Cisco Systems 535 User Manual

Chapter 7 PIX 535
This chapter describes the installation of the PIX 535, and includes the following sections:
PIX 535 Product Overview, page 7-1
PIX 535 Feature Licenses, page 7-6
Installing Failover, page 7-8
Installing LAN-Based Failover, page 7-9
Replacing a Lithium Battery, page 7-10
Installing a Memory Upgrade, page 7-11
Installing a Circuit Board in the PIX 535, page 7-14
Installing the PIX 535 DC Model, page 7-21

PIX 535 Product Overview

Note The PIX 535 chassis cover should not be removed. The user-serviceable components are accessed by a removable tray at the back panel of each model. If you need to remove the PIX 535 chassis cover for any reason, use the related information in the “Removing and Replacing the PIX 515/515E Chassis Cover” section on page 4-13 as a guideline.
78-15170-03
Cisco PIX Security Appliance Hardware Installation Guide
7-1
Figure 7-1 shows the front view of the PIX 535.
Figure 7-1 PIX 535 Front Panel (figure: front panel labeled CISCO SECURITY PIX 535 FIREWALL SERIES, with POWER and ACTIVE LEDs)
Figure 7-2 shows the rear view of the PIX 535.
Figure 7-2 PIX 535 Rear Panel (figure: rear panel with STATUS LEDs)
The PIX 535 has a fixed RJ-45 Console connector and a DB-15 Failover cable connector; the USB port is not used at the present time.
Figure 7-3 shows the PIX 535 front panel LEDs.
Figure 7-3 PIX 535 Front Panel LEDs (figure: POWER and ACTIVE LEDs on the front panel)
Table 7-1 lists the states of the PIX 535 front panel LEDs.
Table 7-1 PIX 535 Front Panel LEDs

LED     State   Description
POWER   On      Unit has power.
ACT     On      On when the unit is the active failover unit. If failover is present, the light is on when the unit is the active unit.
        Off     Off when the unit is in standby mode.
Figure 7-4 shows the PIX 535 rear panel LEDs.
Figure 7-4 PIX 535 Rear Panel LEDs (figure: rear panel showing the DB-15 failover connector, the RJ-45 Console port, the USB port, and Slot 0 through Slot 8)
Table 7-2 lists the states of the PIX 535 LEDs.
Table 7-2 PIX 535 Rear Panel LEDs

LED        State   Description
100 Mbps   On      100 megabits per second 100BaseTX communication.
           Off     If the light is off during network activity, that port is using 10 megabits per second data exchange.
ACT        On      Shows network activity.
LINK               Shows that data is passing through that interface.
FDX        On      Shows that the connection uses full-duplex data exchange, where data can be transmitted and received simultaneously.
           Off     If this light is off, half duplex is in effect.

PIX 535 Network Interface Description

There are three separate buses for the nine interface slots in the PIX 535. The interfaces are counted from right to left on the PIX 535.
The slots and buses are configured as follows:
Slots 0 and 1: 64-bit/66 MHz, Bus 0
Slots 2 and 3: 64-bit/66 MHz, Bus 1
Slots 4 to 8: 32-bit/33 MHz, Bus 2
For optimum performance and throughput for the interface circuit boards, use the following guidelines:
A total of two 10/100 Fast Ethernet interfaces, and support for up to twelve additional 10/100 Fast Ethernet or nine Gigabit Ethernet interfaces, are configurable with the unrestricted license.
For best performance, the PIX-1GE-66 (66 MHz) circuit boards should be installed in a 64-bit/66 MHz card slot before they are installed in a 32-bit/33 MHz card slot. You can install up to nine PIX-1GE-66 circuit boards in the PIX 535. If it is necessary to install PIX-1GE-66 circuit boards in a 32-bit/33 MHz card slot, it is best to use these for interfaces with lower throughput requirements.
If Stateful Failover is enabled for PIX-1GE-66 traffic, the failover link must be PIX-1GE-66. The amount of Stateful Failover information is proportional to the amount of traffic flowing through the PIX security appliance; if it is not configured properly, loss of state information or 256-byte block depletion can occur.
The PIX-1FE circuit board (33 MHz) can be installed in any bus or slot (32-bit/33 MHz or 64-bit/66 MHz). Up to nine PIX-1FE circuit boards, or up to two PIX-4FE circuit boards, can be installed. The PIX-1FE circuit boards should be installed in the 32-bit/33 MHz card slots first.
The PIX-4FE card can only be installed in a 32-bit/33 MHz card slot and must never be installed in a 64-bit/66 MHz card slot. Installation of this circuit board in a 64-bit/66 MHz card slot can cause the system to hang at boot time.
The PIX-4FE-66 may be installed in any slot. If there is a shortage of 64-bit/66 MHz card slots (the slots are being used for 1GE-66 or PIX-VACPLUS), the PIX-4FE-66 should be installed in a 32-bit/33 MHz card slot.
Note On the PIX-4FE card, port 0 is on the top and port 3 is on the bottom.
Do not mix the PIX-1FE circuit boards with the PIX-1GE-66 circuit boards on the same 64-bit/66 MHz bus (Bus 0 or Bus 1). The lower-speed circuit board reduces the overall speed of the bus.
The PIX-1GE circuit board is not recommended for use in the PIX 535, as it can severely degrade performance. It is only capable of half the throughput of the PIX-1GE-66 circuit board. If this circuit board is detected in the PIX 535, a warning about degraded performance is issued.
The VPN Accelerator (PIX-VPN-ACCEL) can only be installed in a 32-bit/33 MHz card slot.
The VPN Accelerator Card+ (PIX-VACPLUS) should always be installed in a 64-bit/66 MHz card slot. VPN performance is degraded by roughly a factor of 4 if this recommendation is not followed.
For more information on the number of interfaces for each of the PIX Firewall models, click here.
Table 7-3 lists the relative throughput of the Gigabit Ethernet combinations.
Table 7-3 Relative Throughput of Gigabit Ethernet Combinations

Gigabit Ethernet Card   Bus Type   Shared with 33 MHz Device   Speed
PIX-1GE-66              64/66      No                          100%
PIX-1GE-66              64/66      Yes                         50%
PIX-1GE-66              32/33      No                          25%
PIX-1GE                 64/66      No                          50%
PIX-1GE                 32/33      No                          25%
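As an added example (not Cisco code), the following Python encodes the slot-to-bus mapping, the placement guidelines above, and Table 7-3 as a checker for a proposed PIX 535 card layout; the set of cards treated as 33 MHz devices is an assumption drawn from the guideline text.

```python
# Slot-to-bus map and Table 7-3 lookups from this chapter (constructed example,
# not Cisco code). CARDS_33MHZ is an assumption based on the guideline text.
SLOT_BUS = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 2, 8: 2}
FAST_BUSES = {0, 1}                         # 64-bit/66 MHz; bus 2 is 32-bit/33 MHz
CARDS_33MHZ = {"PIX-1FE", "PIX-4FE", "PIX-VPN-ACCEL"}
# (card, on 64/66 bus, shares bus with a 33 MHz device) -> relative throughput
GE_SPEED = {("PIX-1GE-66", True, False): 100, ("PIX-1GE-66", True, True): 50,
            ("PIX-1GE-66", False, False): 25, ("PIX-1GE", True, False): 50,
            ("PIX-1GE", False, False): 25}


def check_layout(layout):
    """layout maps slot number -> card name. Returns (errors, warnings)."""
    errors, warnings = [], []
    by_bus = {}
    for slot, card in layout.items():
        bus = SLOT_BUS[slot]
        by_bus.setdefault(bus, set()).add(card)
        fast = bus in FAST_BUSES
        if card == "PIX-4FE" and fast:
            errors.append(f"slot {slot}: PIX-4FE in a 64-bit/66 MHz slot can hang at boot")
        if card == "PIX-VPN-ACCEL" and fast:
            errors.append(f"slot {slot}: VAC is only supported in a 32-bit/33 MHz slot")
        if card == "PIX-VACPLUS" and not fast:
            warnings.append(f"slot {slot}: VAC+ outside 64-bit/66 MHz degrades VPN ~4x")
        if card == "PIX-1GE":
            warnings.append(f"slot {slot}: PIX-1GE not recommended (half of PIX-1GE-66)")
        if card == "PIX-1GE-66" and not fast:
            warnings.append(f"slot {slot}: PIX-1GE-66 in a 32-bit/33 MHz slot runs at 25%")
    for bus in sorted(FAST_BUSES):   # Bus 0 / Bus 1 mixing rule
        if "PIX-1GE-66" in by_bus.get(bus, set()) and by_bus[bus] & CARDS_33MHZ:
            warnings.append(f"bus {bus}: 33 MHz card shares the bus with PIX-1GE-66")
    if list(layout.values()).count("PIX-4FE") > 2:
        errors.append("more than two PIX-4FE cards installed")
    if {"PIX-VPN-ACCEL", "PIX-VACPLUS"} <= set(layout.values()):
        warnings.append("VAC and VAC+ both installed: the VAC is ignored")
    return errors, warnings


def ge_throughput(layout):
    """Relative throughput (Table 7-3) of each Gigabit Ethernet card in layout."""
    result = {}
    for slot, card in layout.items():
        if card in ("PIX-1GE-66", "PIX-1GE"):
            bus, fast = SLOT_BUS[slot], SLOT_BUS[slot] in FAST_BUSES
            shared = fast and any(SLOT_BUS[s] == bus and c in CARDS_33MHZ
                                  for s, c in layout.items())
            result[slot] = GE_SPEED.get((card, fast, shared))  # None if not tabulated
    return result
```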

Installing the PIX 535

This section includes the following topics:
Before Installing the PIX 535, page 7-5
Mounting the PIX 535, page 7-5
PIX 535 Network Interface Installation, page 7-6

Before Installing the PIX 535

Observe the following before installing the PIX security appliance:
Review the safety precautions outlined in the Regulatory Compliance and Safety Information document.
Place the PIX security appliance on a stable work surface.

Mounting the PIX 535

To mount the PIX 535 on a rack, perform the following steps:
Step 1 Attach the mounting brackets to the unit using the supplied screws.
Step 2 Attach the brackets to the holes near the front on both sides of the unit.
Step 3 Attach the unit to the equipment rack.


PIX 535 Network Interface Installation

Note If your PIX security appliance model supports a failover configuration, complete the steps that follow only on the active (primary) unit.
To connect interfaces to the PIX 535, perform the following steps:
Step 1 Connect the cable so that you have either a DB-9 or DB-25 connector on one end as required by the serial port for your computer, and the other end is the RJ-45 connector.
Note Use the Console port to connect to a computer to enter configuration commands. Locate the serial cable from the accessory kit. The serial cable assembly consists of a null modem cable with RJ-45 connectors, and one DB-9 connector and a DB-25 connector.
Step 2 Connect the cable to the PIX 535 RJ-45 Console connector port and connect the other end of the cable to the serial port connector on your computer.
Step 3 Connect the inside, outside, or perimeter network cables to the interface ports. Starting from the right and moving left, the connectors are Ethernet 0, Ethernet 1, Ethernet 2, and so forth. The maximum number of allowed interfaces is 8. The inside or outside network connections can be made to any available interface port on the PIX 535.
Note If you have a second PIX security appliance to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section on page 7-8.
Caution Do not power on the failover units until the active unit is configured.
Step 4 When you are ready to start the PIX 535, power on the unit from the switch at the rear of the unit.
PIX 535 Feature Licenses
If you have the PIX-535-UR unrestricted feature license, the following options are available:
If you have a second PIX 535 to use as a failover unit, install the failover feature and cable as described in the “Installing Failover” section on page 7-8.
If needed, install the PIX security appliance syslog server as described in the logging command page in the command reference online at:
http://cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
If you need to install an optional circuit board, refer to the “Installing a Circuit Board in the PIX 535” section on page 7-14.
If you need to install additional memory, refer to the “Installing a Memory Upgrade” section on page 7-11.
For information on upgrading feature licenses or downloading the latest software versions, refer to the configuration guide online at:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_configuration_guides_list.html
This section includes the following topics:
VPN Accelerator Card, page 7-7
VPN Accelerator Card+, page 7-7

VPN Accelerator Card

The VPN Accelerator Card (VAC) for the Cisco PIX security appliance series is a card that provides high-performance, tunneling and encryption services suitable for site-to-site and remote access applications. The VAC is integrated with PIX 535 unrestricted (UR) and failover (FO) bundles. You can also purchase the VAC as a spare for use with PIX 535 units that have a restricted (R) license.
Note Installing a VAC and an 82557 based FE card on the PIX 535 could result in a system hang.

VPN Accelerator Card+

The VAC+ is a 64-bit/66 MHz PCI card that provides faster tunneling and encryption services for Virtual Private Network (VPN) remote access, and site-to-site intranet and extranet applications, than the VAC. Each VAC+ occupies a single PCI slot in the system. The VAC+ is supported on any chassis that runs Version 6.3 software, has an appropriate license to run VPN software, and has at least one PCI slot available. While the VAC continues to be supported in Version 6.3, if both types of cards, the VAC and the VAC+, are installed in a system running Version 6.3, the VAC card is ignored. The VAC+ runs at both 32-bit/33 MHz and 64-bit/66 MHz, and does not slow down the bus when other 66 MHz cards are installed. We strongly recommend that you install the VAC+ in a 64-bit/66 MHz slot. Performance is degraded if this recommendation is not followed.
The VAC+ driver supports the following:
3DES, DES, AES, SHA1, MD5 for the (IPSec) ESP protocol (for AES, only the CBC mode and key sizes of 128, 192, and 256 bits are supported).
SHA1, MD5 for the (IPSec) AH protocol.
Load sharing ESP and AH activity between up to three VAC+.
Diffie-Hellman public key and shared secret generation.
Any other crypto-related activity uses a software implementation.

Installing Failover

To set up a failover connection, perform the following steps:
Step 1 Power off both the primary and secondary units.
Note Both chassis must be the same model number, have at least as much RAM, have the same Flash memory size, and be running the same software version. Note that the PIX-4FE and PIX-4FE-66 cards are considered equivalent and interchangeable. You can install a PIX-4FE in the primary unit and a PIX-4FE-66 in the secondary unit, as long as you install them in the same slot number of each chassis. For example, if you install a PIX-4FE in Slot 1 of the primary unit, you must also install the PIX-4FE-66 in Slot 1 of the secondary unit.
Step 2 Locate the failover cable (shown in Figure 7-5). This cable is shipped separately from the PIX security appliance. The cable is labeled “Primary” on one end and “Secondary” on the other.
Install the cable for the PIX 535 as shown in Figure 7-5.
Figure 7-5 PIX 535 Failover Cable Connection (figure: failover cable with its Primary end and Secondary end labeled)
Step 3 Connect the Primary end of the failover cable to the first PIX security appliance, that is, the one you have already configured.
Step 4 Connect the Secondary end of the failover cable to the standby unit.
Step 5 Connect a power cord to the power connector on the rear panel of each unit, and the other end of each power cord to (preferably separate) power outlets.
Step 6 If you are using Stateful Failover, use one of the following types of connections, whichever is appropriate for your system, between the dedicated interfaces on the PIX security appliance:
Category 5 crossover cable directly connecting the primary unit to the secondary unit
100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch
1000BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch
Note For Stateful Failover on the PIX 535, you must use a Gigabit Ethernet (GE) failover link with GE interfaces.