Scenario 6 - VRF Support for DVTI

Virtual Routing and Forwarding (VRF) enables customers to separate routing and forwarding domains for ease of operations. VRFs were first introduced in version 6.6. In version 7.2, we introduced Dynamic Virtual Tunnel Interfaces (DVTIs) for ease of building VPN tunnels. In this version, we add the ability to associate a DVTI with a VRF to help with network segmentation.

📘

Lab Tasks

These are the tasks in the scenario below. If you are familiar with Secure Firewall you may do these on your own; otherwise, follow the step-by-step instructions below.

  • Task 1 - Configure DVTIs on NGFW1
  • Task 2 - Configure VRFs on NGFW1
  • Task 3 - Configure SVTI on NGFW2
  • Task 4 - Configure SVTI on NGFW3
  • Task 5 - Configure VPN Topologies
  • Task 6 - Verification

Task 1 - Configure DVTIs on NGFW1

  1. Using the Quick Launch or the Google Chrome browser connect to the FMC web UI.
    Login as admin/C1sco12345. These credentials should be pre-populated in the browser.
  2. Go to Device > Device Management and click the pencil (edit) icon next to NGFW1.
  3. Click on Add Interfaces > Loopback Interface to add a new loopback interface.
    1. In the pop-up box, configure the following details:
      1. In the General Tab
        1. Name: L12
        2. Loopback ID: 12
      2. In the IPv4 Tab
        1. IP Address: 172.16.12.1/32
    2. Click on OK to save the interface.

  4. Click on Add Interfaces > Loopback Interface to add another loopback interface.
    1. In the pop-up box, configure the following details:
      1. In the General Tab
        1. Name: L13
        2. Loopback ID: 13
      2. In the IPv4 Tab
        1. IP Address: 172.16.13.1/32
    2. Click on OK to save the interface.
  5. Click on Add Interfaces > Virtual Tunnel Interface to add a VTI.
    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Dynamic
      2. Name: DVTI12
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "DVTIZone12" and click OK.
      4. Template ID: 12
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.81 (outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Borrow IP (IP unnumbered) will be selected by default. From the drop-down next to it, select Loopback12 (L12)
    2. Click on OK to save the DVTI.

📘

Note

For a DVTI, we cannot configure an IP address directly; a DVTI must borrow an IP address from another interface. Hence, the "Borrow IP" option is selected by default and greyed out, since we cannot change this option.

  6. Click on Add Interfaces > Virtual Tunnel Interface to add another VTI.
    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Dynamic
      2. Name: DVTI13
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "DVTIZone13" and click OK.
      4. Template ID: 13
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.81 (outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Borrow IP (IP unnumbered) will be selected by default. From the drop-down next to it, select Loopback13 (L13)
    2. Click OK to save the DVTI.
  7. Click Save to save the changes.

Task 2 - Configure VRFs on NGFW1

  1. You should still be editing the device NGFW1 (otherwise, go to Device > Device Management and click the pencil (edit) icon next to NGFW1). Go to the Routing tab.
  2. In the left bar, click on Manage Virtual Routers.
    1. Click on + Add Virtual Router to add a VRF.
      1. In the pop up box, enter the Name "VRF12".
      2. Click on OK to save the new VRF.
    2. A new page will open up to configure Virtual Router Properties.
      1. From the Available Interfaces section, select L12 and click on Add to move it to the Selected Interfaces section.
      2. Then select DVTI12, and click on Add to move it to the Selected Interfaces section.
  3. In the left bar, click on Manage Virtual Routers again.
    1. Click on + Add Virtual Router to add another VRF.
      1. In the pop up box, enter the Name "VRF13".
      2. Click on OK to save the new VRF.
    2. A new page will open up to configure Virtual Router Properties.
      1. From the Available Interfaces section, select L13 and click on Add to move it to the Selected Interfaces section.
      2. Then select DVTI13, and click on Add to move it to the Selected Interfaces section.
  4. Click on Save to save the changes.

Task 3 - Configure SVTI on NGFW2

  1. Go to Device > Device Management and click the pencil (edit) icon next to NGFW2.
  2. Click on Add Interfaces > Loopback Interface to add a new loopback interface.
    1. In the pop up box, configure the following details:
      1. In the General Tab
        1. Name: L12
        2. Loopback ID: 12
      2. In the IPv4 Tab
        1. IP Address: 172.16.12.2/32
    2. Click on OK to save the interface.
  3. Click on Add Interfaces > Virtual Tunnel Interface to add a VTI.
    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Static
      2. Name: SVTI12
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "SVTIZone12" and click OK.
      4. Tunnel ID: 12
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.82 (outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Click the radio button for Borrow IP (IP unnumbered) and from the drop-down list next to it, select Loopback12 (L12).
    2. Click OK to save the VTI.
  4. Click Save to save the changes.

Task 4 - Configure SVTI on NGFW3

  1. Go to Device > Device Management and click the pencil (edit) icon next to NGFW3.
  2. Click on Add Interfaces > Loopback Interface to add a new loopback interface.
    1. In the pop-up box, configure the following details:
      1. In the General Tab
        1. Name: L13
        2. Loopback ID: 13
      2. In the IPv4 Tab
        1. IP Address: 172.16.13.2/32
    2. Click on OK to save the interface.
  3. Click on Add Interfaces > Virtual Tunnel Interface to add a VTI.
    1. In the pop-up box, configure the following details:
      1. Tunnel Type: Static
      2. Name: SVTI13
      3. Security Zone: In the drop-down, click New...
        1. Add a new zone named "SVTIZone13" and click OK.
      4. Tunnel ID: 13
      5. Tunnel Source: GigabitEthernet0/0 (outside)
      6. Tunnel Source Address: 198.18.133.83 (outside interface IP address, available in the drop-down once the tunnel source is selected)
      7. IP Address: Borrow IP (IP unnumbered) will be selected by default. From the drop-down next to it, select Loopback13 (L13).
    2. Click OK to save the VTI.
  4. Click on Save to save the changes.

Task 5 - Configure VPN Topologies

  1. Go to Devices > VPN > Site to Site and click on + Site to Site VPN.

    1. In the pop-up box, configure the following details:

      1. Topology Name: DVTI-1-2

      2. Select the Radio Button for "SD-WAN Topology".

      3. Select VPN Topology: Hub and Spoke

      4. Click on + next to Hub Nodes.

        1. In the pop-up box, configure the following details:
          1. Device: NGFW1
          2. Dynamic Virtual Tunnel Interface: DVTI12
          3. In the Advanced Settings, check the box "Send Virtual Tunnel Interface IP to the peers".
        2. Leave all other settings as default and click on OK.
      5. Click on + next to Spoke Nodes.

        1. In the pop up box, configure the following details:
          1. Device: NGFW2
          2. Static Virtual Tunnel Interface: SVTI12
          3. In the Advanced Settings, make sure the box "Send Virtual Tunnel Interface IP to the peers" is checked (it is checked by default).
        2. Leave all other settings as default and click OK.
      6. Click Save to save the Topology.

  2. Click on + Site to Site VPN again, to add another VPN topology.

    1. In the pop up box, configure the following details:

      1. Topology Name: DVTI-1-3

      2. Select the Radio Button for "Route Based (VTI)"

      3. Network Topology: Hub and Spoke

      4. Click on + next to Hub Nodes

        1. In the pop up box, configure the following details:
          1. Device: NGFW1
          2. Dynamic Virtual Tunnel Interface: DVTI13
          3. In the Advanced Settings, check the box "Send Virtual Tunnel Interface IP to the peers".
        2. Leave all other settings as default and click on OK.
      5. Click on + next to Spoke Nodes.

        1. In the pop up box, configure the following details:
          1. Device: NGFW3
          2. Static Virtual Tunnel Interface: SVTI13
          3. In the Advanced Settings, make sure the box "Send Virtual Tunnel Interface IP to the peers" is checked (it is checked by default).
        2. Leave all other settings as default and click on OK.
      6. Click on Save to save the Topology.

  3. Click on Deploy to deploy the changes to all three firewalls.

📘

Note

You will get a warning "The changes to Virtual Routers may cause traffic disruption." This is expected as we have configured new VRFs. Click on the "Ignore Warnings" checkbox and click on Deploy to deploy the changes.

Task 6 - Verification

  1. Connect to the CLI of NGFW1. The credentials will be pre-populated.

  2. Connect to the diagnostic CLI by using the system support diagnostic-cli command.

    1. Use the enable command to enter enable mode (privileged mode) and leave the password blank.
  3. Use the show vrf command to see the configured VRFs and the interfaces associated with them.

  4. Use the show route command to check the routes in the global routing table. The two loopback and DVTI interfaces will not appear there, because they now belong to the VRFs.

  5. Use the show route vrf <vrf name> command to check the routes for both VRFs. Each VRF's table shows the routes for its own loopback and DVTI interfaces.

  6. Check connectivity using the following ping commands:

    1. Global Router:

      1. ping 172.16.12.2 - This ping will fail
      2. ping 172.16.13.2 - This ping will also fail
    2. VRF12:

      1. ping vrf VRF12 172.16.12.2 - This ping will succeed
      2. ping vrf VRF12 172.16.13.2 - This ping will fail
    3. VRF13:

      1. ping vrf VRF13 172.16.12.2 - This ping will fail
      2. ping vrf VRF13 172.16.13.2 - This ping will succeed
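The ping results above follow directly from the fact that each VRF keeps its own routing table and a lookup never falls through to the global table. The following Python model is an added example written for this page; it is not part of the lab and not Cisco code. It builds the three tables that NGFW1 ends up with after Tasks 1, 2 and 5 (global with the outside interface; VRF12 with L12 and DVTI12; VRF13 with L13 and DVTI13), installs the peer /32 routes that "Send Virtual Tunnel Interface IP to the peers" produces, and answers a ping by longest-prefix match inside the chosen VRF only. The outside subnet mask (/24) and the "tunnel is up" assumption are the model's, not the lab's.

```python
"""Per-VRF route lookup model for NGFW1 after the lab configuration (added example).

Constructed from the addresses used in the lab. Assumptions, not from the lab:
the outside subnet is /24, and the IPsec tunnels are assumed to be up so that a
route in the right table is all a ping needs.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    interface: str
    source: str  # "connected" or "vti-peer" in this model


@dataclass
class Vrf:
    name: str
    interfaces: List[str] = field(default_factory=list)
    routes: List[Route] = field(default_factory=list)

    def add_route(self, prefix: str, interface: str, source: str) -> None:
        # A route may only point at an interface that is a member of this VRF.
        if interface not in self.interfaces:
            raise ValueError(f"{interface} is not a member of VRF {self.name}")
        self.routes.append(Route(ip_network(prefix, strict=False), interface, source))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match against this VRF's table only; no fallback to global."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


class Firewall:
    def __init__(self, name: str) -> None:
        self.name = name
        self.vrfs: Dict[str, Vrf] = {"global": Vrf("global")}

    def add_vrf(self, name: str, interfaces: List[str]) -> Vrf:
        # Moving an interface into a user VRF removes it (and its routes) from every other table,
        # which is why "show route" on the global table no longer lists L12/L13 or the DVTIs.
        for vrf in self.vrfs.values():
            vrf.interfaces = [i for i in vrf.interfaces if i not in interfaces]
            vrf.routes = [r for r in vrf.routes if r.interface not in interfaces]
        vrf = Vrf(name, list(interfaces))
        self.vrfs[name] = vrf
        return vrf

    def show_vrf(self) -> Dict[str, List[str]]:
        """Same information as 'show vrf': VRF name -> member interfaces."""
        return {n: list(v.interfaces) for n, v in self.vrfs.items()}

    def ping(self, dst: str, vrf: str = "global") -> bool:
        """True when the destination has a route in the named VRF (tunnel assumed up)."""
        return self.vrfs[vrf].lookup(dst) is not None


def build_ngfw1() -> Firewall:
    fw = Firewall("NGFW1")
    fw.vrfs["global"].interfaces.append("outside")
    fw.vrfs["global"].add_route("198.18.133.81/24", "outside", "connected")  # /24 is assumed

    vrf12 = fw.add_vrf("VRF12", ["L12", "DVTI12"])
    vrf12.add_route("172.16.12.1/32", "L12", "connected")   # L12, borrowed by DVTI12
    # NGFW2's VTI IP, installed because the spoke sends its VTI IP to the hub
    vrf12.add_route("172.16.12.2/32", "DVTI12", "vti-peer")

    vrf13 = fw.add_vrf("VRF13", ["L13", "DVTI13"])
    vrf13.add_route("172.16.13.1/32", "L13", "connected")   # L13, borrowed by DVTI13
    vrf13.add_route("172.16.13.2/32", "DVTI13", "vti-peer")  # NGFW3's VTI IP
    return fw


def ping_matrix(fw: Firewall) -> Dict[str, Dict[str, bool]]:
    """Reachability of both spoke VTI addresses from every table on the firewall."""
    targets = ["172.16.12.2", "172.16.13.2"]
    return {vrf: {t: fw.ping(t, vrf) for t in targets} for vrf in fw.vrfs}


if __name__ == "__main__":
    fw = build_ngfw1()
    for vrf, members in fw.show_vrf().items():
        print(f"{vrf:8} {', '.join(members) or '-'}")
    for vrf, results in ping_matrix(fw).items():
        for dst, ok in results.items():
            prefix = "" if vrf == "global" else f"vrf {vrf} "
            print(f"ping {prefix}{dst}: {'success' if ok else 'fail'}")
```

Running the block prints the member interfaces per table and the six ping outcomes; the two that succeed are exactly ping vrf VRF12 172.16.12.2 and ping vrf VRF13 172.16.13.2, which is the segmentation guarantee the lab verifies. On a real device a successful route lookup is still only the first condition: the tunnel must also be up, and access control must permit the traffic between the zones you created in Task 1.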

👍

Success

This concludes the lab for VRF Support for DVTI.
