FTD: Inline interface and routed interface in same VLAN?

Network Diver — Fri, 29 Nov 2024 09:13:15 GMT

Hi,

I'm thinking about follwing internet edge FTD setup for branch offices. Firewall pair FTD1a/b has two interfaces in public provider outside VLAN.

Interface "inline-outside" is an inline-set to threat protect access to AnyConnect VPN peer FTD2a/b because FTD still is lacking threat-protection for control-plane traffic. One would do IPS here and also block access via geolocation objects.
Interface "outside" is a routed interface for dynamic NAT and outbound internet access from internal network and office network.

The local AnyConnect VPN peer on FTD2a/b should be accessible from the local guest network, hence it can't be on the same firewall that provides outbound access (FTD1a/b). In the lab I did such a setup and am able to access from inside through FTD1a/b the outside IP of the device FTD2a/b behind the inline interface.

Is this a supported and common setup or am I walking here on uncharted territory full of boobie traps?

When looking on FMC connection events, I see that the unicast traffic that FTD1a/b receives from inside and should be sent to the router also is sent to the inline interface. Is this normal? I would expect only to see broadcast traffic from the same VLAN to be seen on the inline interface. The FMC management guide [1] states: "Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped." So inline interface behaves like a hub and not a switch?

An alternative would be a FTD pair in transparent mode to do threat-protection of AnyConnect VPN peer, but then this would require one additional firewall pair.

Thanks in advance for enlightenment.

Regards,

Bernd

[1] https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html

Re: FTD: Inline interface and routed interface in same VLAN?

Peter Koltl — Sat, 30 Nov 2024 20:18:01 GMT

Version 7.7 introduces geolocation based RAVPN filtering.

Re: FTD: Inline interface and routed interface in same VLAN?

Network Diver — Tue, 03 Dec 2024 12:35:05 GMT

FTD 7.7 is a long way to go. Current suggested release is 7.4.2. Also original question was more about having inline interface and routed interface in same VLAN causing troubles as also unicast traffic that should go to default gateway is being seen on the inline interface.

topic Re: FTD: Inline interface and routed interface in same VLAN? in Network Security

FTD: Inline interface and routed interface in same VLAN?

Re: FTD: Inline interface and routed interface in same VLAN?

Re: FTD: Inline interface and routed interface in same VLAN?