interface
Set network interface speed and duplex.
interface hardware_id [hardware_speed] [shutdown]
clear interface
Syntax
hardware_id Set the interface type. Possible values are
- ethernetn
- gb-ethernetn
- fddi0
- fddi1
- token-ringn
hardware_speed Network interface speed. Optional. Do not specify for FDDI interfaces.
Type (Mbps): Description
- 10baset (10): Ethernet half-duplex
- 10full (10): Ethernet full-duplex
- 100basetx (100): Ethernet half-duplex
- 100full (100): Ethernet full-duplex
- 1000sxfull (1000): Gigabit Ethernet full-duplex
- 1000basesx (1000): Gigabit Ethernet half-duplex
- 1000auto (1000): Gigabit Ethernet. Auto-negotiate full or half duplex. Deprecated.
- auto (Auto): Set speed automatically. Only used with Intel 10/100 automatic speed sensing network interface cards. Deprecated.
- aui (10): Ethernet half-duplex with an AUI cable interface.
- bnc (10): Ethernet half-duplex with a BNC cable interface.
- 4mbps (4): token-ring
- 16mbps (16): token-ring
Usage
Set the speed and duplex settings of network interface boards. Configuration mode.
Use show interface to view settings.
Use clear interface to clear all statistics except for the number of input bytes. The statistics cleared include the unicast rpf drops. This command does not shut down interfaces.
The shutdown option allows you to disable an interface. When you first install the firewall, all interfaces are shut down by default. You must explicitly enable an interface by entering the command without the shutdown option. If the shutdown option does not exist in the command, packets are passed by the driver to and from the card.
If the shutdown option does exist, packets are dropped in either direction. When you insert a new card, its default interface command contains the shutdown option. (That is, if you add a new card and then enter the write memory command, the shutdown option is saved into Flash memory for the interface.) When upgrading from a previous version to the current version, interfaces are enabled.
The configuration of the interface affects buffer allocation (the firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.
On the firewall, set the Stateful Failover dedicated interface to 100 Mbps full duplex using the 100full option to the interface command.
The show interface command reports "line protocol down" for BNC cable connections and for 3Com cards.
Even though the default is automatic speed sensing, set with the interface hardware_id auto command, we recommend that you specify the speed of the network interfaces; for example, 10baset or 100basetx. This lets the firewall operate in network environments that may include switches or other devices that do not handle auto sensing correctly.
Usage
- When you use the interface token-ring command, also use the mtu command to set the block size depending on the interface speed.
- After changing an interface command, use the clear xlate command.
show interface
View network interface information. This is one of the first commands you should use when establishing network connectivity after installing a firewall.
    show interface
    interface ethernet0 "outside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 00aa.0000.003b
      IP address 209.165.201.7, subnet mask 255.255.255.224
      MTU 1500 bytes, BW 100000 Kbit half duplex
            1184342 packets input, 1222298001 bytes, 0 no buffer
            Received 26 broadcasts, 27 runts, 0 giants
            4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
            1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
            0 output errors, 28075 collisions, 0 interface resets
            0 babbles, 0 late collisions, 117573 deferred
            0 lost carrier, 0 no carrier
            input queue (curr/max blocks): hardware (128/128) software (0/1)
            output queue (curr/max blocks): hardware (0/2) software (0/1)
- Interface status: Includes name and type of interface (Ethernet, fddi or token-ring)
- line protocol is up: Working cable is plugged into the network interface. If the cable is incorrect or not plugged into the interface connector, a "line protocol down" is displayed.
- Hardware: Number of blocks present on the input hardware queue, and the maximum number of blocks previously present on that queue.
- address: MAC address. Intel cards start with "i" and 3Com cards with "3c."
- MTU: Maximum Transmission Unit. Largest physical packet size, measured in bytes, that a network can transmit.
- nn packets input: Indicates that packets are being received in the firewall.
- nn packets output: Indicates that packets are being sent from the firewall.
- Line duplex status: Half duplex indicates that the network interface switches back and forth between sending and receiving information. Full duplex indicates that the network interface can send or receive information simultaneously.
- Line speed: 10baset is listed as 10,000 Kbit; 100basetx is listed as 100,000 Kbit.
- runts: Packets with less information than expected.
- giants: Packets with more information than expected.
- input errors: Input errors
- CRC: Cyclic redundancy check. Packets that contain corrupted data.
- frame: Frame errors
- overrun: Occur when the network interface card is overwhelmed and cannot buffer received information before more needs to be sent.
- ignored: Provided for future use. Not checked. The firewall does not ignore frames.
- abort: Provided for future use. Not checked. The firewall does not abort frames.
- underruns: Occur when the firewall is overwhelmed and cannot get data fast enough to the network interface card.
- no buffer: The firewall is out of memory or slowed down due to heavy traffic and cannot keep up with the received data.
- output errors: (maximum collisions). The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
- collisions: (single and multiple collisions). The number of messages retransmitted due to an Ethernet collision. This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.
- interface resets: The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the firewall resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.
- babbles: Unused. ("babble" means that the transmitter has been on the interface longer than the time taken to transmit the largest frame.)
- late collisions: The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the firewall is partly finished sending the packet. The firewall does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in the network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
- deferred: The number of frames that were deferred before transmission due to activity on the link.
- lost carrier: The number of times the carrier signal was lost during transmission.
- no carrier: Unused.
- input queue: The input (receive) hardware and software queue.
- (curr/max blocks): software: Number of blocks present on the input software queue, and the maximum number of blocks previously present on that queue.
- (curr/max blocks): hardware: Number of blocks present on the output hardware queue, and the maximum number of blocks previously present on that queue.
- unicast rpf drops: When packets sent to a single network destination using reverse path forwarding are dropped.
- Interrupt vector: It is acceptable for interface cards to have the same interrupts because the firewall uses interrupts to get Token Ring information, but polls Ethernet cards.
Status counters are only valid for Ethernet interfaces.
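The counters described above lend themselves to an automated health check on collected show interface output. The following Python code is an added example, not part of the original command reference; the sample output is constructed in the show interface format, and the names SAMPLE, CHECKS, parse and findings are hypothetical.

```python
import re

# Constructed sample in the show interface format (values are made up).
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 28075 collisions, 3 interface resets
        0 babbles, 2 late collisions, 117573 deferred
interface ethernet1 "inside" is up, line protocol is down
  MTU 1500 bytes, BW 100000 Kbit full duplex
"""

# Counters worth alerting on, with reasons taken from the field descriptions.
CHECKS = {
    "late collisions": "collision outside the normal collision window",
    "no buffer": "firewall out of memory or slowed by heavy traffic",
    "overrun": "NIC overwhelmed, could not buffer received data",
    "underruns": "firewall could not get data to the NIC fast enough",
    "CRC": "packets containing corrupted data",
    "interface resets": "interface reset (stalled, looped back or shut down)",
}
HEADER = re.compile(r'^interface (\S+) "([^"]*)" is [^,]+, line protocol is (\w+)')
COUNTER = re.compile(r"\b(\d+) (" + "|".join(CHECKS) + r")\b")
DUPLEX = re.compile(r"\b(half|full) duplex")

def parse(text):
    """Return {hardware_id: {name, line_protocol, duplex, <counter>: int}}."""
    out, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = out[m.group(1)] = {"name": m.group(2), "line_protocol": m.group(3)}
        elif cur is not None:  # ignore anything before the first interface header
            d = DUPLEX.search(line)
            if d:
                cur["duplex"] = d.group(1)
            cur.update((key, int(val)) for val, key in COUNTER.findall(line))
    return out

def findings(text):
    """List (hardware_id, message) for down links and non-zero problem counters."""
    result = []
    for hw, info in parse(text).items():
        if info["line_protocol"] != "up":
            result.append((hw, "line protocol down"))
        result += [(hw, f"{k}={info[k]}: {w}") for k, w in CHECKS.items() if info.get(k, 0) > 0]
    return result
```

Because clear interface resets most of these counters, compare readings taken after the same clear when tracking growth over time.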
Gigabit Ethernet
Gigabit Ethernet cards do not display show interface status counters.
The clear interface command works with all interface types except Gigabit Ethernet.
For Fast Ethernet and Gigabit Ethernet interfaces, the current and maximum count for the number of blocks on the input (receive) queue will always be the same. Currently the count is 128 for Fast Ethernet and 63 for Gigabit Ethernet. The number of blocks on the receive queue is always fixed.
Examples
The following example assigns names to each interface, enables auto detection for the interface parameters, and then shows interface activity:
    show interface
    interface ethernet0 "outside" is up, line protocol is up
      Hardware is i82557 ethernet, irq 10, address is 0060.7380.2f16
      IP address 209.165.201.1, subnet mask 255.255.255.224
      MTU 1500 bytes, BW 100000 Kbit half duplex
            0 packets input, 0 bytes, 0 no buffer
            Received 0 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            1 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops
            0 output errors, 28075 collisions, 0 interface resets
            0 babbles, 0 late collisions, 117573 deferred
            0 lost carrier, 0 no carrier
    interface token-ring0 "inside" is up, line protocol is up
      Hardware is o3137 token-ring, irq 9, address is 0000.8326.72c6
      IP address 10.0.0.1, subnet mask 255.0.0.0
      MTU 8192 bytes, BW 16000 Kbit, Ring-speed: 16Mbps
            116 packets input, 27099 bytes, 0 no buffer
            Received 116 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 116 frame, 0 overrun, 0 ignored, 0 abort
            3 packets output, 150 bytes, 0 underruns, 0 unicast rpf drops
            0 output errors, 28075 collisions, 0 interface resets
            0 babbles, 0 late collisions, 117573 deferred
            0 lost carrier, 0 no carrier
    interface ethernet1 "DMZ" is up, line protocol is up
      Hardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282
      IP address 127.0.0.1, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 10000 Kbit half duplex
            0 packets input, 0 bytes, 0 no buffer
            Received 0 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops
            0 output errors, 28075 collisions, 0 interface resets
            0 babbles, 0 late collisions, 117573 deferred
            0 lost carrier, 0 no carrier

    cbos#show interface
              IP Address       Mask
    eth0      10.0.0.1         255.255.255.0
    vip0      0.0.0.0          255.255.255.0
    vip1      0.0.0.0          255.255.255.0
    vip2      0.0.0.0          255.255.255.0
    wan0      Physical Port: Trained
              Dest IP Address  Mask
    wan0-0    209.98.0.21      255.255.255.255