
Understanding Cisco Secure Firewall Services Module 4.x Routing and Feature Enhancements

Chapter Description

This chapter discusses the key additions to the Cisco Secure Firewall Services Module (FWSM) 4.x code.

Configuring Route Health Injection

The FWSM does not support dynamic routing protocols when running in "multiple-context" mode. Route Health Injection (RHI) works around this by propagating routing information from individual routed-mode contexts, namely static routes, connected networks, and Network Address Translation (NAT) pools, into the routing-engine on the host-chassis.

Because RHI is so tightly integrated with the routing-engine, the Supervisor 720 and Supervisor 32 require a minimum image of 12.2(33)SXI.

RHI creates entries for static and directly connected routes in the MSFC.

Routes can be redistributed to any routing protocol: EIGRP, BGP, and so on.

RHI can also be used to advertise NAT pools into the MSFC.

In effect, RHI lets a multiple-context FWSM feed its routes into any routing protocol running on the MSFC, even though the contexts themselves run none.

The following example shows how to propagate a default route into the routing-engine from a context on the FWSM.

Example 25-6 shows the configuration on the host-chassis.

Example 25-6. RHI MSFC Configuration

Host-Chassis(config)# firewall autostate
Host-Chassis(config)# firewall multiple-vlan-interfaces
Host-Chassis(config)# firewall module 9 vlan-group 9
Host-Chassis(config)# firewall vlan-group 9 10-100
Host-Chassis(config)# vlan 2-100,1000

Host-Chassis(config)# interface FastEthernet1/1
Host-Chassis(config-if)# switchport
Host-Chassis(config-if)# switchport access vlan 20
Host-Chassis(config-if)# switchport mode access

Host-Chassis(config)# interface FastEthernet1/2
Host-Chassis(config-if)# switchport
Host-Chassis(config-if)# switchport access vlan 21
Host-Chassis(config-if)# switchport mode access

The firewall autostate command has the host-chassis send the FWSM messages about the state of the VLANs assigned to it. If a physical interface belongs to a VLAN that the FWSM uses and that interface transitions to the "down" state, the host-chassis propagates the change to the FWSM, which brings its own interface on that VLAN down. Once that happens, the routes injected through that interface are withdrawn from the routing-engine on the host-chassis.

Example 25-7 shows the configuration of the context on the FWSM (only pertinent information is shown).

Example 25-7. RHI FWSM Configuration

FWSM/RHI(config)# interface Vlan20
FWSM/RHI(config-if)# nameif Outside
FWSM/RHI(config-if)# security-level 0
FWSM/RHI(config-if)# ip address 10.20.20.1 255.255.255.0
FWSM/RHI(config)# interface Vlan21
FWSM/RHI(config-if)# nameif Inside
FWSM/RHI(config-if)# security-level 100
FWSM/RHI(config-if)# ip address 192.168.1.1 255.255.255.0
FWSM/RHI(config)# route Outside 0.0.0.0 0.0.0.0 10.20.20.254 1
FWSM/RHI(config)# route-inject
FWSM/RHI(config)# redistribute static interface Inside

The redistribute command under the route-inject subsection also accepts an access list, which filters the static routes, NAT pools, or connected networks that are redistributed to the routing-engine on the host-chassis. This gives you granular control over which prefixes leave a context, and it is worth using so that a context advertises only the prefixes it is meant to own.

On the FWSM, the show route-inject command verifies that the route is being propagated to the routing-engine on the host-chassis, as shown in Example 25-8.

Example 25-8. RHI on the FWSM

FWSM/RHI# show route-inject
Routes injected:
Address    Mask       Nexthop       Proto  Weight  Vlan
-------------------------------------------------------
0.0.0.0    0.0.0.0    10.20.20.254  1      1       20

On the host-chassis, the show ip route command confirms that the route has been received, as shown in Example 25-9.

Example 25-9. RHI on the MSFC

Host-Chassis# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.121.0/24 is directly connected, Vlan121
C    192.168.1.0/24 is directly connected, Vlan21
S*   0.0.0.0/0 [1/0] via 192.168.1.1, Vlan21

The injected route appears as a static route (S*), so it can be redistributed into a dynamic routing protocol like any other static route. Example 25-10 uses EIGRP.

Example 25-10. Redistribution of RHI (Static) Routes on the MSFC

router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary
 redistribute static metric 1000 2000 255 1 1500

Downstream routers now see the route in their local routing table as an EIGRP external route, as shown in the output of the show ip route command in Example 25-11.

Example 25-11. Downstream RHI Routes

Downstream# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.121.1 to network 0.0.0.0

C    192.168.121.0/24 is directly connected, FastEthernet2/0
D    192.168.1.0/24 [90/28416] via 192.168.121.1, 00:48:10, FastEthernet2/0
D*EX 0.0.0.0/0 [170/28416] via 192.168.121.1, 00:47:09, FastEthernet2/0

When the FWSM interface goes down, the static route it injected into the routing-engine on the host-chassis is withdrawn, and the redistributed route disappears downstream with it.

To really take advantage of the dynamic nature of RHI, only one physical interface should be assigned to the VLAN. In Example 25-6, interface FastEthernet1/1 is assigned to VLAN 20. If FastEthernet1/1 goes down, typically because an upstream device or interface has failed, the associated VLAN interface also goes down. If several physical interfaces are assigned to the VLAN, all of them must go down before the FWSM interface goes down, which defeats the purpose of using RHI to track changes dynamically.

Figure 25-2 shows a diagram of how RHI can be used.

Figure 25-2 RHI Usage

Although not truly dynamic, RHI does automatically signal a failure of the FWSM VLAN interface by removing the associated route. Be aware that this requires a physical failure. If the upstream device suffered a Layer 3 problem, for example its IP address changed, the VLAN interface would remain "up" and the route would stay in place, but traffic would be dropped because the next hop would no longer be reachable. Also note that injected routes are not Virtual Routing and Forwarding (VRF) aware, so RHI does not work with MPLS or VRF-lite (at least not in 4.01 code); routes propagated from the FWSM to the routing-engine on the host-chassis are always placed in the "global" routing table.

RHI helps overcome the limitation that dynamic routing processes are not supported when the FWSM operates in multiple-context mode. Recognize that it takes a Layer 2 failure of the selected interface to retract routing information sent to the MSFC. Despite these limitations, RHI is an excellent feature to have in your "tool kit."
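The verification in Examples 25-8 and 25-9 and the Layer 3 blind spot described above can both be scripted. The following Python is an added example, not code from the chapter or from Cisco: it parses captured show route-inject and show ip route text, checks that every injected route is present on the MSFC as a static route pointing back at the FWSM, and separately flags injected routes whose next hop no longer answers, which RHI itself will never withdraw. The two captures are constructed to match Examples 25-8 and 25-9; the FWSM interface table and the reachability results are assumptions standing in for show ip address on the context and a ping test.

```python
"""Check FWSM Route Health Injection from captured CLI output (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed to match Example 25-8.
ROUTE_INJECT_OUTPUT = """\
Routes injected:
Address    Mask       Nexthop       Proto  Weight  Vlan
-------------------------------------------------------
0.0.0.0    0.0.0.0    10.20.20.254  1      1       20
"""

# Constructed to match Example 25-9 (code legend omitted).
MSFC_ROUTE_OUTPUT = """\
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.121.0/24 is directly connected, Vlan121
C    192.168.1.0/24 is directly connected, Vlan21
S*   0.0.0.0/0 [1/0] via 192.168.1.1, Vlan21
"""

# Assumed: the context's own address on each VLAN it redistributes into (Example 25-7).
FWSM_INTERFACE_ADDRS = {"Vlan21": "192.168.1.1"}


@dataclass(frozen=True)
class Injected:
    prefix: ipaddress.IPv4Network
    nexthop: str
    vlan: int


@dataclass(frozen=True)
class MsfcRoute:
    code: str                 # e.g. 'S*', 'C', 'D*EX'
    prefix: ipaddress.IPv4Network
    via: str | None           # None for directly connected routes
    interface: str


# One data row of 'show route-inject': address, mask, next hop, proto, weight, vlan.
_INJECT_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+\d+\s+\d+\s+(\d+)\s*$")

# One route line of IOS 'show ip route'; the optional uptime field covers EIGRP/OSPF lines.
_MSFC_RE = re.compile(
    r"^([A-Z]\S*)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+([^,\s]+)(?:,\s+[\d:]+)?,\s+(\S+)"
    r"|is directly connected,\s+(\S+))")


def parse_route_inject(text: str) -> list[Injected]:
    """Data rows of 'show route-inject' as Injected entries; header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _INJECT_RE.match(line)
        if m:
            addr, mask, nexthop, vlan = m.groups()
            out.append(Injected(ipaddress.IPv4Network(f"{addr}/{mask}"), nexthop, int(vlan)))
    return out


def parse_msfc_routes(text: str) -> list[MsfcRoute]:
    """Route lines of 'show ip route' as MsfcRoute entries; the code legend is ignored."""
    out = []
    for line in text.splitlines():
        m = _MSFC_RE.match(line)
        if m:
            code, prefix, via, via_if, conn_if = m.groups()
            out.append(MsfcRoute(code, ipaddress.IPv4Network(prefix), via, via_if or conn_if))
    return out


def check_injection(injected, msfc, fwsm_addrs) -> list[str]:
    """Problems with RHI propagation; an empty list means every injected route landed."""
    problems = []
    by_prefix = {r.prefix: r for r in msfc}
    for inj in injected:
        r = by_prefix.get(inj.prefix)
        if r is None:
            problems.append(f"{inj.prefix}: not present in the MSFC global table")
        elif not r.code.startswith("S"):
            problems.append(f"{inj.prefix}: present as {r.code}, not as a static route")
        elif r.via != fwsm_addrs.get(r.interface):
            problems.append(f"{inj.prefix}: next hop {r.via} on {r.interface} is not the FWSM")
    return problems


def stale_routes(injected, nexthop_reachable) -> list[str]:
    """Injected prefixes whose next hop failed the (assumed) reachability probe.

    RHI withdraws a route only when the VLAN interface goes down, so a Layer 3
    failure of the next hop leaves the route advertised; this is the check the
    switch cannot do for you."""
    return [str(i.prefix) for i in injected if not nexthop_reachable.get(i.nexthop, False)]


if __name__ == "__main__":
    inj = parse_route_inject(ROUTE_INJECT_OUTPUT)
    msfc = parse_msfc_routes(MSFC_ROUTE_OUTPUT)
    print(check_injection(inj, msfc, FWSM_INTERFACE_ADDRS) or "all injected routes present on MSFC")
    print(stale_routes(inj, {"10.20.20.254": True}) or "all next hops answer")
```

In practice you would feed the two captures from the FWSM context and the MSFC, and replace the reachability dictionary with a real probe of each next hop from the context; a prefix reported by stale_routes is one that RHI is still advertising into the global table while traffic to it is being black-holed.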
