-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show debug -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config logging -- show running-config vpn-sessiondb
-
show service-policy -- show xlate
-
shun -- sysopt uauth allow-http-cache
-
- T through Z Commands
-
Feedback
Table Of Contents
eigrp log-neighbor-changes through ftp-map Commands
firewall multiple-vlan-interfaces (IOS)
eigrp log-neighbor-changes through ftp-map Commands
eigrp log-neighbor-changes
To enable the logging of EIGRP neighbor adjacency changes, use the eigrp log-neighbor-changes command in router configuration mode. To turn off this function, use the no form of this command.
eigrp log-neighbor-changes
no eigrp log-neighbor-changes
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The eigrp log-neighbor-changes command is enabled by default; only the no form of the command appears in the running configuration.
Examples
The following example disables the logging of EIGRP neighbor changes:
hostname(config)# router eigrp 100hostname(config-router)# no eigrp log-neighbor-changesRelated Commands
eigrp log-neighbor-warnings
To enable the logging of EIGRP neighbor warning messages, use the eigrp log-neighbor-warnings command in router configuration mode. To turn off this function, use the no form of this command.
eigrp log-neighbor-warnings [seconds]
no eigrp log-neighbor-warnings
Syntax Description
seconds
(Optional) The time interval (in seconds) between repeated neighbor warning messages. Valid values are from 1 to 65535. Repeated warnings are not logged if they occur during this interval.
Defaults
This command is enabled by default. All neighbor warning messages are logged.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The eigrp log-neighbor-warnings command is enabled by default; only the no form of the command appears in the running configuration.
Examples
The following example disables the logging of EIGRP neighbor warning messages:
hostname(config)# router eigrp 100hostname(config-router)# no eigrp log-neighbor-warningsThe following example logs EIGRP neighbor warning messages and repeats the warning messages in 5-minute (300 seconds) intervals:
hostname(config)# router eigrp 100hostname(config-router)# eigrp log-neighbor-warnings 300Related Commands
eigrp router-id
To specify router ID used by the EIGRP routing process, use the eigrp router-id command in router configuration mode. To restore the default value, use the no form of this command.
eigrp router-id ip-addr
no eigrp router-id [ip-addr]
Syntax Description
ip-addr
Router ID in IP address (dotted-decimal) format. You cannot use 0.0.0.0 or 255.255.255.255 as the router ID.
Defaults
If not specified, the highest-level IP address on the FWSM is used as the router ID.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the eigrp router-id command is not configured, EIGRP automatically selects the highest IP address on the FWSM to use as the router ID when an EIGRP process is started.The router ID is not changed unless the EIGRP process is removed using the no router eigrp command or unless the router ID is manually configured with the eigrp router-id command.
The router ID is used to identify the originating router for external routes. If an external route is received with the local router ID, the route is discarded. To prevent this, use the eigrp router-id command to specify a global address for the router ID.
A unique value should be configured for each EIGRP router.
Examples
The following example configures 172.16.1.3 as a fixed router ID for the EIGRP routing process:
hostname(config)# router eigrp 100hostname(config-router)# eigrp router-id 172.16.1.3Related Commands
router eigrp
Enters router configuration mode for the EIGRP routing process.
show running-config router
Displays the commands in the global router configuration.
eigrp stub
To configure the EIGRP routing process as a stub routing process, use the eigrp stub command in router configuration mode. To remove EIGRP stub routing, use the no form of this command.
eigrp stub [receive-only] | {[connected] [redistributed] [static] [summary]}
no eigrp stub [receive-only] | {[connected] [redistributed] [static] [summary]}
Syntax Description
Defaults
Stub routing is not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the eigrp stub command to configure the FWSM as a stub where the FWSM directs all IP traffic to a distribution router.
Using the receive-only keyword restricts the FWSM from sharing any of its routes with any other router in the autonomous system; the FWSM only receives updates from the EIGRP neighbor. You cannot use any other keyword with the receive-only keyword.
You can specify one or more of the connected, static, summary, and redistributed keywords. If any of these keywords is used with the eigrp stub command, only the route types specified by the particular keyword are sent.
The connected keyword permits the EIGRP stub routing process to send connected routes. If the connected routes are not covered by a network statement, it may be necessary to redistribute connected routes with the redistribute command under the EIGRP process.
The static keyword permits the EIGRP stub routing process to send static routes. Without the configuration of this option, EIGRP will not send any static routes. It may be necessary to redistribute them with the redistribute command under the EIGRP process.
The summary keyword permits the EIGRP stub routing process to send summary routes. You can create summary routes manually with the summary-address eigrp command or automatically with the auto-summary command enabled (auto-summary is enabled by default).
The redistributed keyword permits the EIGRP stub routing process to send routes redistributed into the EIGRP routing process from other routing protocols. If you do not configure this option, EIGRP does not advertise redistributed routes.
Examples
The following example uses the eigrp stub command to configure the FWSM as an EIGRP stub that advertises connected and summary routes:
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0hostname(config-router)# eigrp stub connected summaryThe following example uses the eigrp stub command to configure the FWSM as an EIGRP stub that advertises connected and static routes. Sending summary routes is not permitted.
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0hostname(config-router)# eigrp stub connected staticThe following example uses the eigrp stub command to configure the FWSM as an EIGRP stub that only receives EIGRP updates. Connected, summary, and static route information is not sent.
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0 eigrphostname(config-router)# eigrp stub receive-onlyThe following example uses the eigrp stub command to configure the FWSM as an EIGRP stub that advertises routes redistributed into EIGRP from other routing protocols:
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0hostname(config-router)# eigrp stub redistributedThe following example uses the eigrp stub command without any of the optional arguments. When used without arugments, the eigrp stub commands advertises connected and summary routes by default.
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0hostname(config-router)# eigrp stubRelated Commands
To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of this command.
email address
no email [address]
Syntax Description
Defaults
The default setting is not set.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the email address jjh@example.net in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# email jjh@example.nethostname(ca-trustpoint)#Related Commands
enable
To enter privileged EXEC mode, use the enable command in user EXEC mode.
enable [level]
Syntax Description
Defaults
Enters privilege level 15 unless you are using command authorization, in which case the default level depends on the level configured for your username.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The default enable password is blank. See the enable password command to set the password.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Enter the disable command to exit privileged EXEC mode.
Examples
The following example enters privileged EXEC mode:
hostname> enablePassword: Pa$$w0rdhostname#The following example enters privileged EXEC mode for level 10:
hostname> enable 10Password: Pa$$w0rd10hostname#Related Commands
enable password
To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.
enable password password [level level] [encrypted]
no enable password level level
Syntax Description
Defaults
The default password is blank. The default level is 15.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.
For multiple context mode, you can create an enable password for the system configuration as well as for each context.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Examples
The following example sets the enable password to Pa$$w0rd:
hostname(config)# enable password Pa$$w0rdThe following example sets the enable password to Pa$$w0rd10 for level 10:
hostname(config)# enable password Pa$$w0rd10 level 10The following example sets the enable password to an encrypted password that you copied from another FWSM:
hostname(config)# enable password jMorNbK0514fadBh encryptedRelated Commands
endpoint
To associate endpoints with an HSI group, use the endpoint command in HSI group configuration mode. To remove the endpoint, use the no form of this command.
endpoint ip address interface
no endpoint ip address interface
Syntax Description
interface
The interface on the FWSM that is connected to the endpoint.
ip address
The IP address of the endpoint.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Hsi group configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the endpoint command to identify the endpoints associated with an HSI group. An HSI group allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.
Each HSI group can contain a maximum of ten endpoints. You must configure an HSI within the group before configuring any endpoints. You must remove all endpoints and the HSI before removing the HSI group.
Examples
The following example shows how to define an H.225 map.
hostname(config)# h225-map hmaphostname(config-h225-map)# hsi-group 1hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 insidehostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outsidehostname(config-h225-map-hsi-grp)# exithostname(config-h225-map-hsi-grp)# exitRelated Commands
endpoint-mapper
To configure endpoint mapper options for DCERPC inspection, use the endpoint-mapper command in policy-map configuration mode. To disable this feature, use the no form of this command.
endpoint-mapper [epm-service-only] [lookup-operation [timeout value]]
no endpoint-mapper [epm-service-only] [lookup-operation [timeout value]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure the endpoint mapper in a DCERPC map:
hostname(config)# policy-map type inspect dcerpc dcerpc_maphostname(config-pmap)# endpoint-mapper epm-service-onlyRelated Commands
enforcenextupdate
To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in crl configure configuration mode. To permit a lapsed or missing NextUpdate field, use the no form of this command.
enforcenextupdate
no enforcenextupdate
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is enforced (on).
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
•
•
•
—
Command History
Usage Guidelines
If set, this command requires CRLs to have a NextUpdate field that has not yet lapsed. If not used, the FWSM allows a missing or lapsed NextUpdate field in a CRL.
Examples
The following example enters crl configure configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# enforcenextupdatehostname(ca-crl)#Related Commands
cache-time
Specifies a cache refresh time in minutes.
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
enrollment retry count
To specify a retry count, use the enrollment retry count command in crypto ca trustpoint configuration mode. To restore the default setting of the retry count, use the no form of this command.
enrollment retry count number
no enrollment retry count
Syntax Description
number
Sets the maximum number of attempts to send an enrollment request. The valid range is 0, 1-100 retries.
Defaults
The default setting for number is 0 (unlimited).
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Usage Guidelines
After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the configured retry period, it sends another certificate request. The FWSM repeats the request until either it receives a response or reaches the end of the configured retry period.
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry count 20hostname(ca-trustpoint)#Related Commands
enrollment retry period
To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. To restore the default setting of the retry period, use the no form of this command.
enrollment retry period minutes
no enrollment retry period
Syntax Description
minutes
Sets the number of minutes between attempts to send an enrollment request. the valid range is 1- 60 minutes.
Defaults
The default setting is 1 minute.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Usage Guidelines
After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the specified retry period, it sends another certificate request.
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry period 10hostname(ca-trustpoint)#Related Commands
enrollment terminal
To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of this command.
enrollment terminal
no enrollment terminal
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment terminalhostname(ca-trustpoint)#Related Commands
enrollment url
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of this command.
enrollment url url
no enrollment url
Syntax Description
url
Specifies the name of the URL for automatic enrollment. The maximum length is 1 K characters (effectively unbounded).
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment url https://enrollsitehostname(ca-trustpoint)#Related Commands
erase
To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.
erase [flash:]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The erase command erases all data on the Flash memory using the OxFF pattern and then rewrites an empty file system allocation table to the device.
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the erase command.
Examples
The following example erases and reformats the file system:
hostname# erase flash:Related Commands
delete
Removes all visible files, excluding hidden system files.
format
Erases all files (including hidden system files) and formats the file system.
established
To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.
established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
no established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
1.1(1)
This command was introduced.
3.1(1)
The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.
Usage Guidelines
The established command lets you permit return access for outbound connections through the FWSM. This command works with an original connection that is outbound from a network and protected by the FWSM and a return connection that is inbound between the same two devices on an external host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.
Caution
Examples
The following set of examples shows potential security violations could occur if you do not use the established command correctly.
This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
hostname(config)# established tcp 4000 0You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.
hostname(config)# established tcp 0 0
Note
You can use the established command with the nat 0 command (where there are no global commands).
Note
The FWSM supports XDMCP with assistance from the established command.
Caution
XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:
hostname(config)# established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the source_port field as 0 (wildcard). The dest_port should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:
hostname(config)# setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The FWSM performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.
The following example shows a connection between two hosts using protocol A destined for port B from source port C. To permit return connections through the FWSM and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.
hostname(config)# established A B C permitto D E permitfrom D FThe following example shows how a connection is started by an internal host to an external host using TCP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and any TCP source port.
hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 0The following example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.
hostname(config)# established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535The following example shows how a local host starts a TCP connection on port 9999 to a foreign host. The example allows packets from the foreign host on port 4242 back to local host on port 5454.
hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242Related Commands
clear configure established
Removes all established commands.
show running-config established
Displays the allowed inbound connections that are based on established connections.
exit
To exit the current configuration mode, or to log out from privileged or user EXEC modes, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the exit command in privileged or user EXEC modes, you log out from the FWSM. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the exit command to exit global configuration mode, and then logout from the session:
hostname(config)# exithostname# exitLogoffThe following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# exithostname# disablehostname>Related Commands
failover
To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.
failover
no failover
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
1.1(1)
This command was introduced.
3.1(1)
This command was limited to enable or disable failover in the configuration (see the failover active command).
Usage Guidelines
Use the no form of this command to disable failover.
Caution
Examples
The following example disables failover:
hostname(config)# no failoverhostname(config)#Related Commands
failover active
To switch a standby FWSM or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active FWSM or failover group to standby, use the no form of this command.
failover active [group group_id]
no failover active [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using Stateful Failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.
Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.
Examples
The following example switches the standby group 1 to active:
hostname# failover active group 1Related Commands
failover group
To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.
failover group num
no failover group num
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can define a maximum of 2 failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.
Entering this command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.
Note
When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.
Examples
The following partial example shows a possible configuration for two failover groups:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)#Related Commands
failover interface ip
To specify the IP address and mask for the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.
failover interface ip if_name ip_address mask standby ip_address
no failover interface ip if_name ip_address mask standby ip_address
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Failover and Stateful Failover interfaces are functions of Layer 3, even when the FWSM is operating in transparent firewall mode, and are global to the system.
In multiple context mode, you configure failover in the system context (except for the monitor-interface command).
This command must be part of the configuration when bootstrapping a FWSM for LAN failover.
Examples
The following example shows how to specify the IP address and mask for the failover interface:
hostname(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2Related Commands
failover interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.
failover interface-policy num[%]
no failover interface-policy num[%]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other FWSM is functioning properly, the FWSM will mark itself as failed and a failover may occur (if the active FWSM is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Note
Examples
The following examples show two ways to specify the failover policy:
hostname(config)# failover interface-policy 20%hostname(config)# failover interface-policy 5Related Commands
failover key
To specify the key for encrypted and authenticated communication between units in a failover pair, use the failover key command in global configuration mode. To remove the shared secret, use the no form of this command.
failover key {secret | hex key}
no failover key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To encrypt and authenticate failover communications between the units, you must configure both units with a shared secret or hexadecimal key. If you do not specify a failover key, failover communication is transmitted in the clear.
Caution
Examples
The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:
hostname(config)# failover key abcdefgThe following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:
hostname(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dcRelated Commands
show running-config failover
Displays the failover commands in the running configuration.
failover lan interface
To specify the interface name and VLAN used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.
failover lan interface if_name vlan vlan
no failover lan interface if_name vlan vlan
Syntax Description
if_name
Specifies the name of the FWSM interface dedicated to failover.
vlan vlan
Specifies the VLAN number.
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The active and standby modules constantly communicate over this link to determine the operating status of each module. Communications over the failover link include the the module state (active or standby), hello messages (also sent on all other interfaces), and configuration synchronization between the two modules.
Failover requires a dedicated interface for passing failover traffic, however you can also use the LAN failover interface for the Stateful Failover link. If you use the same interface for both LAN failover and Stateful Failover, the interface needs enough capacity to handle both the failover and Stateful Failover traffic.
Use a dedicated VLAN for the failover link. Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures.
You can use any unused interface on the module as the failover interface. You cannot specify an interface that is currently configured with a name. The failover interface is not configured as a normal networking interface; it exists only for failover communications. This interface should only be used for the failover link (and optionally for the state link).
On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
The no form of this command also clears the failover interface IP address configuration.
This command must be part of the configuration when bootstrapping an FWSM for failover.
Examples
The following example configures the failover LAN interface:
hostname(config)# failover lan interface folink vlan 101Related Commands
failover lan unit
Specifies the LAN-based failover primary or secondary unit.
failover link
Specifies the Stateful Failover interface.
failover lan unit
To configure the FWSM as either the primary or secondary unit in a failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.
failover lan unit {primary | secondary}
no failover lan unit {primary | secondary}
Syntax Description
primary
Specifies the FWSM as a primary unit.
secondary
Specifies the security appliance as a secondary unit.
Defaults
Secondary.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:
•
•
If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to issue the no failover active command on the secondary (active) unit to force the primary unit back to active status.
For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).
This command must be part of the configuration when bootstrapping an FWSM for failover.
Examples
The following example sets the FWSM as the primary unit:
hostname(config)# failover lan unit primaryRelated Commands
failover link
To specify the Stateful Failover interface and VLAN, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.
failover link if_name [vlan vlan]
no failover link
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The physical or logical interface argument is required when not sharing the failover communication interface.
The failover link command enables Stateful Failover. Enter the no failover link command to disable Stateful Failover and also clear the Stateful Failover interface IP address configuration.
To use Stateful Failover, you must configure a state link to pass all state information. You have two options for configuring a state link: you can use a dedicated interface for the state link or you can use the failover link.
Caution
The state traffic can be large. If you are using the failover link as the state link and you experience performance problems, consider dedicating a separate link for the state traffic.
In multiple context mode, the state link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
Caution
Examples
The following example shows how to specify the Stateful Failover interface:
hostname(config)# failover link stateful_if vlan 101Related Commands
failover polltime
To specify the failover unit and interface poll times and unit hold time, use the failover polltime command in global configuration mode. To restore the default poll time, use the no form of this command.
failover polltime [unit] [msec] time [holdtime time]
failover polltime interface time
no failover polltime [unit] [msec] time [holdtime time]
no failover polltime interface time
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You cannot enter a holdtime value that is less than 3 times the unit poll time. With a faster poll time, the FWSM can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.
When the unit or interface keywords are not specified, the poll time configured is for the unit.
You can include both failover polltime unit and failover polltime interface commands in the configuration.
Note
If a hello packet is not heard on the failover communication interface during the hold time, the standby unit switches to active and the peer is considered failed. Five missed consecutive interface hello packets cause interface testing.
Note
Examples
The following example sets the unit poll time frequency to 3 seconds:
hostname(config)# failover polltime 3Related Commands
polltime interface
Specifies the interface polltime for Active/Active failover configurations.
show failover
Displays failover configuration information.
failover preempt
To cause the primary unit in an Active/Standby failover configuration to become active on boot if the standby unit is currently in the active state, use the failover preempt command in global configuration mode. To remove the preemption, use the no form of this command.
failover preempt [delay]
no failover preempt [delay]
Syntax Description
delay
The wait time, in seconds, before the peer is preempted. Valid values are from 1 to 1200 seconds. If the delay is not specified, there is no delay.
Defaults
By default, there is no delay.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
If the secondary unit in an Active/Standby pair is in the active state, the primary unit will automatically enter the standby state when it boots. It will remain in the standby state until a failover occurs or until you manually force it to the active state using the no failover active command on the secondary unit. Using the failover preempt command causes the primary unit to become active automatically and causes the secondary unit to enter the standby state.
Note
Examples
The following example configures the primary unit to become active after a 5 second delay if it boots while the secondary unit is in the active state.
hostname(config)# failoverhostname(config)# failover lan unit primaryhostname(config)# failover preempt 5hostname(config)# failover lan interface foverlink Vlan56hostname(config)# failover replication httphostname(config)# failover link foverlink Vlan56hostname(config)# failover interface ip foverlink 10.1.1.1 255.255.255.0 standby 10.1.1.99hostname(config)#Related Commands
failover reload-standby
To force the standby unit to reboot, use the failover reload-standby command in privileged EXEC mode.
failover reload-standby
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use this command when your failover units do not synchronize. The standby unit restarts and resynchronizes to the active unit after it finishes booting.
Examples
The following example shows how to use the failover reload-standby command on the active unit to force the standby unit to reboot:
hostname# failover reload-standbyRelated Commands
write standby
Writes the running configuration to the memory on the standby unit.
failover replication http
To enable HTTP (port 80) connection replication, use the failover replication http command in global configuration mode. To disable HTTP connection replication, use the no form of this command.
failover replication http
no failover replication http
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
By default, the FWSM does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.
In Active/Active failover configurations, you control HTTP session replication per failover group using the replication http command in failover group configuration mode.
Examples
The following example shows how to enable HTTP connection replication:
hostname(config)# failover replication httpRelated Commands
replication http
Enables HTTP session replication for a specific failover group.
show running-config failover
Displays the failover commands in the running configuration.
failover reset
To restore a failed FWSM to an unfailed state, use the failover reset command in privileged EXEC mode.
failover reset [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
1.1(1)
This command was introduced.
3.1(1)
This command was modified to allow the optional failover group ID.
Usage Guidelines
The failover reset command lets you change the failed unit or group to an unfailed state. The failover reset command can be entered on either unit, but we recommend that you always enter the command on the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.
You can display the failover status of the unit with the show failover or show failover state commands.
There is no no version of this command.
In Active/Active failover, entering failover reset resets the whole unit. Specifying a failover group with the command resets only the specified group.
Examples
The following example shows how to change a failed unit to an unfailed state:
hostname# failover resetRelated Commands
failover interface-policy
Specifies the policy for failover when monitoring detects interface failures.
show failover
Displays information about the failover status of the unit.
failover suspend-config-sync
To suspend failover configuration synchronization, use the failover suspend-config-sync command in global configuration mode. To disable failover, use the no form of this command.
failover suspend-config-sync
no failover suspend-config-sync
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command can be run only on the active unit. Running this command disables interface monitoring and logical updates.
Examples
The following example suspends failover configuration synchronization:
hostname(config)# failover suspend-config-synchostname(config)#Related Commands
filter activex
To remove ActiveX objects in HTTP traffic passing through the FWSM, use the filter activex command in global configuration mode. To remove the configuration, use the no form of this command.
filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
no filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with the filter activex command.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.
The filter activex command command blocks the HTML <object> commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.
Caution
If the <OBJECT> or </OBJECT> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the FWSM cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command.
Examples
The following example specifies that Activex objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
Related Commands
filter ftp
To identify the FTP traffic to be filtered by a Websense server, use the filter ftp command in global configuration mode. To remove the configuration, use the no form of this command.
filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]
no filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter ftp command lets you identify the FTP traffic to be filtered by a Websense server. FTP filtering is not supported on N2H2 servers.
After enabling this feature, when a user issues an FTP GET request to a server, the FWSM sends the request to the FTP server and to the Websense server at the same time. If the Websense server permits the connection, the FWSM allows the successful FTP return code to reach the user unchanged. For example, a successful return code is "250: CWD command successful."
If the Websense server denies the connection, the FWSM alters the FTP return code to show that the connection was denied. For example, the FWSM would change code 250 to "550 Requested file is prohibited by URL filtering policy." Websense only filters FTP GET commands and not PUT commands).
Use the interactive-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files. You must identify and enable the URL filtering server before using these commands.
Examples
The following example shows how to enable FTP filtering:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter ftp 21 0 0 0 0hostname(config)# filter ftp except 10.0.2.54 255.255.255.255 0 0Related Commands
filter https
To identify the HTTPS traffic to be filtered by a Websense server, use the filter https command in global configuration mode. To remove the configuration, use the no form of this command.
filter https {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask] [allow]
no filter https {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask] [allow]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The FWSM supports filtering of HTTPS and FTP sites using an external Websense filtering server.
Note
HTTPS filtering works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as "The Page or the content cannot be displayed."
Because HTTPS content is encrypted, the FWSM sends the URL lookup without directory and filename information.
Examples
The following example filters all outbound HTTPS connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter https 443 0 0 0 0hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0Related Commands
filter java
To remove Java applets from HTTP traffic passing through the FWSM, use the filter java command in global configuration mode. To remove the configuration, use the no form of this command.
filter java {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask]
no filter java {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.
The filter java command filters out Java applets that return to the FWSM from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.
If the applet or /applet HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the FWSM cannot block the tag. If Java applets are known to be in <object> tags, use the filter activex command to remove them.
Examples
The following example specifies that Java applets are blocked on all outbound connections:
hostname(config)# filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0This command prevents host 192.168.3.3 from downloading Java applets.
Related Commands
filter url
To direct traffic to a URL filtering server, use the filter url command in global configuration mode. To remove the configuration, use the no form of this command.
filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
no filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.
Note
The allow option to the filter url command determines how the FWSM behaves if the N2H2 or Websense server goes off line. If you use the allow option with the filter url command and the N2H2 or Websense server goes offline, port 80 traffic passes through the FWSM without filtering. Used without the allow option and with the server off line, the FWSM stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.
Note
The N2H2 or Websense server works with the FWSM to deny users from access to websites based on the company security policy.
Using the Websense Filtering Server
Websense protocol Version 4 enables group and username authentication between a host and a FWSM. The FWSM performs a username lookup, and then the Websense server handles URL filtering and username logging.
The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.
Websense protocol Version 4 contains the following enhancements:
•
•
•
Information on Websense is available at the following website:
http://www.websense.com/
Configuration Procedure
To filter URLs, perform the following steps:
Step 1
Step 2
Step 3
Note
Step 4
Working with Long URLs
Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.
Use the longurl-truncate and cgi-truncate options to allow handling of URL requests longer than the maximum permitted size.
If a URL is longer than the maximum, and you do not enable the longurl-truncate or longurl-deny options, the FWSM drops the packet.
The longurl-truncate option causes the FWSM to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.
Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect FWSM performance.
Buffering HTTP Responses
By default, when a user issues a request to connect to a specific website, the FWSM sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.
By enabling the HTTP response buffer, replies from web content servers are buffered and the responses will be forwarded to the requesting user if the filtering server allows the connection. This prevents the delay that may otherwise occur.
To enable the HTTP response buffer, enter the following command:
url-block block block-buffer-limitReplace block-buffer-limit with the maximum number of blocks that will be buffered. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks that can be buffered at one time.
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter url 80 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
hostname(config)# filter url 8080 0 0 0 0 proxy-blockRelated Commands
firewall autostate (IOS)
To enable autostate messaging, use the firewall autostate command in global configuration mode. To disable autostate, use the no form of this command. Autostate messaging lets the FWSM quickly detect that a switch interface has failed or has come up.
firewall autostate
no firewall autostate
Syntax Description
This command has no arguments or keywords.
Defaults
By default, autostate is disabled.
Command Modes
Global configuration.
Command History
12.2(18)SXF5
This command was introduced.
15.1(3)S
This command was integrated into Cisco IOS Release 15.1(3)S. This command is supported on the Cisco 7600 Series routers.
Usage Guidelines
The supervisor engine can send autostate messages to the FWSM about the status of physical interfaces associated with FWSM VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the FWSM that the VLAN is down. This information lets the FWSM declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the FWSM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).
The switch supervisor sends an autostate message to the FWSM when:
•
•
Examples
The following example enables autostate:
Router(config)# firewall autostateRelated Commands
firewall module (IOS)
To assign firewall groups to the FWSM, enter the firewall module command in global configuration mode. To remove the groups, use the no form of this command.
firewall module module_number vlan-group firewall_group
no firewall module module_number vlan-group firewall_group
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration.
Command History
Usage Guidelines
In Cisco IOS software, create up to 16 firewall VLAN groups (using the firewall vlan-group command), and then assign the groups to the FWSM using the firewall module command.. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.
You cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM and you can assign a single firewall group to multiple FWSMs. VLANs that you want to assign to multiple FWSMs, for example, can reside in a separate group from VLANs that are unique to each FWSM.
Examples
The following example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs.
Router(config)# firewall vlan-group 50 55-57Router(config)# firewall vlan-group 51 70-85Router(config)# firewall vlan-group 52 100Router(config)# firewall module 5 vlan-group 50,52Router(config)# firewall module 8 vlan-group 51,52The following is sample output from the show firewall vlan-group command:
Router# show firewall vlan-groupGroup vlans----- ------50 55-5751 70-8552 100The following is sample output from the show firewall module command, which shows all VLAN groups:
Router# show firewall moduleModule Vlan-groups5 50,528 51,52Related Commands
firewall vlan-group
Assigns VLANs to a VLAN group.
show firewall vlan-group
Shows the VLAN groups and the VLANs assigned to them.
show module
Shows all installed modules.
firewall multiple-vlan-interfaces (IOS)
To allow you to add more than one SVI to the FWSM, use the firewall multiple-vlan-interfaces command in global configuration mode. To disable this feature, use the no form of this command.
firewall multiple-vlan-interfaces
no firewall multiple-vlan-interfaces
Syntax Description
This command has no arguments or keywords.
Defaults
By default, multiple SVIs are not allowed.
Command Modes
Global configuration.
Command History
Usage Guidelines
A VLAN defined on the MSFC is called a switched virtual interface. If you assign the VLAN used for the SVI to the FWSM, then the MSFC routes between the FWSM and other Layer 3 VLANs. For security reasons, by default, only one SVI can exist between the MSFC and the FWSM. For example, if you misconfigure the system with multiple SVIs, you could accidentally allow traffic to pass around the FWSM by assigning both the inside and outside VLANs to the MSFC.
However, you might need to bypass the FWSM in some network scenarios. For example, if you have an IPX host on the same Ethernet segment as IP hosts, you will need multiple SVIs. Because the FWSM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the FWSM for IPX traffic. Make sure to configure the MSFC with an access list that allows only IPX traffic to pass on the VLAN.
For transparent firewalls in multiple context mode, you need to use multiple SVIs because each context requires a unique VLAN on its outside interface. You might also choose to use multiple SVIs in routed mode so you do not have to share a single VLAN for the outside interface.
Examples
The following example shows a typical configuration with multiple SVIs:
Router(config)# firewall vlan-group 50 55-57Router(config)# firewall vlan-group 51 70-85Router(config)# firewall module 8 vlan-group 50-51Router(config)# firewall multiple-vlan-interfacesRouter(config)# interface vlan 55Router(config-if)# ip address 10.1.1.1 255.255.255.0Router(config-if)# no shutdownRouter(config-if)# interface vlan 56Router(config-if)# ip address 10.1.2.1 255.255.255.0Router(config-if)# no shutdownRouter(config-if)# endRouter#The following is sample output from the show interface command:
Router# show interface vlan 55Vlan55 is up, line protocol is upHardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)Internet address is 55.1.1.1/24MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation ARPA, loopback not setARP type:ARPA, ARP Timeout 04:00:00Last input never, output 00:00:08, output hang neverLast clearing of "show interface" counters neverInput queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0Queueing strategy:fifoOutput queue :0/40 (size/max)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/secL2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytesL3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcastL3 out Switched:ucast:0 pkt, 0 bytes0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored4 packets output, 256 bytes, 0 underruns0 output errors, 0 interface resets0 output buffer failures, 0 output buffers swapped outRelated Commands
firewall module
Assigns a VLAN group to the FWSM.
firewall vlan-group
Defines a VLAN group.
firewall transparent
To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command.
firewall transparent
no firewall transparent
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. You can set the mode independently for each security context in multiple context mode.
When you change modes, the FWSM clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.
If you download a text configuration to the FWSM that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the FWSM changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the FWSM clears all the preceding lines in the configuration.
Examples
The following example changes the firewall mode to transparent:
hostname(config)# firewall transparentRelated Commands
firewall vlan-group (IOS)
To assign VLANs to a firewall group, enter the firewall vlan-group command in global configuration mode. To remove the VLANs, use the no form of this command.
firewall vlan-group firewall_group vlan_range
no firewall vlan-group firewall_group vlan_range
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration.
Command History
Usage Guidelines
In Cisco IOS software, create up to 16 firewall VLAN groups using the firewall vlan-group command, and then assign the groups to the FWSM (using the firewall module command). For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.
You cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM and you can assign a single firewall group to multiple FWSMs. VLANs that you want to assign to multiple FWSMs, for example, can reside in a separate group from VLANs that are unique to each FWSM.
Examples
The following example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs.
Router(config)# firewall vlan-group 50 55-57Router(config)# firewall vlan-group 51 70-85Router(config)# firewall vlan-group 52 100Router(config)# firewall module 5 vlan-group 50,52Router(config)# firewall module 8 vlan-group 51,52The following is sample output from the show firewall vlan-group command:
Router# show firewall vlan-groupGroup vlans----- ------50 55-5751 70-8552 100The following is sample output from the show firewall module command, which shows all VLAN groups:
Router# show firewall moduleModule Vlan-groups5 50,528 51,52Related Commands
firewall module
Assigns a VLAN group to an FWSM.
show firewall vlan-group
Shows the VLAN groups and the VLANs assigned to them.
show module
Shows all installed modules.
format
To erase all files and format the file system, use the format command in privileged EXEC mode. This command erases all files on the file system, including hidden system files, and reinstalls the file system.
format disk:
Syntax Description
Defaults
disk: is required.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The format command erases all data on the specified file system and then rewrites the FAT information to the device.
Caution
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the format command.
Examples
This example shows how to format the disk system:
fwsm(config)# format disk:format operation may take a while. Continue? [confirm]Related Commands
delete
Removes all user-visible files.
erase
Deletes all files and formats the Flash memory.
fsck
Repairs a corrupt file system.
fqdn
To include the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment, use the fqdn command in crypto ca trustpoint configuration mode. To restore the default setting of the fqdn, use the no form of this command.
fqdn fqdn
no fqdn
Syntax Description
Defaults
The default setting is not to include the FQDN.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FQDN engineering in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# fqdn engineeringhostname(ca-trustpoint)#Related Commands
fragment
To provide additional management of packet fragmentation and improve compatibility with NFS, use the fragment command in global configuration mode. To restore the value to the default, use the no form of this command.
fragment {size | chain | timeout limit} [interface]
no fragment {size | chain | timeout limit} [interface]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, the FWSM accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the FWSM to prevent fragmented packets from traversing the FWSM by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
If a large percentage of the network traffic through the FWSM is NFS, additional tuning might be necessary to avoid database overflow.
In an environment where the MTU size is small between the NFS server and client, such as a WAN interface, the chain keyword might require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.
Examples
The following example shows how to prevent fragmented packets on the outside and inside interfaces:
hostname(config)# fragment chain 1 outsidehostname(config)# fragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
The following example shows how to configure the fragment database on the outside interface to a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:
hostname(config)# fragment size 2000 outsidehostname(config)# fragment chain 45 outsidehostname(config)# fragment timeout 10 outsideRelated Commands
fsck
To perform a file system check and to repair corruptions, use the fsck command in privileged EXEC mode.
fsck [/no confirm]{disk0: | disk1: | flash:}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The fsck command checks and attempts to repair corrupt file systems. Try using this command before resorting to more permanent procedures.
The /noconfirm keyword automatically repairs corruptions without seeking your confirmation first.
Examples
This example shows how to check the file system of the Flash memory:
hostname# fsck flash:Related Commands
ftp mode passive
To set the FTP mode to passive, use the ftp mode passive command in global configuration mode. To reset the FTP client to active mode, use the no form of this command.
ftp mode passive
no ftp mode passive
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The ftp mode passive command sets the FTP mode to passive.The FWSM can use FTP to upload or download image files or configuration files to or from an FTP server. The ftp mode passive command controls how the FTP client on the FWSM interacts with the FTP server.
In passive FTP, the client initiates both the control connection and the data connection. Passive mode refers to the server state, in that the server is passively accepting both the control connection and the data connection, which are initiated by the client.
In passive mode, both destination and source ports are ephemeral ports (greater than 1023). The mode is set by the client, as the client issues the passive command to initiate the setup of the passive data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.
Examples
The following example sets the FTP mode to passive:
hostname(config)# ftp mode passiveRelated Commands
ftp-map
To identify a specific map for defining the parameters for strict FTP inspection, use the ftp-map command in global configuration mode. To remove the map, use the no form of this command.
ftp-map map_name
no ftp-map map_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the ftp-map command to identify a specific map to use for defining the parameters for strict FTP inspection. When you enter this command, the system enters the FTP map configuration mode, which lets you enter the different commands used for defining the specific map. Use the request-command deny command to prevent the FTP client from sending specific commands to the FTP server.
After defining the FTP map, use the inspect ftp strict command to enable the map. Then use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify FTP traffic, define an FTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# request-command deny put stou appehostname(config-ftp-map)# policy-map inbound_policyhostname(config-pmap)# class ftp-porthostname(config-pmap-c)# inspect ftp strict inbound_ftphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideRelated Commands
