Scenario 5 - VRF Support for DVTI using SD-WAN Wizard

Virtual Routing and Forwarding (VRF) lets customers separate routing and forwarding domains for ease of operations. VRFs were first introduced in version 6.6 and Dynamic Virtual Tunnel Interfaces (DVTIs) were introduced in 7.3. In this version, we add the ability to associate a DVTI with a VRF to help with network segmentation, while version 7.6 introduces the ability to configure an SD-WAN topology straight from a startup wizard.

📘

Lab Tasks

These are the tasks in the scenario below. If you are familiar with Secure Firewall, you may do these on your own; step-by-step instructions follow below.

  • Task 1 - Configure DVTIs on NGFW1
  • Task 2 - Configure VRFs on NGFW1
  • Task 3 - Configure VPN Topologies
  • Task 4 - Verification

Task 1 - Configure DVTIs on NGFW1

  1. Using the Quick Launch or the Google Chrome browser, connect to the FMC web UI.
    Log in as admin/C1sco12345. These credentials should be pre-populated in the browser.
  2. Go to Devices > Device Management and click the pencil (edit) icon next to NGFW1.

  3. Click on Add Interfaces > Loopback Interface to add a new loopback interface.

    1. In the pop-up box, configure the following details:
      1. In the General tab:
        1. Name: L12
        2. Loopback ID: 12
      2. In the IPv4 tab:
        1. IP Address: 172.16.12.1/32
    2. Click on OK to save the interface.

  4. Click Add Interfaces > Loopback Interface to add another loopback interface.

    1. In the pop-up box, configure the following details:
      1. In the General tab:
        1. Name: L13
        2. Loopback ID: 13
      2. In the IPv4 tab:
        1. IP Address: 172.16.13.1/32
    2. Click on OK to save the interface.

  5. Click Add Interfaces > Virtual Tunnel Interface to add a VTI.

    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Dynamic
      2. Name: DVTI12
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "DVTIZone12" and click OK.
      4. Template ID: 12
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.81 (the outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Borrow IP (IP unnumbered) is selected by default. From the drop-down next to it, select Loopback12 (L12).
    2. Click OK to save the DVTI.

📘

Note

A DVTI cannot be configured with its own IP address; it must borrow the address of another interface. Hence the "Borrow IP" option is selected by default and greyed out, since it cannot be changed.

  6. Click Add Interfaces > Virtual Tunnel Interface to add another VTI.

    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Dynamic
      2. Name: DVTI13
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "DVTIZone13" and click OK.
      4. Template ID: 13
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.81 (the outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Borrow IP (IP unnumbered) is selected by default. From the drop-down next to it, select Loopback13 (L13).
    2. Click OK to save the DVTI.
  7. Click Save to save the changes made to the interfaces.

Task 2 - Configure VRFs on NGFW1

  1. You should still be editing the device NGFW1 (otherwise, go to Device > Device Management and click the pencil (edit) icon next to NGFW1). Go to the Routing tab.
  2. In the left bar, click on Manage Virtual Routers.
    1. Click + Add Virtual Router to add a VRF.
      1. In the pop up box, enter the Name "VRF12".
      2. Click on OK to save the new VRF.
    2. A new page will open up to configure Virtual Router Properties.
      1. From the Available Interfaces section, select L12 and click on Add to move it to the Selected Interfaces section.
      2. Then select DVTI12, and click on Add to move it to the Selected Interfaces section.
  3. Add a second VRF by first clicking on Manage Virtual Routers in the left bar.
    1. Click on + Add Virtual Router to add another VRF.
      1. In the pop up box, enter the Name "VRF13".
      2. Click on OK to save the new VRF.
    2. A new page will open up to configure Virtual Router Properties.
      1. From the Available Interfaces section, select L13 and click on Add to move it to the Selected Interfaces section.
      2. Then select DVTI13, and click on Add to move it to the Selected Interfaces section.
  4. Click on Save to save the changes.

Task 3 - Configure VPN Topologies using the SD-WAN Wizard

  1. Navigate to Devices > VPN > Site to Site and click Add.

    1. In the pop-up box, configure the following details:
      1. Topology Name: DVTI-1-2.
      2. Ensure the radio button for SD-WAN Topology is selected.
      3. Ensure the radio button for Hub and Spoke is selected.
      4. Click Create.
  2. Click Add Hub on the right-most side of the widget.

    1. In the pop-up box, configure the following details:
      1. Device: NGFW1
      2. Dynamic Virtual Tunnel Interface: DVTI12
      3. Hub Gateway IP Address will be filled in automatically.
      4. Click on the + icon next to the Spoke Tunnel IP Address Pool.
    2. Fill in the details below in the Add IPv4 Pool pop-up:
      1. Name: Hub12-Pool
      2. IPv4 Address Range: 172.16.12.11 - 172.16.12.20
      3. Mask: 255.255.255.0
      4. Click Save.
    3. Ensure the newly created Hub12-Pool is selected as the Spoke Tunnel IP Address Pool.
    4. Click Add.
  3. Click Next to add Spokes.

    1. Click Add Spoke.
      1. Select NGFW2 from the Device drop-down.
      2. Select outside from the VPN Interface drop-down.
      3. Leave the rest as default and click Save.
  4. Click Next again.

    1. The authentication type, Transform Sets and IKEv2 Policies are already filled in. Review the settings and click Next.
  5. For Spoke Tunnel Interface Security Zone, click the + icon next to the drop-down.

    1. Add a new zone named TunnelZone.
    2. Interface Type: Routed.
    3. Click Save.
  6. Ensure TunnelZone is selected as the Spoke Tunnel Interface Security Zone.

  7. Click the checkbox for Enable BGP on the VPN Overlay Topology.

    1. For Community Tag for Local Routes, enter 99.
    2. Check the Redistribute Connected Interfaces box.
    3. Leave everything else default.
  8. Ensure your configuration matches what you see below and then click Next:

  9. Click Finish.

  10. Click Add again to add another VPN topology and perform the same steps as for the previous SD-WAN topology with the following configuration parameters:

    1. Topology Name: DVTI-1-3
    2. VPN Type: SD-WAN Topology, and ensure Hub and Spoke is selected.
    3. Click Create.
  11. Click Add Hub.

    1. Device: NGFW1
    2. Dynamic Virtual Tunnel Interface (DVTI): DVTI13
    3. Hub Gateway IP Address will be filled in automatically.
  12. Click on the + icon next to the Spoke Tunnel IP Address Pool and fill in the details below in the Add IPv4 Pool pop-up:

    1. Name: Hub13-Pool
    2. IPv4 Address Range: 172.16.13.11 - 172.16.13.20
    3. Mask: 255.255.255.0
    4. Click Save.
    5. Ensure the newly created Hub13-Pool is configured as the Spoke Tunnel IP Address Pool.
    6. Click Add.
  13. Click Next.

    1. Click Add Spoke.
      1. Select NGFW3 from the Device drop-down.
      2. Select outside for VPN Interface.
      3. Leave the rest as default and click Save.
  14. Click Next and leave the authentication type, Transform Sets and IKEv2 Policies as default.

    1. Review the settings and click Next.
  15. In the Spoke Tunnel Interface Security Zone drop-down, select TunnelZone.

  16. Click the checkbox for Enable BGP on the VPN Overlay Topology.

    1. For Community Tag for Local Routes, enter 99.
    2. Click the checkbox next to Redistribute Connected Interfaces.
    3. Leave everything else default.
    4. Click Next.
  17. Ensure your configuration matches what you see below and then click Finish:


Deployment

  1. Click Deploy > Deploy All and wait for the changes to be pushed to the devices.

🚧

Wait!

You will get a warning: "The changes to Virtual Routers may cause traffic disruption." This is expected, as we have configured new VRFs. Click the checkbox next to "Ignore Warnings" and click Deploy to push the changes.

Verification via the CLI

  1. Connect to the CLI of NGFW1 using the Quick Launch under the NGFW Console Access section. The credentials will be pre-populated.

  2. Connect to the diagnostic CLI using the system support diagnostic-cli command.

    1. Use the enable command to enter enable (privileged) mode and leave the password blank.
  3. Use the show vrf command to see the configured VRFs and the interfaces associated with them.

  4. Use the show route command to check the routes in the global routing table. The two loopback and DVTI interfaces will not appear in this table.

  5. Use the show route vrf <vrf name> command to check the routes for both VRFs. Each VRF shows the routes for its own loopback and DVTI interface.

  6. Check connectivity using the following ping commands:

    1. Global router:

      1. ping 172.16.12.11 - This ping will fail
      2. ping 172.16.13.11 - This ping will also fail

    2. VRF12:

      1. ping vrf VRF12 172.16.12.11 - This ping will succeed
      2. ping vrf VRF12 172.16.13.11 - This ping will fail

    3. VRF13:

      1. ping vrf VRF13 172.16.12.11 - This ping will fail
      2. ping vrf VRF13 172.16.13.11 - This ping will succeed
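The ping results above follow directly from the fact that each VRF owns a separate routing table and a lookup never falls through to another table. The Python model below is an added example for this guide, not Cisco code or FTD output: it builds the three tables NGFW1 ends up with after Tasks 1-3 from the lab's own addresses, performs a longest-prefix lookup confined to one VRF, and reproduces the six pings. Two things are assumptions: the outside interface is given a /24 mask (the lab states only the address 198.18.133.81), and each spoke tunnel address from the pool is modelled as a host route over the hub's DVTI; the `show route`-style output format is ours as well.

```python
"""Per-VRF route lookup model for NGFW1 in this lab (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    source: str          # "connected" or "spoke" (host route modelled over the DVTI)


@dataclass
class Vrf:
    """One routing table. Lookups never consult another VRF's table."""
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, interface: str, source: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)   # strict=False drops host bits
        self.routes.append(Route(net, interface, source))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match restricted to this VRF."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def show_route(self) -> List[str]:
        """Lines in the spirit of 'show route vrf <name>' (format is ours, not FTD's)."""
        order = sorted(self.routes, key=lambda r: (int(r.prefix.network_address), r.prefix.prefixlen))
        return [f"{r.source:<9} {r.prefix!s:<20} via {r.interface}" for r in order]


def pool_hosts(first: str, last: str) -> List[str]:
    """Expand an inclusive IPv4 range such as the wizard's Spoke Tunnel IP Address Pool."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def build_lab_tables() -> Dict[str, Vrf]:
    """Tables NGFW1 ends up with after Tasks 1-3 (constructed from the lab values)."""
    glob = Vrf("global")
    # Outside interface 198.18.133.81 is from the lab; its /24 mask is an assumption.
    glob.add("198.18.133.81/24", "outside", "connected")

    vrf12 = Vrf("VRF12")
    vrf12.add("172.16.12.1/32", "L12", "connected")            # DVTI12 borrows this address
    for host in pool_hosts("172.16.12.11", "172.16.12.20"):   # Hub12-Pool
        vrf12.add(f"{host}/32", "DVTI12", "spoke")            # modelled host route per spoke

    vrf13 = Vrf("VRF13")
    vrf13.add("172.16.13.1/32", "L13", "connected")            # DVTI13 borrows this address
    for host in pool_hosts("172.16.13.11", "172.16.13.20"):   # Hub13-Pool
        vrf13.add(f"{host}/32", "DVTI13", "spoke")

    return {t.name: t for t in (glob, vrf12, vrf13)}


def ping(tables: Dict[str, Vrf], vrf: str, dst: str) -> bool:
    """True when the named VRF has a route to dst, i.e. the ping can leave the box."""
    return tables[vrf].lookup(dst) is not None


def ping_matrix(tables: Dict[str, Vrf]) -> Dict[str, Dict[str, bool]]:
    """Reproduces the verification step: every table against both spoke tunnel IPs."""
    targets = ("172.16.12.11", "172.16.13.11")
    return {name: {dst: ping(tables, name, dst) for dst in targets} for name in tables}


if __name__ == "__main__":
    tables = build_lab_tables()
    for name, table in tables.items():
        print(f"--- show route vrf {name}")
        print("\n".join(table.show_route()))
    for vrf, results in ping_matrix(tables).items():
        for dst, ok in results.items():
            print(f"ping vrf {vrf} {dst}: {'succeeds' if ok else 'fails'}")
```

Running the script prints one table per VRF followed by the six pings, with the global pings failing, VRF12 reaching only 172.16.12.11 and VRF13 reaching only 172.16.13.11. The useful check for an operator is the negative cases: if a cross-VRF ping ever succeeds on the real device, a route leak or a misplaced interface has undone the segmentation that Task 2 was meant to enforce.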


👍

Success

In the next scenarios you will do the same verification using the SD-WAN Summary Dashboard as well as the Site to Site VPN Dashboard.


👍

Tell us how we are doing

We are doing our best to ensure the scenarios in this lab guide are useful, clear and work as expected.

Please share your thoughts to help us improve or fix any problems you may run into.


