A network engineer is extending a user segment through an FTD device for traffic inspection without creating another IP subnet. How is this accomplished on an FTD device in routed mode?
A. by assigning an inline set interface
B. by using a BVI and creating a BVI IP address in the same subnet as the user segment
C. by leveraging the ARP to direct traffic through the firewall
D. by bypassing protocol inspection by leveraging pre-filter rules
Using an inline set interface is a valid approach in some cases, but for extending a user segment through an FTD (Firepower Threat Defense) device in routed mode without creating another IP subnet, the recommended method is using a BVI (Bridge Virtual Interface).
An inline set typically involves pairs of interfaces used for transparent or bridged mode, where traffic passes through the FTD device without routing, mainly used for intrusion prevention.
In routed mode, using a BVI allows the device to bridge two or more interfaces at Layer 2 while still inspecting traffic at Layer 3 and 4. This allows you to maintain the same IP subnet across these interfaces.
I think the key word is inspection, since you can extend the subnet in inline and bridge group, but the answer is "A" since the inline set interface is used for inspection.
Extending a user segment without creating another segment. I believe only an inline set can do it, because it does not need to set up another IP address. Since the segment is already here, if we use a BVI, it still needs an IP address configured, and it would not be allowed as the same IP segment is already on one existing interface.
The key here is Extend, so B. You can have a BVI with no name here, and in that way the BVI acts as a transparent firewall. So with that you have extended the LAN network; the gateway stays the same (e.g. GW is 192.168.1.1 and BVI is 192.168.1.2), so nothing changes for users. If you go with inline, you do not extend the network; inline only has inline pair interfaces, and that does not extend the LAN.
I think B is correct, but your explanation is a little unclear. The gateway should be 192.168.1.1 for the BVI in your case, because the BVI is the gateway IP address.
B. by using a BVI and creating a BVI IP address in the same subnet as the user segment.
A Bridged Virtual Interface (BVI) can be configured on an FTD device in routed mode to extend a user segment without the need to create another IP subnet. The BVI is configured with an IP address in the same subnet as the user segment, and the user segment is then connected to one of the switch ports on the FTD device. The BVI is then configured to bridge the traffic between the user segment and the FTD device's inside network, allowing the FTD device to inspect the traffic passing through it.
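To make the BVI option described in the two comments above concrete, here is an added illustrative configuration that is not from the thread or from Cisco's documentation. It is written in the ASA-style syntax that an FTD device displays in `show running-config` (FMC generates this from the bridge group settings in the GUI). The interface names, the 192.168.1.0/24 segment, the existing gateway 192.168.1.1 and the BVI address 192.168.1.2 are assumed values taken from the discussion, not a real deployment.

```text
! Added example configuration (constructed, not from the page or Cisco docs).
! Existing user segment: 192.168.1.0/24, default gateway 192.168.1.1 (an
! existing router attached behind Gi0/1). The extended part of the segment
! sits behind Gi0/2. Both ports join bridge group 1, so frames between them
! are bridged at Layer 2 and still pass the access control policy.

interface GigabitEthernet0/1
 bridge-group 1
 nameif users-gw-side
 security-level 100

interface GigabitEthernet0/2
 bridge-group 1
 nameif users-extended
 security-level 100

! The BVI is the only address the FTD itself owns on this segment. It lives
! inside the existing /24, so no new subnet or routed L3 interface is created
! and the hosts keep their current addressing.
interface BVI1
 nameif users
 security-level 100
 ip address 192.168.1.2 255.255.255.0
```

Whether hosts keep 192.168.1.1 as their gateway (the existing router behind one member port, as in the comment above) or point at the BVI address depends on the design; in either case the traffic between the two member interfaces is inspected by the same access control policy as any other FTD interface.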
In: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
It's stated that "The firewall mode only affects regular firewall interfaces, and not IPS-only interfaces such as inline sets or passive interfaces. IPS-only interfaces can be used in both firewall modes. See Inline Sets and Passive Interfaces for Firepower Threat Defense for more information about IPS-only interfaces. Inline sets might be familiar to you as "transparent inline sets," but the inline interface type is unrelated to the transparent firewall mode described in this chapter or the firewall-type interfaces."
So inline interfaces have nothing to do with this deployment.
"without creating another IP subnet". A BVI requires a subnet interface. An inline set acts like Layer 2 but can be set up in an FTD in routed mode. No need for creating additional IP addresses or L3 interfaces. See "Inline IPS Interfaces" on CBT Nuggets, Skill: Cisco Firepower IPS/IDS.
However, B can also work if you use an existing network as the BVI. But then you need to create extensive ACPs between the bridge groups. This one is super tricky, but I'd still go with A.
BVI uses the same IP subnet. For example, if the connected devices are 192.168.0.2 and .3 /24 and you want to add one more user segment, the subnet can stay the same (192.168.0.0/24) and you make a BVI interface on the FTD (192.168.0.1/24), so the segment can be added without adding an additional subnet. Check this link, especially the diagram for the routed mode BVI: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
Correct answer is A. "Inline Set, with optional Tap mode—An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the FTD to be installed in any network environment without the configuration of adjacent network devices." https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html
Yeah, BVI supports both transparent and routed. Check this link: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
Bridge group interfaces can be deployed in routed and transparent firewall mode. However, in transparent mode, each bridge group is separate and cannot communicate with each other.
The firewall mode only affects regular firewall interfaces, and not IPS-only interfaces such as inline sets or passive interfaces. IPS-only interfaces can be used in both firewall modes.