IPv6 Zone-Based Firewall Support over VASI Interfaces
This feature supports VRF-Aware Service Infrastructure (VASI) interfaces over IPv6 firewalls. This feature allows you to apply services such as access control lists (ACLs), Network Address Translation (NAT), policing, and zone-based firewalls to traffic that flows across two different virtual routing and forwarding (VRF) instances. VASI interfaces support the redundancy of Route Processors (RPs) and Forwarding Processors (FPs). VASI interfaces support IPv4 and IPv6 unicast traffic.
This module provides information about VASI interfaces and describes how to configure VASI interfaces.
- Finding Feature Information
- Restrictions for IPv6 Zone-Based Firewall Support over VASI Interfaces
- Information About IPv6 Zone-Based Firewall Support over VASI Interfaces
- How to Configure IPv6 Zone-Based Firewall Support over VASI Interfaces
- Configuration Examples for IPv6 Zone-Based Firewall Support over VASI Interfaces
- Additional References for Firewall Stateful Interchassis Redundancy
- Feature Information for IPv6 Zone-Based Firewall Support over VASI Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for IPv6 Zone-Based Firewall Support over VASI Interfaces
Multiprotocol Label Switching (MPLS) traffic over VRF-Aware Software Infrastructure (VASI) interfaces is not supported.
IPv4 and IPv6 multicast traffic is not supported.
VASI interfaces do not support the attachment of queue-based features. The following commands are not supported on modular QoS CLI (MQC) policies that are attached to VASI interfaces:
Information About IPv6 Zone-Based Firewall Support over VASI Interfaces
VASI Overview
VRF-Aware Software Infrastructure (VASI) provides the ability to apply services such as a firewall, IPsec, and Network Address Translation (NAT) to traffic that flows across different virtual routing and forwarding (VRF) instances. VASI is implemented by using virtual interface pairs, where each of the interfaces in the pair is associated with a different VRF instance. The VASI virtual interface is the next-hop interface for any packet that needs to be switched between these two VRF instances. VASI interfaces provide the framework to configure a firewall or NAT between VRF instances.
Each interface pair is associated with two different VRF instances. The pairing is done automatically based on the two interface indexes such that the vasileft interface is automatically paired to the vasiright interface. For example, in the figure below, vasileft1 and vasiright1 are automatically paired, and a packet entering vasileft1 is internally handed over to vasiright1.
On VASI interfaces, you can configure either static routing or dynamic routing with Internal Border Gateway Protocol (IBGP), Enhanced Interior Gateway Routing Protocol (EIGRP), or Open Shortest Path First (OSPF). IBGP dynamic-routing protocol restrictions and configurations are valid for IBGP routing configurations between VASI interfaces.
The following figure shows an inter-VRF VASI configuration on the same device.
1. A packet enters the physical interface that belongs to VRF 1 (Gigabit Ethernet 0/2/0.3).
2. Before the packet is forwarded, a forwarding lookup is done in the VRF 1 routing table. Vasileft1 is chosen as the next hop, and the packet's Time to Live (TTL) value is decremented. Usually, the forwarding address is selected on the basis of the default route in the VRF, but it can also come from a static route or a learned route. The packet is sent to the egress path of vasileft1 and then automatically sent to the vasiright1 ingress path.
3. When the packet enters vasiright1, a forwarding lookup is done in the VRF 2 routing table, and the TTL is decremented again (the second time for this packet).
4. VRF 2 forwards the packet to the physical interface, Gigabit Ethernet 0/3/0.5.
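The packet walk above can be modelled to see its two practical consequences: a single device charges two hops (one lookup per VRF), and the zone-based firewall is enforced at the VASI member interface, not at the physical interface in the other VRF. The following Python model is an added example and not Cisco code; it assumes the topology of the figure (Gi0/2/0.3 and vasileft1 in VRF 1, vasiright1 and Gi0/3/0.5 in VRF 2), constructed 2001:db8: prefixes and addresses, and a deliberately simplified zone-pair behaviour: traffic between two interfaces that are in no zone passes, traffic between a zone member and a non-member is dropped, intra-zone traffic passes, and across a zone pair only the inspected protocols and the return traffic of their sessions pass. It goes beyond the text by also walking the reply packet and an unsolicited flow through the pair.

```python
"""Model of one device's inter-VRF VASI forwarding path (added example, not
Cisco code): per-VRF IPv6 tables, vasileft/vasiright hand-off, a hop-limit
decrement per lookup, and a simplified stateful zone-pair check."""
import ipaddress
from dataclasses import dataclass, field

# Constructed topology mirroring the figure: VRF 1 owns Gi0/2/0.3 and
# vasileft1, VRF 2 owns vasiright1 and Gi0/3/0.5. Names are assumptions.
INTERFACE_VRF = {"Gi0/2/0.3": "VRF1", "vasileft1": "VRF1",
                 "vasiright1": "VRF2", "Gi0/3/0.5": "VRF2"}
INTERFACE_ZONE = {"Gi0/2/0.3": "in", "vasileft1": "out"}  # zone membership
ZONE_PAIRS = {("in", "out"): {"icmp", "tcp", "udp"}}    # inspected protocols
ROUTES = {  # per-VRF static routes: (prefix, egress interface)
    "VRF1": [("::/0", "vasileft1"), ("2001:db8:2::/64", "Gi0/2/0.3")],
    "VRF2": [("2001:db8:3::/64", "Gi0/3/0.5"), ("2001:db8:2::/64", "vasiright1")],
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    hop_limit: int = 64            # IPv6 hop limit (the TTL in the text above)
    path: list = field(default_factory=list)


def lookup(vrf, dst):
    """Longest-prefix match in one VRF's table; egress interface or None."""
    addr, best = ipaddress.IPv6Address(dst), None
    for prefix, iface in ROUTES[vrf]:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def vasi_peer(iface):
    """vasileftN egress is handed to vasirightN ingress, and vice versa."""
    for side, other in (("vasileft", "vasiright"), ("vasiright", "vasileft")):
        if iface.startswith(side):
            return other + iface[len(side):]
    return None


def zone_verdict(ingress, egress, pkt, sessions):
    """Simplified zone-based firewall decision for one forwarding step."""
    zin, zout = INTERFACE_ZONE.get(ingress), INTERFACE_ZONE.get(egress)
    if zin is None and zout is None:
        return "pass"          # neither interface is a zone member: no firewall
    if zin is None or zout is None:
        return "drop"          # zone member to non-member is dropped
    if zin == zout:
        return "pass"          # intra-zone traffic passes
    if (pkt.dst, pkt.src, pkt.proto) in sessions:
        return "pass"          # return traffic of an inspected session
    if pkt.proto in ZONE_PAIRS.get((zin, zout), set()):
        sessions.add((pkt.src, pkt.dst, pkt.proto))   # stateful entry created
        return "inspect"
    return "drop"              # no zone pair, or class-default: dropped


def forward(pkt, ingress, sessions):
    """Walk the packet through the device; returns the final verdict."""
    pkt.path = [ingress]
    while True:
        vrf = INTERFACE_VRF[ingress]
        egress = lookup(vrf, pkt.dst)
        if egress is None:
            return f"drop: no route in {vrf}"
        pkt.hop_limit -= 1                        # one decrement per lookup
        if pkt.hop_limit <= 0:
            return f"drop: hop limit exceeded in {vrf}"
        if zone_verdict(ingress, egress, pkt, sessions) == "drop":
            return f"drop: zone policy {ingress}->{egress}"
        pkt.path.append(egress)
        peer = vasi_peer(egress)
        if peer is None:
            return "forwarded"
        pkt.path.append(peer)                     # internal hand-off to the peer
        ingress = peer                            # second lookup in the other VRF


def demo():
    """Run the flows a practitioner would test; returns {name: (verdict, hop_limit, path)}."""
    sessions, out = set(), {}
    cases = [  # (name, src, dst, proto, hop_limit, ingress interface)
        ("tcp", "2001:db8:2::10", "2001:db8:3::20", "tcp", 64, "Gi0/2/0.3"),
        ("reply", "2001:db8:3::20", "2001:db8:2::10", "tcp", 64, "Gi0/3/0.5"),
        ("unsolicited", "2001:db8:3::30", "2001:db8:2::10", "udp", 64, "Gi0/3/0.5"),
        ("gre", "2001:db8:2::10", "2001:db8:3::20", "gre", 64, "Gi0/2/0.3"),
        ("hop2", "2001:db8:2::10", "2001:db8:3::20", "icmp", 2, "Gi0/2/0.3"),
    ]
    for name, src, dst, proto, hl, ingress in cases:
        pkt = Packet(src, dst, proto, hl)
        out[name] = (forward(pkt, ingress, sessions), pkt.hop_limit, pkt.path)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Running the model shows the TCP flow leaving with its hop limit reduced by two, its reply passing on the session the inspect created, the unsolicited UDP flow from VRF 2 dropped at vasileft1 because no out-to-in zone pair exists, GRE dropped by class-default, and a packet that arrives with hop limit 2 discarded at the second lookup.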
The following figure shows how VASI works in a Multiprotocol Label Switching (MPLS) VPN configuration.
Note: In the following figure, MPLS is enabled on the Gigabit Ethernet interface, but MPLS traffic is not supported across VASI pairs.
1. A packet arrives on the MPLS interface with a VPN label.
2. The VPN label is stripped from the packet, a forwarding lookup is done within VRF 2, and the packet is forwarded to vasiright1. The packet's TTL value is decremented.
3. The packet enters vasileft1 on the ingress path, and another forwarding lookup is done in VRF 1. The packet is sent to the egress physical interface in VRF 1 (Gigabit Ethernet 0/2/0.3), and the TTL is decremented again.
How to Configure IPv6 Zone-Based Firewall Support over VASI Interfaces
Configuring VRFs and Address Family Sessions
1. enable
2. configure terminal
3. vrf definition vrf-name
4. address-family ipv6
5. exit-address-family
6. end
DETAILED STEPS
Configuring Class Maps and Policy Maps for VASI Support
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. class-map type inspect match-any class-map-name
5. match protocol name
6. match protocol name
7. exit
8. policy-map type inspect policy-map-name
9. class type inspect class-map-name
10. inspect
11. exit
12. class class-default
13. end
DETAILED STEPS
Configuring Zones and Zone Pairs for VASI Support
1. enable
2. configure terminal
3. zone security zone-name
4. exit
5. zone-pair security zone-pair-name source source-zone destination destination-zone
6. service-policy type inspect policy-map-name
7. exit
8. interface type number
9. vrf forwarding vrf-name
10. no ip address
11. zone member security zone-name
12. ipv6 address ipv6-address/prefix-length
13. ipv6 enable
14. negotiation auto
15. exit
16. interface type number
17. no ip address
18. ipv6 address ipv6-address/prefix-length
19. ipv6 enable
20. negotiation auto
21. end
DETAILED STEPS
Configuring VASI Interfaces
1. enable
2. configure terminal
3. interface type number
4. vrf forwarding vrf-name
5. ipv6 address ipv6-address/prefix-length link-local
6. ipv6 address ipv6-address/prefix-length
7. ipv6 enable
8. no keepalive
9. zone member security zone-name
10. exit
11. interface type number
12. ipv6 address ipv6-address/prefix-length link-local
13. ipv6 address ipv6-address/prefix-length
14. ipv6 enable
15. no keepalive
16. exit
17. ipv6 route ipv6-prefix/prefix-length interface-type interface-number ipv6-address
18. ipv6 route vrf vrf-name ipv6-prefix/prefix-length interface-type interface-number ipv6-address
19. end
DETAILED STEPS
Configuration Examples for IPv6 Zone-Based Firewall Support over VASI Interfaces
Example: Configuring VRFs and Address Family Sessions
Device# configure terminal
Device(config)# vrf definition VRF1
Device(config-vrf)# address-family ipv6
Device(config-vrf-af)# exit-address-family
Device(config-vrf)# end
Example: Configuring Class Maps and Policy Maps for VASI Support
Device# configure terminal
Device(config)# ipv6 unicast-routing
Device(config)# class-map type inspect match-any c-map
Device(config-cmap)# match protocol icmp
Device(config-cmap)# match protocol tcp
Device(config-cmap)# match protocol udp
Device(config-cmap)# exit
Device(config)# policy-map type inspect p-map
Device(config-pmap)# class type inspect c-map
Device(config-pmap-c)# inspect
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# end
Example: Configuring Zones and Zone Pairs for VASI Support
Device# configure terminal
Device(config)# zone security in
Device(config-sec-zone)# exit
Device(config)# zone security out
Device(config-sec-zone)# exit
Device(config)# zone-pair security in-out source in destination out
Device(config-sec-zone-pair)# service-policy type inspect p-map
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# vrf forwarding VRF1
Device(config-if)# no ip address
Device(config-if)# zone member security in
Device(config-if)# ipv6 address 2001:DB8:2:1234::/64
Device(config-if)# ipv6 enable
Device(config-if)# negotiation auto
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# no ip address
Device(config-if)# ipv6 address 2001:DB8:3:1234::/64
Device(config-if)# ipv6 enable
Device(config-if)# negotiation auto
Device(config-if)# end
Example: Configuring VASI Interfaces
Device# configure terminal
Device(config)# interface vasileft 1
Device(config-if)# vrf forwarding VRF1
Device(config-if)# ipv6 address FE80::8EB6:4FFF:FE6C:E701 link-local
Device(config-if)# ipv6 address 2001:DB8:4:1234::/64
Device(config-if)# ipv6 enable
Device(config-if)# no keepalive
Device(config-if)# zone member security out
Device(config-if)# exit
Device(config)# interface vasiright 1
Device(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
Device(config-if)# ipv6 address 2001:DB8:4:1234::/64
Device(config-if)# ipv6 enable
Device(config-if)# no keepalive
Device(config-if)# exit
Device(config)# ipv6 route 2001::/64 vasileft 1 2001::/64
Device(config)# ipv6 route vrf VRF1 2001::/64 vasiright 1 2001::/64
Device(config)# end
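The four procedures above build a chain of references: the zone pair names two zones and a policy map, the policy map names a class map, and each interface names a VRF and a zone. A typo in any name (including a VRF name in the wrong case, since IOS names are case sensitive) silently breaks the chain. The following Python checker is an added example, not Cisco code or a Cisco tool; it reads running-config style text (indented blocks, no exit lines), recognises only the command forms used in this module, and checks that every referenced object is defined, that each vasileft has its vasiright, and that the two sides of a pair are not in the same VRF (the overview states each side of a pair belongs to a different VRF instance). The embedded configuration is a constructed sample assembled from this module's examples.

```python
"""Added example (not Cisco code): a reference check over the zone-based
firewall and VASI configuration built in the procedures above. It parses
running-config style IOS XE lines and reports class maps, policy maps, zones
and VRFs that are referenced but never defined, VASI interfaces without a
peer, and VASI pairs whose two sides sit in the same VRF."""
import re

# Constructed sample in running-config form, mirroring this module's examples
# (vasiright1 is in the global table, so it has no 'vrf forwarding' line).
SAMPLE_CONFIG = """\
vrf definition VRF1
 address-family ipv6
 exit-address-family
ipv6 unicast-routing
class-map type inspect match-any c-map
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect p-map
 class type inspect c-map
  inspect
 class class-default
zone security in
zone security out
zone-pair security in-out source in destination out
 service-policy type inspect p-map
interface GigabitEthernet0/0/0
 vrf forwarding VRF1
 zone member security in
 ipv6 address 2001:DB8:2:1234::/64
interface vasileft1
 vrf forwarding VRF1
 zone member security out
 ipv6 address 2001:DB8:4:1234::/64
interface vasiright1
 ipv6 address 2001:DB8:4:1234::/64
"""

# Top-level lines that define an object: (kind, regex capturing the name)
DEFINITIONS = [
    ("vrf", r"vrf definition (\S+)"),
    ("class-map", r"class-map type inspect \S+ (\S+)"),
    ("policy-map", r"policy-map type inspect (\S+)"),
    ("zone", r"zone security (\S+)"),
]


def parse(config):
    """Return (definitions, references, interfaces) found in the config text."""
    defs = {kind: set() for kind, _ in DEFINITIONS}
    refs = []                         # (kind, name, referenced-by)
    interfaces = {}                   # interface -> {"vrf": ..., "zone": ...}
    ctx = None                        # name of the enclosing block, if any
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pattern in DEFINITIONS:
            if m := re.fullmatch(pattern, line):
                defs[kind].add(m[1])
                ctx = m[1]
                break
        else:
            if m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                refs += [("zone", m[2], m[1]), ("zone", m[3], m[1])]
                ctx = m[1]
            elif m := re.fullmatch(r"interface (\S+)", line):
                interfaces[m[1]] = {"vrf": None, "zone": None}
                ctx = m[1]
            elif m := re.fullmatch(r"class type inspect (\S+)", line):
                refs.append(("class-map", m[1], ctx))
            elif m := re.fullmatch(r"service-policy type inspect (\S+)", line):
                refs.append(("policy-map", m[1], ctx))
            elif m := re.fullmatch(r"vrf forwarding (\S+)", line):
                refs.append(("vrf", m[1], ctx))
                if ctx in interfaces:
                    interfaces[ctx]["vrf"] = m[1]
            elif m := re.fullmatch(r"zone member security (\S+)", line):
                refs.append(("zone", m[1], ctx))
                if ctx in interfaces:
                    interfaces[ctx]["zone"] = m[1]
    return defs, refs, interfaces


def check(config):
    """Return a list of problem strings; an empty list means the references are consistent."""
    defs, refs, interfaces = parse(config)
    problems = [f"{kind} '{name}' used by {where} is not defined"
                for kind, name, where in refs if name not in defs[kind]]
    for name, attrs in interfaces.items():
        if not name.startswith("vasileft"):
            continue
        peer = "vasiright" + name[len("vasileft"):]
        if peer not in interfaces:
            problems.append(f"{name} has no {peer}")
        elif attrs["vrf"] == interfaces[peer]["vrf"]:
            problems.append(f"{name} and {peer} are in the same VRF ({attrs['vrf']})")
    return problems


if __name__ == "__main__":
    print(check(SAMPLE_CONFIG) or "no problems")
    # The same configuration with the VRF name in the wrong case on one interface.
    print(check(SAMPLE_CONFIG.replace("vrf forwarding VRF1\n zone member security in",
                                      "vrf forwarding vrf1\n zone member security in")))
```

Feeding the checker the output of show running-config (or the relevant sections of it) is enough for the forms used here; nested class maps, Layer 7 class maps, and other policy-map constructs are outside what this example parses.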
Additional References for Firewall Stateful Interchassis Redundancy
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for IPv6 Zone-Based Firewall Support over VASI Interfaces
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
IPv6 Zone-Based Firewall Support over VASI Interfaces | Cisco IOS XE Release 3.7S | This feature supports VASI interfaces over IPv6 firewalls. This feature allows you to apply services such as access control lists (ACLs), Network Address Translation (NAT), policing, and zone-based firewalls to traffic that flows across two different virtual routing and forwarding (VRF) instances. VASI interfaces support the redundancy of Route Processors (RPs) and Forwarding Processors (FPs). VASI interfaces support IPv4 and IPv6 unicast traffic. No commands were introduced or modified for this feature.