admin context on fwsm

netternewbie
Level 1

Hi Folks,

Sorry for the stupid question that will follow but I have just joined a networks team and will be working on two fwsm versions 4.0(8) in two 6500 routers. Now the fwsms seem to be virtualised with multiple contexts. The server team want a new context setup for a group of servers behind a vlan.

I presume I do this in the admin context first, something like this:

interface Vlan10
interface Vlan110
context New-Context
  allocate-interface Vlan10
  allocate-interface Vlan110
  config-url disk:/New-Context
  join-failover-group 1

Then I head into the context itself and start configuring it? However, when I am in the current admin context and do a changeto context admin, it seems to bring me to a new admin context:

admin# changeto context admin
admin/admin# sh run
admin/admin# sh running-config

This context just seems to have two Vlans and a BVI interface. Can anyone tell me the function of this context and why we have 2 admin contexts?

Also, another important question is on which 6500 do I create the new context? Is the admin context active on one 6500 just like other contexts and will it sync across, or do I have to create the new context on both 6500s?

Sorry for these questions. I am sure they are basic, but I have basically been landed on this new team and need to get a good understanding of this.

Thanks,


7 Replies

Jouni Forss
VIP Alumni

Hi,

Never seen a BVI interface on FWSM. I guess it's configured as a Transparent firewall. All of ours are in Routed mode, so I'm afraid I'm not the best person to comment on configuring the device. I will try to give some general information related to what you asked.

Admin Context

  • It seems to me that your FWSM module has just been configured with the "hostname" of "admin" and you are in the context "admin"
  • The format in the command prompt in our case is "FWSM hostname/Context Name"
    • FWSM# = System Context
      • Adding Vlans and Context and some general FWSM related settings
    • FWSM/admin# = Admin Context (only for administration of the FWSM)
      • Management settings for the FWSM and other general FWSM related settings
    • FWSM/New-Context# = Random Customer Context
      • Context specific configurations

New Vlan interfaces, New Contexts

  • To my understanding you will have to first configure on the actual C6500 which Vlans you want to take to the FWSM.
  • The existing Vlan should be visible on the C6500 side with configuration lines starting with "firewall vlan-group"
    • You can for example issue the command "show firewall vlan-group" or "show run | inc firewall"
  • After this you have to create the Vlan interfaces on the FWSM side (System Context where you can see all the different contexts and their allocated interfaces) (Been awhile since I configured the FWSM so the firewall vlan-group might already have added the interface on the FWSM side)
    • interface Vlanxxx
    • context
      • allocate-interface Vlanxxx
    • changeto context
      • configure
  • To know the maximum amount of context you can configure on the FWSM use the following commands
    • show version, for max context count on the license
    • show context count, for currently used contexts (admin context doesn't count into this)

I guess you have an Active/Standby setup of the FWSMs?

You should only need to configure the new Context on the Active unit. Trying to configure something on the Standby unit should generate a warning message on the CLI that any configurations you issue after that won't be replicated to the other unit (since you are attempting to configure the Standby unit).

Naturally, on the C6500 side you will have to configure the "same things" on both devices manually. I can't give any specific advice as I'm not 100% sure what kind of setup you have.

If you've just started with the FWSM, I suggest asking advice from co-workers mainly. Also, going through existing configurations by yourself will eventually give you insight into how things work. Personally I kind of had to learn most of the things by myself, but never really risked configuring something I didn't understand.

Hope this helps a bit. Please rate if it was helpful and ask more if needed.

- Jouni

Hi JouniForss,

Thanks for the brilliant detailed answer. I think you have hit the nail on the head with most things.

Spot on, it seems our system context is called admin, which is causing me confusion, and this is where I add contexts. Clears this up nicely.

Yes, it does seem we are in transparent/bridged mode. Not sure of the difference between transparent and routed mode?

Again you are right, I need to config the 6500 first. So vlan 10 already exists, then I create vlan 110, the fwsm vlan, then I add them as follows:

svclc vlan-group ?  101,102,103,110
firewall vlan-group ?  1,2,3,10

Yes, again you are right, then I go to the system context and create the context in here like you have shown. I found out the system context is actually live on one of the 6500s, as I tried to do a conf t on the system context of the other 6500 and got the warning CLI message.

Just wondering more on the Active/Standby setting. This seems to be what we have. We have a group 1 and a group 2, and one FWSM seems to handle group one and the other seems to handle group 2. So are our FWSMs actually Active/Active?

Or what command do I use to show this and to make sure failover is working and contexts are syncing?

Thanks.

Hi,

I suggest reading through a Cisco document about FWSM configuration called "Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI". There are probably several versions. You should also be able to find a Command Reference for the same FWSM software to get detailed information about any command and its uses.

The easiest way to get the documents is just to Google for them. You can then download them in PDF format from the Cisco site.

To be honest, I have never had to configure ASA or FWSM as bridged, so I'm not gonna say anything about that matter from either the FWSM or the C6500 side.

It would seem that you have Active/Active failover.

  • Issue the command "show run context admin" and see in which group the "admin" context is regarding the Failover
  • You could also use the command "show failover" to see which FWSM is active for the context
  • Notice that the Active device could naturally be different for the "admin" context compared to a possible "new context" if they are in different failover groups. Also, whether "preempt" has been configured under the failover-group configuration affects this

To check Failover configurations, use the following commands:

  • System context: "show failover", "show run failover"
  • Admin/New Context: "show failover"

Here's a link to the Configuration Guide and Command Reference for FWSM 4.0:

Configuration Guide: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg.html

Command Reference: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/fwsm_ref.html

Please rate the answers if you have found the information helpful.

- Jouni

Thanks JouniForss,

Yes, it seems we have active/active failover. The system context is a member of group 1, so it is active on one 6500. So I need to configure my new context on this 6500. We have preempt 300 configured under each failover group. What exactly does this mean?

admin# sh running-config failover
failover
failover lan unit primary
failover lan interface FLINK Vlan901
failover link SLINK Vlan902
failover interface ip FLINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip SLINK 192.168.2.1 255.255.255.252 standby 192.168.2.2
failover group 1
  preempt 300
failover group 2
  secondary
  preempt 300
admin#

Hi,

The "preempt" works in the same kind of way as the router HSRP preempt.

An example situation might be the following:

  • Active/Active failover pair with 2 FWSMs; let's call them FWSM1 and FWSM2
  • 2 Customer Contexts called SC1 and SC2
    • SC1 is Active on FWSM1 and belongs to Failover Group 1
    • SC2 is Active on FWSM2 and belongs to Failover Group 2
  • FWSM1 fails because of a power outage in the local datacenter
  • SC1 context becomes Active on FWSM2 because of the Failover happening
  • FWSM1 recovers from the power outage and the Failover comes up between the 2 FWSMs
  • After the configured 300 seconds, SC1 will again become Active on its original hardware, which is FWSM1

In other words, "preempt" (and the related timer) defines that the Context will return as Active to the original FWSM device after it has been up for the configured timer value. (Unless I am mistaken)

- Jouni

Thanks Again JouniForss,

Last questions, I promise. When I do a write mem on the system context or any context, I take it I just need to do it on the router that's active and not hop over and do it on the standby 6500 as well? I presume it syncs across and saves.

Also, I am confused about this BVI line:

interface BVI10
ip address 192.168.0.251 255.255.255.0 standby 192.168.0.250

This line also exists on the standby context. I am confused as to where IP address 192.168.0.250 actually lives, if you get me?

I thought the standby router would be like this:

interface BVI10
ip address 192.168.0.250 255.255.255.0 standby 192.168.0.251

Similar in design to HSRP.

Hi,

Provided the Failover is working and up, you only need to issue "write mem" on the Active unit/context.

I think there is also a command called "write standby" which copies the whole configuration to the standby unit. The command "write mem" saves the changes you have made to both units and usually should be enough.

Notice the following things while saving configurations:

  • When you create new contexts and new Vlans on the FWSM side, remember to issue "write mem" in the System Context (FWSM#).
  • When you only make changes inside a Context, save the configuration in the context (FWSM/New-Context#)

If you, for example, just make a new Context with a new Vlan interface and only save the configuration under the Context, and the FWSM happens to reboot, the System Context configuration will be missing from the FWSM. (In other words, the Context won't be there when the FWSM has booted and would have to be configured again, even though you might have saved its configuration under the actual New-Context.)

In a Failover pair the units have identical configurations. Usually the only difference between the units can be found in the "failover" configuration line which defines the primary/secondary unit.

The IP address configuration simply means that the first IP address belongs to the Active unit and the standby IP address to the Standby unit.

Take this situation for example

  • Cisco ASA failover pair in Active/Standby mode
    • ASA1 and ASA2
    • ASA1 is default Primary hardware and ASA2 is default Secondary hardware
  • Interface "outside" configured with the following "ip address" command
    • ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
  • While ASA1 is Active it will use the IP address 1.1.1.1
  • While ASA2 is Standby it will use the IP address 1.1.1.2
  • If the ASA2 were to become Active it would take over the IP address 1.1.1.1
    • When ASA1 would recover to normal operation and would be Standby it would then have the IP address 1.1.1.2
  • So to sum it up, the firewall's state (Active or Standby?) defines which IP address it's using in the configuration line "ip address x.x.x.x y.y.y.y standby z.z.z.z"

Don't worry about asking more questions. Will try to answer them if I can.

- Jouni
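To make the preempt walkthrough and the "ip address ... standby" explanation in Jouni's replies concrete, here is an added Python model of an Active/Active pair; it is not FWSM code and not from this thread. It parses the failover-group section of the configuration quoted earlier, fails and recovers a unit, and applies the preempt timer as described above; "primary" plays FWSM1 and "secondary" plays FWSM2, and the assumption is that the 300-second delay counts from the moment the failed unit returns.

```python
FAILOVER_CONFIG = """\
failover group 1
  preempt 300
failover group 2
  secondary
  preempt 300
"""  # constructed sample: the 'show running-config failover' output posted above

def parse_failover_groups(text):
    """Map each failover group to its home unit and preempt delay (seconds)."""
    groups, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["failover", "group"]:
            cur = int(parts[2])
            groups[cur] = {"home": "primary", "preempt": None}  # primary unless told otherwise
        elif cur is not None and parts and parts[0] in ("primary", "secondary"):
            groups[cur]["home"] = parts[0]
        elif cur is not None and parts and parts[0] == "preempt":
            groups[cur]["preempt"] = int(parts[1]) if len(parts) > 1 else 0
    return groups

class FailoverPair:
    # Two units, 'primary' and 'secondary'; each group is Active on exactly one of them.
    def __init__(self, groups):
        self.groups = groups
        self.up = {"primary": True, "secondary": True}
        self.active = {g: cfg["home"] for g, cfg in groups.items()}
        self.returned_at = {}  # unit -> time it came back up after a failure
        self.now = 0

    def fail(self, unit):
        self.up[unit] = False
        peer = "secondary" if unit == "primary" else "primary"
        for g in self.active:  # every group the failed unit held moves to the peer
            if self.active[g] == unit:
                self.active[g] = peer

    def recover(self, unit):
        self.up[unit] = True
        self.returned_at[unit] = self.now

    def advance(self, seconds):
        # A group preempts back to its home unit once the delay has run since that unit came back.
        self.now += seconds
        for g, cfg in self.groups.items():
            home = cfg["home"]
            if cfg["preempt"] is None or self.active[g] == home or not self.up[home]:
                continue
            if self.now - self.returned_at.get(home, self.now) >= cfg["preempt"]:
                self.active[g] = home

    def interface_ip(self, unit, group, addr, standby):
        # 'ip address A mask standby S': the Active unit uses A, the Standby unit uses S.
        return addr if self.active[group] == unit else standby
```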
