CCNP BCMSN Exam Certification Guide (3rd Edition)

8-4. Firewall Load-Balancing Appliance

A Cisco CSS acts as a multilayer switch and performs FWLB as well as many other types of content processing. A CSS interface can carry a single VLAN or a trunk with multiple VLANs.

A CSS unit must be placed on each side of a firewall farm so that connections are load-balanced to the firewalls in each direction. Firewalls are defined individually rather than as a distinct firewall farm.

The CSS performs a route lookup on each inbound connection to determine the possible firewalls that can be used. The CSS then computes the exclusive OR (XOR) of the source and destination IP addresses as a hash value to select which firewall will receive the connection.

Keepalives (custom ICMP packets) are sent from one CSS to the other at regular intervals. If keepalives are not received from the opposite CSS through a firewall, that firewall is declared dead (failed).

CSS FWLB Configuration

You can use the following steps to configure FWLB on one CSS device. Remember that FWLB requires a load-balancing device on each side of the firewall farm. Be sure to repeat the entire configuration process for the outside and inside CSS FWLB platforms.

1. Configure each CSS physical interface.

  1. Select the interface:

    (config) interface interface_name

  2. Configure trunking mode (one or multiple VLANs):

    (config-if) bridge vlan vlan-id

    or

    (config-if) trunk

    To carry only one VLAN on the interface, use the bridge vlan vlan-id command. The interface is assigned to VLAN number vlan-id (1 to 4094; the default is 1). The CSS performs Layer 2 bridging between interfaces with the same VLAN assignments.

    To carry multiple VLANs on the interface, you can configure it as an 802.1Q trunk. Use the trunk command.

  3. (Optional; trunk only) Identify each VLAN to be trunked:

    (config-if) vlan vlan-id

    VLAN number vlan-id (1 to 4094) is encapsulated on the trunk link. To identify the VLAN as the native VLAN (unencapsulated or untagged frames), follow this with the default-vlan command.

2. Assign IP addresses to the CSS VLANs.

  1. Define a logical circuit:

    (config) circuit circuit_name

    Here, the circuit represents a logical interface within the CSS. You can see a list of available circuit names with the circuit ? command. Generally, circuit_name is a VLAN that has been configured in the CSS, of the form VLANvlan-id.

  2. Assign an IP address:

    (config-circuit) ip address ip_address subnet_mask
    (config-circuit-ip) enable

3. (Optional) Define a default route toward the public network:

    (config) ip route 0.0.0.0 0.0.0.0 next-hop-address

On the outside CSS unit, you should configure a default route so that traffic can be forwarded to and from the public network. The next-hop-address is the IP address of the nearest router in the public network.

4. Define each firewall in the firewall farm:

    (config) ip firewall index local_firewall_address remote_firewall_address remote_css_address

You must assign each firewall in the farm a unique arbitrary index number (1 to 254). The firewall must have the same index configured in both inside and outside CSS units.

You must also define the firewall in terms of its IP addresses. The local_firewall_address is the address of the interface nearest to the CSS, and the remote_firewall_address is the address nearest to the CSS on the other side of the firewall. The other CSS unit must also be defined by its IP address remote_css_address. (The remote-side IP addresses are defined here because of how the CSS detects firewall failures.)

5. Define static routes to reach beyond the firewall farm:

    (config) ip route ip_address subnet_mask firewall index distance

The CSS on one side of the firewall farm needs to know about any networks that are located on the other side. You can define a static route to the network ip_address with a subnet mask subnet_mask (either in dotted-decimal or /n prefix length notation). This route can be reached through the firewall with an index number index (1 to 254).

You can also assign an administrative distance to the route (1 to 254; the default is 1; lower is more preferable) to control whether static or dynamic routes are preferred. The same distance value can be used to differentiate between two or more sets of firewalls.

For example, if you normally expect traffic to pass through one firewall farm (indices 1 through n), you could use a distance of 1. Then define other static routes to the same destination network, but point to a different firewall and use a higher distance. The route (and firewalls) with the lower distance is used unless all of them have failed.

6. (Optional) Adjust the keepalive timing:

    (config) ip firewall timeout seconds

Each CSS unit expects to receive keepalive probes at regular intervals from the CSS on the other side of the firewall farm. The keepalive probes are sent at the interval given by seconds (3 to 16; the default is 3 seconds) and are expected to be received at that same interval.

TIP

You must configure the keepalive timeout interval identically for the CSS units on both sides of the firewall farm. With identical configurations, both units correctly detect a failed keepalive from each other at the same time. At that time, each unit declares its side of the firewall to be dead, and subsequent connections are assigned to another firewall. Otherwise, if both units don't detect the same failure, connections could be improperly assigned to the firewalls in an asymmetric fashion.

TIP

Each CSS sends an ICMP packet as a keepalive to the target address of the opposing CSS unit. Each CSS also substitutes the destination MAC address of the specific firewall that is being tested so that the keepalive probe passes through that firewall.

For this reason, you must make sure that each firewall in the firewall farm is configured to pass ICMP packets between the two CSS IP addresses. The ICMP packets (both echo and echo-reply) must be able to pass through the firewall in both directions (outside to inside and inside to outside).
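The XOR-based firewall selection described at the start of this section and the keepalive-timeout asymmetry warned about in the first TIP, modelled together in Python as an added example (not CSS code and not from the book): the XOR of source and destination is commutative, so the two CSS units pick the same firewall for a flow only as long as they agree on which firewalls are alive. Mapping the hash onto the sorted live set with a modulo, the timestamps and the 10.1.1.x client addresses are assumptions of the model.

```python
from ipaddress import IPv4Address

FIREWALLS = [1, 2, 3]  # index numbers from the "ip firewall <index> ..." commands


def xor_hash(src: str, dst: str) -> int:
    """XOR of the two 32-bit addresses: identical for both directions of a flow."""
    return int(IPv4Address(src)) ^ int(IPv4Address(dst))


def select_firewall(src: str, dst: str, live: list) -> int:
    """Map the hash onto the firewalls this CSS currently believes are up. Taking
    the hash modulo the sorted live set is an assumption of this model."""
    if not live:
        raise RuntimeError("no live firewall in the farm")
    return sorted(live)[xor_hash(src, dst) % len(live)]


class CssUnit:
    """One side of the farm: when did a keepalive last arrive through each firewall?"""

    def __init__(self, timeout: int):
        self.timeout = timeout  # the "ip firewall timeout <seconds>" value
        self.last_seen = {fw: 0 for fw in FIREWALLS}

    def keepalive_received(self, fw: int, now: int) -> None:
        self.last_seen[fw] = now

    def live_firewalls(self, now: int) -> list:
        # A firewall is declared dead once no probe has come through it within the timeout.
        return [fw for fw in FIREWALLS if now - self.last_seen[fw] <= self.timeout]

    def assign(self, src: str, dst: str, now: int) -> int:
        return select_firewall(src, dst, self.live_firewalls(now))


def asymmetric_assignments(outside_timeout: int, inside_timeout: int, now: int) -> list:
    """Firewall 2 stops passing keepalives after t=0 while 1 and 3 keep working.
    Return the constructed flows that the outside CSS (client -> server) and the
    inside CSS (server -> client) would send through different firewalls at time
    `now`; an empty list means both units still agree on every flow."""
    outside, inside = CssUnit(outside_timeout), CssUnit(inside_timeout)
    for unit in (outside, inside):
        for fw in FIREWALLS:
            unit.keepalive_received(fw, 0)    # whole farm healthy at t=0
        for fw in (1, 3):
            unit.keepalive_received(fw, now)  # 1 and 3 still pass probes
    flows = [("10.1.1.%d" % i, "192.168.199.100") for i in range(1, 7)]  # constructed clients
    return [(src, dst) for src, dst in flows
            if outside.assign(src, dst, now) != inside.assign(dst, src, now)]
```

With equal timeouts both units drop firewall 2 at the same moment and the list stays empty; with mismatched timeouts (for example 3 and 6 seconds) there is a window in which every constructed flow is sent through one firewall outbound and another inbound.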

CSS Appliance Firewall Load-Balancing Example

The network from the example in section 8-2 is reused here so that you can get a feel for the difference between IOS FWLB, CSM FWLB, and CSS FWLB configurations.

Performing FWLB using this method requires two CSS load-balancing devices:

  • One located externally with respect to the firewall farm

  • One located internally with respect to the firewall farm

Figure 8-7 shows a network diagram for this example.

Figure 8-7. Network Diagram for the CSS FWLB Example

The firewall farm consists of three real firewalls.

The outside (unprotected) interfaces of the three real firewalls are at 192.168.100.3, 192.168.100.4, and 192.168.100.5. On the outside, the default gateway to the public network is 192.168.1.1, and the outside CSS unit is at 192.168.1.2.

The inside (protected) interfaces of the three real firewalls are at 192.168.200.3, 192.168.200.4, and 192.168.200.5. The inside CSS unit performs firewall load balancing for outbound traffic to the firewall farm. On the internal secure network (192.168.199.0/24), one server is in use at 192.168.199.100. This server supports both inbound HTTP and Telnet connections.

Basic Firewall Configuration

This section begins with coverage of the firewall configurations. Firewalls A and B are FWSMs installed in the Catalyst A chassis. Firewall C is an external Cisco PIX Firewall, connected to Catalyst A through a Gigabit Ethernet link. This section shows the configuration commands to give you a basic idea of all the pieces that must be configured for FWLB using an FWLB appliance. Notice that all three firewalls have identical security policies configured. This is important because any of the three firewalls could be assigned connections from any pair of inside and outside hosts.

Notice also that access list rules have been configured to allow the inside and outside CSS units to pass ICMP packets between each other. This is important to allow each CSS to monitor the health of each firewall:

    Firewall(config)# hostname fwsm-a
    fwsm-a(config)# nameif vlan100 outside security0
    fwsm-a(config)# nameif vlan200 inside security100
    fwsm-a(config)# ip address outside 192.168.100.3 255.255.255.0
    fwsm-a(config)# ip address inside 192.168.200.3 255.255.255.0
    fwsm-a(config)# icmp permit 192.168.100.0 255.255.255.0 outside
    fwsm-a(config)# icmp permit 192.168.200.0 255.255.255.0 inside
    fwsm-a(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.255 0 0
    fwsm-a(config)# static (inside,outside) 192.168.200.1 192.168.200.1 netmask 255.255.255.255 0 0
    fwsm-a(config)# static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0
    fwsm-a(config)# object-group icmp-type ICMP
    fwsm-a(config-icmp)# icmp-object echo
    fwsm-a(config-icmp)# icmp-object echo-reply
    fwsm-a(config-icmp)# icmp-object time-exceeded
    fwsm-a(config-icmp)# icmp-object unreachable
    fwsm-a(config-icmp)# exit
    fwsm-a(config)# access-list acl_out permit icmp host 192.168.100.1 host 192.168.200.1
    fwsm-a(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
    fwsm-a(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www
    fwsm-a(config)# access-list acl_out permit icmp any host 192.168.199.100 object-group ICMP
    fwsm-a(config)# access-list acl_in permit ip 192.168.199.100 255.255.255.255 any
    fwsm-a(config)# access-list acl_in permit icmp host 192.168.200.1 host 192.168.100.1
    fwsm-a(config)# access-group acl_out in interface outside
    fwsm-a(config)# access-group acl_in in interface inside
    fwsm-a(config)# route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    fwsm-a(config)# route inside 192.168.199.0 255.255.255.0 192.168.200.1 1

    ________________________________________________________________

    Firewall(config)# hostname fwsm-b
    fwsm-b(config)# nameif vlan100 outside security0
    fwsm-b(config)# nameif vlan200 inside security100
    fwsm-b(config)# ip address outside 192.168.100.4 255.255.255.0
    fwsm-b(config)# ip address inside 192.168.200.4 255.255.255.0
    fwsm-b(config)# icmp permit 192.168.100.0 255.255.255.0 outside
    fwsm-b(config)# icmp permit 192.168.200.0 255.255.255.0 inside
    fwsm-b(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.255 0 0
    fwsm-b(config)# static (inside,outside) 192.168.200.1 192.168.200.1 netmask 255.255.255.255 0 0
    fwsm-b(config)# static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0
    fwsm-b(config)# object-group icmp-type ICMP
    fwsm-b(config-icmp)# icmp-object echo
    fwsm-b(config-icmp)# icmp-object echo-reply
    fwsm-b(config-icmp)# icmp-object time-exceeded
    fwsm-b(config-icmp)# icmp-object unreachable
    fwsm-b(config-icmp)# exit
    fwsm-b(config)# access-list acl_out permit icmp host 192.168.100.1 host 192.168.200.1
    fwsm-b(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
    fwsm-b(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www
    fwsm-b(config)# access-list acl_out permit icmp any host 192.168.199.100 object-group ICMP
    fwsm-b(config)# access-list acl_in permit ip 192.168.199.100 255.255.255.255 any
    fwsm-b(config)# access-list acl_in permit icmp host 192.168.200.1 host 192.168.100.1
    fwsm-b(config)# access-group acl_out in interface outside
    fwsm-b(config)# access-group acl_in in interface inside
    fwsm-b(config)# route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    fwsm-b(config)# route inside 192.168.199.0 255.255.255.0 192.168.200.1 1

    ________________________________________________________________

    Firewall(config)# hostname pix-c
    pix-c(config)# interface gb-ethernet0 1000full
    pix-c(config)# interface gb-ethernet1 1000full
    pix-c(config)# nameif gb-ethernet0 outside security0
    pix-c(config)# nameif gb-ethernet1 inside security100
    pix-c(config)# ip address outside 192.168.100.5 255.255.255.0
    pix-c(config)# ip address inside 192.168.200.5 255.255.255.0
    pix-c(config)# icmp permit 192.168.100.0 255.255.255.0 outside
    pix-c(config)# icmp permit 192.168.200.0 255.255.255.0 inside
    pix-c(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.255 0 0
    pix-c(config)# static (inside,outside) 192.168.200.1 192.168.200.1 netmask 255.255.255.255 0 0
    pix-c(config)# static (inside,outside) 192.168.100.1 192.168.100.1 netmask 255.255.255.255 0 0
    pix-c(config)# object-group icmp-type ICMP
    pix-c(config-icmp)# icmp-object echo
    pix-c(config-icmp)# icmp-object echo-reply
    pix-c(config-icmp)# icmp-object time-exceeded
    pix-c(config-icmp)# icmp-object unreachable
    pix-c(config-icmp)# exit
    pix-c(config)# access-list acl_out permit icmp host 192.168.100.1 host 192.168.200.1
    pix-c(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
    pix-c(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www
    pix-c(config)# access-list acl_out permit icmp any host 192.168.199.100 object-group ICMP
    pix-c(config)# access-list acl_in permit ip 192.168.199.100 255.255.255.255 any
    pix-c(config)# access-list acl_in permit icmp host 192.168.200.1 host 192.168.100.1
    pix-c(config)# access-group acl_out in interface outside
    pix-c(config)# access-group acl_in in interface inside
    pix-c(config)# route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    pix-c(config)# route inside 192.168.199.0 255.255.255.0 192.168.200.1 1
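Because any of the three firewalls can be handed any flow, a policy difference between them shows up as connections that succeed through one firewall and fail through another. The following Python check, added here and not part of the book or of any Cisco tool, strips the CLI prompts from listings in the format above, keeps only the policy commands, and reports every firewall that deviates from what the majority of the farm has configured. The excerpts are constructed from the listings above, with pix-c deliberately given a wrong static netmask and a missing www rule so that the check has something to find.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the three firewall listings above (not the
# full configs); pix-c is deliberately made inconsistent for the demonstration.
CONFIGS = {
    "fwsm-a": """
fwsm-a(config)# ip address outside 192.168.100.3 255.255.255.0
fwsm-a(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.255 0 0
fwsm-a(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
fwsm-a(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www
fwsm-a(config)# access-group acl_out in interface outside""",
    "fwsm-b": """
fwsm-b(config)# ip address outside 192.168.100.4 255.255.255.0
fwsm-b(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.255 0 0
fwsm-b(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
fwsm-b(config)# access-list acl_out permit tcp any host 192.168.199.100 eq www
fwsm-b(config)# access-group acl_out in interface outside""",
    "pix-c": """
pix-c(config)# ip address outside 192.168.100.5 255.255.255.0
pix-c(config)# static (inside,outside) 192.168.199.100 192.168.199.100 netmask 255.255.255.0 0 0
pix-c(config)# access-list acl_out permit tcp any host 192.168.199.100 eq telnet
pix-c(config)# access-group acl_out in interface outside""",
}

# Commands that make up the shared security policy; per-device lines such as
# hostname, nameif and interface addresses legitimately differ and are skipped.
POLICY_PREFIXES = ("access-list ", "access-group ", "static ", "icmp permit ",
                   "object-group ", "icmp-object ")
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def policy_lines(listing: str) -> set:
    """Strip the CLI prompt from each line and keep only policy commands."""
    lines = set()
    for raw in listing.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        if cmd.startswith(POLICY_PREFIXES):
            lines.add(" ".join(cmd.split()))  # normalise spacing before comparing
    return lines


def policy_drift(configs: dict) -> dict:
    """Baseline = policy lines present on a majority of firewalls. Report each
    firewall whose policy deviates, since any firewall may be handed any flow."""
    policies = {name: policy_lines(text) for name, text in configs.items()}
    counts = Counter(line for lines in policies.values() for line in lines)
    baseline = {line for line, n in counts.items() if 2 * n > len(policies)}
    return {name: {"missing": sorted(baseline - lines), "extra": sorted(lines - baseline)}
            for name, lines in policies.items() if lines != baseline}
```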

Outside CSS FWLB Configuration

The outside CSS unit is configured with three firewalls and three static routes. Notice that each of the static routes lists the internal (secure) network as the destination and has each firewall as a next-hop gateway address. Firewall keepalive probes are sent and are expected every 3 seconds by default. The configuration commands are as follows:

    (config) interface ethernet-1
    (config-if) description "Outside public network"
    (config-if) bridge vlan 10
    (config) circuit VLAN10
    (config-circuit) description "Circuit to the outside network"
    (config-circuit) ip address 192.168.1.2 255.255.255.0
    (config-circuit-ip) enable
    (config) interface ethernet-2
    (config-if) description "Firewall farm outside"
    (config-if) bridge vlan 100
    (config) circuit VLAN100
    (config-circuit) description "Circuit to the firewall farm"
    (config-circuit) ip address 192.168.100.1 255.255.255.0
    (config-circuit-ip) enable
    (config) ip route 0.0.0.0 0.0.0.0 192.168.1.1
    (config) ip firewall 1 192.168.100.3 192.168.200.3 192.168.200.1
    (config) ip firewall 2 192.168.100.4 192.168.200.4 192.168.200.1
    (config) ip firewall 3 192.168.100.5 192.168.200.5 192.168.200.1
    (config) ip route 192.168.199.0 255.255.255.0 firewall 1 1
    (config) ip route 192.168.199.0 255.255.255.0 firewall 2 1
    (config) ip route 192.168.199.0 255.255.255.0 firewall 3 1
    (config) ip route 192.168.200.0 255.255.255.0 firewall 1 1
    (config) ip route 192.168.200.0 255.255.255.0 firewall 2 1
    (config) ip route 192.168.200.0 255.255.255.0 firewall 3 1

Inside CSS FWLB Configuration

The inside CSS unit is also configured with the inside addresses of the three firewalls. Notice this time that three static routes have been configured as default routes to reach the outside public network. Each one has a different firewall as a next-hop gateway address. Firewall keepalive probes are sent and are expected every 3 seconds by default. The configuration commands are as follows:

    (config) interface ethernet-1
    (config-if) description "Firewall farm inside"
    (config-if) bridge vlan 200
    (config) circuit VLAN200
    (config-circuit) description "Circuit to the firewall farm"
    (config-circuit) ip address 192.168.200.1 255.255.255.0
    (config-circuit-ip) enable
    (config) interface ethernet-2
    (config-if) description "Inside private network"
    (config-if) bridge vlan 400
    (config) circuit VLAN400
    (config-circuit) description "Circuit to the inside network"
    (config-circuit) ip address 192.168.199.1 255.255.255.0
    (config-circuit-ip) enable
    (config) ip firewall 1 192.168.200.3 192.168.100.3 192.168.100.1
    (config) ip firewall 2 192.168.200.4 192.168.100.4 192.168.100.1
    (config) ip firewall 3 192.168.200.5 192.168.100.5 192.168.100.1
    (config) ip route 0.0.0.0 0.0.0.0 firewall 1 1
    (config) ip route 0.0.0.0 0.0.0.0 firewall 2 1
    (config) ip route 0.0.0.0 0.0.0.0 firewall 3 1

Displaying Information About CSS FWLB

Table 8-4 lists the CSS commands that you can use to display helpful information about CSS FWLB configuration and status.

Table 8-4. Commands to Display CSS FWLB Configuration and Status

Command Syntax                                       Display Function
---------------------------------------------------  ---------------------------------------
show ip firewall                                     Firewall status
show ip routes firewall                              Static routes to firewalls
show flows [source_address [destination_address]]    Load-balancing connections to firewalls
