems, Inc.

Comparing the ACL Types

Use                                           ACL Type                     Description
IP traffic network access control             Extended                     Traffic is denied by default on the FWSM unless it is
(routed and transparent)                                                   permitted by an ACL.
AAA rules traffic identification              Extended                     Identify traffic for AAA rules.
IP traffic network access control from        Extended (downloaded         Dynamic ACL download per user from a RADIUS server, or
AAA server per user                           per user)                    use of a preconfigured ACL on the FWSM per name sent
                                                                           from the server.
Identify addresses for NAT (policy NAT)       Extended                     Identify local traffic for translation per source and
                                                                           destination addresses.
Modular policy traffic identification         Extended                     Identify traffic in a class map, which is used for
(traffic class map)                                                        features that support the modular policy framework.
Non-IP traffic network access control         EtherType                    Configure an ACL that controls traffic based on its
(transparent)                                                              EtherType.
Identify OSPF route redistribution            Standard                     Control the redistribution of OSPF routes; only the
                                                                           destination address is identified.
Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Layer 2 filtering is used to prevent MAC- and ARP-related attacks.
* Layer 2 filtering can be used in transparent mode only.
* ACLs are used to identify traffic per different parameters.
* A time range can be applied to ACLs to control their activation.
* The Cisco Catalyst 6500 Series FWSM processes ACLs in hardware.


Lesson 4

Implementing Contexts

Overview

Objectives

FWSM Virtualization Overview
This topic identifies the virtualization of the Catalyst 6500 Series FWSM with contexts.

Concept of Virtual Firewalls
* Logical partitioning of a single FWSM into multiple logical firewalls
* Logical firewall = security context
* Licensed feature (default two contexts):
  - License for 20, 50, 100, and 250 contexts
* Each context has its own:
  - Policies and management
  - IP address space (can be reused between contexts)
  - Operational mode (routed or transparent)
  - Set of VLAN interfaces
  - Resource usage

Virtual firewalls present logical partitioning of a single physical Catalyst 6500 Series FWSM into multiple logical firewalls. A logical firewall is called a security context (or virtual firewall). Security contexts allow administrators to separate and secure data center silos while providing easy management using a single system. They lower overall management and support costs by hosting multiple virtual firewalls in a single device.

Security Contexts Overview
The Catalyst 6500 Series FWSM can be partitioned into multiple virtual firewalls known as security contexts. By default, two security contexts can be created on one Catalyst 6500 Series FWSM. To deploy more contexts, a special license is available for 20, 50, 100, and 250 concurrent security contexts.
A system configuration file controls the options that affect the entire module, and defines the interfaces that are accessible from each security context.
The system configuration file can also be used to configure resource allocation parameters to control the amount of system resources that are allocated to a context.
Controlling resources enables multiple demilitarized zones (DMZs) and service differentiation classes (gold, silver, and bronze) per context for different data center segments.
Each individual security context has its own security policies, interfaces, and administrators. Each context has a separate configuration file that contains most of the definition statements found in a standalone Catalyst 6500 Series FWSM configuration file. This configuration file controls the policies for the individual context, including items such as IP addressing, Network Address Translation (NAT) and Port Address Translation (PAT) definitions, authentication, authorization, and accounting (AAA) definitions, traffic control access control lists (ACLs), and interface security levels.

Note Interfaces can be dedicated to a single context or shared among many contexts.

Note Keep in mind that certain features, like Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing, are not supported in multiple context mode.
Using Multiple Contexts
* Multiple contexts with their own interfaces
* Mandatory for transparent mode

Figure: the campus network reaches the web servers, application servers, and database servers through separate contexts, each with its own interfaces.

The figure shows a network with multiple contexts deployed. Each context has its own interfaces.
This network topology is mandatory when the security contexts are operating in transparent mode.
In transparent mode, a single context can have up to eight interfaces, paired in different bridge groups.
Multiple contexts allow deployment of active-active failover functionality as an alternative to the existing active-passive failover.
Using Multiple Contexts (Cont.)

Figure: separate contexts for the ISP A link, the ISP B link, and an extranet connection, all terminating on the campus network.


Sharing an Interface Among Contexts
* A single interface is shared among contexts.
* Cascading of the contexts on a single physical FWSM is not supported.
* Only routed mode is supported.

Figure: the campus network attaches to one shared interface; three contexts front the web servers, the application servers, and the database servers.

Security contexts can share the same interface as shown in the figure.
One physical Catalyst 6500 Series FWSM is connected to the campus network and to three different data center networks. The Catalyst 6500 Series FWSM is partitioned into three security contexts, and each of the security contexts can be managed separately.
This kind of configuration can be used in the data center to connect multiple separate server segments in a multitier design:
* Front-end tier, encompassing the web servers
* Application tier, encompassing the application servers
* Back-end tier, encompassing the database servers
Each security context, and thus each tier, has its own security policy.

Note This can be used only in routed mode of operation.

Note The Catalyst 6500 Series FWSM does not support sharing the outside interface of one context with the inside interface of another context (known as cascading contexts). Traffic that is outbound from one context (from a higher to a lower security interface) can only enter another context as inbound traffic (lower to higher security); it cannot be outbound for both contexts, or inbound for both contexts.


IP Packet Classifier
* A single interface is shared among contexts.
* Packet classification determines the correct context.

Figure: the campus network enters on a shared interface; the classifier uses the source VLAN, or the destination IP address on the shared VLAN, to select the context in front of the web, application, or database servers.

Classifying Packets When Sharing the Interface
Keep in mind that packet classification requirements might make sharing interfaces impractical, because the classifier relies on the NAT configuration (the translations it creates) to map destination addresses to a context. Thus, the classifier is limited by how NAT is configured.

Note All traffic must be classified, including traffic from inside networks.

These configurations are not used for packet classification:
* NAT exemption, because it does not identify the mapped (shared) interface.
* The routing table, because multiple contexts might have routes for the same destination network pointing to different next hops.
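The classification rules above decide whether a shared-interface design is workable before any policy is written. The following model is added here as an example; it is not code from the course or from Cisco. The context names, VLAN numbers and mapped addresses are constructed assumptions. It classifies a packet by unique source VLAN first, then by the destination address against the static translations of the contexts sharing the VLAN, ignores NAT exemption and routing as the FWSM does, and includes an audit that flags mapped addresses claimed by two contexts on one shared VLAN, the case that silently drops traffic.

```python
"""Packet classifier for FWSM interfaces shared among security contexts.

Added example, not code from the course or from Cisco. The context names,
VLAN numbers and mapped addresses below are constructed assumptions.
"""

import ipaddress

# Per context: allocated VLANs, the mapped (global) addresses of its static
# translations on the shared VLAN, and its NAT-exempt networks. The exempt
# networks are listed only to show that the classifier ignores them.
CONTEXTS = {
    "web": {"vlans": {100, 101},
            "static_mapped": {"10.1.100.10", "10.1.100.11"},
            "nat_exempt": {"10.1.100.0/24"}},
    "app": {"vlans": {100, 102},
            "static_mapped": {"10.1.100.20"},
            "nat_exempt": set()},
    "db":  {"vlans": {100, 103},
            "static_mapped": {"10.1.100.30"},
            "nat_exempt": set()},
}


def classify(ingress_vlan, dst_ip, contexts=CONTEXTS):
    """Return the name of the context that owns the packet, or None (dropped).

    1. A VLAN allocated to exactly one context classifies every packet
       arriving on it to that context.
    2. On a shared VLAN the destination address must be the mapped address
       of a static translation in exactly one of the sharing contexts.
    NAT exemption and the routing table are never consulted, so a packet
    whose destination is unknown or claimed by two contexts is dropped.
    """
    sharing = [name for name, ctx in contexts.items()
               if ingress_vlan in ctx["vlans"]]
    if len(sharing) == 1:
        return sharing[0]
    if not sharing:
        return None
    dst = str(ipaddress.ip_address(dst_ip))   # normalise the textual form
    owners = [name for name in sharing
              if dst in contexts[name]["static_mapped"]]
    return owners[0] if len(owners) == 1 else None


def audit_shared_vlans(contexts=CONTEXTS):
    """Find mapped addresses claimed by more than one context on a shared
    VLAN; traffic to them would be unclassifiable. Returns {vlan: {addr: [ctx]}}."""
    problems = {}
    all_vlans = set().union(*(ctx["vlans"] for ctx in contexts.values()))
    for vlan in sorted(all_vlans):
        sharing = [n for n, ctx in contexts.items() if vlan in ctx["vlans"]]
        if len(sharing) < 2:
            continue
        claimed = {}
        for name in sharing:
            for addr in contexts[name]["static_mapped"]:
                claimed.setdefault(addr, []).append(name)
        dupes = {a: names for a, names in claimed.items() if len(names) > 1}
        if dupes:
            problems[vlan] = dupes
    return problems
```

In the constructed layout, a packet on VLAN 100 for 10.1.100.20 lands in the app context, while a packet for 10.1.100.99 is dropped even though it falls inside the web context's NAT-exempt range, which is exactly the limitation the note above describes.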
Mixing Firewall Modes
* Each context can be in transparent or routed mode
  - Independent of the others (FWSM 3.1 onwards)
* Do not share interfaces between transparent and routed contexts

Figure: four contexts side by side, each with an Outside and an Inside interface (one also with a DMZ), mixing routed and transparent operation.

fwsm(config)# show context
Context Name   Class     Interfaces        Mode          URL
*admin         default   Vlan10            Routed        disk:/admin.cfg
internal1      default   Vlan105,Vlan50    Routed        disk:/int1.cfg
internal2      default   Vlan106,Vlan51    Transparent   disk:/int2.cfg


Single vs. Multiple Context Mode: Feature Limitations

Feature                              Single Mode    Multiple Mode
AAA servers                          16             4 per context
Failover interface monitoring        256            256; divided between all contexts
Filtering servers                    16             4 per context
Security contexts                    N/A            100 (v2.3, based on licensing)
                                                    250 (v3.1, based on licensing)
Syslog servers                       16             4 per context
VLAN interfaces (routed mode)        256            256 per context; 1000 divided between all contexts
VLAN interfaces (transparent mode)   8 (4 pairs)    8 (4 pairs)

The table details the feature limits for the Catalyst 6500 Series FWSM in both single and multiple context mode.
The most important limits are:
* Up to 250 security contexts per FWSM (license)
* Number of interfaces:
  - 256 interfaces (VLANs) per security context
  - Maximum of 1000 interfaces per FWSM physical module
Single vs. Multiple Context Mode: Resource Limitations

Resource                                      Single Mode   Multiple Mode
MAC addresses (transparent mode)              65,535        65,535 divided among all contexts
Hosts connecting through FWSM concurrently    262,144       262,144 divided among all contexts
Inspection engine connections per second      10,000        10,000 divided among all contexts
IPsec management connections concurrently     5             5 per context; 10 divided among all contexts
ASDM management sessions concurrently         5             5 per context; 80 divided among all contexts
NAT translations                              266,144       266,144 divided among all contexts
'

Single vs.M ultiple C ontextM ode:


Resource Lim itations (Cont.)
#; : ' : 7 * z '

SSHmanagement
connections
5 j 5perconteM
System messages to
FW SM term inalor 30,000 100 divided amongaIIcontexts
bufferpersecond
System messagesto 1
sy
pes
rls
oe
gcs
oenr
dver 25.000 j30,000di
vldedamongaIIcontexts
TcP .- ... y......-..
.....,

orUDP
connections between 999,900
j
I
anytwo hosts 25,000divided among aIIcontexts
1
concurrently 1
NewTCPorUDP '1
connte
any wct
ionsbetween 100,000 1 999,900di
videdamongaII
o hosts I
1 contexts
p4rsjcoqd j

Because PAT requiresa separate translation forcach collncction. tllc cffcctive lim itof
conncctionsusing PAT isthetranslation lim itof256.000,notthc higherconnection lim it. To
reach the conncction lim it,you nced to usc NAT.which allows multiplcconnectionsusing thc
sam e translation session.

2-118 lmplement
ingCiscoDataCenterNetworkInfrastructure1(DCNI-I)v2.
O C)2008CiscoSystems.lnc.
Configuring FWSM Contexts
This topic describes Catalyst 6500 Series FWSM context creation.

Virtual Firewall Overview
* FWSM-wide configuration is stored in flash:/system.cfg
* Context-specific configurations are stored in flash or remote storage

fwsm(config)# changeto context name
fwsm(config)# changeto system
* Switches to another context or to the system space

Context hierarchy:
* System Execution Space (reached from the switch with session slot number)
  - Root context
  - Admin context (remote root access)
  - Security contexts (SSH, Telnet, IPsec, HTTPS)

Note There is no policy inheritance between contexts.

System Execution Space

Admin Context
The admin context is just like any other context, except that a user who logs into the admin context has system administrator rights and can access the system and all other contexts.
The admin context is not restricted in any way and can be used as a regular context. However, because logging into the admin context grants administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, not remotely. The interfaces allocated to the admin context are used by the Catalyst 6500 Series FWSM for any traffic created by the FWSM itself, such as syslog messages. The admin context can also be used to provide remote access for management of the entire FWSM.
If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as the disk:/admin.cfg file. This context is named "admin".
If you do not want to use admin.cfg as the admin context, you can change the admin context.

Note The admin context is a mandatory security context.

Accessing Contexts
Use the session command to connect from the Cisco Catalyst 6500 Series Switch IOS Software to the system execution space of the Catalyst 6500 Series FWSM.
Users who log in to the system execution space, or who log in to the admin context remotely, can use the changeto command to access any context within the Catalyst 6500 Series FWSM.
Individual contexts can also be accessed with the standard management methods of Secure Shell (SSH), Telnet, IPsec tunnels, and HTTPS PIX Device Manager (PDM) sessions.
Within a security context, the startup-config file refers to the configuration file of that security context.

Note The ASDM does not support changing modes, so you need to change modes using the command-line interface (CLI).

Note The mode multiple command sets mode information that endures through reboots; however, this mode information is not stored in the system configuration file in flash memory.
System Configuration
Configuration statements include:
* mode multiple
* Failover configuration
* Resource allocation
* Admin context name

fwsm(config)# admin-context name
* Sets the context to be the admin context

Example from the system execution space:
mode multiple
admin-context admin
context admin
  allocate-interface Vlan100
  config-url disk:/admin.cfg
context a
  allocate-interface Vlan20
  allocate-interface Vlan...
  config-url disk:/cust1.cfg

The system.cfg file stores configuration statements that affect the Catalyst 6500 Series FWSM as a whole.
Failover functions are not virtualized and, therefore, failover configuration statements are contained in system.cfg.
The system space has control over all contexts; it:
* Creates the admin context first
* Creates the security contexts
* Assigns interfaces to contexts
Thus the system.cfg file also has configuration statements that define the individual contexts and allocate resources to them.
Up to 256 VLANs are assigned to a context; physical interfaces are controlled by the Multilayer Switch Feature Card (MSFC).

Admin Context
You can set any context to be the admin context, as long as its configuration file is stored in the internal flash memory.
The admin context is designated with the admin-context command.
Changing the admin context terminates any remote management sessions, such as Telnet, SSH, or HTTPS. They have to be reestablished in the new admin context.

Note A few system commands identify an interface name that belongs to the admin context. If you change the admin context and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.
Creating Contexts
To create an individual context:
* Name the context
* Allocate interfaces
* Specify the configlet URL

fwsm(config)# context name
fwsm(config-ctx)# allocate-interface vlan_number[-vlan_number] [mapped_name[-mapped_name]]
fwsm(config-ctx)# config-url url
* Creates the context

Example from the system execution space:
context admin
  allocate-interface Vlan10
  config-url disk:/admin.cfg

The config-url command is used to specify the location in which the configuration file of the context is stored.

Note The context is not active until the config-url command is issued.

Caution If the configuration file specified in the config-url command already exists, then all allocate-interface commands should be issued prior to issuing the config-url command.
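The context definition rules scattered over this lesson (admin context on flash, allocate-interface before config-url, 256 VLANs per routed context, 8 interfaces per transparent context, no interface shared between a routed and a transparent context, sharing only in routed mode) are the ones an operator most often breaks when generating system.cfg from inventory data. The following builder is added here as an example; it is not code from the course or from Cisco. It validates a set of context definitions against those rules and emits the system execution space lines in the required order. The context names, VLANs and URLs are constructed assumptions (they mirror the show context output shown earlier), and the per-context mode is carried only for validation, since the mode itself is set inside each context.

```python
"""Builder and validator for the context definitions in an FWSM system
configuration.

Added example, not code from the course or from Cisco. Context names, VLAN
numbers and config URLs are assumptions; the limits are the ones stated in
this lesson.
"""

MAX_ROUTED_IFACES = 256
MAX_TRANSPARENT_IFACES = 8


class ContextConfigError(ValueError):
    """Raised for a context layout the FWSM would reject or misbehave on."""


def validate_contexts(contexts, admin):
    """contexts: {name: {"mode": "routed" | "transparent",
                         "vlans": [int, ...], "url": str}}.
    Returns True or raises ContextConfigError with the first violation."""
    if admin not in contexts:
        raise ContextConfigError("admin context %r is not defined" % admin)
    if not contexts[admin]["url"].startswith("disk:/"):
        raise ContextConfigError("admin context must reside on flash (disk:/)")
    owners = {}
    for name, ctx in contexts.items():
        transparent = ctx["mode"] == "transparent"
        limit = MAX_TRANSPARENT_IFACES if transparent else MAX_ROUTED_IFACES
        if len(ctx["vlans"]) > limit:
            raise ContextConfigError(
                "%s: %d interfaces exceeds the %d allowed in %s mode"
                % (name, len(ctx["vlans"]), limit, ctx["mode"]))
        for vlan in ctx["vlans"]:
            owners.setdefault(vlan, []).append(name)
    for vlan, names in sorted(owners.items()):
        if len(names) < 2:
            continue
        modes = {contexts[n]["mode"] for n in names}
        if len(modes) > 1:
            raise ContextConfigError(
                "Vlan%d is shared between routed and transparent contexts %s"
                % (vlan, names))
        if "transparent" in modes:
            raise ContextConfigError(
                "Vlan%d is shared, but sharing is only supported in routed mode"
                % vlan)
    return True


def violation(contexts, admin):
    """Return the violation message, or None when the layout is valid."""
    try:
        validate_contexts(contexts, admin)
    except ContextConfigError as err:
        return str(err)
    return None


def render_system_config(contexts, admin):
    """Emit the system execution space lines: mode multiple, admin-context,
    then one block per context with every allocate-interface issued before
    config-url, admin context first."""
    validate_contexts(contexts, admin)
    lines = ["mode multiple", "admin-context %s" % admin]
    for name in [admin] + [n for n in contexts if n != admin]:
        ctx = contexts[name]
        lines.append("context %s" % name)
        lines.extend("  allocate-interface Vlan%d" % v for v in ctx["vlans"])
        lines.append("  config-url %s" % ctx["url"])
    return "\n".join(lines) + "\n"
```

The validator refuses the same layout that the Mixing Firewall Modes slide warns about (one VLAN allocated to both a routed and a transparent context) before any line is emitted, so the generated text never has to be debugged on the module.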


Verifying Contexts
From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL by using the show context command.
show context [detail] [name | admin | count]

show context Parameters
Parameter   Description
detail      (Optional) Displays context details.
name        (Optional) Displays information about the specified context.
admin       (Optional) Displays the administrator context.
count       (Optional) Displays the number of contexts configured.

fwsm# show context detail

Context "admin" is ADMIN and active
  Config URL: disk:/admin.cfg
  Real Interfaces: Vlan90, Vlan91
  Mapped Interfaces: Vlan90, Vlan91
  Class: default, Flags: 0x00001857, ID: 1

Context "bridge" is active
  Config URL: disk:/bridge.cfg
  Real Interfaces: Vlan92, Vlan93
  Mapped Interfaces: Vlan92, Vlan93
  Class: default, Flags: 0x00001855

Context "null" is a system resource
  Config URL: ... null
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000809

Context "system" is a system resource
  Config URL: flash:config
  Real Interfaces:
  Mapped Interfaces: EOBC0, GigabitEthernet0, GigabitEthernet1, Vlan90, Vlan91, Vlan92, Vlan93
  Class: default, Flags: 0x00000819

Removing Contexts
To remove a single context, use the no context command in the system execution space. To remove all contexts (including the admin context), use the clear context command.


Changing the Context Configuration URL

Note If you want to perform a merge, skip to Step 2.

Step 1  Change to the context and clear its running configuration.
FWSM# changeto context name
FWSM/name# configure terminal
FWSM/name(config)# clear configure all
Step 2  Change to the system execution space.
FWSM/name(config)# changeto system
Step 3  Enter the context configuration mode for the context you want to change.
FWSM(config)# context name
Step 4  Enter the new URL.
FWSM(config)# config-url new_url
Managing Context Resources
This topic explains the Catalyst 6500 Series FWSM context resource management.

Class Hierarchy
* Limits set in the default class are the basis for all other classes and for contexts not assigned to a class

Figure: the default class at the root; below it an Executive class, a Servers class, and a Limited class, each with its member contexts (for example, the CEO, data center, and visitor contexts).

By default, all security contexts have unlimited access to the resources of the Catalyst 6500 Series FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources and, for example, cause other contexts to be denied connections, you can configure resource management to limit the use of resources per context.

Configuring Resource Management
Resource management definitions are created by defining a class. Each class definition contains a specification of the resource limits to be applied to the contexts assigned to that class.
A default class defines the resource limits that are applied to contexts that are not assigned to other defined classes. The limits in the default class are inherited by other classes, unless specifically overridden in the definition of the nondefault class.
Each individual security context is assigned to a class. Multiple contexts can be assigned to the same class.

Note The Catalyst 6500 Series FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN.

Virtual Firewall Resource Limiter
* Classes are defined in the system execution space.
* Individual contexts are mapped to classes.
* Limits are applied to specific resources within a class (integer or percentage; 0 means no limit).
* Resources can be oversubscribed: a class assigns a maximum of 10 percent of the resources, but 50 contexts are mapped to it.

fwsm# show resource types
Conns            Connections
Hosts            Hosts
IPsec            IPsec mgmt tunnels
ASDM             ASDM sessions
SSH              SSH sessions
Conns (rate)     CPS (connections per second)
Xlates           XLATE objects
Fixups           Fixups/sec
Mac-addresses    MAC address table entries
Syslogs          Syslog/sec
All              All resources

Defining Resource Limitations
Resource limitations can be defined in three ways:
* Rate-limited consumption of a specified resource per second
* Absolute amount of a specified resource consumed, expressed as either an absolute number or a percentage of the system maximum
* Absolute amount of all tracked resources, expressed as either an absolute number or a percentage of the system maximums
The figure shows the resources that can be individually controlled with resource management configuration commands. Other resources are tracked by the resource allocation function of the Catalyst 6500 Series FWSM operating system, but cannot be controlled on an individual basis. These resources are controlled by the all keyword of the resource limit commands.

Configuring Resource Management
fwsm(config)# class name
fwsm(config-class)# limit-resource [rate] resource_name | all {number[%] | 0}
* Creates a class and allocates resources

fwsm(config-ctx)# member class
* Assigns a context to a class

Example from the system execution space:
class executives
  limit-resource all 10%
class gold
  limit-resource all 0
class silver
  limit-resource conns 5000
  limit-resource hosts 200

context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
context executives
  allocate-interface vlan101-vlan102
  member executives
  config-url disk:/executives.cfg
context regular_guys
  allocate-interface vlan103-vlan104
  member gold
  config-url disk:/regular_guys.cfg
context visitors
  allocate-interface vlan105-vlan106
  member silver
  config-url disk:/visitors.cfg

Classes are defined as shown in the first part of the example.
First, a class is defined with the class command. The name is a string up to 20 characters long. To set the limits for the default class, enter default as the name.
The limit-resource command is then used to define the individual resource limitations. The number is an integer greater than or equal to 1. Zero (0, without a percent sign) sets the resource to the system limit, that is, no limit. You can assign more than 100 percent in total if you want to oversubscribe the device.
A resource name can be mac-addresses, conns, fixups, hosts, ipsec, asdm, ssh, and so on.

Note For the complete list of resource names with minimum and maximum values, refer to the Catalyst 6500 Series FWSM documentation.

The second part of the example shows how individual security contexts are defined.
Contexts are assigned to a resource class with the member command.
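Whether a class layout oversubscribes the module is not visible from the configuration itself, because the default class is inherited, percentages are relative to system maximums, and 0 means the full maximum. The following model, added here as an example and not code from the course or from Cisco, resolves the effective limits of a class the way the lesson describes (default-class inheritance, all as the fallback, 0 as unlimited, percentages of the system maximum) and sums the allocations of all member contexts to report oversubscribed resources. The system maximums, class definitions and memberships are constructed assumptions.

```python
"""Resource class model: default-class inheritance, percentage and absolute
limits, 0 as unlimited, and oversubscription detection.

Added example, not code from the course or from Cisco. The system maximums,
class definitions and context memberships are constructed assumptions.
"""

# Assumed single-module maximums for the resources used in the example.
SYSTEM_MAX = {"conns": 999900, "hosts": 262144, "ssh": 100, "xlates": 266144}


def _to_absolute(value, maximum):
    """'10%' -> share of the maximum; 0 -> the maximum (no limit); int -> itself."""
    if isinstance(value, str) and value.endswith("%"):
        return maximum * int(value[:-1]) // 100
    return maximum if value == 0 else int(value)


def resolve_limits(classes, class_name, system_max=SYSTEM_MAX):
    """Effective absolute limit per resource for one class.

    classes: {class_name: {resource_or_'all': value}}. A class inherits every
    setting of the default class it does not override; a resource with no
    explicit setting falls back to 'all', and 'all' itself defaults to 0
    (unlimited), which is the out-of-the-box behaviour described above.
    """
    merged = dict(classes.get("default", {}))
    merged.update(classes.get(class_name, {}))
    return {resource: _to_absolute(merged.get(resource, merged.get("all", 0)),
                                   maximum)
            for resource, maximum in system_max.items()}


def oversubscription(classes, members, system_max=SYSTEM_MAX):
    """Sum the allocation of every context and report the resources whose
    total exceeds the system maximum, as a percentage of that maximum.
    members: {context_name: class_name}."""
    totals = {resource: 0 for resource in system_max}
    for class_name in members.values():
        limits = resolve_limits(classes, class_name, system_max)
        for resource, limit in limits.items():
            totals[resource] += limit
    return {resource: round(100.0 * total / system_max[resource], 1)
            for resource, total in totals.items()
            if total > system_max[resource]}
```

With a default class capped at 5 percent and an executives class at 10 percent, twelve executive contexts resolve to 120 percent of every resource, which is the oversubscription the slide warns about; the same check returns an empty report for the three-context layout of the example above.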


Configuring Memory Partitions
fwsm(config)# resource acl-partition number_of_partitions
* Sets the number of partitions

fwsm(config-ctx)# allocate-acl-partition partition_number
* Assigns a context to a memory partition

context test
  allocate-interface vlan101 int1
  allocate-interface vlan102 int2
  allocate-interface vlan110-vlan115 int3-int8
  config-url ftp://user1:password@10.1.1.1/configlets/test.cfg
  member gold
  allocate-acl-partition 0

Note Rules are used up on a first-come, first-served basis, so one context might use more rules than another context.

You can manually assign a context to a partition.

Note Changing the number of partitions requires you to reload the Catalyst 6500 Series FWSM.

Configuring Memory Partitions
To change the number of memory partitions, use the resource acl-partition command in the system execution space and reload the Catalyst 6500 Series FWSM.
If you are using failover, wait a few seconds and then reload the standby unit as well. The standby unit does not reload automatically, and the memory partitions must match on both units.

Caution Traffic loss can occur because both units are down at the same time.

You can assign an individual context to a particular memory partition with the allocate-acl-partition command in the context configuration mode.

Note The partition numbering starts with 0. So if you have 12 partitions, the partition numbers are 0 through 11.

Verifying Memory Partitions
To verify the memory partition configuration, use the show resource acl-partition command in the system execution space.
fwsm(config)# show resource acl-partition
Total number of configured partitions = 2
Partition #0
  Mode               :exclusive
  List of Contexts   :bandn, borders
  Number of contexts :2(RefCount:2)
  Number of rules    :0(Max :53087)
Partition #1
  Mode               :non-exclusive
  List of Contexts   :admin, momandpopA, momandpopB, momandpopC, momandpopD
  Number of contexts :5(RefCount:5)
  Number of rules    :6(Max :53087)
Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* Virtual firewalls are implemented with multiple security contexts.
* Contexts are created within the system configuration and defined in individual configuration files.
* Resource management controls the Cisco Catalyst 6500 Series FWSM resources allocated to each security context.
uessonsI

Im plem enting R puting

O verview
DeployillgthcCisco Catalyst6500 SeriesFircwallScrvicesModtlle(F'
SVSM )in arotltcd l
node
rcqtlircscithcrstaticordynam ic IP rotltillg.Thislesson describesalld explainsllow to
conligtlrc thcCatalyst6500 ScriesF' W SM routing capabilitiesaincltldillg static routing,
dynalnicrotlting,and rotlteIlealtllinjcctioll(RHl).
Objectives
U pol)colnpleting tllislesson,yotlwillbe ablcto dcploy rotltillg on a Catalyst6500 Serics
FW SM .Thisability illcltldesbeingableto meetthcscobjcctives:
* Explain thc nced forstatic rotlting on thc Catalyst6500 SeriesFW SM
* Dcscribcthc stepsneeded to configtlrc static rotltcs
* Explain the need j
-ordynam ic routing on the Catalyst6500 Serics FW SM
w Dcscribc the availablcdyllalnicroutillg protocolsoI1the Catalyst6500 ScricsFW SM
* Explain thc need tbrR1.II
w Explain the nced forasym metric rotlting
w Explain the restrictionsofdynam ic rotlting
K Describc thc slepsnecded to configurcvariotlsdynanlicrouting protocols
Configuring Static Routing
This topic explains static routing on the Catalyst 6500 Series FWSM.

Understanding Routes
Where to forward the traffic?
* Through which interface?
* What is the IP address of the next hop?

Figure: the FWSM sits between the Internet on the outside interface (192.168.1.0/24, next hop 192.168.1.1) and the inside network 10.0.1.0/24; the routers 10.0.1.2 and 10.0.1.3 lead to 10.0.2.0/24 and 10.0.3.0/24. Routing table: 10.0.1.0/24 inside (connected); 192.168.1.0/24 outside (connected); 10.0.2.0/24 inside via 10.0.1.2; 10.0.3.0/24 inside via 10.0.1.3; 0.0.0.0/0 outside via 192.168.1.1.

How to Determine Where to Forward the Traffic
In routed mode, the Catalyst 6500 Series FWSM behaves similarly to a router when it has to forward a packet between its interfaces. Multiple interfaces mean multiple IP subnets, and thus the Catalyst 6500 Series FWSM has to determine how to forward an IP packet toward its destination.
There are two things a FWSM (or a router, respectively) has to determine:
* What is the outgoing interface through which the packet is transmitted?
* What is the IP address of the next hop router to receive the packet?
Since most IP-based communications are bidirectional, routes that handle the traffic in both directions have to be configured. Routes are stored in the routing table and are acquired by means of a routing protocol (either static or dynamic).

How FWSM Makes Forwarding Decisions
Routers, by default, make routing decisions with regard to the routing table only.
In contrast to routers, the Catalyst 6500 Series FWSM makes routing decisions with regard to the routing table and the translation table (when Network Address Translation [NAT] is not disabled):
* If a translation for the destination IP address (dynamic or static) already exists, the egress interface is the one in the translation table, not the one in the routing table. The routing table is then consulted only for the IP address of the next hop.
* If no translation for the destination IP address exists, the IP routing table is consulted for both the next hop IP address and the egress interface.
C onfiguring Routes
fwsm tconfigl#
route if nnme dest ip masx Fa:evay ip (dstance)
n Adds a static route through specified interface
route outside 0 0 192.168.1.1
route inside 10.0.2.: 255.255.255.0 10.e.1.2
route inside 10.0.3.0 255.255.255.: 10.:.1.3

elk.m eo '
Intemet ;7'cc'
1 Q .1 2*'m .1 .2 '
QL.
Q '
. . d,
. -,r..;,
jy j
s,
ssj
t
j
e
t.,.-. ...
,
.
,.
' .
:. y.
--499
,
p'
4 , f...sx' ' ,J.i:..?' Iz>.t r;4
10.0.2.0/24
10020/24 E0 10012 3
. .
.q7'ZP
1
10
0.

03
1.
0
0?
/2
24
4 E
e0
o 1(
).
(
).
-$.t
i. @ ,yr##
,.x .
< :F

10 0.3.0/24
O.000/O e1 19216811

BesidcsBorderGateway Protocol(BGP),statc routesarctile only way to enablcIP routillg to


tllc networksin tlle multiple colltextI
nodc thatarc notdirectly collnccted.
Rotltcsare conl
igtlrcd on the Catalyst6500 Serics FW SM usilpg thc routecolnlnand.
r()11tt,4*
/'1?4???1:7t/(?.
$'/ il),,1:7.
:J'kf(1lc7;$'(7!'i;lg(lis'tclll'
lf1
route Param eters

Parameter Description
if- name Specifies the interface to be used to transmittraffic toward the
desti
nation specified bythe route com mand.
dest
r ip-
Togetherwith the m as/fparam eter,determinestherange of
destinati
on IP addresses covered by the route command.
t
nask Togetherwilhthe deslip parameter,determinesthe range of
destination IP address-
es covered by the route com mand.

gateuza.yr ip Specifiesthe IP address ofthe nexthop router.


distance (Optional)Hopcountto be associated wi
ththe route.Ifmulti
ple
routes to a particulardestination exist the route with the lower
m etric is preferred.The defaultmetric is 1.FW SM supports up to
lhree equal
-costroutes to the same destination perinterface for
Ioad baiancing.Equal
-costmultipath (ECMP)Ioad shari
ng isnot
supported.

D efault R oute
A rotltcconI
igtlrcd with a (F(?.
s'J ip alld l??t'
7.
# of0.0.0.0 isea11cd a dcfatlltroute.Packcts tllatarc
notcovercd by ally otherrotlte arehandlcd by tllc dcfaultroutc.

Note The defaultroute can be abbreviated as 0 in the route cem mand.

@ 2008 Cisco System s,lnc. lmplementing FW SM fora Data GenterNetwork lnfrastructure 2-135
Static Route Convergence
Static routc isrcm ovcd froln therotlting tablconly ifthc interface goesdown.Ifthe spccified
gateway bccomesunavailable,the static route isnotrclnoved.

Note: Static routes are also used in the transparent mode to send the traffic originated in the Catalyst 6500 Series FWSM to nondirectly connected networks (for example, management traffic like syslog, authentication, authorization, and accounting (AAA), or Websense).

Configuration Example
The first route is a default route that is used for any traffic to the outside network. The remaining two routes handle traffic to the two internal networks, and each of them has a router between the network and the Catalyst 6500 Series FWSM.
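The three routes described above, as an added example that is not part of the course material: a small Python parser for FWSM route statements that resolves a destination by longest prefix and lowest distance, honours the 0 abbreviation for the default route, and flags more than three equal-cost routes to one destination on an interface. The route lines are constructed to match the figure's addresses; the gateway used for 10.0.3.0/24 is an assumption.

```python
"""Resolve destinations against Catalyst 6500 Series FWSM static routes.

Added example (not part of the course material). It parses lines of the
form ``route if_name dest_ip mask gateway_ip [distance]``, accepts the ``0``
abbreviation for the default route, and applies longest-prefix match with
the lowest distance (default 1) as tie-breaker. It also flags more than
three equal-cost routes to one destination on an interface, the limit
stated in the route parameter table.
"""
import ipaddress
from dataclasses import dataclass

# Constructed to match the figure's addresses; the gateway for 10.0.3.0/24
# is assumed, since it is not legible in the figure.
SAMPLE_CONFIG = """
route outside 0 0 192.168.1.1
route inside 10.0.2.0 255.255.255.0 10.0.1.2
route inside 10.0.3.0 255.255.255.0 10.0.1.3
"""

MAX_EQUAL_COST_PER_INTERFACE = 3


@dataclass(frozen=True)
class StaticRoute:
    if_name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    distance: int = 1

    @property
    def is_default(self):
        """dest_ip and mask of 0.0.0.0: handles whatever no other route covers."""
        return self.network.prefixlen == 0


def parse_route(line):
    """Parse one ``route`` statement into a StaticRoute."""
    fields = line.split()
    if len(fields) not in (5, 6) or fields[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    _, if_name, dest_ip, mask, gateway = fields[:5]
    # The default route may be abbreviated as 0 (dest_ip and mask).
    dest_ip = "0.0.0.0" if dest_ip == "0" else dest_ip
    mask = "0.0.0.0" if mask == "0" else mask
    network = ipaddress.IPv4Network((dest_ip, mask), strict=False)
    distance = int(fields[5]) if len(fields) == 6 else 1
    if not 1 <= distance <= 255:
        raise ValueError(f"distance out of range: {line!r}")
    return StaticRoute(if_name, network, ipaddress.IPv4Address(gateway), distance)


def parse_config(text):
    """Return the StaticRoute objects for every ``route`` line in a config."""
    return [parse_route(l) for l in text.splitlines() if l.strip().startswith("route ")]


def lookup(routes, destination):
    """Routes chosen for destination: longest prefix first, then lowest distance.

    More than one route is returned only for equal-cost routes on the same
    prefix; an empty list means no route (not even a default) matches.
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return []
    best_len = max(r.network.prefixlen for r in candidates)
    longest = [r for r in candidates if r.network.prefixlen == best_len]
    best_dist = min(r.distance for r in longest)
    return [r for r in longest if r.distance == best_dist]


def check_equal_cost_limit(routes):
    """(if_name, network) pairs with more than three equal-cost routes."""
    groups = {}
    for r in routes:
        groups.setdefault((r.if_name, r.network, r.distance), []).append(r)
    return [(i, n) for (i, n, _), rs in groups.items()
            if len(rs) > MAX_EQUAL_COST_PER_INTERFACE]
```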

2-136 Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0 © 2008 Cisco Systems, Inc.
Configuring Dynamic Routing
This topic explains dynamic routing on the Catalyst 6500 Series FWSM.

Dynamic Routing Protocol Support

[Figure: FWSM between the outside network 192.168.1.0/24, the DMZ, and the inside networks 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, with the routing protocol supported on each interface marked.]

• OSPF
• RIP (passive and default route)
• BGP stub (only advertise)

OSPF Routing Protocol
• Supported OSPF features include:
  - Metric is transmission cost
  - OSPF authentication
  - Two OSPF processes
  - OSPF link-state advertisement (LSA) flooding
  - Areas:
    * Intra-area, interarea, and external (type I and type II) routes
    * Stub areas and not-so-stubby areas (NSSAs)
    * Virtual links
  - Redistribution of static, connected routes, and between processes
• Not supported in the multiple context mode

A Catalyst 6500 Series FWSM can be configured with the OSPF routing protocol to dynamically learn and advertise routes.
OSPF uses Dijkstra's shortest path first (SPF) algorithm to calculate the best path to the destination. The input information for the SPF algorithm consists of link-state advertisements (LSAs) kept in the link-state database (LSDB).
The Catalyst 6500 Series FWSM maintains a full LSDB.
Most of the OSPF features supported on a Cisco router are supported on the Catalyst 6500 Series FWSM as well.

OSPF Limitations
Two OSPF processes can be run on different sets of interfaces.

Note: OSPF is not supported in the multiple context mode.

Further information about OSPF is available in the Catalyst 6500 Series FWSM documentation.

Enabling OSPF
fwsm(config)#
router ospf process-id
• Configures OSPF process
fwsm(config-router)#
network ip_address mask area area_id
• Defines IP addresses on which OSPF runs, and area ID

[Figure: FWSM with the outside network 192.168.1.0/24 and the inside networks 10.0.1.0/24 and 10.0.3.0/24; OSPF is enabled on the inside.]

router ospf 2
network 10.0.0.0 255.0.0.0 area 0

OSPF is enabled by configuring routing processes using the router ospf command:
router ospf process-id

router ospf Parameter

Parameter    Description
process-id   An identifier used internally by the FWSM to track separate OSPF processes, if
             more than one is configured. The FWSM supports two OSPF processes.

After the OSPF process is configured, the networks that participate in the routing process are defined with the network area command:
network ip_address mask area area_id

network area Parameters

Parameter    Description
ip_address   Any interface with an address in the range defined by this and the mask
             parameter is used by the OSPF routing process.
mask         Any interface with an address in the range defined by the ip_address and this
             parameter is used by the OSPF routing process.

             Note: The mask used is a standard mask rather than the wildcard mask used
             when configuring OSPF on a Cisco IOS-based router.

area_id      Places each interface in an OSPF area. OSPF areas are used to subdivide a
             network that is using OSPF as the routing protocol. The area specified on the
             FWSM must match the area IDs configured in the OSPF routers to which the FWSM
             is attached.

Verifying OSPF Operation
To verify and troubleshoot OSPF operation, the same set of commands is used as on Cisco IOS routers.

Note: Further information about OSPF commands is available in the Catalyst 6500 Series FWSM documentation.

RIP Routing Protocol
• Features of RIP support include:
  - Metric is hop count
  - Each router contains a next hop database
  - Version 1 (default) and version 2
  - Cleartext and MD5 authentication for RIPv2
• RIP operation modes:
  - Passive RIP
  - Default route updates
• Not supported in the multiple context mode

The Catalyst 6500 Series FWSM supports both RIP version 1 (RIPv1) and version 2 (RIPv2), the first one being the default.

Note: RIP is not supported in the multiple context mode.

Further information about RIP is available in the Catalyst 6500 Series FWSM documentation.

Enabling RIP
fwsm(config)#
rip if_name passive [version {1 | 2 [authentication {text | md5} key key_id]}]
• Enables passive RIP with optional authentication for version 2
fwsm(config)#
rip if_name default [version {1 | 2 [authentication {text | md5} key key_id]}]
• Enables sending of default route

[Figure: FWSM with the outside network 192.168.1.0/24 and the inside network 10.0.3.0/24; RIP runs on the inside interface.]

rip inside default version 2
rip inside passive version 2

Passive RIP is configured with the rip passive command:
rip if_name passive [version {1 | 2 [authentication {text | md5} key key_id]}]

rip passive Parameters

Parameter        Description
if_name          The interface where RIP should listen to the RIP updates from neighboring
                 routers.
version 1 | 2    (Optional) The version of the RIP protocol: RIPv1 or RIPv2. If not
                 specified, RIPv1 is used.
authentication   (Optional) Enables RIP version 2 authentication.
text             Uses cleartext for RIP message authentication (not recommended).
md5              Uses MD5 for RIP message authentication.
key              Key used to authenticate RIP updates.
key_id           Key identification value; valid values range from 1 to 255.

Default route update is configured with the rip default command:
rip if_name default [version {1 | 2 [authentication {text | md5} key key_id]}]

rip default Parameters

Parameter        Description
if_name          The interface where RIP should listen to the RIP updates from neighboring
                 routers.
version 1 | 2    (Optional) The version of the RIP protocol: RIPv1 or RIPv2. If not
                 specified, RIPv1 is used.
authentication   (Optional) Enables RIP version 2 authentication.
text             Uses cleartext for RIP message authentication (not recommended).
md5              Uses MD5 for RIP message authentication.
key              Key used to authenticate RIP updates.
key_id           Key identification value; valid values range from 1 to 255.

Note: Further information about RIP commands is available in the Catalyst 6500 Series FWSM documentation.

Note: RIP cannot be used by the Catalyst 6500 Series FWSM to advertise individual networks.

BGP Stub Routing
• Features of BGP support include advertisement of static and directly connected routes to neighbors
• Limitations:
  - One routing process (in multiple context mode also)
  - One BGP neighbor (in multiple context mode also)
  - iBGP only
  - No redistribution
• Supported in the multiple context mode
• Requires a license

BGP stub routing process is used only to advertise the configured static and directly connected routes to BGP neighbors.
BGP does not process the accepted routes advertised by the BGP peer and simply drops them.

Note: A license is required to deploy BGP stub routing.

BGP Limitations
BGP stub routing is limited to one process, one BGP neighbor, and only internal BGP (iBGP), even if deployed in multiple context mode.
Redistribution of any routes into BGP is not supported.

Note: Further information about BGP is available in the Catalyst 6500 Series FWSM documentation.

Enabling BGP
fwsm(config)#
router bgp as-number
• Configures BGP stub routing process
fwsm(config-router)#
neighbor ip-address remote-as as-number
• Defines the neighbor to which updates are sent
fwsm(config-router)#
network ip-address mask mask
• Specifies the networks which are advertised by BGP

[Figure: FWSM with the inside network 10.0.3.0/24 and the outside network 192.168.1.0/24; the iBGP neighbor is 192.168.1.2.]

router bgp 65000
neighbor 192.168.1.2 remote-as 65000
network 10.0.3.0 mask 255.255.255.0

BGP stub routing is enabled by configuring routing processes with the router bgp command:
router bgp as-number

router bgp Parameter

Parameter    Description
as-number    The autonomous system (AS) number that identifies the FWSM to other BGP routers
             and has to be the same as on the neighboring device, since only iBGP is
             supported.

To start the BGP session with the neighbor, use the neighbor remote-as command:
neighbor ip-address remote-as as-number

neighbor remote-as Parameters

Parameter    Description
ip-address   The IP address of the neighboring iBGP router.
as-number    The AS number that identifies the FWSM to other BGP routers and has to be the
             same as on the neighboring device, since only iBGP is supported.

Optional BGP Commands
BGP on the Catalyst 6500 Series FWSM also supports the commands listed in the table.

Optional BGP Commands

Command                                        Description
bgp router-id id                               Defines a BGP router ID.
neighbor ip-address password [mode] password   Defines a password used to authenticate the
                                               BGP messages to the neighbor.

Note: In more complex iBGP deployments, the BGP neighbor has to be enabled with the route reflector functionality.

To verify and troubleshoot BGP operation, the same set of commands is used as on Cisco IOS routers.

Note: Further information about BGP commands is available in the Catalyst 6500 Series FWSM documentation.

Route Health Injection
• Available since FWSM 4.0
• Leverage RHI to support routing protocols natively supported by Cisco Catalyst 6500 Series Switch
• Inject routes directly into MSFC:
  - Directly connected routes
  - Static routes
  - NAT pool information
• Per-context RHI

[Figure: Cisco Catalyst 6500 Series Switch hosting the FWSM; the routes of each context (outside and inside VLANs) are injected into the MSFC.]

Using RHI to Inject Translated IP Addresses

Asymmetric Routing Support
• Challenge: Return traffic for a session routed through a different interface is dropped
• Put interfaces in the asymmetric routing group
• Action upon packet with no session information on interface:
  - Layer 2 header rewritten
  - Failover scenario: packet is redirected to the other unit
  - Different interface: packet reinjected into the system
• Stateful failover must be enabled
• Supported in the multiple context mode

Normally the Catalyst 6500 Series FWSM, like any other firewalling device, does not allow asymmetric routing; that is, if return traffic for a session is routed through a different interface than the one it originated from, the traffic is dropped, since there is no connection information for that traffic.
In failover configurations, return traffic for a connection that originated on one unit may return through the peer unit.
Such deployments are common when two interfaces on a single Catalyst 6500 Series FWSM, or two Catalyst 6500 Series FWSMs in a failover pair, are connected to different service providers and the outbound connection does not use a NAT address.

Using Asymmetric Routing Groups to Allow Asymmetric Routing
To prevent the Catalyst 6500 Series FWSM from dropping such traffic, asymmetric routing groups can be deployed on the interfaces where this is likely to occur. When an interface configured with the asymmetric routing group receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If a match is found, one of these actions occurs:
• If the incoming traffic originated on a peer unit in a failover configuration, a part or the entire Layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, a part or the entire Layer 2 header is rewritten and the packet is reinjected into the stream.

Note: In failover configurations, stateful failover has to be enabled for session information to be passed from the standby unit or failover group to the active unit or failover group.

Enabling Asymmetric Routing
fwsm(config-if)#
asr-group number
• Adds an interface to an asymmetric routing group

[Figure: FWSM 1 and FWSM 2 in a failover pair, each with an inside interface for context A and context B and an outside interface toward the Internet. ASR configuration applied in contexts A and B:]

interface Vlan1
 description INSIDE
 asr-group 1
interface Vlan2
 description OUTSIDE
 asr-group 1
asr-group Parameter

Parameter    Description
number       A value ranging from 1 to 32. Up to 32 asymmetric routing groups can be
             created, each group having a maximum of 8 interfaces.

This command has to be entered for each interface that will participate in the asymmetric routing group.

Using Asymmetric Routing Groups with Asymmetric Routing in Failover with Multiple Contexts

Note: In the example, stateful failover is deployed for asymmetric routing to work properly.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
• IP routing is needed in routed mode to forward packets between interfaces.
• Static routes provide the minimum CPU overhead.
• OSPF and RIP are not supported in multiple context mode.
• BGP stub routing announces only static and connected routes.
• RHI is used to inject connected routes, static routes, and NAT pool information into the MSFC.
• Asymmetric routing is used to allow the return traffic through a different interface than outgoing traffic.

Lesson 6

Implementing Failover

Overview

Objectives

Failover Overview
This topic explains the failover functionality on the Catalyst 6500 Series FWSM.

Redundant Catalyst 6500 Series FWSM Pair

Redundant FWSM high-availability options:
• Active-standby for all contexts
• Active-active

[Figure: an active and a standby FWSM between the outside (campus) network and the inside network.]

The failover configuration requires two identical Catalyst 6500 Series FWSMs connected to each other through a dedicated failover link and, optionally, a state link.
The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from version 3.1(1) to version 3.1(2) and have failover remain active.

Note: It is recommended to upgrade both units to the same version to ensure long-term compatibility.

Both units must have the same license.

Active-standby Failover
The Catalyst 6500 Series FWSM provides high availability firewall services through an active-standby redundancy model. The standby Catalyst 6500 Series FWSM monitors the health of the active FWSM and takes over providing firewall services if it detects a failure of the active FWSM.
Each of the two Catalyst 6500 Series FWSMs in a redundant pair must be configured with access to the same collection of networks.
Active-standby failover is available on units running in either single or multiple context mode.

Active-Active Failover

Note: Both failover configurations support stateful or stateless (regular) failover.

Catalyst 6500 Series FWSM Failover Link
• Dedicated failover link (VLAN)
• Used to determine the operating status of each unit
• Multiple context: resides in system execution space

[Figure: the active and standby FWSMs connected by the failover link, between the outside (campus) network and the inside network.]

The failover configuration requires two identical Catalyst 6500 Series FWSMs connected to each other through a dedicated failover link.
The two Catalyst 6500 Series FWSMs in a failover pair constantly communicate over a failover link to determine the operating status of each unit. This information is communicated over the failover link:
• The unit state (active or standby)
• Hello messages (keepalives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization

Caution: All information sent over the failover and stateful failover links is sent in cleartext, unless you secure the communication with a failover key.

Failover Link Requirements
The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems, as well as ping and Address Resolution Protocol (ARP) failures. For inter-chassis failover, use dedicated interfaces on the switch for the failover link.
In multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces configured in the system context. All other interfaces are allocated to security contexts and configured from within security contexts.

Catalyst 6500 Series FWSM State Link
• Dedicated failover link (VLAN)
• Used to determine the operating status of each unit
• Multiple context: resides in system execution space

[Figure: the active and standby FWSMs connected by the failover link and the state link, between the outside (campus) network and the inside network.]

State Link

Note: The IP address and MAC address for the state link do not change at failover.

Catalyst 6500 Series FWSM Active-standby Failover
• Standby FWSM assumes IP and MAC address

[Figure: the previously active FWSM has failed and the formerly standby FWSM is now active, between the outside (campus) network and the inside network.]

When a failure occurs, the standby Catalyst 6500 Series FWSM becomes active. The previously standby Catalyst 6500 Series FWSM takes over the active module IP addresses and MAC address and begins to process traffic.
No changes are necessary to the ARP or IP addressing information used by any other device in the network; however, the switching engine in the Cisco Catalyst 6500 Series Switch must be informed that the MAC address for the active Catalyst 6500 Series FWSM is now owned by a different module. The Catalyst 6500 Series FWSM sends gratuitous ARPs out on all of its VLAN interfaces to update the Cisco Clean Access Manager (CAM) tables in the Catalyst 6500 Series Switch.

Catalyst 6500 Series FWSM Active-Active Failover
• Standby FWSM assumes IP and MAC address

[Figure: one FWSM is active for failover group 1 and standby for failover group 2; the other FWSM is active for failover group 2 and standby for failover group 1; both sit between the outside (campus) network and the inside network.]

Failover is preemptive if configured to be so: should the other Catalyst 6500 Series FWSM advertise a higher priority for a given failover group, the FWSM with the lower priority can give up its active role.

Note: No special license is necessary for failover.

Failover Event with Active-Active

Note: The failure of a failover group on a unit does not mean that the unit has failed; another failover group might still be passing traffic through that unit.

Intra-chassis Redundancy

[Figure: an active and a standby FWSM hosted in a single Cisco Catalyst 6500 Series Switch, between the outside (campus) network and the inside network.]

A redundant pair of Catalyst 6500 Series FWSMs can be hosted in a single Catalyst 6500 Series Switch chassis.
This approach provides redundancy in the case of a module failure. All of the Catalyst 6500 Series FWSM interfaces, including the failover and state links, are VLANs within the hosting Catalyst 6500 Series Switch. Each Catalyst 6500 Series FWSM is attached to the same VLANs.

Note: The backup Catalyst 6500 Series FWSM does not need a failover cable.

Inter-chassis Redundancy
• Configure spanning tree to block ports on the second Cisco Catalyst 6500 Series Switch

[Figure: the active FWSM in Cisco Catalyst 6500 Series Switch 1 and the standby FWSM in Cisco Catalyst 6500 Series Switch 2, both switches attached to the outside (campus) network and the inside network.]

Note: The Catalyst 6500 Series Switch chassis hosting the redundant Catalyst 6500 Series FWSM is configured so that the chassis containing the primary FWSM is actively switching traffic under normal conditions.

Failover Operation
This topic describes the failover operation.

Module Health Monitoring
• Hellos on failover link determine module health
• ARP requests are sent on all interfaces if hellos are not received

[Figure: the active and standby FWSMs exchanging hellos over the failover link, between the outside (campus) network and the inside network.]

The Catalyst 6500 Series FWSM determines the health of the other unit by monitoring the failover link. When a unit does not receive "hello" messages on the failover link, the unit sends an ARP request on all interfaces, including the failover interface. The Catalyst 6500 Series FWSM retries a user-configurable number of times. The action the Catalyst 6500 Series FWSM takes depends on the response from the other unit. Possible actions include:
• If the Catalyst 6500 Series FWSM receives a response on any interface, it does not fail over.
• If the Catalyst 6500 Series FWSM does not receive a response on any interface, the standby unit switches to active mode and classifies the other unit as failed.
• If the Catalyst 6500 Series FWSM does not receive a response on the failover link only, the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible, because the unit cannot fail over to the standby while the failover link is down.

Partial Switch Failure

[Figure: the active FWSM in Cisco Catalyst 6500 Series Switch 1 and the standby FWSM in Cisco Catalyst 6500 Series Switch 2, between the outside network (Internet) and the inside network.]

Partial Switch Failure (Cont.)

[Figure: the ports of Cisco Catalyst 6500 Series Switch 1 toward the outside and inside networks are down; traffic reaches the still-active FWSM in Switch 1 over the inter-switch trunk.]

The diagram shows a partial switch failure that has downed the ports connecting Catalyst 6500 Series Switch 1 to both the inside and outside networks. The Catalyst 6500 Series FWSM in Catalyst 6500 Series Switch 1 is still active, however, so traffic must transit the inter-switch trunk twice: first as a packet on the outside VLAN, and again as a packet on the inside VLAN.

Interface Monitoring

[Figure: the standby FWSM in Cisco Catalyst 6500 Series Switch 1 and the active FWSM in Cisco Catalyst 6500 Series Switch 2, between the outside network (Internet) and the inside network.]

• Broadcast ping test: The ping test sends out a broadcast ping request. The module counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.
If all network tests fail for an interface, but the interface on the other module continues to successfully pass traffic, the interface has failed. If the threshold for failed interfaces is met, a failover occurs. If the other module interface also fails all the network tests, both interfaces go into the unknown state and do not count toward the failover limit.
An interface becomes operational again if it receives traffic. A failed Catalyst 6500 Series FWSM returns to standby mode if the interface failure threshold is no longer met.

Note: An interface can be marked as failed (auto state down) when there are no longer any physical ports belonging to a VLAN that is configured on the switch for the Catalyst 6500 Series FWSM.

Rapid Link Failure Detection with Cisco IOS Autostate
Detecting and responding to a failover condition can take up to 45 seconds. However, if you are using Cisco IOS Software Release 12.2(18)SXF5 or later on the switch, you can use the autostate feature to bypass the interface testing phase and provide subsecond failover times for interface failures. With autostate enabled, the supervisor engine sends autostate messages to the Catalyst 6500 Series FWSM about the status of physical interfaces associated with FWSM VLANs.

Configuring Failover
This topic describes the steps required to configure failover.

Configuration Overview
• The primary module is active if booted simultaneously
• The primary MAC address is used if possible
• Configuration is synchronized from active to standby:
  copy running-config startup-config
  write standby
  failover suspend-config-sync

[Figure: the primary module (active) and the secondary module (standby).]

Primary and Secondary Roles

Note: Because the configuration is the same on both modules, the hostnames, usernames, and passwords are also the same.

The active module sends the configuration in running memory to the standby module. On the standby module, the configuration exists only in running memory. You can optionally save the configuration to flash memory, so that when you reboot the standby module while the active module is unavailable, the standby module can become the active module. To save the configuration to flash memory after replication, use the copy running-config startup-config command on the active module. In multiple context mode, this command should be used in the system execution space, as well as within each context whose configuration is stored in flash.
When the standby module completes its initial startup, it clears its running configuration, except for the failover commands that must be preconfigured and are not replicated, and the active module sends its entire configuration to the standby module. As commands are entered on the active module, they are sent across the failover link to the standby module.
The write standby command can be used on the active module to cause the standby module to clear its running configuration, after which the active module replicates the entire configuration. Entering the write standby command in the system execution space causes all contexts to be replicated.
Configuration replication can be suspended using the failover suspend-config-sync command.

Active-standby: Defining the Configuration on the Primary FWSM Procedure

Step 1: failover lan interface interface_name vlan vlan
    Designates the failover interface. The example uses "VLAN 100" for the failover interface. This VLAN should not be used for any other purpose except, optionally, the state link, or be assigned to any switch ports. This VLAN does need to be assigned to the FWSM by the switch, and this interface does not need an access control list (ACL), as failover traffic is allowed automatically and other traffic is denied.

Step 2: failover interface ip failover_interface ip_address mask standby ip_address
    Assigns IP addresses to the failover interface on each FWSM. Both the primary and secondary IP address must be in the same network, as defined by the subnet mask.

Step 3: failover link interface_name [vlan vlan]
    Defines the state interface for stateful failover operations. This VLAN should not be used for any other purpose except, optionally, the failover link, or be assigned to any switch ports. If this interface is using the same VLAN as the failover link, the vlan parameter does not need to be specified. The state VLAN needs to be assigned to the FWSM by the switch, and this interface does not need an ACL, as connection state traffic is allowed automatically and other traffic is denied.

Step 4: failover interface ip state_interface ip_address mask standby ip_address
    As with the failover interface, assigns an IP address to the state interface.

Step 5: failover replication http
    (Optional) Directs the active FWSM to replicate state information for HTTP connections. Without this statement, HTTP connections are disconnected in case of a failover. HTTP connections are brief and frequent, and the state information, although updated constantly, might not include the latest HTTP states at failover. For this reason, you might want to disable HTTP replication to reduce the amount of traffic on the state link.

Step 6: failover lan unit primary
    Designates this FWSM as the primary FWSM.
    Note: This command is the only configuration statement that differs between the primary and the secondary FWSM.

Step 7: failover
    Enables failover operations.

Step 8: ip address ip_address [mask] [standby ip_address]
    Adds a standby IP address to any interfaces with an IP address.

Active-Standby: Defining the Configuration on the Secondary FWSM Procedure

Step     Action / Notes

Step 1   failover lan interface interface_name vlan vlan
         Designates the failover interface. The example uses "VLAN 100" for the
         failover interface. This VLAN should not be used for any other purpose
         except, optionally, the state link, or be assigned to any switch ports.
         This VLAN does need to be assigned to the FWSM by the switch, and this
         interface does not need an ACL, as failover traffic is allowed
         automatically and other traffic is denied.

Step 2   failover interface ip failover_interface ip_address mask standby ip_address
         Assigns IP addresses to the failover interface on each FWSM. Both the
         primary and secondary IP address must be in the same network, as
         defined by the subnet mask.
Step 3   failover lan unit secondary
         Designates this FWSM as the secondary FWSM.

         Note    This command is the only configuration statement that differs
                 between the primary and the secondary FWSM.

Step 4   failover
         Enables failover operations.
Active-Active: Defining the Configuration on the Primary FWSM Procedure

Step     Action / Notes

Step 1   failover lan unit primary
         Designates the unit as a primary unit.

Step 2   failover lan interface interface_name vlan vlan
         Designates the failover interface. The example uses "VLAN 100" for the
         failover interface. This VLAN should not be used for any other purpose
         except, optionally, the state link, or be assigned to any switch ports.
         This VLAN does need to be assigned to the FWSM by the switch, and this
         interface does not need an ACL, as failover traffic is allowed
         automatically and other traffic is denied.

Step 3   failover interface ip failover_interface ip_address mask standby ip_address
         Assigns IP addresses to the failover interface on each FWSM. Both the
         primary and secondary IP address must be in the same network, as
         defined by the subnet mask.
Step 4   failover link interface_name [vlan vlan]
         Defines the state interface for stateful failover operations. This VLAN
         should not be used for any other purpose except, optionally, the
         failover link, or be assigned to any switch ports. If this interface is
         using the same VLAN as the failover link, the vlan parameter does not
         need to be specified. The state VLAN needs to be assigned to the FWSM
         by the switch, and this interface does not need an ACL, as connection
         state traffic is allowed automatically and other traffic is denied.

Step 5   failover interface ip state_interface ip_address mask standby ip_address
         As with the failover interface, the state interface needs an IP address
         assigned.

Step 6   failover group 1
           primary
           exit
         failover group 2
           secondary
           exit
         Configures the failover groups, with a maximum of two permitted. Each
         failover group must be defined as either a primary or secondary
         failover group. For load balancing, a different unit preference is
         assigned to each failover group.

Step 7   context context_name
           join-failover-group {1 | 2}
         Assigns each context to a failover group.

Step 8   failover
         Enables failover.

Step 9   changeto context context_name
           monitor-interface interface_name
         Enables monitoring on an interface.
Active-Active: Defining the Configuration on the Secondary FWSM Procedure

Step     Action / Notes

Step 1   failover lan interface interface_name vlan vlan
         Designates the failover interface. The example uses "VLAN 100" for the
         failover interface. This VLAN should not be used for any other purpose
         except, optionally, the state link, or be assigned to any switch ports.
         This VLAN does need to be assigned to the FWSM by the switch, and this
         interface does not need an ACL, as failover traffic is allowed
         automatically and other traffic is denied.

Step 2   failover interface ip failover_interface ip_address mask standby ip_address
         Assigns IP addresses to the failover interface on each FWSM. Both the
         primary and secondary IP address must be in the same network, as
         defined by the subnet mask.
Step 3   failover lan unit secondary
         Designates this FWSM as the secondary FWSM.

         Note    This command is the only configuration statement that differs
                 between the primary and the secondary FWSM.

Step 4   failover
         Enables failover operations.
Configuring Interface Monitoring

fwsm(config)#
monitor-interface interface_name
■ Enables interface monitoring

fwsm(config)#
failover interface-policy number[%]
■ Sets the failover interface policy

[Figure: two Cisco Catalyst 6500 Series switches (Switch 1 standby, Switch 2
active) between the Internet/outside network and the inside network, with the
FWSM configured as:
failover interface-policy 2
monitor-interface inside
monitor-interface outside]
Verification and Troubleshooting

fwsm(config)#
show failover
■ Examines failover status and configuration

fwsm(config)#
show np {1 | 2} fogrp-table {0-2 | all}
■ Examines MAC and flags in network processors (MAC addresses toggle on failover)

fwsm(config)#
show np {1 | 2} vlan {2-4096}
■ Examines failover group ID assigned to an interface

fwsm(config)#
show np {1 | 2} global-table
■ Examines MAC addresses of the failover and logical update interfaces (does not toggle on failover)

To examine the status of the failover operation and configuration, use the commands listed in the table.

Verifying the Status of the Failover Operation and Configuration Commands

Command                                     Description
show failover                               Displays information about the failover status of the unit.
show np {1 | 2} fogrp-table {0-2 | all}     Displays the fogrp-table information.
show np {1 | 2} vlan {2-4096}               Displays the VLAN information.
show np {1 | 2} global-table                Displays the global table information.
Verification and Troubleshooting (Cont.)

fwsm(config)#
debug fover switch
■ Examines failover state machine debugs

fwsm(config)#
debug fover fail
■ Examines failure event debugs

fwsm(config)#
debug fover {rx | tx}
■ Examines failover message reception and transmission

fwsm(config)#
debug fover ifc
■ Examines network interface status trace

To troubleshoot the failover operation and configuration, use the commands listed in the table.

Note    Use these commands with caution in production networks.

Troubleshoot the Failover Operation and Configuration Commands

Command                 Description
debug fover switch      Displays failover switching status
debug fover fail        Displays failover internal exception
debug fover {rx | tx}   Displays failover message receive and message transmit
debug fover ifc         Displays network interface status trace
Verifying the Failover Configuration

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan 20
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Last Failover at: 03:21::0 Mar 02 2006
        This host: Primary - Standby
                Active time: 2453 (sec)
                Interface inside (10.1.10.2): Normal (Not-Monitored)
                Interface outside (10.1.0.1): Normal (Not-Monitored)
        Other host: Secondary - Active
                Active time: 50 (sec)
                Interface inside (10.1.10.1): Normal (Not-Monitored)
                Interface outside (10.0..11): Normal (Not-Monitored)

The show failover command is used to display the failover configuration of the Catalyst 6500
Series FWSM.
The output shown indicates these conditions:
■ Failover is enabled.
■ This Catalyst 6500 Series FWSM is the default primary FWSM in the redundant pair.
■ The failover interface is using VLAN 20.
■ This Catalyst 6500 Series FWSM is currently in standby mode because a failover has
  occurred; the other Catalyst 6500 Series FWSM is in active mode.

Verifying the Failover Configuration (Cont.)

Stateful Failover Logical Update Statistics
        Link : state Vlan 21
        Stateful Obj    xmit    xerr    rcv
        General         339     0       331
        sys cmd         331     0       331
        up time         0       0       0
        RPC services    0       0       0
        xlate           0       0       0
        TCP conn        0       0       0
        UDP conn        0       0       0
        ARP tbl         8       0       0
        RIP Tbl         0       0       0
        L2BRIDGE Tbl    0       0       0
        Xlate Timeout   0       0       0
        TCP NPs         4       0       37
        UDP NPs         0       0       0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       334
        Xmit Q:         0       1       341

This panel displays the remainder of the output from the show failover command.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
■ Cisco Catalyst 6500 Series FWSM failover is provided by an active-standby pair of modules.
■ Failover monitoring is used to cause a failover to the standby Catalyst 6500 Series FWSM in
  response to network events.
■ Configuration statements in the system execution space are used to define the failover
  configuration.

Lesson 7

Implementing Deep Packet Inspection

Overview
This lesson identifies and describes how the Cisco Catalyst 6500 Series Firewall Services
Module (FWSM) handles the packets where inspection beyond protocol headers is required.

Objectives
Upon completing this lesson, you will be able to understand and implement deep packet
inspection on the Catalyst 6500 Series FWSM. This ability includes being able to meet these
objectives:
■ Describe deep packet inspection on the Catalyst 6500 Series FWSM
■ Identify the commands used to configure and verify deep packet inspection
■ Describe the URL filtering functionality
■ Identify the commands to configure and verify the URL filtering functionality
Deep Packet Inspection Overview
This topic explains the deep packet inspection function on the Catalyst 6500 Series FWSM.

Deep Packet Inspection

■ Deep packet inspection examines and modifies application data payload
■ This method fixes applications broken by FWSM:
  - Embedded IP address
  - Embedded TCP/UDP port number
  - Multiple connections
■ This method is also used to provide application-level security:
  - MailGuard
  - URL filtering

Deep packet inspection is used in situations where the Catalyst 6500 Series FWSM needs to
analyze or modify the application data payload contained within an IP packet.
Application data analysis is needed in situations where a protocol uses multiple connections for
one interaction. These applications often use a control connection to a well-known port that can
be specified in the access control lists (ACLs) governing traffic access through the Catalyst
6500 Series FWSM. Secondary data connections are opened to other ports that are not well-
known. Deep packet inspection is used to detect the protocol commands that specify the port
numbers of these secondary connections, so that flow entries can be dynamically added to the
stateful packet inspection tables. FTP is an example of this kind of application.
Application data payload modifications are necessary for applications that embed IP addresses
of either endpoint within the protocol packets that traverse a Catalyst 6500 Series FWSM that
is performing Network Address Translation (NAT) or Port Address Translation (PAT). Data
payload modifications are also used to provide security for some applications. For example,
MailGuard controls access to Simple Mail Transfer Protocol (SMTP) servers and limits the
commands that can be sent to those defined in RFC 2821 (http://tools.ietf.org/html/rfc2821).
URL filtering is also possible with data payload modification.
Application inspection engines work with NAT to help identify the location of embedded
addressing information. This allows NAT to translate these embedded addresses, and to update
any checksum or other fields that are affected by the translation.
Each application inspection engine also monitors sessions to determine the port numbers for
secondary channels. Many protocols open secondary TCP or User Datagram Protocol (UDP)
ports to improve performance. The initial session on a well-known port is used to negotiate
dynamically assigned port numbers. The application inspection engine monitors these sessions,
identifies the dynamic port assignments, and permits data exchange on these ports for the
duration of the specific session.

The figure shows the Catalyst 6500 Series FWSM inspection engine capabilities.
Additional capabilities that are not mentioned in the figure also include these:
■ Specific applications:
  - Microsoft Windows Messenger
  - Microsoft NetMeeting
  - RealPlayer
  - Cisco IP phones
  - Cisco Communicator Softphones
■ Security services, which include Point-to-Point Tunneling Protocol (PPTP)
Inspection engines related to the data center environments are listed in the table.

Inspection Engines Related to the Data Center Environments

Inspection Engine                      Description
Advanced HTTP Inspection Engine        Helps protect from web-based attacks and other types of
                                       port 80 misuse.
Enhanced FTP Inspection Engine         Provides command filtering for more than ten different
                                       FTP commands.
Extended SMTP Inspection Engine        Provides support for Extended SMTP (ESMTP) protocol and
                                       supports filtering potentially harmful commands.
Enhanced Internet Control Message      Provides state tracking of ICMP packets to enable secure
Protocol (ICMP) Inspection Engine      usage of ping, traceroute, etc.
Sun Remote Procedure Call (SunRPC)     Based on implementation from FWSM 2.1 software release.
Inspection Engine                      Some RPC applications like Network Information Service
                                       (NIS+) use SunRPC over TCP; a new configurable option
                                       will be introduced for the SunRPC TCP inspection engine.
                                       The default port is 111. The definition of the new
                                       inspection engine in the inspection engines table allows
                                       the TCP packets matching 111 as source as well as
                                       destination ports to be processed by the SunRPC fixup.
NIS+ Inspection Engine                 Based on implementation from FWSM 2.1 software release,
                                       this inspection engine will inspect portmapper requests
                                       and cache the NIS+ service port number.

Configuring Deep Packet Inspection
■ The inspect command replaces the earlier fixup command
■ Use modular policy framework commands to configure deep packet inspection

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Enabling and applying deep packet inspection always consists of:

■ A class map that identifies the traffic that the Catalyst 6500 Series FWSM submits to the
  inspection engine. Use the class-map command to match the desired traffic, and the match
  command to select the desired traffic.
■ A policy map that links the class map (and thus the relevant traffic) to the inspection
  engine. Define a policy map with the policy-map command:
  - Use the configured class by specifying it with the class command.
  - Under the class, define which inspection engine is to be used with the inspect
    command. You can optionally append a previously defined map.
■ A service policy that applies the policy map to one interface or to all interfaces. Apply the
  policy with the service-policy command.
■ Optionally define maps for various protocols (HTTP, FTP, etc.) to specify protocol- or
  application-related parameters to fine-tune an inspection engine.

Note    Application inspection is enabled by default for many, but not all protocols. To determine the
        inspection engines enabled by default, examine the default policy configuration.

Configuring Inspects for Deep Packet Inspection
■ Inspections are performed by configurable inspection engines
■ Seven inspection engines are not configurable:
  - CUSeeMe
  - NetBIOS Nameserver
  - Oraserv
  - RealAudio
  - Sun RPC over UDP
  - TFTP
  - XDMCP
■ Only the first IP fragment is inspected
■ TCP packets cannot span segments
■ NAT/PAT variations are limited with some engines
■ Performs 4000 DNS inspections per second

Inspects are performed by inspection engines. Seven of these inspection engines are not
configurable, but are enabled by default.
27 inspection engines are individually configurable. Configurable engines can be enabled or
disabled. The ports monitored by the inspection engine are also configured.
Inspection engines have several limitations, including:
■ The first IP fragment is the only fragment of a packet that can be inspected.
■ TCP packets to be inspected must be contained in a single TCP segment.
■ Some inspection engines have limits on the NAT and PAT functions that they support.
■ The Domain Name System (DNS) inspection engine is limited to 4000 fixups per second.

FTP Inspection

[Figure: FTP inspection topology; only the label "Internet" is recoverable from the artwork.]

ftp-map ftp-in
 request-command deny appe cdup
!
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-in

The example shows strict FTP inspect with an FTP map configured.
When FTP is tunneled over HTTP, it prevents web browsers from sending embedded
commands. It will also contain the basic FTP inspection.
If an FTP request contains a command that is not RFC compliant, the connection will be closed
and a syslog will be generated.
If an FTP request includes FTP commands disallowed by an FTP map, the connection will be
closed and a syslog will be generated.

Note    Since the inspect was configured under the global policy, it does not have to be specifically
        appended to the interface. Using the default inspection class does not require you to
        configure a special inspection class.
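The FTP behaviour described here and in the deep packet inspection overview (dynamic flow entries for the PORT/PASV data channels, rewriting of the embedded address under NAT, the strict RFC command check and the ftp-map deny list), modeled as an added Python example; this is not FWSM code, and the class, method names and the constructed session are assumptions.

```python
import re
from dataclasses import dataclass, field

# RFC 959 request commands (constructed subset used by this model).
RFC959_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP",
}
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(parts):
    """Decode the h1,h2,h3,h4,p1,p2 form carried by PORT and the 227 reply."""
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    """Per-session state of a hypothetical FTP inspection engine (not FWSM code)."""
    denied: frozenset                    # commands from "request-command deny"
    strict: bool = True                  # models "inspect ftp strict"
    nat: dict = field(default_factory=dict)       # real inside addr -> mapped addr
    pinholes: list = field(default_factory=list)  # (src, dst, dport) flow entries
    events: list = field(default_factory=list)    # syslog-style messages

    def inspect_request(self, client, server, line):
        """Client-to-server control line. Returns (verdict, line_to_forward)."""
        words = line.split()
        verb = words[0].upper() if words else ""
        if self.strict and verb not in RFC959_COMMANDS:
            self.events.append(f"reset: non-RFC command {verb!r} from {client}")
            return "reset", None
        if verb in self.denied:
            self.events.append(f"reset: command {verb} denied by ftp-map")
            return "reset", None
        m = PORT_RE.match(line)
        if not m:
            return "permit", line
        try:
            ip, port = parse_hostport(m.groups())
        except ValueError as exc:
            self.events.append(f"reset: malformed PORT ({exc})")
            return "reset", None
        if ip != client:
            # strict check: the embedded address must be the control-channel source
            self.events.append(f"reset: PORT address {ip} != client {client}")
            return "reset", None
        # Active mode: the server connects back to the client's data port, so a
        # flow entry is added for exactly that secondary connection.
        mapped = self.nat.get(client, client)
        self.pinholes.append((server, mapped, port))
        if mapped != client:
            # NAT: rewrite the embedded address so it is valid on the outside
            line = "PORT " + format_hostport(mapped, port)
        return "permit", line

    def inspect_reply(self, client, server, line):
        """Server-to-client reply; only 227 (PASV) announces a data endpoint."""
        m = PASV_RE.match(line)
        if not m:
            return "permit", line
        try:
            ip, port = parse_hostport(m.groups())
        except ValueError as exc:
            self.events.append(f"reset: malformed 227 reply ({exc})")
            return "reset", None
        if self.strict and ip != server:
            self.events.append(f"reset: PASV address {ip} != server {server}")
            return "reset", None
        # Passive mode: the client opens the data connection to the server.
        self.pinholes.append((self.nat.get(client, client), ip, port))
        return "permit", line


def run_session(inspector, client, server, exchange):
    """Feed a constructed control-channel exchange, a list of ("C" or "S", line),
    through the inspector; stops at the first reset. Returns the verdicts."""
    verdicts = []
    for side, line in exchange:
        if side == "C":
            verdict, _ = inspector.inspect_request(client, server, line)
        else:
            verdict, _ = inspector.inspect_reply(client, server, line)
        verdicts.append(verdict)
        if verdict == "reset":
            break
    return verdicts
```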

HTTP Inspection

[Figure: HTTP inspection topology; the artwork is not recoverable.]

http-map inbound-http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow
!
class-map http-port
 match port tcp eq www
!
policy-map outside-policy
 class http-port
  inspect http inbound-http
!
service-policy outside-policy interface outside

The example shows HTTP inspect with an HTTP map configured.
These steps have to be completed:
Step 1   Create an HTTP map to define parameters for HTTP inspect.
Step 2   Create a class map for HTTP inspection.
Step 3   Create a policy map for HTTP inspection.
Step 4   Create a service policy to define the scope of inspection.

show Commands
■ Verify deep packet inspection configuration with these commands:
  - show running-config http-map
  - show running-config ftp-map
  - show running-config class-map
  - show running-config policy-map
  - show running-config service-policy
■ Verify deep packet inspection operation with the show service-policy command

fwsm/admin# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      ... output omitted ...

To examine the deep packet inspection configuration, use these commands:

■ show running-config http-map
■ show running-config ftp-map
■ show running-config class-map
■ show running-config policy-map
■ show running-config service-policy
To verify deep packet inspection operation, use the show service-policy command.
fwsm/admin# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

URL Filtering Overview
This topic explains the URL filtering functionality on the Catalyst 6500 Series FWSM.

URL Filtering

[Figure: filtering server, Internet and Catalyst 6500 Series FWSM. Request sent to
filtering server and destination; allowed request is returned to user; denied request is
dropped by Catalyst 6500 Series FWSM.]

Filtering can be applied to connection requests originating from a more secure network to a less
secure network.
Although ACLs can be used to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage in this manner is not practical because of the size and
dynamic nature of the Internet. The Catalyst 6500 Series FWSM can be used in conjunction
with a separate server running one of the Internet filtering products:
■ Websense Enterprise: Supports HTTP, HTTP over Secure Sockets Layer (HTTPS), and
  FTP filtering
■ Secure Computing SmartFilter (formerly N2H2): Supports HTTP and long URL filtering
Although Catalyst 6500 Series FWSM performance is less affected when using an external
server, users may notice longer access times to websites or FTP servers when the filtering
server is remote from the FWSM.

URL Filtering Operation
When a user issues an HTTP, HTTPS, or FTP GET request, the Catalyst 6500 Series FWSM
sends the request to the web or FTP server and to the filtering server at the same time. If the
filtering server permits the connection for the user, these actions occur for each request type:
■ For HTTP, the Catalyst 6500 Series FWSM allows the reply from the web server to reach
  the user who issued the original request.
■ For HTTPS, the Catalyst 6500 Series FWSM allows the completion of Secure Socket Layer
  (SSL) connection negotiation, and allows the reply from the web server to reach the user
  who issued the original request.

■ For FTP, the Catalyst 6500 Series FWSM allows the successful FTP return code to reach
  the user unchanged. For example, a successful return code is 250 (CWD command
  successful).
If the filtering server denies the connection, these actions occur for each request type:
■ For HTTP, the Catalyst 6500 Series FWSM redirects the user to a block page, indicating
  that access was denied.
■ For HTTPS, the Catalyst 6500 Series FWSM prevents the completion of SSL connection
  negotiation. The browser displays an error message, such as: "The Page or the content can
  not be displayed."
■ For FTP, the Catalyst 6500 Series FWSM alters the FTP return code to show that the
  connection was denied. For example, the Catalyst 6500 Series FWSM changes code 250 to
  code 550 (Directory not found).
■ For Secure Computing SmartFilter (formerly N2H2), if you enabled user authentication on
  the Catalyst 6500 Series FWSM for HTTP, HTTPS, or FTP, the FWSM also sends the
  username to the filtering server. The filtering server can then use user-specific filtering
  settings, or provide enhanced reporting per user. Websense supports filtering by IP address
  only.

Note    Filtering applies only to outbound connections.

If user authentication is enabled on the Catalyst 6500 Series FWSM, the FWSM also sends the
username to the filtering server. The filtering server can use username filtering settings or
provide enhanced reporting regarding usage.

Configuring URL Filtering

[Figure: Catalyst 6500 Series FWSM between the Internet and a filtering server at 10.0.10.45.]

url-server (perimeter) vendor websense host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow
!
url-server (perimeter) vendor n2h2 host 10.0.10.45
filter url http 10.0.0.0 255.0.0.0 0 0 allow

URL filtering is configured first by identifying the filtering servers.

Configuring Websense Server

To identify a Websense Enterprise server, enter the url-server vendor websense command.
url-server [(if_name)] vendor websense host ip_address [timeout seconds] [protocol tcp
[version {1 | 4}] | udp]

url-server vendor websense Parameters

Parameter                        Description
if_name                          The interface through which the FWSM communicates with the
                                 server.
host ip_address                  The Websense server IP address.
timeout seconds                  The number of seconds between 10 and 120 before the FWSM
                                 stops trying to connect to the server and attempts to connect
                                 to the next server in the list (if available). The default
                                 value is 30 seconds.
protocol tcp [version {1 | 4}]   Specifies that communication between the FWSM and the
                                 Websense server uses TCP, which is the default protocol.
                                 Version 4 is recommended, although version 1 is the default.
                                 Version 4 allows the FWSM to send authenticated usernames to
                                 the Websense server and to support URL caching.
protocol udp                     Specifies UDP, which has greater throughput, but which does
                                 not support long URLs.

Configuring Secure Computing SmartFilter
To identify an N2H2 SmartFilter server, enter the url-server vendor n2h2 command.

url-server vendor n2h2 Parameters

Parameter           Description
if_name             The interface through which the FWSM communicates with the server.
host ip_address     The N2H2 server IP address.
port number         Specifies the port used to communicate with the N2H2 server. The
                    default is 4005 for TCP or UDP.
timeout seconds     The number of seconds between 10 and 120 before the FWSM stops
                    trying to connect to the server and attempts to connect to the next
                    server in the list (if available). The default value is 30 seconds.
protocol tcp        Specifies that communication between the FWSM and the N2H2 server
                    uses TCP, which is the default protocol.
protocol udp        Specifies UDP, which has greater throughput, but which does not
                    support long URLs.

Enabling Buffering
By default, when a user issues a request to connect to a website or FTP server, the Catalyst
6500 Series FWSM sends the request to the web or FTP server, and to the filtering server at the
same time. If the filtering server does not respond before the web or FTP server, the reply from
the web or FTP server is dropped. To avoid dropping traffic, you can configure the Catalyst
6500 Series FWSM to buffer replies from web and FTP servers. When the filtering server
eventually responds, the Catalyst 6500 Series FWSM can allow the connection.

url-block block Parameters

Parameter              Description
block_buffer_limit     Sets the amount of memory assigned to the buffer from 0 to 128
                       blocks. Each block is 1550 bytes.

Enabling Caching

Note    Requests for cached IP addresses are not passed to the filtering server and are not logged.
        As a result, this activity does not appear in any reports.

To enable caching, enter the url-cache command.
url-cache {dst | src_dst} kbytes

url-cache Parameters

Parameter    Description
dst          Configures the FWSM to cache the destination server address for any user that
             accesses the server.
src_dst      Configures the FWSM to cache the source and destination server address, so
             access is only cached for a given user at the source address.
kbytes       Specifies the cache size between 1 and 128 KB.

Identifying Traffic

To identify HTTP traffic to be filtered by a filtering server, enter the filter url command.
filter url {http | port[-port]} source_ip source_mask dest_ip dest_mask [allow] [proxy-block]
[longurl-truncate | longurl-deny] [cgi-truncate]

filter url Parameters

Parameter                         Description
http | port[-port]                Specifies the port to which the HTTP request is sent, with the
                                  http keyword specifying port 80.
source_ip source_mask             Specify the source address and mask for requests that are to
                                  be filtered. Specify 0 0 for all addresses.
dest_ip dest_mask                 Specify the destination server address and mask. Specify 0 0
                                  for all addresses.
allow                             Configures the FWSM to allow connections to pass without
                                  filtering if the filtering server is unavailable. Connections
                                  are dropped without this option.
proxy-block                       Prevents users from connecting to an HTTP proxy server.
longurl-truncate | longurl-deny   Specify the processing for URLs that are longer than the
                                  maximum length of 1159 bytes. By default, the FWSM drops the
                                  packet if the request is a long URL. If you specify the
                                  longurl-truncate option, the FWSM sends the hostname or IP
                                  address portion of the URL for evaluation to the filtering
                                  server. The longurl-deny option denies the URL and forwards
                                  the user to the block page.
cgi-truncate                      Configures the FWSM to truncate Common Gateway Interface
                                  (CGI) URLs to include only the CGI script location and the
                                  script name, but not the parameters.

Note    The maximum length of 1159 bytes can be increased for Websense servers.

To exempt traffic from being filtered, enter the filter url except command.
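The filter url request path described in this topic (the request is sent on to the filtering server, a url-cache hit skips that lookup, long URLs are dropped, truncated to the host portion or denied, CGI parameters are stripped, and allow decides what happens when the filtering server is unreachable), modeled as an added Python example; this is not Cisco code, and the class, method names and the constructed filtering-server stand-in are assumptions.

```python
from urllib.parse import urlsplit

MAX_URL_LEN = 1159  # default maximum URL length sent to the filtering server


class UrlFilterPolicy:
    """One "filter url" statement plus its url-cache setting (hypothetical model)."""

    def __init__(self, allow=False, longurl=None, cgi_truncate=False, cache=None):
        # allow: pass connections unfiltered when the filtering server is unavailable
        # longurl: None (drop long URLs, the default), "truncate" or "deny"
        # cache: None, "dst" or "src_dst" (the url-cache mode)
        if longurl not in (None, "truncate", "deny"):
            raise ValueError("longurl must be None, 'truncate' or 'deny'")
        if cache not in (None, "dst", "src_dst"):
            raise ValueError("cache must be None, 'dst' or 'src_dst'")
        self.allow, self.longurl = allow, longurl
        self.cgi_truncate, self.cache_mode = cgi_truncate, cache
        self.cache = set()

    def query_url(self, url):
        """What would be sent to the filtering server for this URL.

        Returns ("query", url_to_send), ("deny", reason) or ("drop", reason)."""
        parts = urlsplit(url)
        if self.cgi_truncate and parts.query:
            # CGI request: keep the script location and name, strip the parameters
            url = parts._replace(query="", fragment="").geturl()
        if len(url.encode("utf-8")) > MAX_URL_LEN:
            if self.longurl == "truncate":
                # only the hostname or IP address portion is sent for evaluation
                url = f"{parts.scheme}://{parts.netloc}/"
            elif self.longurl == "deny":
                return "deny", "long URL denied"
            else:
                return "drop", "long URL dropped (default)"
        return "query", url

    def cache_key(self, src, url):
        """url-cache dst keys on the server only; src_dst also keys on the user."""
        host = urlsplit(url).netloc
        if self.cache_mode == "dst":
            return host
        if self.cache_mode == "src_dst":
            return (src, host)
        return None

    def handle_request(self, src, url, filter_server):
        """filter_server: callable(src, url) -> True to permit, or None when
        the filtering server is unreachable. Returns (action, reason)."""
        key = self.cache_key(src, url)
        if key is not None and key in self.cache:
            # cached: not passed to the filtering server and not logged
            return "permit", "url-cache hit"
        action, value = self.query_url(url)
        if action != "query":
            return action, value
        if filter_server is None:
            if self.allow:
                return "permit", "filtering server unavailable, allow configured"
            return "drop", "filtering server unavailable"
        if filter_server(src, value):
            if key is not None:
                self.cache.add(key)
            return "permit", "permitted by filtering server"
        return "deny", "redirected to block page"


def demo_filter_server(src, url):
    """Constructed stand-in for the Websense/N2H2 server: blocks one host name."""
    return urlsplit(url).netloc != "blocked.example"


if __name__ == "__main__":
    policy = UrlFilterPolicy(allow=True, longurl="truncate", cgi_truncate=True,
                             cache="src_dst")
    for u in ("http://www.example.com/index.html",
              "http://www.example.com/cgi-bin/search?q=" + "a" * 1200,
              "http://blocked.example/"):
        print(policy.handle_request("10.0.1.5", u, demo_filter_server))
    # second request to a cached server while the filtering server is down
    print(policy.handle_request("10.0.1.5", "http://www.example.com/x", None))
```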

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
■ Deep packet inspection examines and modifies application data payload.
■ Deep packet inspection fixes applications broken by the Cisco Catalyst 6500 Series FWSM.
■ URL filtering is used in combination with an external server.
■ Traffic from blacklisted URLs is denied by the Catalyst 6500 Series FWSM.

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

■ The Cisco Catalyst 6500 Series FWSM analyzes and modifies fields in the IP, UDP, and
  TCP headers, using stateful packet filtering to control traffic between two or more networks.
■ VLANs are used to connect the Catalyst 6500 Series FWSM to the network in either routed
  or transparent mode.
■ The Catalyst 6500 Series FWSM uses TCP connection management, NAT policies and deep
  packet inspection to detect and mitigate attacks.
■ The Catalyst 6500 Series FWSM supports multiple security contexts to implement virtual
  firewalls and provide centralized services under distributed control.
■ The Catalyst 6500 Series FWSM supports both active-standby and stateful active-active
  failover, in either intra-chassis or interchassis configurations.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.

Q1)  How many Catalyst 6500 Series FWSM modules are supported in a Cisco Catalyst
     6509 switch chassis? (Source: Implementing Traffic Flows)
     A) 2
     B) 4
     C) 7
     D) 8
Q2)  Which statement is true regarding Catalyst 6500 Series FWSM transparent mode?
     (Source: Implementing Traffic Flows)
     A) Each interface has a unique IP address.
     B) Only one VLAN is required per context.
     C) Transparent mode firewalls pass only routed traffic.
     D) Transparent mode firewalls pass multicast traffic.
Q3)  In what order does the Catalyst 6500 Series FWSM match real addresses to NAT
     commands? (Source: Implementing Traffic Flows)
     A) Static NAT and PAT, policy dynamic NAT, regular dynamic NAT, NAT
        exemption
     B) NAT exemption, static NAT and PAT, policy dynamic NAT, regular dynamic
        NAT
     C) Policy dynamic NAT, regular dynamic NAT, static NAT and PAT, NAT
        exemption
     D) NAT exemption, policy dynamic NAT, regular dynamic NAT, static NAT and
        PAT
Q4)  What feature prevents malicious users from impersonating hosts or routers? (Source:
     Implementing ACLs)
     A) ARP inspection
     B) Ethertype ACLs
     C) Extended ACLs
     D) NAT exemption
Q5)  What has to be configured prior to enabling the SSH remote access to the Catalyst 6500
     Series FWSM? (Source: Implementing Management Access)
     A) AAA server
     B) RSA key
     C) Router operational mode
     D) Admin context
Q6)  Which routing protocols does the Catalyst 6500 Series FWSM actively participate in?
     (Source: Implementing Routing)
     A) BGP and RIP
     B) EIGRP and BGP
     C) OSPF and RIP
     D) OSPF and EIGRP



A) Deep packet inspection
B) Dynamic PAT
C) SYN cookies
D) URL filtering

A) Destination VLAN and destination IP address
B) Destination VLAN and source IP address
C) Source VLAN and destination IP address
D) Source VLAN and source IP address

Module Self-check Answer Key
B

()
'
D

Module 3

Implementing Network Analysis with Cisco NAM

Overview

Module Objectives

Lesson 1

Introducing Cisco NAM

Overview

Objectives

Network Traffic Monitoring Overview
This topic describes network traffic monitoring, the motive, and the benefits.

Importance of Monitoring Traffic

Challenges:
* Ensure traffic flow and optimum performance from one point to another
* Receive information before an outage or service degradation
* Understand the cause for slow network, traffic, or application
* Proactive monitoring

Benefits:
* Ease deployment of new technologies
* Improve utilization of network resources
* Efficient planning for network growth
* Reduce network downtime and failures
* Gain facts to justify expenditures and ROI

Challenges
Network administrators and corporate executives understand that managing the network is important and vital to business operations. It is simply not enough to know if a device is down or the network is slow. You need to be proactive by monitoring the devices and the network and watching for trends or deviations from an established baseline.

When there is a network problem, you must have the right information to make decisions to resolve the problem quickly. You can obtain this information only by monitoring the application traffic and knowing who is generating the traffic and where the traffic is going. If more bandwidth is warranted, recommendations need to be justified. Network monitoring can provide the cost justification. Visibility into the performance of networks, and the systems and applications that run on them, is essential. By gaining visibility into the network, you can proactively resolve problems, plan for changes in resource usage, and manage valuable network resources.

Benefits
Cisco makes managing the network easy by providing visibility into the network and building intelligence into the devices.

Can networks run without performance management? Can network engineers redesign networks without understanding how the existing network is being used? Can new applications be deployed over existing networks without understanding the impact of the application traffic on the performance of the application or the performance of other existing applications? By leveraging performance data, you can perform tasks more efficiently and effectively.



Monitoring networks helps you to maximize investments in the following ways:

* Improve utilization of network resources
* Facilitate deployment of new technologies, such as voice, Multiprotocol Label Switching (MPLS), and quality of service (QoS)
* Enable efficient planning for future network growth
* Reduce network downtime and failures


Network Performance Management

(Figure: Campus, Branch, WAN, and Data center sites feeding a central collection point)

* Various data collection sources:
  - Device interfaces
  - Spanned traffic from ports and VLANs
  - NetFlow data exports
* Collection purpose:
  - Application response times (server farm)
  - Bandwidth usage
  - Troubleshooting

Data can be gathered and analyzed from various data sources:

* Router and switch interfaces
* Traffic spanned or forwarded from ports and VLANs
* NetFlow Data Exports (NDEs)
* Packet headers (DiffServ and Type of Service [ToS] bits)
* Network-Based Application Recognition (NBAR)

Port-level or interface statistics may be the first alarm when issues arise. These statistics are available most of the time by simply querying the router or switch. It may only be necessary to monitor these statistics at critical points in the network and not at all access points.

Collecting statistics at upper-layer protocols (network through application) would require the use of NetFlow or a Remote Monitoring version 2 (RMON2) probe or analyzer, such as Cisco NAM. NetFlow and Cisco NAM can provide visibility into what (applications, hosts, conversations) is using valuable WAN or LAN resources at the core or distribution layers and at the WAN edge or access layer.

To gather information about the traffic traversing the network, the packets need to be analyzed. Packets on an interface or NetFlow statistics can be copied, spanned, or forwarded from other devices or interfaces. The information in the packet headers can provide a wealth of information on how the network is being used. (How this occurs is discussed later in this lesson.)

But the traffic cannot be analyzed if it is not seen. Therefore, where you gather the data and why you are gathering the data should be a big part of Cisco NAM deployment planning. The location where you gather the data depends on your collection purpose:

* Application response times (server farm)
* Bandwidth usage
* Troubleshooting

What Data to Collect

* Port-level statistics: utilization, collisions, and fragments:
  - Basic physical statistics are good for usage trending and baselining
  - Useful anywhere in the network
  - Not necessary for all user ports
* Detailed physical-, network-, and application-layer data:
  - Collect Layer 2-7 statistics for understanding traffic breakdown
  - Valuable for WAN aggregation links
  - Valuable for LAN aggregation links (building-to-building, distribution-to-core, server farm-to-core)
* What collection intervals?
  - Shorter intervals for real-time monitoring and troubleshooting (5-30 seconds)
  - Longer intervals for historical trending (5-15 minutes)


Network Performance Metrics

* Response time: Time elapsed between the end of a query on one end of a conversation pair and the beginning of a response from the other end of the pair. Latency, a function of response time, is any characteristic of a network or system that increases the response time.
* Reliability: A measurement of the consistency of performance of any network, system, or application, according to its specifications.
* Device or interface utilization: The amount of data moved successfully from one place to another in a given time with a specified amount of bandwidth.
* Network utilization patterns: How the network is being used, including protocols and users, and how the patterns are changing.

Measuring the health of a network is typically done with business performance metrics, such as the following:

* Response time: The elapsed time between the end of a query on one end of a conversation pair and the beginning of a response from the other end of the pair. Latency is any characteristic of a network or system that increases the response time.
* Reliability: A measurement of the consistency of any network, system, or application in performing according to its specifications.
* Utilization: The percentage of total bandwidth used for transporting data. Utilization is often monitored on an ongoing basis to evaluate usage of the network over time for capacity-planning purposes.

These metrics can be used to evaluate how well network, system, and application resources are performing and how these resources affect the delivery of network services, both for present analysis and future planning.

Deploying Monitoring per Purpose

(Figure: Branch, Campus, WAN Edge, and Data center sites, each mapped to a monitoring purpose)

* Real-Time Traffic Monitoring (Utilization, Conversations, Top Talkers, Protocols)
* Historical Reporting (Statistics over Time)
* Fault Isolation and Troubleshooting (Thresholds, Alarms, Packet Decode)
* Performance Monitoring (Response Times, Health, VoIP, QoS)

NAM Deployment Dependent on Monitoring Purposes
* Troubleshooting: Determining the cause of network issues can be aided by the use of packet captures or packet decodes, or by setting threshold conditions on statistics collected and alarming on the conditions when a threshold is reached.
* Performance analytics: Evaluating the experience of the end user with using the network can empower your organization to be more proactive in responding to application response times or voice or video quality issues. Also, monitoring the traffic per differentiated services code point (DSCP) values can help with fine-tuning QoS settings.

The Big Picture Defined

Interface Statistics

* Interfaces store performance statistics on the traffic received and sent:
  - Statistics over time
  - Can be obtained via SNMP
  - Can trigger an event upon threshold reached
* Typical interface statistics include:
  - Utilization
  - Packets in and out
  - Bytes in and out
  - Multicast packets in and out
  - Errors

The Cisco Catalyst 6500 Series Switches collect statistics on the amount of traffic or number of errors on each of their interfaces. These statistics are stored in a MIB in the device and can be retrieved by applications using SNMP.

Most devices also support mini-Remote Monitoring (mini-RMON) statistics, which supplies more than just these interface statistics. It also provides these statistics and features:

* Host statistics: Byte and packet counts to and from a host (by MAC address at the data-link layer, network address at the network layer, and network address at the application layer).
* Conversation statistics: Byte and packet counts from one host to another (by MAC address at the data-link layer, network address at the network layer, and network address at the application layer).
* Thresholds and alarms: RMON can set up thresholds to look for various conditions (for example, link utilization greater than 70 percent for 60 seconds) and inform a management station with an SNMP trap when the condition occurs.


SNMP MIBs

* MIB:
  - Variables defining device status (e.g., temperature = 85 degrees)
  - Just facts, not whether it is good or bad
  - Defined according to SMI rules
  - A managed object is described using a unique OID
* MIB I and MIB II:
  - Standard MIB for devices
* MIB extensions:
  - VLAN statistics, VoIP, SMON, DSMON MIBs
  - RMON I and II MIBs
  - Vendor specific: Cisco MIB
  - ART MIB

(Figure: MIB I and MIB II tree with the System group (description) and the Interfaces group (traffic counts, error counts, per-interface-type entries))

RMON MIB Contents

* RMON I (statistics on Layers 1 and 2):
  - Traffic rates, errors, and packet size distribution
  - Short- and long-term history of statistics over time
  - Threshold conditions set on statistics
  - Event for reaching thresholds (alarms)
  - Hosts and conversations
  - Packet filters and captures
* RMON II (statistics on Layers 3 through 7):
  - Master list of protocols seen on data source
  - Statistics on these protocols
  - Hosts and conversations (network and application layers)

(Figure: RMON MIB subtree, showing the RMON I standard and RMON II standard groups)

The figure shows the contents of the RMON MIB. The RMON MIB is a standard MIB included as a subtree off the MIB2 subtree.

RMON, in brief, collects the following:

* Basic layer statistics: Line utilization, packets, and errors, and protocol utilization and packets
* Host statistics: Byte and packet counts to and from a host by MAC address at Layer 2, network address at Layer 3, and network address at the application layer
* Conversation statistics: Byte and packet counts from one host to another by MAC address at Layer 2, network address at Layer 3, and network address at the application layer
* Packet capture: To capture a subset of network traffic for detailed protocol analysis
* Thresholds and alarms: To set up thresholds to look for various conditions, such as exceeding a specified byte rate or packet rate, and to inform a management station with an SNMP trap when the condition occurs

Due to the large number of statistics gathered per interface, most RMON implementations are in standalone network devices, often called RMON analyzers, such as the Network Analysis Module (NAM). The exception to this is the use of a small subset of RMON implemented on a switch to collect basic data-link layer statistics and a brief history of these statistics, and to be able to set thresholds against the statistics, all on a per-port basis. This subset of RMON is known as mini-RMON (statistics, history, alarms, and events).

RMON II offers extensions to the RMON I standard by providing statistics beyond the data-link layer. Statistics are available on the network layer through the application layer. Basically, RMON II looks deeper into every packet it analyzes to detail which network layer addresses are consuming the most bandwidth, which network layer addresses are talking to each other, and which applications, identified by port numbers, are consuming bandwidth.
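The interface-statistics passage above (link utilization above 70 percent for 60 seconds raising an SNMP trap) and the RMON thresholds-and-alarms bullet describe the same mechanism; the following added example, which is not course or Cisco NAM code, works it through: polled ifInOctets/ifOutOctets counters are turned into percent utilization and fed to an RMON-style rising/falling threshold. It assumes 30-second polls on a 100 Mb/s full-duplex interface; the sample readings are constructed.

```python
"""Interface utilization from polled SNMP counters with an RMON-style alarm.
Added example (not course or Cisco NAM code). Assumes ifInOctets/ifOutOctets
polled every 30 s on a 100 Mb/s full-duplex link; samples are constructed.
"""
from collections import namedtuple
COUNTER32_MAX = 2 ** 32  # Counter32 wraps here; prefer ifHCInOctets (64-bit) on fast links
Sample = namedtuple("Sample", "t in_octets out_octets")  # poll time (s), in, out

# Constructed polls: ~80% inbound load, one quiet interval (26.7%), load again
SAMPLES = [
    Sample(0, 0, 0),
    Sample(30, 300_000_000, 1_000_000),
    Sample(60, 600_000_000, 2_000_000),
    Sample(90, 900_000_000, 3_000_000),
    Sample(120, 1_000_000_000, 4_000_000),
    Sample(150, 1_300_000_000, 5_000_000),
    Sample(180, 1_600_000_000, 6_000_000),
]
def counter_delta(old, new, width=COUNTER32_MAX):
    """Difference between two counter readings, tolerating one wrap-around."""
    return new - old if new >= old else new + width - old

def utilization_pct(prev, cur, if_speed_bps, full_duplex=True):
    """Percent utilization between two polls: busier direction on full duplex,
    both directions summed on a shared (half-duplex) medium."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be in increasing time order")
    d_in = counter_delta(prev.in_octets, cur.in_octets)
    d_out = counter_delta(prev.out_octets, cur.out_octets)
    octets = max(d_in, d_out) if full_duplex else d_in + d_out
    return 100.0 * octets * 8 / (if_speed_bps * interval)

def rmon_alarms(samples, if_speed_bps, rising=70.0, falling=50.0, hold_s=60):
    """Poll times at which a rising-threshold event fires. The event fires once
    utilization has stayed >= rising for hold_s seconds and is not raised again
    until a poll at or below falling re-arms it, so a flapping link does not
    flood the management station with traps (RMON alarm hysteresis)."""
    events, above_since, armed = [], None, True
    for prev, cur in zip(samples, samples[1:]):
        util = utilization_pct(prev, cur, if_speed_bps)
        if util >= rising:
            if above_since is None:
                above_since = prev.t
            if armed and cur.t - above_since >= hold_s:
                events.append(cur.t)
                armed = False
        else:
            above_since = None
            if util <= falling:
                armed = True
    return events

def demo():
    return rmon_alarms(SAMPLES, if_speed_bps=100_000_000)  # returns [60, 180]
```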

NetFlow Statistics

* NetFlow is used to analyze packets sent through a NetFlow-enabled device
* Inspects the packet and stores statistics per flow
* Flow is determined by the protocol and conversation information
* Statistics can be exported via NDE to collectors
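To show what "statistics per flow" and the RMON II host, conversation, and application views amount to, here is an added example (not course, NAM, or NetFlow code): packets are keyed on the NetFlow 5-tuple plus ToS, counted per flow, and then rolled up into top talkers, top conversations, and bytes per application port. The packet records are constructed; treating the lower port of a flow as the service port is a simplification assumed for the example.

```python
"""NetFlow-style flow aggregation over constructed packet records.
Added example (not course, NAM, or NetFlow code): flows are keyed on the
NetFlow 5-tuple plus ToS and summarized the way an RMON II report would be.
"""
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, ip_proto, src_port, dst_port, tos, bytes)
PACKETS = [
    ("10.1.1.10", "10.2.2.20", 6, 51000, 443, 0, 1500),
    ("10.1.1.10", "10.2.2.20", 6, 51000, 443, 0, 1500),
    ("10.2.2.20", "10.1.1.10", 6, 443, 51000, 0, 64),
    ("10.1.1.11", "10.2.2.20", 17, 40000, 53, 0, 80),
    ("10.1.1.10", "10.2.2.21", 6, 51001, 80, 0, 900),
    ("10.1.1.11", "10.2.2.20", 17, 40000, 53, 0, 80),
]

def build_flows(packets):
    """Flow cache: key = (src, dst, proto, sport, dport, tos) -> packet/byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, sport, dport, tos, length in packets:
        entry = flows[(src, dst, proto, sport, dport, tos)]
        entry["packets"] += 1
        entry["bytes"] += length
    return dict(flows)

def top_talkers(flows, n=3):
    """Bytes sent plus received per host address (RMON II host table)."""
    per_host = defaultdict(int)
    for (src, dst, *_), stats in flows.items():
        per_host[src] += stats["bytes"]
        per_host[dst] += stats["bytes"]
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_conversations(flows, n=3):
    """Bytes per unordered host pair, both directions combined (RMON II matrix)."""
    pairs = defaultdict(int)
    for (src, dst, *_), stats in flows.items():
        pairs[tuple(sorted((src, dst)))] += stats["bytes"]
    return sorted(pairs.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def bytes_per_application(flows):
    """Bytes per (proto, service port); the lower port is assumed to be the service."""
    apps = defaultdict(int)
    for (_, _, proto, sport, dport, _), stats in flows.items():
        apps[(proto, min(sport, dport))] += stats["bytes"]
    return dict(apps)
```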

(Figure: NetFlow Engine)