Top
Browse > Home / Design / Design: Cisco Firewall Services Module Virtualization Design Traps

Design: Cisco Firewall Services Module Virtualization Design Traps

18 November, 2008 by Greg Ferro            Print Posting

The Cisco Firewall Service Modules (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Lets review this.

The Cisco Firewall Services Module (FWSM) is a module that installs into the a Catalyst 6500 switch, and connects via 6 x 1 gigabit ethernet channel bonded into a single Etherchannel on the backplane. Delivering up to 6 gigabits per second at less than 300W in a C6500 chassis it has got some potential as a high performance firewall.

When used in multi-context mode to provide multiple logical firewalls there are some specific considerations.

Virtualisation

The Cisco FWSM uses what appears to be a type-2 hypervisor to provide multiple logical firewalls from a single physical unit (very similar to that method used Cisco ASA/PIX platforms). I model that function along these lines when showing the System Context and the Admin context.

fwsm-classifier-4.jpg

Packet Classification

Each packet that enters the FWSM in Routed Mode must be classified and then allocated to a context. Each packet is sent to a context. In the event that the packet cannot be classified, it will send the packet to the Admin context. It is very important to understand this when troubleshooting.

The FWSM uses a single GLOBAL MAC ADDRESS across all interfaces. You cannot change it.

This is not a problem unless the multiple contexts want to share the same VLAN interface. If two virtual contexts share the same VLAN (regardless of IP address), then the FWSM OS must use some other
criteria to determine which context is the destination for the packets because all interfaces have the same MAC address

From the manual:

Routed Mode Only
The FWSM lets you share an interface between contexts. However, packet classification requirements might make sharing interfaces impractical. Because the classifier relies on active NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.

Note: The FWSM does not support sharing the outside interface of one context with the inside interface of another context (known as cascading contexts). Traffic that is outbound from one context (from a higher to a lower security interface) can only enter another context as inbound traffic (lower to higher security); it cannot be outbound for both contexts, or inbound for both contexts.

Lets start with something that works:

Single Context per VLAN

When the virtual context contains a single FWSM interface in a given VLAN,
the FWSM classifier will classify all packets into that context. This is
illustrated in the figure below.

fwsm-classifier-1.jpg

In this design we have two VLANs, one front and one back, and only one VLAN with an SVI configured with an IP address.

Think carefully about your VLAN interfaces on your Supervisor

A classic mistake1 is to think you can configure two interface on your Supervisor and then add VLANs to the FWSM. Of course, these will be in the same routing process and the packets will never reach the FWSM.

fwsm-classifier-5.jpg

Use VRF-lite or MPLS to configure around this problem, since the routing tables will be separate in each VRF the interfaces do not exist is a single routing space and would look something like this. Herewith is the reason why Security Engineers need to have some MPLS skills.

fwsm-classifier-6.jpg

It would also be possible to use Policy Based Routing but this nearly always ends in tears.

Multiple Contexts per VLAN

In the scenario in which multiple contexts have interfaces within the
same VLAN, the classifier will continue to intercept packets and extract the destination IP address. The classifier can use NAT statements to establish to which context to send the packets to. Thus for a number of firewalls that share a VLAN with public IP addresses, perform NAT on all traffic to RFC1918 addresses you can have many contexts on a single VLAN, the but the private VLANs MUST be separate.

Thus the following will work correctly:

fwsm-classifier-2.jpg

The scenarios described above are valid and correct design solutions. The following describes invalid scenarios that must be avoided. They all
relate to scenarios where multiple contexts have interfaces within a
single VLAN.

The classifier does not use the routing for classification. Even though
a context includes a static route that points to an external router as
the next hop to a subnet, and a different context includes a static
command for the same subnet, then the classifier uses the static command
to classify packets destined for that subnet and ignores the static
route.

The routing table is ignored in every case. The figure below illustrates this scenario.

fwsm-classifier-3.jpg

As mentioned earlier, the FWSM classifier can use a mapped address in an
active dynamic address translation (set by the global command) to permit
traffic. This can results in working one way flows, which may be desirable, whereby egress traffic from the DMZ is forwarded to the FWSM the traffic is placed in the translation table, and return packets that are part of the flow will return through this flow.

Static NAT Hack

However, a new inbound flow will never be classified and will be dumped
to the Admin context. In this case a static NAT is required.

It is possible to solve this problem using a static NAT added to configuration, but this is not a particularly scalable solution, and would be hard to maintain since you would not normally configure NAT for every access rule unless you actually wanted to perform address translation.

Hard Lessons - Shared

I had a few hard lessons on configuring the Cisco FWSM before I fully understood how the packet classifier worked. You should take some time to learn this before you start designing with FWSM.

It might be worth noting that the Juniper NetScreen OS has similar issues but, possibly, handles it better than the FWSM (if only just).

Footnote: Cisco PIX / ASA virtualization

Most of the information above applies to Cisco ASA/PIX when used in Multiple Context Mode, but the option of building cascading contexts and multiple contexts per VLAN is possible because you can configure the MAC address on the interface (which is recommended practice anyway because of failover MAC addresses when the secondary starts before the primary).

VN:F [1.0.8_357]
Please rate this post :    Why ?
Rating: 10.0/10 (3 votes cast)
Share:
  • Reddit
  • Digg
  • del.icio.us
  • Facebook
  • StumbleUpon
  • TwitThis
  • LinkedIn
  • Technorati

Footnotes

  1. I’ll admit I have done this twice when I wasn’t thinking properly [back]
Filed Under: Design
Tagged:

Speak Your Mind

Tell us what you're thinking...

Bottom