Cisco Catalyst 6500 Series Configuration Manual page 31

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Chapter 1
Introduction to the Firewall Services Module
Stateful Inspection Feature
All traffic that goes through the firewall is inspected using the Adaptive Security Algorithm (ASA) and is either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence numbers or flags are correct. A packet filter also checks every packet against the whole filter, which can be a slow process.
A stateful firewall like the FWSM, however, takes into consideration the state of a packet:

- Is this a new connection?

  If it is a new connection, the firewall has to check the packet against ACLs and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."

  The session management path is responsible for the following tasks:

  - Performing the ACL checks
  - Performing route lookups
  - Allocating NAT translations (xlates)
  - Establishing sessions in the "fast path"

  Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

  The FWSM performs session management path and fast path processing on three specialized networking processors (NPs). The control plane path processing is performed in a general-purpose processor that also handles traffic directed to the FWSM and configuration and management tasks.
- Is this an established connection?

  If the connection is already established, the firewall does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:

  - IP checksum verification
  - Session lookup
  - TCP sequence number check
  - NAT translations based on existing sessions
  - Layer 3 and Layer 4 header adjustments

  The following types of traffic go through the fast path:

  - Established TCP or UDP connections

    For UDP, which does not have sessions, the FWSM creates UDP connection state information so that it can also use the fast path.

  - ICMP control packets
  - Data packets for protocols that require Layer 7 inspection
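To make the two-path decision concrete, the following is an added Python model of the stateful inspection described above; it is not code from the Cisco guide or from the FWSM itself. A new flow is checked against the ACL on the session management path and, if permitted, gets a session entry (for UDP too); every later packet is matched by session lookup on the fast path and, for TCP, by a sequence number check, so a packet with the right addresses and ports but an out-of-window sequence number is dropped. The ACL entries, addresses and window size are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0       # TCP sequence number; unused for UDP
    syn: bool = False  # True on the first packet of a TCP connection

# Constructed ACL (assumption): inside hosts may reach the web server on 80 and DNS on 53.
ACL = [("tcp", "10.1.1.0/24", "192.0.2.10", 80), ("udp", "10.1.1.0/24", "192.0.2.53", 53)]
SEQ_WINDOW = 65535  # assumed acceptance window for the TCP sequence number check

class StatefulFirewall:
    """New flows take the session management path; established flows take the fast path."""
    def __init__(self):
        self.sessions = {}  # initiator 5-tuple -> last seen sequence number per direction

    def _acl_permits(self, p):
        return any(p.proto == proto and p.dst == dst and p.dport == dport
                   and ipaddress.ip_address(p.src) in ipaddress.ip_network(src_net)
                   for proto, src_net, dst, dport in ACL)

    def process(self, p):
        """Return (path, verdict) for one packet."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or rev in self.sessions:
            # Fast path: session lookup, then the TCP sequence number check.
            direction = "fwd" if key in self.sessions else "rev"
            sess = self.sessions[key if direction == "fwd" else rev]
            if p.proto == "tcp":
                expected = sess[direction]
                # Sequence wrap-around is ignored in this model; a real check handles it.
                if expected is not None and abs(p.seq - expected) > SEQ_WINDOW:
                    return ("fast", "drop")  # right addresses and ports, wrong sequence
                sess[direction] = p.seq + 1
            return ("fast", "permit")  # NAT and header adjustments would follow here
        # Session management path: only a SYN may open a new TCP connection.
        if p.proto == "tcp" and not p.syn:
            return ("session", "drop")
        if not self._acl_permits(p):
            return ("session", "drop")
        # ACL permitted (route lookup and xlate allocation not modelled); installing the
        # session, for UDP as well, moves later packets of this flow onto the fast path.
        self.sessions[key] = {"fwd": p.seq + 1 if p.proto == "tcp" else None, "rev": None}
        return ("session", "permit")
```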
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Features
1-5