IOS Transparent Firewalling Simplifies Your Network

By Charlie Schluting | Sep 5, 2008 | Print this Page
http://www.enterprisenetworkingplanet.com/netsp/article.php/3769801/IOS-Transparent-Firewalling-Simplifies-Your-Network.htm

Charlie SchlutingAdding a firewall is normally a disruptive activity that involves creating multiple subnets where there may have only been one previously. With the new Transparent Firewall in IOS 12.3, you can erect new walls without redesigning anything. In this article we’ll explain the differences and limitations, and then we’ll show you how.

The concept of a transparent firewall is simple: the switch or router slips in and inspects the packet wherever you tell it to. The network interface addresses on your routers do not need to be changed, and the connecting systems do not need to be moved. With a transparent firewall you can allow some devices on the network to traverse the firewall, but deny access to others.

Often times a new firewall setup involves relocating hosts into security classifications, because you may wish to group together similar threat-levels in a more highly filtered subnet. Standard firewall setups throw trusted hosts behind their trusted interfaces, and the externally facing interface is hostile. So, when a Layer 3 firewall is installed, the entire network needs to be uprooted and reconfigured.

How it Works

Cisco’s Layer 2 (transparent) firewall acts as a transparent bridge. The firewall part comes in when it snarfs each packet through context-based access controls (CBAC) and ACLs that you’ve configured on the Layer 2 interface.

Bridged interfaces still act the same, even if firewalling is enabled. They still run STP by default, they still learn MAC addresses, and they still forward frames. One neat trick Cisco has implemented, however, is the ability to have what I’m going to call hybrid ports. A user can configure Integrated Routed Bridging (IRB), which will allow bridging on some ports, but also create an IP interface for routing, called a Bridged Virtual Interface (BVI). The switch will know if a packet is supposed to be bridged or switched based on the IP destination. Yes, this implies that a packet could be subject to both the transparent firewall rules and the Layer 3 ACLs you may have defined, that is, if the packet is destined for a non-attached subnet.

Configuring a Transparent Firewall

It’s easy: configure transparent firewalling the same as you would a normal firewall, with the ip inspect command. Once bridge interfaces and BVIs are configured, that is.

To configure BVIs, you must first configure a bridge group, which will bridge together multiple interfaces. In the following example, I’ve chosen to call the bridge group number “1.”

Router(config)# bridge 1 protocol ieee
Router(config)# interface ethernet0
Router(config-if)# bridge-group 1
Router(config-if)# interface ethernet1
Router(config-if)# bridge-group 1

Then, to configure the BVI, you must tell the device to add a router IP to bridge group 1, give it an IP address that’s visible to the bridged network, and enable it.

Router(config)# bridge irb
Router(config)# bridge 1 route ip
Router(config)# interface BVI1
Router(config-if)# ip address 10.0.0.11 255.255.255.0
Router(config-if)# no shut

At this point, you now have a bridge group. The configuration and status can be seen with the command show bridge-group. Next, we must configure some inspection rules. We’ll enable inspection for TCP on ethernet0, and then configure an ACL.

Router(config)# ip inspect name test tcp
Router(config)# interface ethernet0
Router(config-if)# ip inspect test in

Now, some sort of access-list needs to be created before we can enable it on the Layer 2 interface.

Router(config)# access-list 101 permit host 10.0.0.51 any any
Router(config)# access-list 101 deny ip any any
Router(config)# access-list 102 permit 10.0.0.0 0.0.0.255 any
Router(config)# access-list 102 permit tcp any any eq ssh
Router(config)# access-list 102 deny ip any any

We’ve created two, actually. List 101 will be applied to the external interface, and is configured to allow outside people to talk to host 10.0.0.51 (assuming the ACL is applied “in” on the interface). List 102 is configured to allow only SSH outbound from inside the 10.0.0.0/24 network.

Now we simply need to apply the ACL to the Layer 2 interfaces:

Router(config)# interface ethernet0
Router(config-if) ip access-group 102 in
Router(config)# interface ethernet1
Router(config-if) ip access-group 101 in

Also, the Cisco documents recommend that you configure DHCP pass-through, so that DHCP packets traverse the firewall even if a global deny is configured. The command is:

ip inspect L2-transparent dhcp-passthrough

Caveats

Of course, nothing works 100 percent the way you’d like it to. Here are a few important limitations to be aware of:

  • Be sure to allow ICMP, specifically TTL Exceeded messages
  • Only IP packets are inspected by the transparent firewall
  • Spanning tree BPDUs are not inspected when bridging (IRB) is configured
  • If you skip configuring BVI, you cannot route with the device at all, and you must disable ip routing for bridging to work
  • BVI is required if more than two interfaces are in a bridge group
  • If inspection is not configured on any interface in a bridge group, the IP ACL on the BVI is not active
  • Transparent firewalling only works with 802.1q VLAN trunks; it doesn’t support ISL

Finally, to troubleshoot your firewall rules, don’t forget about debug mode. Don’t enable debugging for everything — that will quickly take down a router — just enable debugging for the transparent firewall feature:

debug ip inspect L2-transparent

The show debug command should tell you that L2 firewall debugging is on:

L2 Inspection:
INSPECT L2 firewall debugging is on

Be mindful about implementing these changes during production hours, however. Often times adding Layer 2 interfaces to groups will cause interfaces to become disabled, until you’re done configuring them. Especially if you don’t intend on creating a BVI, but then add more than two interfaces to a bridge group, everything will stop working. Things will go smoothly if you read the Cisco documents thoroughly before implementing a transparent firewall for the first time, and don’t forget to review the caveats I’ve listed above.

There you have it; a simple way to firewall off portions of your network without renumbering hosts or making other routing changes.


Charlie Schluting is the author of Network Ninja, a must-read for every network engineer.