Config# ip route 192.168.2.0/24 firewall | Cisco Systems OL-5650-02

Chapter 5 Configuring Firewall Load Balancing

Configuring FWLB

To configure CSS-A (the client side of the network configuration) as shown in Figure 5-1:

1.Use the ip firewall command to define firewall 1. For example:

(config)# ip firewall 1 192.168.28.1 192.168.27.1 192.168.27.3

2.Use the ip route command to define the static route for firewall 1. For example:

(config)# ip route 192.168.2.0/24 firewall 1

3.Use the ip firewall command to define firewall 2. For example:

(config)# ip firewall 2 192.168.28.2 192.168.27.2 192.168.27.3

4.Use the ip route command to define the static route for firewall 2. For example:

(config)# ip route 192.168.2.0/24 firewall 2

To configure CSS-B (the server side of the network configuration) as shown in Figure 5-1:

1.Use the ip firewall command to define firewall 1. For example:

(config)# ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3

2.Use the ip route command to define the static route for firewall 1. For example:

(config)# ip route 0.0.0.0/0 firewall 1

3.Use the ip firewall command to define firewall 2. For example:

(config)# ip firewall 2 192.168.27.2 192.168.28.2 192.168.28.3

4.Use the ip route command to define the static route for firewall 2. For example:

(config)# ip route 0.0.0.0/0 firewall 2

Firewall configurations are displayed in the IP portion of the running-config. For example:

(config)# show running-config

	Cisco Content Services Switch Security Configuration Guide
5-8	OL-5650-02

Image 106

Cisco Systems OL-5650-02 manual Config# ip firewall 1 192.168.28.1 192.168.27.1, Config# ip route 192.168.2.0/24 firewall

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide N T E N T S Iii ACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Example of Fwlb Vii Viii B L E S OL-5650-02 Preface Audience How to Use This GuideXii Related Documentation Xiii Rmon Xiv Document Title Description Symbols and Conventions Xvi Cisco.com Obtaining DocumentationXvii Ordering Documentation Documentation FeedbackDocumentation DVD Xviii Cisco Product Security Overview Reporting Security Problems in Cisco ProductsXix Obtaining Technical Assistance Cisco Technical Support Website Submitting a Service Request Xxi Definitions of Service Request Severity Xxii Xxiii Xxiv Controlling CSS Access Changing the Administrative Username and Password Config# username-offdm bobo password secret Creating Usernames and Passwords Config# username picard password captain superuser Controlling CSS Access Creating Usernames and Passwords Config# no username picard Config# username picard password captain superuser NwbnnnrConfig# username picard password flute superuser Controlling Remote User Access to the CSS Configuring Virtual Authentication #config virtual authentication primary tacacs Configuring Console Authentication#config virtual authentication secondary local #config console authentication secondary local #config console authentication primary tacacs#config no console authentication Controlling Administrative Access to the CSS Enabling Administrative Access to the CSS Disabling Administrative Access to the CSS Config# no restrict web-mgmt Controlling CSS Network Traffic Through Access Control Lists Config# restrict telnet ACL Overview ACL ACL Configuration Quick Start Config-acl7#clause 15 permit any any destination any Config-acl7#clause 10 deny any any destination range 20Config-acl7#apply circuit-VLAN1 Creating an ACL Config-acl7#remove circuit-VLAN1 Config# acl disableDeleting an ACL Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Variables Options Parameters Show group ? Adding a Clause When ACLs are Globally Enabled Prefer Config-acl7apply circuit-VLAN1 Config-acl7remove circuit-VLAN1Deleting a Clause Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Disabling ACLs on the CSS Showing ACLs Field Description Setting the Show ACL Counters to Zero Logging ACL Activity Config-acl7#clause 1 log enable Config-acl7#clause 1 log disable Config# no logging subsystem acl ACL Example Configuring Network Qualifier Lists for ACLs Describing an NQL Creating an NQLAdding Networks to an NQL Config# logging subsystem nql level debug-7 Config-nqlbypassnql#no ip address 192.168.0.0/16 Showing NQL Configurations Adding an NQL to an ACL Clause Configuring the Secure Shell Daemon Protocol Enabling SSH # license Configuring Sshd Keepalive Configuring SSH AccessConfiguring Sshd in the CSS Config# no restrict ssh Configuring Sshd Port Configuring Sshd Server-Keybits Config# no sshd server-keybits Configuring Sshd VersionConfig# sshd server-keybits Config# sshd version Config# no restrict telnet Configuring Telnet Access When Using SshdShowing Sshd Configurations # show sshd config # show sshd sessions Ptyfd # show sshd version Radius Server Configuring the CSS as a Client of a Radius Server Config# radius-server primary 172.27.56.76 secret Hello Radius Configuration Quick StartConfig# radius-server secondary 172.27.56.79 secret Hello Configuring a Radius Server for Use with the CSS #config virtual authentication primary radius Configuring Authentication Settings Configuring Authorization Settings Specifying a Primary Radius Server Config# no radius-server secondary Config# no radius-server primarySpecifying a Secondary Radius Server Config# radius-server timeout Configuring the Radius Server TimeoutsConfiguring the Radius Server Retransmits Config# no radius-server timeout Config# radius-server dead-time Configuring the Radius Server Dead-TimeConfig# no radius-server retransmit Config# no radius-server dead-time Config# show radius statistics secondary DOWN, Unknown 3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes #config tacacs-server timeout Setting the Global CSS TACACS+ Timeout Period#config no tacacs-server timeout #config tacacs-server key acskefterefesdtx Setting the Global TACACS+ Keepalive Frequency#config tacacs-server key market #config no tacacs-server key Config# no tacacs-server frequency Defining a TACACS+ Server OL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config no tacacs-server authorize config #config tacacs-server authorize config#config tacacs-server authorize non-config #config no tacacs-server authorize non-config Setting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Configuring Fwlb Firewall Synchronization Config# ip firewall 1 192.168.27.1 192.168.28.1 Configuring a Keepalive Timeout for a FirewallConfig# no ip firewall Config# ip firewall timeout Configuring an IP Static Route for a FirewallConfig# no ip firewall timeout Config# no ip route 192.168.2.0/24 firewall Configuring Ospf to Advertise Firewall RoutesConfig# ip route 192.168.2.0/24 firewall 1 Config# ospf redistribute firewall metric 3 type1 Config# no ospf redistribute firewall Configuring RIP to Advertise Firewall RoutesExample of Fwlb Static Route Configuration Config# rip redistribute firewall Config# ip firewall 2 192.168.28.2 192.168.27.2 Config# ip firewall 1 192.168.28.1 192.168.27.1Config# ip route 192.168.2.0/24 firewall Config# ip route 0.0.0.0/0 firewall Example of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide Example of Firewall and Route Configurations CSS-OUT-L Configuration CSS-IN-L Configuration Config# show flows Config# show flows 192.165.22.1Displaying Firewall Flow Summaries Config# show ip routes firewall Displaying Firewall IP Routes Config# show ip firewall Displaying Firewall IP Information OL-5650-02 D E IN-1 IN-2 FTP IN-3 Radius IN-4 XML IN-5 IN-6