From the course: Cisco CCNP Security SNCF v1.1 (Exam 300-710) Cert Prep

NGFW routed mode

- Now that you have the next-generation firewall up and ready in your lab environment, you have to actually choose a mode. To actually think about, well, what the heck are we actually going to choose? Find out next, right here on ITProTV.

- You're watching ITProTV. (upbeat music)

- That's right. We are jumping in, and we are going to be talking about, of course, the next-generation firewall, and something called "routed mode" that should actually tease us a little bit more. And the person that's going to help us out: Anthony Sequeira. All right, where are we going to begin?

- Yeah, so Ronnie, we deployed a next-generation firewall into our environment, and we didn't pause to think about the mode. And that was with good reason. There's only one mode when we are deploying to AWS, and that is routed mode. So we didn't really even have an option to think about. (laughing) So we need to back up a little bit here, and we need to discuss this "routed mode" in more detail. And then, no surprise, in the next episode we'll go ahead and we'll tackle the transparent mode. The routed mode of operation is, I kind of think of it as like the "typical mode". This is what students would expect if they are old school when it comes to their firewalls. And this is what we mean. We mean that the firewall is seen as a next-hop type of device. It's seen as like a gateway device. And I think the best way to visualize this is with an illustration, so I've got one there for us. We can see the next-generation firewall right there in the middle of that topology. And we notice that there is the gigabit 0/0 interface, and we have named this interface "inside", and notice it's in the 10.1.2 subnet. In fact, no coincidence, that's the addressing that we used in our AWS, isn't it? And then on the outside we see there's gigabit 0/1. We've named that interface "outside", and we can see it is in the 10.1.3 subnet. By the way, there is a third subnet in play here, and that is the "management subnet", but oftentimes we won't even show that management subnet, because we know it's exclusively used for management purposes. In our case it's the 10.1.1 subnet. Notice too, this illustration is kind of a common design. The next-generation firewall is in the network here, and it's probably doing DHCP on its inside interface. And so all of the workstations on the inside are getting their IP address information from the next-generation firewall, and they're using the next-generation firewall as their default gateway. But what is the next-generation firewall doing? Well, it is actually connected to the, quote, "real" default gateway on the network. It's that router on the outside, and when it needs to forward traffic to the internet it can use that default gateway that it's connected to on the outside. So that's kind of a common deployment. Now, while routed mode is shown here, we just have to remember that there is this alternative mode called "transparent mode" that we could utilize in a non-AWS deployment. And still something for us to consider, though, is that we can do different types of interfaces on the routed mode device. So there's something that we'll study together called an "inline interface". There's something called a "passive interface". We often associate these with transparent mode, but I just wanted to impress upon you that we do have some kind of mix-and-match capabilities here when it comes to the routed mode. As a matter of fact, let me show you this topology, and this is very, very certification relevant. So for those of you that are here preparing for the certification exam, pay attention. So notice what's happening here. Our next-generation firewall routed mode devices can do something called IRB. Now, this always brings a smile to my face, because my recording studio is located in Indian Rocks Beach, Florida.

- Yeah.

- Which we affectionately term IRB. And you'll see everyone driving around here with their IRB stickers. But that is not what we're talking about here. We're talking about "Integrated Routing and Bridging". So Ronnie, what we've got in this topology, as you can see, is we've got multiple inside interfaces. So I've got inside one and inside two on the 0/0 and 0/2 interfaces, respectively. And do you notice something about those interfaces? They are in the same subnet.

- Okay.

- So notice that kind of looks like transparent mode. So we are kind of taking advantage here of the best of both worlds. We have the outside interface in one subnet, but then we've got our multiple inside interfaces in a single subnet. And to make this work, we have to, I repeat, "we have to" create a "Bridge Virtual Interface" on the next-generation firewall. We have to name that bridge virtual interface, and so I've named mine "inside". And then notice it gets an IP address, in this case 10.1.2.20/24. And notice that is an IP address in the subnet space of those interfaces that we have bridged together. So there's a nice look at an IRB type configuration on the next-generation firewall.

- Now, correct me if I'm wrong here. Coming from, let's say, the ENCOR, if we talk about the idea of VRF, is this almost an analogous concept, or is this something completely different?

- I suppose it is similar to the VRF concept, isn't it? In that we have a lot of flexibility in how we set these interfaces. And what's really cool, Ronnie, is that in the BVI we can do the full checks of the traffic as it is going from, let's say, the inside interface one to the inside interface two. So we've still got the various security checks going on. And then of course we can do the classic "routed mode checks" as traffic is moving from the BVI, from the virtual bridge group there, to the outside interfaces. We can do the firewall checks. So it's really about flexibility.

- Okay.

- And in that regard, it does remind me of the VRF capability, where we can really carve up the device exactly how we need to. I thought what we would do too is let's just kind of remind ourselves about our deployment, and let's take a look at that. Now, there is one thing I went and did behind the scenes in AWS, and I want to go ahead and show you that just so you realize there's kind of nothing up our sleeves here. If we go into our virtual private cloud, you remember we had our subnets, and the subnets that we created of course were the management subnet, the inside subnet and the outside subnet. When we built this infrastructure, we went ahead and we took the management subnet and we associated it with a route table. Remember that? And that route table that we created for that management subnet, it's right here. We went in and we associated the management subnet with that routing table. And then as far as the routes go inside of there, we made sure that we tied in the default gateway with a default route, and I'll move that up so you can see it even better down at the bottom there. So the management subnet has internet access, doesn't it? And so what I did was I attached a route table. I did this preparing for today's episode. I went in and I attached a route table to the inside interface, the inside subnet, excuse me, and then the outside subnet. And you can see what I did: the inside route table does not have internet access, right? So it is a subnet that truly is protected by the next-generation firewall, and it in and of itself does not have internet access. The outside subnet, I went and attached a route table to, and I gave the outside subnet internet access. So I just wanted to emphasize that inside of AWS you can add these route tables and you can decide what subnets get internet connectivity and what don't. And you can really mirror an actual type of topology that you would find in a, you know, medium-sized business, right? So here we have the outside subnet with the ability to access the internet, just like we would in a typical topology. So I just really wanted to emphasize how you can start playing with the AWS topology that you're deployed to, to mirror as accurately as you can your actual production network. And don't forget that the whole point of the Cisco devices inside of AWS is not for practice labbing, like we're doing. It's so that you could actually use these devices to protect your AWS infrastructure. So you say, all right, I know Amazon gives us some built-in tools to protect our cloud, but we want to use these Cisco tools. So they're there for you to really utilize to protect your cloud. So if we slide over to the FMC, this is the FMC that we spun up inside of AWS. Notice we have an alert here, and that is that there's an issue with the appliance heartbeat. So it's freaking out a little bit here about the device that we registered inside of the FMC. Let's go over to device management. It's kind of getting worried that that device is not available. And of course that's because I had to wait, and this console was freaked out about it. We had to spin up the next-generation firewall. We can see that everything's taken care of itself here. We can see that green check mark over there to indicate that the next-generation firewall has now come online and we're receiving its heartbeats here at the FMC. Notice also, Ronnie, if you look closely there, what does it say to us? It tells us right in that main display that we are in routed mode.

- Right.

- And again, we're not surprised; that's the default mode, and that was the only option for our AWS deployment. So we are in that routed mode. Now, one of the challenges, though, is that this next-generation firewall has been deployed and the interfaces for data, they're disabled. Yeah, they're not doing anything. So let's change that, and really pay attention, because we've got some certification relevant things to share with you here. If I click the pencil, notice that we can go into the, you know, edit mode of the next-generation firewall. And here we can see the physical interfaces, and notice there's no green check mark; they're disabled. So if I go to the pencil icon on the first interface, 0/0, I can go ahead and name it. Not my name; how about naming it "inside"? And then I can enable this interface. I can give a description. Look at the mode options: passive, ERSPAN. We'll be talking a lot more about these in upcoming episodes. I'm not going to do anything special with the mode here, and I'm not even going to assign this to a security zone. Notice that is not required. We could add it to a security zone, but it's not required. But one thing that I need to do, obviously, is go over to the IPv4 and this interface. Remember, we want to keep everything congruent with what we set up in AWS. So this interface is 10.1.2.50, and of course we can double-check that against AWS. If I go in and I go up to the EC2 service, under running instances there's our two instances that are running: the FMC and the next-generation firewall. If I select the next-generation firewall, it shows me the interfaces that are connected and the private IPs that it got. And we can see the 10.1.2.50 is the IP address that we set up for that inside interface. So there's our 10.1.2.50, just like we had set up through AWS. So just to review, I've given the IP; over on the general tab I've named it and enabled it. I'm going to say "okay". And it says invalid value of IP address. Ah, yeah. When you're giving the IP address, you also give the mask in prefix notation. So there we go: 10.1.2.50/24. I say okay. It updates the interface. And then, please know this workflow: we have to save this. Now, Ronnie, this couldn't be any more, kind of, deceiving. In fact, watch this, Ronnie. What a lot of students will do is they will save that change. And then they see this "sync device". And so they say, yes, let me sync this device. And wouldn't you guess that your next-generation firewall now is up to date and is in routed mode, and it has that one interface all set up?

- Yeah.

- You would really think that, wouldn't you, Ronnie? And the fact is, it isn't. So yeah, we save these changes, and yes, we can sync interfaces, but we're truly not making any changes to the device until we actually deploy our changes. So these changes are kind of like in a staging area, if you will. So before we deploy, while we're here, let's just go and fix up that remaining interface. So this is going to be named "outside". It's going to be enabled. And from an IPv4 perspective, it's going to be 10.1.3.50/24. And we're going to say okay, we're going to save. And now, Ronnie, with the interfaces addressed and enabled, and I like how we get kind of a summary here, now I can go up to the deploy menu, go to the option called deployment, and we can see all of these changes. We could even preview them here, and we will select this and choose deploy, and then the deploy button. So now we are actually deploying those changes out to the device. And you can see you'll get status messages about that. And this works out perfectly, because one of the tasks that we'll go ahead and assign for our next episode is to come in and verify that the deployment has actually worked as we planned. So Ronnie, a pretty close look there, and a close discussion with lots of content in this episode. Our students may want to watch this twice if they're brand new to the Firepower devices, because we actually did cover quite a bit there.

- All right. Well, as you actually did see there, it is the next-generation firewall in routed mode, something that we'll actually choose by default, and we actually do have our lab environment inside of AWS. But there is more to come, as Anthony said. So we'll actually see that in the very next episode on the other details. But signing off for ITProTV, I'm your host, Ronnie Wong.

- And I'm Anthony Sequeira.

- Stay tuned right here for more of your Cisco security SNCF show.

- Thank you for watching ITProTV. (upbeat music)
