3-10
Firepower 7000 and 8000 Series Installation Guide
Chapter 3 Deploying Firepower Managed Devices
Deployment Options
Figure 3-4 Hybrid Interface on a Managed Device
In this example, computer A and computer B are on the same network and communicate using a Layer 2 virtual switch configured on the managed device (indicated by the blue and green lines). A virtual router configured on the managed device provides Layer 3 access to the firewall. A hybrid interface combines the Layer 2 and Layer 3 capabilities of the virtual switch and virtual router to allow traffic to pass from each computer through the hybrid interface to the firewall (indicated by the red and orange lines).
For more information, see Setting Up Hybrid Interfaces in the Firepower Management Center Configuration Guide.
Deploying a Gateway VPN
License: VPN
You can create a gateway virtual private network (gateway VPN) connection to establish a secure tunnel between a local gateway and a remote gateway. The secure tunnel between the gateways protects communication between them.
You configure the Firepower System to build secure VPN tunnels from the virtual routers of Cisco managed devices to remote devices or other third-party VPN endpoints using the Internet Protocol Security (IPSec) protocol suite. After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel. The VPN endpoints authenticate each other with either the Internet Key Exchange (IKE) version 1 or version 2 protocol to create a security association for the tunnel. The system runs in either IPSec authentication header (AH) mode or IPSec encapsulating security payload (ESP) mode. Both AH and ESP provide authentication, and ESP also provides encryption.
A gateway VPN can be used in a point-to-point, star, or mesh deployment:
• Point-to-point deployments connect two endpoints with each other in a direct one-to-one relationship. Both endpoints are configured as peer devices, and either device can initiate the secured connection. At least one device must be a VPN-enabled managed device.
Use a point-to-point deployment to maintain your network security when a host at a remote location uses public networks to connect to a host in your network.
• Star deployments establish a secure connection between a hub and multiple remote endpoints (leaf nodes). Each connection between the hub node and an individual leaf node is a separate VPN tunnel. Typically, the hub node is the VPN-enabled managed device, located at the main office. Leaf nodes are located at branch offices and initiate most of the traffic.
Use a star deployment to connect an organization’s main and branch office locations using secure connections over the Internet or other third-party network to provide all employees with controlled access to the organization’s network.
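The following planning helper is an added example, not part of this guide or of the Firepower product: it enumerates the tunnels a point-to-point or star gateway VPN deployment needs, enforces the rule that at least one endpoint is a VPN-enabled managed device, and records which IPSec mode gives encryption. Mesh is modelled as a full mesh (one tunnel per pair of endpoints), an assumption since this page does not describe it; endpoint names are constructed sample data.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Endpoint:
    name: str
    managed: bool  # True when this is a VPN-enabled Firepower managed device


def plan_tunnels(topology, endpoints, hub=None):
    """Return the (local, remote) tunnel pairs the deployment requires.

    Raises ValueError when the topology breaks a rule stated in the guide
    (exactly two peers for point-to-point, a hub for star, and at least one
    VPN-enabled managed device in every deployment).
    """
    names = [e.name for e in endpoints]
    if len(names) != len(set(names)):
        raise ValueError("endpoint names must be unique")
    if not any(e.managed for e in endpoints):
        raise ValueError("at least one endpoint must be a VPN-enabled managed device")
    if topology == "point-to-point":
        if len(endpoints) != 2:
            raise ValueError("point-to-point connects exactly two endpoints")
        return [(names[0], names[1])]
    if topology == "star":
        if hub is None or hub not in names:
            raise ValueError("star deployment needs a hub chosen from the endpoints")
        # Each hub-to-leaf connection is its own VPN tunnel.
        return [(hub, leaf) for leaf in names if leaf != hub]
    if topology == "mesh":
        # Assumption: full mesh, one tunnel between every pair of endpoints.
        return list(combinations(names, 2))
    raise ValueError(f"unknown topology {topology!r}")


def ipsec_mode_properties(mode):
    """AH and ESP both authenticate; only ESP also encrypts the payload."""
    mode = mode.upper()
    if mode not in ("AH", "ESP"):
        raise ValueError("mode must be AH or ESP")
    return {"authentication": True, "encryption": mode == "ESP"}


if __name__ == "__main__":
    # Constructed sample: main-office managed device plus three branch gateways.
    sites = [Endpoint("main-office", True), Endpoint("branch-a", False),
             Endpoint("branch-b", False), Endpoint("branch-c", False)]
    for local, remote in plan_tunnels("star", sites, hub="main-office"):
        print(f"tunnel {local} <-> {remote}: {ipsec_mode_properties('ESP')}")
```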