Cisco Systems OL-5650-02 guide

Chapter 5 Configuring Firewall Load Balancing

Configuring FWLB

•index - An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command.

•distance - The optional administrative distance. Enter an integer from 1 to 254. A smaller number is preferable. The default value is 1.

Note The CLI prevents you from configuring IP static routes that are firewall routes and IP static routes that are not firewall routes with the same destination addresses and administrative costs. Make either the costs or the addresses unique between firewall and non-firewall routes.

For example:

(config)# ip route 192.168.2.0/24 firewall 1 2

To remove a firewall route, enter:

(config)# no ip route 192.168.2.0/24 firewall 1

Configuring OSPF to Advertise Firewall Routes

To advertise firewall routes from other protocols through OSPF, use the ospf redistribute firewall command. Redistribution of these routes makes them OSPF external routes.

You can optionally:

•Define the network cost for the route by including the metric option. Enter a number from 1 to 16,777,215. The default is 1.

•Define a 32-bit tag value to advertise each external route by including the tag option. You can use it to communicate information between autonomous system boundary routers (ASBRs).

•Advertise the routes as ASE type1 by including the type1 option. The default is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.

For example:

(config)# ospf redistribute firewall metric 3 type1

	Cisco Content Services Switch Security Configuration Guide
5-6	OL-5650-02

Image 104

Cisco Systems OL-5650-02 manual Configuring Ospf to Advertise Firewall Routes, Config# ip route 192.168.2.0/24 firewall 1

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide N T E N T S Iii ACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Example of Fwlb Vii Viii B L E S OL-5650-02 Preface Xii How to Use This GuideAudience Related Documentation Xiii Rmon Xiv Document Title Description Symbols and Conventions Xvi Xvii Obtaining DocumentationCisco.com Documentation Feedback Documentation DVDOrdering Documentation Xviii Xix Reporting Security Problems in Cisco ProductsCisco Product Security Overview Obtaining Technical Assistance Cisco Technical Support Website Submitting a Service Request Xxi Definitions of Service Request Severity Xxii Xxiii Xxiv Controlling CSS Access Changing the Administrative Username and Password Config# username-offdm bobo password secret Creating Usernames and Passwords Config# username picard password captain superuser Controlling CSS Access Creating Usernames and Passwords Config# username picard password flute superuser Config# username picard password captain superuser NwbnnnrConfig# no username picard Controlling Remote User Access to the CSS Configuring Virtual Authentication #config virtual authentication secondary local Configuring Console Authentication#config virtual authentication primary tacacs #config no console authentication #config console authentication primary tacacs#config console authentication secondary local Controlling Administrative Access to the CSS Enabling Administrative Access to the CSS Disabling Administrative Access to the CSS Config# no restrict web-mgmt Controlling CSS Network Traffic Through Access Control Lists Config# restrict telnet ACL Overview ACL ACL Configuration Quick Start Config-acl7#apply circuit-VLAN1 Config-acl7#clause 10 deny any any destination range 20Config-acl7#clause 15 permit any any destination any Creating an ACL Deleting an ACL Config# acl disableConfig-acl7#remove circuit-VLAN1 Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Variables Options Parameters Show group ? Adding a Clause When ACLs are Globally Enabled Prefer Deleting a Clause Config-acl7remove circuit-VLAN1Config-acl7apply circuit-VLAN1 Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Disabling ACLs on the CSS Showing ACLs Field Description Setting the Show ACL Counters to Zero Logging ACL Activity Config-acl7#clause 1 log enable Config-acl7#clause 1 log disable Config# no logging subsystem acl ACL Example Configuring Network Qualifier Lists for ACLs Adding Networks to an NQL Creating an NQLDescribing an NQL Config# logging subsystem nql level debug-7 Config-nqlbypassnql#no ip address 192.168.0.0/16 Showing NQL Configurations Adding an NQL to an ACL Clause Configuring the Secure Shell Daemon Protocol Enabling SSH # license Configuring SSH Access Configuring Sshd in the CSSConfiguring Sshd Keepalive Config# no restrict ssh Configuring Sshd Port Configuring Sshd Server-Keybits Configuring Sshd Version Config# sshd server-keybitsConfig# no sshd server-keybits Config# sshd version Configuring Telnet Access When Using Sshd Showing Sshd ConfigurationsConfig# no restrict telnet # show sshd config # show sshd sessions Ptyfd # show sshd version Radius Server Configuring the CSS as a Client of a Radius Server Config# radius-server secondary 172.27.56.79 secret Hello Radius Configuration Quick StartConfig# radius-server primary 172.27.56.76 secret Hello Configuring a Radius Server for Use with the CSS #config virtual authentication primary radius Configuring Authentication Settings Configuring Authorization Settings Specifying a Primary Radius Server Specifying a Secondary Radius Server Config# no radius-server primaryConfig# no radius-server secondary Configuring the Radius Server Timeouts Configuring the Radius Server RetransmitsConfig# radius-server timeout Config# no radius-server timeout Configuring the Radius Server Dead-Time Config# no radius-server retransmitConfig# radius-server dead-time Config# no radius-server dead-time Config# show radius statistics secondary DOWN, Unknown 3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes #config no tacacs-server timeout Setting the Global CSS TACACS+ Timeout Period#config tacacs-server timeout Setting the Global TACACS+ Keepalive Frequency #config tacacs-server key market#config tacacs-server key acskefterefesdtx #config no tacacs-server key Config# no tacacs-server frequency Defining a TACACS+ Server OL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config tacacs-server authorize config #config tacacs-server authorize non-config#config no tacacs-server authorize config #config no tacacs-server authorize non-config Setting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Configuring Fwlb Firewall Synchronization Config# no ip firewall Configuring a Keepalive Timeout for a FirewallConfig# ip firewall 1 192.168.27.1 192.168.28.1 Config# no ip firewall timeout Configuring an IP Static Route for a FirewallConfig# ip firewall timeout Configuring Ospf to Advertise Firewall Routes Config# ip route 192.168.2.0/24 firewall 1Config# no ip route 192.168.2.0/24 firewall Config# ospf redistribute firewall metric 3 type1 Configuring RIP to Advertise Firewall Routes Example of Fwlb Static Route ConfigurationConfig# no ospf redistribute firewall Config# rip redistribute firewall Config# ip firewall 1 192.168.28.1 192.168.27.1 Config# ip route 192.168.2.0/24 firewallConfig# ip firewall 2 192.168.28.2 192.168.27.2 Config# ip route 0.0.0.0/0 firewall Example of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide Example of Firewall and Route Configurations CSS-OUT-L Configuration CSS-IN-L Configuration Displaying Firewall Flow Summaries Config# show flows 192.165.22.1Config# show flows Config# show ip routes firewall Displaying Firewall IP Routes Config# show ip firewall Displaying Firewall IP Information OL-5650-02 D E IN-1 IN-2 FTP IN-3 Radius IN-4 XML IN-5 IN-6