A Cisco FTD has two physical interfaces assigned to a BVI. Each interface is connected to a different VLAN on the same switch. Which firewall mode is the Cisco FTD set up to support?
The Cisco FTD configured with two physical interfaces assigned to a BVI and connected to different VLANs on the same switch is set up to support the transparent firewall mode.
In transparent mode, the firewall operates at Layer 2, and does not modify the IP address or MAC address of the packets passing through it. In this mode, the firewall is transparent to the devices on either side of it, and can be inserted into the network without changing the IP addressing or topology.
In Transparent Mode, the FTD acts as a "bump in the wire" or a Layer 2 bridge between network segments. It does not route traffic (as in Routed Mode) but instead forwards traffic between interfaces based on Layer 2 information (MAC addresses). The use of a BVI allows the FTD to bridge traffic between the two physical interfaces while applying security policies.
D.
If you are passing traffic between multiple VLANs, those are separate networks entirely. In order for them to communicate, there needs to be routing in place.
About Transparent Firewall Mode:
Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the FTD device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
Actually, BVI can run in both routed and transparent. In this situation I think it is transparent. Here is what AI has to say about it:
On the Cisco Firepower Threat Defense (FTD) device, you can use a Bridge Virtual Interface (BVI) in both transparent and routed firewall modes. In transparent mode, Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the FTD device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a BVI to which you assign an IP address on the network¹. In routed mode, the FTD device routes between BVIs and regular routed interfaces. If you do not need clustering or EtherChannel member interfaces, you might consider using routed mode instead of transparent mode². Is there anything else you would like to know? 😊
A bridge group is a group of interfaces that the FTD device bridges instead of routes. All interfaces are on the same network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.
You can route between routed interfaces and BVIs, if you name the BVI. In this case, the BVI acts as the gateway between member interfaces and routed interfaces. If you do not name the BVI, traffic on the bridge group member interfaces cannot leave the bridge group. Normally, you would name the interface so that you can route member interfaces to the internet.
One use for a bridge group in routed mode is to use extra interfaces on the FTD device instead of an external switch. You can attach endpoints directly to bridge group member interfaces. You can also attach switches to add more endpoints to the same network as the BVI.
To me, routed is the right answer because each interface is on a different VLAN. If you have a regular bump-in-the-wire configuration like transparent mode, you won't be able to route traffic between them, so you will need a bridge group in routed mode.
Yeah, technically possible, but not recommended. What if I change the question to "Each interface is connected to the same VLAN on the same switch"? That is definitely transparent. But the question is asking about different VLANs (usually different subnets), so my choice is D.
Layer 2 Segmentation: VLANs provide Layer 2 segmentation, meaning they separate broadcast domains. Each VLAN operates as if it were a separate physical network. Devices within the same VLAN can communicate directly with each other at the data link layer (using MAC addresses). While it's technically possible for two VLANs to use the same IP subnet, it's generally better to keep them separate to avoid potential issues.