Appendix 8.2.8 Firewall Services Module

Overview

This appendix includes the following topics:

■

Objectives

■

FWSM Overview

■

Network Model

■

Getting Started

■

Using PDM with the FWSM

■

Troubleshooting the FWSM

■

Summary

Objectives

Upon completion of this appendix, the student will be able to
perform the following tasks:

■

Describe the FWSM features and benefits.

■

Explain the similarities and differences between the FWSM
and the PIX Security Appliance.

■

Describe a typical deployment scenario for the FWSM.

■

Initialize the FWSM.

■

Configure the switch VLANs.

■

Configure the FWSM interfaces.

■

Prepare the FWSM to work with PDM.

■

Install PDM on the FWSM.

FWSM Overview

FWSM Key Features

FWSM Key Features (Cont.)

FWSM and PIX Security Appliance Comparison

FWSM and PIX Security Appliance Feature Comparison (cont.)

Cayalyst 6500 Switch Requirements

This section introduces the FWSM.
The Cisco Firewall Services Module (FWSM) is an integrated
module for the Cisco Catalyst 6500 Series Switch. The Cisco
Catalyst 6500 provides intelligent services such as firewall
capability, intrusion detection, and virtual private networking,
along with multilayer LAN, WAN, and MAN switching
capabilities.
The Cisco FWSM is a high-performance firewall solution,
providing 5 Gbps of throughput per module and scaling to 20Gb of
bandwidth with multiple modules in one chassis. The FWSM is
completely VLAN aware, offers dynamic routing, and is fully
integrated within the Cisco Catalyst 6500 Series switches. The
FWSM is based on Cisco PIX Security Appliance technology, and
therefore offers the same security and reliability. It includes the
entire PIX Security Appliance 6.0 software feature set and some of
the features of PIX Security Appliance software version 6.2.
the FWSM also offers dynamic routing via RIP and OSPF, intra-
and inter-chassis failover, a variety of management options, and
secure out-of-band management via IPSec. It supports the
following features of PIX Security Appliance software version 6.2:

■

Command authorization

■

Object grouping

■

ILS/NetMeeting fixup

■

URL filtering enhancement

The FWSM can operate with 802.1q and Inter-Switch Link (ISL)
protocols and supports up to 100 firewall VLANs. Other ways in
which the FWSM differs from the PIX Security Appliance are as
follow:

■

By default, both inbound and outbound connections are
denied.

■

The conduit command is not supported.

■

Active X and Java filtering fixups are not supported.

■

By default, the http fixup is disabled.

■

Bi-directional NAT is not supported.

■

The OSPF routing protocol is supported.

Other differences between the FWSM and the PIX Security
Appliance include the following:

■

No licensing is required.

■

VPN functionality (IPSEC, PPTP and L2TP) for packets
flowing across the firewall is not supported.

■

IDS Syslog messages are not generated.

■

The maximum number of ACLs supported is 128,000.

The FWSM occupies one slot in a Cisco Catalyst 6500 switch. Up
to four modules can be installed in the same switch chassis. The
FWSM has the following requirements for the Catalyst 6500
switch:

■

Supervisor 2 with Multilayer Switch Feature Card 2
(MSFC2)

■

Native Cisco IOS® software release 12.1(13)E or higher

■

Hybrid CatOS minimum software release 7.5(1)

Network Model: Typical FWSM deployments and traffic flow

Figure [1]: Firewalling with the FWSM

Figure 2 Packet Flow with MSFC as Connected Router on the Outside

Figure 3 Packet Flow with MSFC as Connected Router on Inside (Cont.)

Packet Flow with MSFC Not Used as Connected Router on Any Firewall
Interface

The Firewall Services Module can be used in a variety of
topologies depending on the network needs. For example, in a data
center the requirement may be to provide access control or
segregate security domains. A security domain can be a collection
of servers with the same security level. Within that domain,
multiple subnets or server farms can exist. When configured to
function on the perimeter of the network, the FWSM module can
provide access control to the inside network as a whole, or
segregate multiple security zones through VLAN interfaces of

different security levels. The security zones can be either in the
same network or can define the boundaries of multiple networks.
The FWSM configuration has the following characteristics:

■

Each firewall interface is a Layer 3 interface. It is uniquely
associated with a VLAN, a Security Level and an IP
address.

■

An interface is firewalled depending on where the interface
is used. The module interfaces are firewalled while all other
interfaces in the system are considered to be outside the
firewall. Each firewall interface has a fixed VLAN.

■

The MSFC may be configured as a connected router on any
one and only one firewall interface, but it is not necessary
to configure the MSFC as a connected router. The FWSM
views all networks or sub-networks beyond an interface as
belonging to the same security level.

■

Traffic from all of the non-firewall VLANs in the switch
(those not recognized by the module) is routed through the
MSFC without being stopped by the firewall.

The Figure [1] shows a firewall configuration with the FWSM[1].
The switch and the router beneath it represent a FWSM and a
Multilayer Switch Feature Card (MSFC) respectively within same
switch. The MSFC, which provides multiprotocol routing with
multi-layer switching for the Catalyst 6000 family switch Ethernet
interfaces, is used in this example as a router on the network inside
the firewall. VLANs 100, 101 and 102 are configured as firewall
VLANs. The MSFC is connected to only one of the controlled
firewall interfaces. All router interfaces configured on the MSFC
are considered to be the same security level as the firewall
interface to which the MSFC is connected. In this example,
VLANs 201 and 202, which are not configured as controlled, are
considered inside the firewall, but traffic between them is routed
by the MSFC without being protected by the firewall.

Figure 2 shows some of the VLANs carrying traffic assigned to the
FWSM[2]. Only the traffic on those VLANs is protected by
firewalls. The arrows trace a connection originating from VLAN
201 (effectively inside) and destined for the outside interface. The
following sequence of events occurs:

1. The packet from the inside interface (VLAN 201) is bridged

to the MSFC interface.

2. The MSFC routes the packet to the firewall interface

(VLAN 100).

3. The firewall module rewrites the packet with the destination

VLAN as 200. The packet from the firewall module is
bridged to the outside interface.

4. The return packet from the outside interface on VLAN 200

is bridged to the firewall interface.

5. The firewall re-writes the packet with the destination VLAN

as 100. The packet from the FWSM is bridged to the MSFC
interface.

6. The MSFC routes the packet back to the inside interface (VLAN
201).
Figure 3 explains the case in which the MSFC is not used as a
connected router on any firewall interface[3]. The arrows trace a
connection originating from VLAN 100 (inside) and destined for
the outside interface. The following sequence of events occurs

1. The packet from the inside interface on VLAN 100 is

bridged to the FWSM interface.

2. Depending on the firewall configuration, the FWSM

rewrites the packet with the destination VLAN as 200. The
packet from the firewall module is bridged to the outside
interface.

3. The return packet from the outside interface on VLAN 200

is bridged to the FWSM interface.

4. Depending on the firewall configuration and earlier state

maintained as a result of packet 1, the FWSM rewrites the
packet with the destination VLAN as 100.

The packet from the firewall module is bridged to the inside
interface.

FWSM Configuration

Figure 1 Getting Started with the FWSM

Figure 2 Initializing the FWSM

Figure 3 FWSM Initialization Commands

Figure 4 FWSM Initialization Commands (Cont.)

Figure 5 Initializing the FWSM Example

Figure 6 Configuring the Switch VLAN

Figure 7 Switch VLAN Configuration Example

Figure 8 Configuring the FWSM Interfaces

Administrators can access the switch Command Line Interface
(CLI) through a Telnet connection to the switch or through the
switch console interface. From the switch console, an administrator
can session into the FWSM to configure it.

Before an administrator can configure the FWSM, the
following tasks must be completed.

■

Initialize the FWSM

■

Configure the switch VLANs

■

Configure the FWSM interfaces

Step 1

Enter the show module command to verify that the system
acknowledges the new module and has brought it online. The
syntax for the show module command is as follows:
show module [mod-num | all]

mod-num

Number of the module and the port on the module.

all

Displays the information for all modules.

The following is an example of the output of the show module
command:

Figure: The output of the show module command

Step 2

Use the session slot command to establish a console session
with the module. The syntax for the session slot command is
as follows:

session slot mod {processor processor-id}

mod

Slot number

processor processor-
id

Processor ID

Step 3

At the login prompt, type root to log in to the root account.

Step 4

At the password prompt, type root as the root password.

Step 5

Use the ip address command to configure the IP address and

subnet mask. The syntax for the ip address command is as follows:

ip address ip-address netmask

Ip-address

IP address of the module

netmask

Netmask for ip-address

Step 6

Use the ip broadcast command to configure the IP broadcast
address. The syntax for the ip broadcast command is as
follows:

ip broadcast broadcast-address

broadcast-address Broadcast address for network ip-address

Step 7

Use the ip host command to configure the IP host module used
in the CLI prompt, show commands, and log messages. The syntax
for the ip host command is as follows:

ip host hostname

hostname

Module name to be used in CLI prompt,
show commands, and log message

Step 8

Use the ip gateway command to configure the default gateway.
The syntax for the ip gateway command is as follows:

ip gateway gateway-address

gateway-address

Gateway of last resort to be bused by the
module

Step 9

Use the ip domain command to configure the domain name for
the module. The syntax for the ip domain command is as
follows:

ip domain domain-name

domain-name

Domain name for the module

Step 10

Use the ip nameserver command to configure one or more IP
addresses as DNS name servers. The syntax for the ip
nameserver command is as follows:

ip nameserver name-server1 [name-server2][name-server3]]

name-server1

IP address of DNS sever(s)

name-server2

IP address of second DNS server if using a
second DNS server

name-server3

IP address of third DNS server if using a third
DNS server

Figure 5shows an example of initializing a firewall module in Slot
9 of a Catalyst 6500 switch[5].

To prevent losing the switch configuration or having the definition
of a firewall interface becoming out of synchronization between
the module and the route processor, the administrator should first
configure a VLAN on the route processor MSFC and then
configure the VLANs for the module. VLAN IDs must be the same
for the switch and the module. The route processor configuration
for the module requires only a single VLAN for the firewall and a
non-firewall VLAN. After the route processor VLAN is
configured, the controlled VLAN is sent to the module. The
administrator can then configure the module firewall functions.
To enable a single controlled VLAN as the router interface on the
route processor, complete the following steps:

Step 1

Use the interface vlan command to define a controlled
VLAN on the MSFC (route processor). The syntax of the
interface vlan command is as follows:

interface vlan vlan_number

vlan_number

Number of the VLAN

Step 2

Use the vlan command to create VLANs. The syntax for the

vlan command is as follows:

vlan vlan_number no shut

vlan_number

Number of the VLAN

Step 3

Use the firewall vlan-group command to create a firewall

group of controlled VLANs. The syntax for the firewall
vlan-group command is as follows:

firewall vlan-group firewall_group vlan_range

firewall_group

Name of the firewall vlan group

vlan_range

Numerical range of VLAN numbers to be included
in the group

Step 4

Use the firewall module command to attach the VLAN and

firewall group to the slot where the module is located. The syntax
for the firewall module command is as follows:

firewall module module_number vlan-group firewall_group

module_number

Number of the module

firewall_group

Name of the firewall vlan group

Step 5

Use the end command to update the VLAN database and return to

privileged EXEC mode. The syntax for the end command is as
follows:

end

The figure shows how to enable a controlled VLAN in global
configuration mode.
VLAN 100 is defined as the single controlled VLAN on the
MSFC. VLANs 200, 100, 101, and 102 are then created in the
switch and assigned to firewall vlan group 3. Group 3 is attached
to slot 3, the slot in which the FWSM is installed.

To configure the module interfaces, complete the following steps:

Step 1

Use the moduleif command to assign a module and security

level to each interface on the module. The syntax of the
moduleif command is as follows:

moduleif vlan_id if_module security_level

Step 2

Use the ip address command to configure an IP address and

netmask for each module interface. The syntax for the ip
address command is as follows:

ip address if_module ip_address [netmask]

Once the FWSM is initialized, and the switch vlans and the FWSM
interfaces are configured, the administrator is ready to configure
the FWSM to allow the desired traffic to protected networks. This
will require the creation of Access Control Lists ACLs to allow
outbound as well as inbound traffic. This is because the FWSM,

unlike the PIX Security Appliance, denies all inbound and
outbound connections that are not explicitly permitted by ACLs.
Configuring the firewall policy in the FWSM is much like doing so
in the PIX Security Appliance because the FWSM application
software is similar to that of the PIX Security Appliance software.
For a description of the PIX Security Appliance commands
supported by the FWSM, go to the following

http://www.cisco.com/en/US/products/hw/switches/ps708/products
_installation_and_configuration_guide_chapter09186a00800e3be0
.html

This page contains the following:

■

Commands that support the maintenance software

■

Cisco IOS commands that support the FWSM

■

New commands specific to the FWSM

■

PIX Security Appliance commands that were changed for
the FWSM

■

PIX Security Appliance commands that are not used by the
FWSM

■

PIX Security Appliance commands used by the FWSM and
their corresponding PIX Security Appliance software
versions

Using PDM with the FWSM

Figure 1 PDM and the FWSM

Figure 2 Preparing the FWSM for PDM

Figure 3 Using PDM with the FWSM

The PDM can be used to configure and monitor the FWSM. When
running on the FWSM, PDM looks somewhat different because it
does not have the Wizards menu or the VPN tab. Furthermore, the
System Properties Interfaces table looks different. Running on the
FWSM, the interfaces in the table are a combination of interfaces
configured on the FWSM and the output from the show vlan
command. PDM supports VLANs and Syslog rate limiting but
does not support OSPF.
The figure shows the steps needed to prepare the FWSM to use
PDM. Be sure to have initialized the FWSM before attempting to
install PDM.
To start using PDM to configure the FWSM, use the HTTP secure
(https) command and type the following address:
https://IP address of FWSM
The IP address is the address of one of the VLAN interfaces on the
FWSM.

Troubleshooting the FWSM

Figure 4 Status LED

Figure 5 Status LED Descriptions

Figure 6 Resetting and Rebooting the FWSM

Figure 7 Memory Test

This section provides troubleshooting information that can be used
to determine the possible causes for the Catalyst 6000 FWSM not
functioning properly.
The status LED is a quick method to determine the state of the
FWSM. The status LED is located in the left corner of the module.
LED status colors are described in the following table:

If it is impossible to reach the module through the CLI or an
external Telnet session, enter the hw-mod module
module_number reset command to reset and reboot the
module. The reset process requires several minutes. The syntax for
the command is as follows:

hw-module module module_number reset

module_number

Number of module *** wish to reset

The figure shows how to reset the module, installed in Slot 9, from
the CLI. [***Figure reference—Which Figure shows this?]

When the FWSM initially boots, by default it runs a partial
memory test. To perform a full memory test, use the hw-module
module module_number memtest- full command. The
syntax of the command is as follows:

hw-module module module_number mem-test-full

module_number

Number of module

A full memory test takes more time to complete than a partial
memory test depending on the memory size. The table lists the
memory and approximate boot time for a long memory test.

Memory Size

Boot Time

512MB 3

minutes

1GB 6

minutes

Summary

Figure 8 FWSM Configuration Summary

This section has introduced the FWSM line card, summarized its
configuration, and introduced its control via the PDM.