
Understanding Cisco Secure Firewall Services Module 4.x Routing and Feature Enhancements

Chapter Description

This chapter discusses the key additions to the Cisco Secure Firewall Services Module (FWSM) 4.x code.

Several significant additions to the 4.x code enhance routing and other features. Some of these additions include Enhanced Interior Gateway Routing Protocol (EIGRP) routing, route health injection, and some additional security features and application inspection enhancements.

Configuring EIGRP

EIGRP has been a long-awaited feature for the Firewall Services Module (FWSM). With EIGRP support, the FWSM can be integrated into an existing EIGRP network, minimizing the need to redistribute routing information into other routing protocols. This reduces the complexity of managing multiple routing processes and simplifies the network design, especially within the datacenter.

Redistribution of routes between routing protocols can be difficult because each routing protocol uses a different method to classify routes (cost). For example, RIP uses hop count, OSPF uses a single metric value, and EIGRP uses bandwidth and delay by default. When routing information is exchanged between protocols, the information used to classify those routes is lost. Consequently, routing loops can easily occur if you redistribute a route into one process, change the cost, and inject the route back into the first routing process. Use caution if you find yourself in this situation.

EIGRP is supported only in single-context mode, and only one EIGRP routing process can be configured. Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) cannot be enabled simultaneously, but EIGRP can run alongside either RIP or OSPF. Where additional security is required, such as when connecting to the Internet or other untrusted networks, an EIGRP process can be used on the inside and a different routing process on the outside.

Using Figure 25-1, the following example shows how EIGRP is configured to exchange routing information with the local network and extend the default route learned from the OSPF process exchanged on the outside interface to the local network. In the event the router on the outside stops forwarding the default route to the FWSM, the FWSM will remove the route from the local routing table, consequently removing the default route in the local network.

Figure 25-1 EIGRP and OSPF Route Redistribution

To enhance the security for the routing information exchanged on the outside, OSPF Message Digest 5 (MD5) authentication has also been configured.

Example 25-1 shows the configuration of the FWSM (only the pertinent information is shown).

Example 25-1. EIGRP Route Redistribution

interface Vlan10
 nameif Inside
 security-level 100
 ip address
interface Vlan11
 nameif Outside
 security-level 0
 ip address
 ospf message-digest-key 1 md5 <removed>

router eigrp 1
 no auto-summary
 redistribute ospf 1 metric 1000 2000 255 1 1500

router ospf 1
 network area 0
 area 0 authentication message-digest
 redistribute eigrp 1 subnets
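The arithmetic behind the redistribute line in Example 25-1, and the loss of route classification described earlier in this section, as an added example that is not part of the chapter: it applies the classic EIGRP composite-metric formula (default K values) to the seed values 1000 2000 255 1 1500 and shows that the OSPF cost of the default route plays no part in what the inside routers receive. The function names are my own; the administrative distances (90 internal, 170 external, 110 OSPF) are standard Cisco values.

```python
# Added worked example; not the chapter's own code. Reproduces the EIGRP
# composite-metric arithmetic for the seed values in Example 25-1 and shows
# why the OSPF cost of the default route never reaches the inside network.

EIGRP_INTERNAL_AD = 90    # "D" routes in Example 25-2
EIGRP_EXTERNAL_AD = 170   # redistributed routes as EIGRP neighbors see them
OSPF_AD = 110             # "O" routes, e.g. the O*E2 default route


def eigrp_metric(bw_kbps, delay_tens_us, reliability=255, load=1,
                 k=(1, 0, 1, 0, 0)):
    """Classic 32-bit EIGRP composite metric.

    bw_kbps: minimum bandwidth on the path in kbit/s
    delay_tens_us: total delay in tens of microseconds, the unit used by
    the 'metric' keyword of 'redistribute'
    k: K1..K5; the defaults count only bandwidth (K1) and delay (K3)
    """
    k1, k2, k3, k4, k5 = k
    scaled_bw = 10_000_000 // bw_kbps
    metric = k1 * scaled_bw + (k2 * scaled_bw) // (256 - load) + k3 * delay_tens_us
    if k5:  # reliability is only considered when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def parse_redistribute(line):
    """Parse 'redistribute <proto> <pid> metric bw delay rel load mtu'."""
    tokens = line.split()
    if tokens[:1] != ["redistribute"] or "metric" not in tokens:
        raise ValueError("not a redistribute line with a seed metric: " + line)
    i = tokens.index("metric")
    bw, delay, rel, load, mtu = (int(t) for t in tokens[i + 1:i + 6])
    return {"source": tokens[1], "process": tokens[2], "bandwidth": bw,
            "delay": delay, "reliability": rel, "load": load, "mtu": mtu}


def redistributed_into_eigrp(seed, source_ad, source_metric):
    """(AD, metric) an inside EIGRP neighbor sees for a route the FWSM
    redistributed from OSPF. Both values come from the seed alone; the
    source's [AD/metric] (e.g. the [110/1] of the default route) is
    discarded, which is the loss of classification the chapter describes."""
    _ = (source_ad, source_metric)  # intentionally unused
    return EIGRP_EXTERNAL_AD, eigrp_metric(seed["bandwidth"], seed["delay"],
                                           seed["reliability"], seed["load"])


if __name__ == "__main__":
    seed = parse_redistribute("redistribute ospf 1 metric 1000 2000 255 1 1500")
    ad, metric = redistributed_into_eigrp(seed, OSPF_AD, 1)
    print(f"inside routers see the default route as D EX [{ad}/{metric}]")
```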

As the output from the show route command shows in Example 25-2, the FWSM has learned the routes from the local network via EIGRP. These routes are denoted with the letter "D"; the route from the outside has been learned via OSPF and is denoted with the letter "O."

Example 25-2. EIGRP Redistributed Routes

FWSM# show route
D [90/26880256] via, 1:42:35, Inside
D [90/27008256] via, 1:42:35, Inside
D [90/130816] via, 1:42:35, Inside
O is a summary, 1:42:43, Null0
C is directly connected, Inside
D [90/27008256] via, 1:42:35, Inside
C is directly connected, Outside
O*E2 [110/1] via, 0:38:26, Outside

The FWSM is exchanging routing information with the Multilayer Switch Feature Card (MSFC) associated with the inside interface, as the output from the show eigrp neighbors command reveals in Example 25-3.

Example 25-3. EIGRP Neighbors

FWSM# show eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface        Hold Uptime   SRTT  RTO  Q  Seq
                                             (sec)         (ms)      Cnt Num
0                Vl10             12  02:59:38 1    200   0   63

The OSPF adjacency has been established with the router on the outside interface, as the output from the show ospf neighbor command reveals in Example 25-4.

Example 25-4. OSPF Neighbor

FWSM# show ospf neighbor
Neighbor ID      Pri   State           Dead Time   Address         Interface
                 1     FULL/BDR        0:00:33                     Outside

In Example 25-5, the last two lines from the show ospf interface command also indicate that the neighbor adjacency is using MD5.

Example 25-5. OSPF Interfaces

FWSM# show ospf interface
Outside is up, line protocol is up
  Internet Address mask, Area 0
  Process ID 1, Router ID, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID), Interface address
  Backup Designated router (ID), Interface address
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:03
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

The challenges of complex redistribution scenarios from EIGRP to OSPF or RIP on adjacent routers are now eliminated with the capability of supporting EIGRP natively on the FWSM. Running EIGRP through the FWSM should be reserved for passing routing information internal to the network—for example, within the datacenter. This minimizes the impact of attacks targeting routing protocols.

The addition of EIGRP support makes the integration of the FWSM into networks that use the EIGRP routing protocol substantially easier, because redistribution between routing protocols is no longer required. When required, you still have the capability to redistribute routing information between routing protocols on the FWSM, but use caution that you do not cause a routing loop.
