Understanding Cisco Secure Firewall Services Module 4.x Routing and Feature Enhancements
Several significant additions to the 4.x code enhance routing and other features. Some of these additions include Enhanced Interior Gateway Routing Protocol (EIGRP) routing, route health injection, and some additional security features and application inspection enhancements.
EIGRP has been a long-awaited feature for the Firewall Services Module (FWSM). With EIGRP support, the FWSM can be integrated into an existing EIGRP network, minimizing the need to redistribute routing information into other routing protocols. This reduces the complexity of managing multiple routing processes and simplifies the network design, especially within the datacenter.
Redistribution of routes between routing protocols can be difficult because each routing protocol exercises different methods to classify routes (cost). For example, RIP uses hop-count, OSPF uses a metric (single value), and EIGRP uses bandwidth and delay by default. When routing information is exchanged, the methods used to classify them are also lost. Consequently, routing loops can easily occur if you redistribute a route into one process, change the cost, and inject the route back into the first routing process. Use caution if you find yourself in this situation.
EIGRP is supported only in single-context mode and allows only one single EIGRP routing process. Unlike Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), which cannot be enabled simultaneously, EIGRP and RIP or EIGRP and OSPF can be. Where additional security is required, when connecting to the Internet or other untrusted connections, an EIGRP process can be used on the inside and another routing process can be used on the outside.
Using Figure 25-1, the following example shows how EIGRP is configured to exchange routing information with the local network and extend the default route learned from the OSPF process exchanged on the outside interface to the local network. In the event the router on the outside stops forwarding the default route to the FWSM, the FWSM will remove the route from the local routing table, consequently removing the default route in the local network.
Figure 25-1 EIGRP and OSPF Route Redistribution
To enhance the security for the routing information exchanged on the outside, OSPF Message Digest 5 (MD5) authentication has also been configured.
Example 25-1 shows the configuration of the FWSM (only the pertinent information is shown).
Example 25-1. EIGRP Route Redistribution
interface Vlan10 nameif Inside security-level 100 ip address 10.0.0.2 255.255.255.0 ! interface Vlan11 nameif Outside security-level 0 ip address 192.168.0.2 255.255.255.0 ospf message-digest-key 1 md5 <removed> router eigrp 1 no auto-summary network 10.0.0.0 255.255.255.0 redistribute ospf 1 metric 1000 2000 255 1 1500 ! ! router ospf 1 network 192.168.0.0 255.255.255.0 area 0 area 0 authentication message-digest log-adj-changes redistribute eigrp 1 subnets summary-address 10.0.0.0 255.0.0.0
As the output from the show route command shows in Example 25-2, the FWSM has learned about the routes from the local network via EIGRP. These routes are denoted with the letter "D," and the route from the outside has been learned via OSPF denoted with the letter "O."
Example 25-2. EIGRP Redistributed Routes
FWSM# show route D 10.2.0.0 255.255.255.0 [90/26880256] via 10.0.0.1, 1:42:35, Inside D 10.3.0.0 255.255.255.0 [90/27008256] via 10.0.0.1, 1:42:35, Inside D 10.1.1.0 255.255.255.0 [90/130816] via 10.0.0.1, 1:42:35, Inside O 10.0.0.0 255.0.0.0 is a summary, 1:42:43, Null0 C 10.0.0.0 255.255.255.0 is directly connected, Inside D 10.4.0.0 255.255.255.0 [90/27008256] via 10.0.0.1, 1:42:35, Inside C 192.168.0.0 255.255.255.0 is directly connected, Outside O*E2 0.0.0.0 0.0.0.0 [110/1] via 192.168.0.1, 0:38:26, Outside
The FWSM is exchanging routing information with the Multilayer Switch Feature Card (MSFC) associated with the inside interface, as the output from the show eigrp neighbors command reveals in Example 25-3.
Example 25-3. EIGRP Neighbors
FWSM# show eigrp neighbors EIGRP-IPv4 neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.0.0.1 Vl10 12 02:59:38 1 200 0 63
The OSPF adjacency has been established with the router on the outside interface, as the output from the show ospf neighbor command reveals in Example 25-4.
Example 25-4. OSPF Neighbor
FWSM# show ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.100.1 1 FULL/BDR 0:00:33 192.168.0.1 Outside
In Example 25-5, the last two lines from the show ospf interface command also indicate that the neighbor adjacency is using MD5.
Example 25-5. OSPF Interfaces
FWSM# show ospf interface Outside is up, line protocol is up Internet Address 192.168.0.2 mask 255.255.255.0, Area 0 Process ID 1, Router ID 10.0.0.2, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.0.0.2, Interface address 192.168.0.2 Backup Designated router (ID) 192.168.100.1, Interface address 192.168.0.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 0:00:03 Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 3, maximum is 6 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.100.1 (Backup Designated Router) Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1
The challenges of complex redistribution scenarios from EIGRP to OSPF or RIP on adjacent routers are now eliminated with the capability of supporting EIGRP natively on the FWSM. Running EIGRP through the FWSM should be reserved for passing routing information internal to the network—for example, within the datacenter. This minimizes the impact of attacks targeting routing protocols.
The addition of EIGPR support makes the integration of the FWSM into networks taking advantage of the EIGRP routing protocol substantially easier, by not requiring the redistribution between routing protocols. When required, you still have the capability to redistribute routing information between routing protocols on the FWSM, but use caution that you do not cause a routing loop.