Brksec 3580

#CiscoLive
Firepower Threat Defense

Virtual Routing and
Forwarding (VRF)
Luis Silva Benavides – Customer Success Specialist

@LuisSilva_1990
BRKSEC-3580
#CiscoLive
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
4 Enter messages/questions in the Webex space
Webex spaces will be moderated https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-3580
by the speaker until June 17, 2022.
#CiscoLive BRKSEC-3580 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About your • Costa Rica / Texas
Speaker • 13+ years of experience
• TAC, Advanced Services, CSS
• CCIE Security / CISSP®
Customer Success
Specialist
BRKSEC-3580 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
• Introduction
• Virtual Routing and Forwarding
• Configuring VRF
Agenda • Configuring Routing Protocols
• Troubleshooting VRF
• Conclusion
Introduction
Virtual Routing
and Forwarding
Why Virtual Routers/Routing?
• Separate Routing/Forwarding tables
• VRF-Lite
• Overlapping IP address
• Multi-Virtual Router Support (FXOS + VRF =Multi-Context use cases)
Advantages (FTD Version 6.6+)
• Routing segregation on FTD
• Overlapping IP address on FTD interfaces
• Connection events (ingress/egress virtual router)
VRF Support
Device Maximum Virtual Routers
ASA 10-20
Firepower 1000* 5-10 *1010 (7.2+)
Firepower 2100 10-40
Virtual FTD 30
ISA 3000 10 (7.0+)
Configuration Guide No License required
Routing Policies
Policies Global VRF User VRF
Static Route ✓ ✓
OSPFv2 ✓ ✓
OSPFv3 ✓ X
RIP ✓ X
BGPv4 ✓ ✓
BGPv6 ✓ ✓ (7.1+)
IRB (BVI) ✓ ✓
EIGRP ✓ X
Overlapping Networks – Feature Support
Policies Non-Overlapping Overlapping Networks
Routing & IRB ✓ ✓
AVC ✓ ✓
SSL Decryption ✓ ✓
Intrusion and Malware
Detection (IPS and File ✓ ✓
Policy)
VPN ✓ ✓
Malware Event Analysis
(Host Profiles, IoC, File ✓ X
Trajectory)
Threat Intelligence (TID) ✓ X
Use case #1 – Service Provider
• Separate routing tables
VRF_A VRF_B
Customer B
Customer A
• Overlapping Networks
• Non-Overlapping Networks
ISP
Use case #2 – Enterprise
• Connectivity between VRFs (Route Leaking)
VRF_A VRF_B
Department B
Department A
• Overlapping Networks • Static Routes
• Non-Overlapping Networks • NAT
Company • BGP (7.1+)
Use case #3 – Multi-Instance and VRF
• Connectivity between VRFs in a Multi-Instance Environment
VRF_A VRF_B
Department B
Department A
FTD Instance
• Overlapping Networks • Static Routes
• Non-Overlapping Networks • NAT
• BGP (7.1+)
Firepower4100/9300
Configuring VRF
Demo 1: VRF configuration on FMC
VRF configuration on FMC
Subtitle
• Device > Device Management > FTD
Subtitle
• Routing > Manage Virtual Routers > Add Virtual Router
• Add a new Virtual Router
• Assign interfaces to VRF
• Verify VRF assignment under “Interfaces”
• Deploy changes
• Deploy changes
Access Control Policy VRF- Aware
NAT Policy VRF- Aware
NAT Policy VRF- Aware
NAT Policy VRF- Aware – Overlapping Networks
Demo 2: Configuring VRF on FDM
VRF configuration on FDM
• Routing > View Configuration
Subtitle
• Routing > Add Multiple Virtual Routers
• Create First Custom Virtual Router
• Add a new Virtual Router and assign interfaces
• Deploy changes
• Verified deployed changes
Configuring Routing
Protocols
Demo 3: Configuring Static
Routing on FMC
Static Routing on FMC
• Routing > Desired VRF > Static Route
• Save > Deploy Changes
• Deploy > Deploy Changes
Static Routing on FMC – Verify Configuration
• VRF_Sales > _Routes
Demo 4 : Configuring BGP on
FMC
Border Gateway Protocol (BGP) on FMC
• Routing > General Settings> BGP
• Routing > Desired VRF> BGP > IPv4
• Routing > Desired VRF> BGP > IPv4 > Neighbor
• Routing > Manage Virtual Routers> Desired VRF > Route | BGP
Summary
Demo 5: Configuring OSPF on FMC
OSFP on FMC
• Routing > Desired VRF> OSPF
OSFP on FMC
• Add a Neighbor
OSFP on FMC
• Save and deploy changes
OSFP on FMC
• Routing > Manage Virtual Routers > route | OSPF Summary
Demo 6: Configuring
BGP on FDM
Border Gateway Protocol (BGP) on FDM
• Routing > BGP General Settings
• Create BGP General Settings Object
• BGP General Settings
BGP Object
• Save and Deploy changes
• Verify routing table and BGP neighbor
Demo 7: Configuring OSPF on FDM
OSPF on FDM
• Create OSPF Object
OSPF on FDM
• Configure OSPF Object
OSPF on FDM
• Verify routing table
Troubleshooting VRF
Troubleshooting - Commands
Configuration Verification
Global VRF User- Defined VRF All VRF

Show run route
Show run route
Show run route all
vrf <name>
Show run router

Show run router
vrf <name>
Show run router bgp|ospf Show run router bgp|ospf
Show run router bgp|ospf vrf <name> all
Troubleshooting - Commands
Troubleshooting Verification
Global VRF User- Defined VRF All VRF

Show route Show route
Show route
static|ospf|bgp static|ospf|bgp
static|ospf|bgp
vrf <name> all
Show bgp|ospf vrf <name>
Show bgp|ospf [sub-
[sub-commands]
commands]
Troubleshooting Scenario #1 - BGP
• BGP won’t come up
VRF_Sales
10.10.10.0/24
.221 .32
AS 65536
AS 65536
Demo 8: Troubleshooting
Scenario #1 - BGP
Troubleshooting Scenario #2
• Connectivity between VRFs (Route Leaking)
VRF_Sales VRF_Engineering
172.16.10.3/24
172.16.20.3/24
Demo 9: Troubleshooting Scenario #2
Troubleshooting Scenario #2 – Route Leak
packet-tracer input engineering icmp 172.16.2.3 8 0 172.16.1.3
Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 0.0.0.0 using egress ifc Sales(vrfid:1)
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Sales,Engineering) source static Sales_Net Sales_Net destination static Eng_Network Eng_Network route-
lookup
NAT divert to egress interface Sales(vrfid:1)
Untranslate 172.16.1.3/0 to 172.16.1.3/0
packet-tracer input engineering icmp 172.16.2.3 8 0 172.16.1.3
Phase: 18
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Found next-hop 172.16.1.3 using egress ifc Sales(vrfid:1)
Result:
input-interface: Engineering(vrfid:2)
input-status: up
input-line-status: up
output-interface: Sales(vrfid:1)
output-status: up
output-line-status: up
Action: allow
Conclusion
• Enhanced FTD’s routing
capabilities.
• Secure way of segmenting
routing table and expands our
FTD deployment options
Conclusions
• Take advantage of Meet the
expert
• Let's deploy it!
Technical Session Surveys
• Attendees who fill out a minimum of four
session surveys and the overall event
survey will get Cisco Live branded socks!
• Attendees will also earn 100 points

in the Cisco Live Game for every
survey completed.
• These points help you get on the

leaderboard and increase your chances
of winning daily and grand prizes.
• Visit the Cisco Showcase
for related demos
• Book your one-on-one

Meet the Engineer meeting
• Attend the interactive education

with DevNet, Capture the Flag,
Continue and Walk-in Labs
your education • Visit the On-Demand Library

for more sessions at
www.CiscoLive.com/on-demand
Pay for Learning with
Cisco Learning Credits
Cisco Learning and Certifications (CLCs) are prepaid training
vouchers redeemed directly
From technology training and team development to Cisco certifications and learning with Cisco.
plans, let us help you empower your business and career. www.cisco.com/go/certs
Learn Train Certify

Cisco U. Cisco Training Bootcamps Cisco Certifications and
IT learning hub that guides teams Intensive team & individual automation Specialist Certifications
and learners toward their goals and technology training programs Award-winning certification
program empowers students
Cisco Digital Learning Cisco Learning Partner Program and IT Professionals to advance
Subscription-based product, technology, Authorized training partners supporting their technical careers
and certification training Cisco technology and career certifications
Cisco Guided Study Groups
Cisco Modeling Labs Cisco Instructor-led and 180-day certification prep program
Network simulation platform for design, Virtual Instructor-led training with learning and support
testing, and troubleshooting Accelerated curriculum of product,
technology, and certification courses Cisco Continuing
Cisco Learning Network Education Program
Resource community portal for Recertification training options
certifications and learning for Cisco certified individuals
Here at the event? Visit us at The Learning and Certifications lounge at the World of Solutions
Thank you
#CiscoLive
#CiscoLive

Brksec 3580

Uploaded by

Copyright:

Available Formats

Brksec 3580

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brksec 3580

Uploaded by

Copyright:

Available Formats

#CiscoLive

Firepower Threat Defense

Luis Silva Benavides – Customer Success Specialist

4 Enter messages/questions in the Webex space

Webex spaces will be moderated https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-3580

by the speaker until June 17, 2022.

Firepower 1000* 5-10 *1010 (7.2+)

Firepower 2100 10-40

Firepower 3100 15-100

Firepower 4100 60-100

Firepower 9300 60-100

ISA 3000 10 (7.0+)

Configuration Guide No License required

• Overlapping Networks • Static Routes

• Non-Overlapping Networks • NAT

Company • BGP (7.1+)

• Overlapping Networks • Static Routes

• Non-Overlapping Networks • NAT

• Routing > Desired VRF > Static Route

• Save > Deploy Changes

• Deploy > Deploy Changes

• Routing > General Settings> BGP

• Routing > BGP General Settings

• Create BGP General Settings Object

• BGP General Settings

• Verify routing table and BGP neighbor

• Create OSPF Object

• Configure OSPF Object

• Verify routing table

Global VRF User- Defined VRF All VRF

Show run router

Global VRF User- Defined VRF All VRF

packet-tracer input engineering icmp 172.16.2.3 8 0 172.16.1.3

• Let's deploy it!

• Attendees will also earn 100 points

• These points help you get on the

• Book your one-on-one

• Attend the interactive education

your education • Visit the On-Demand Library

Learn Train Certify

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.