BGP and Transparent IPS on 3120

tahscolony
Level 1

I currently have a 7125 Firepower with dual inline sets. No IPs assigned to any interfaces, just the policy for Geoblocking and other protection. BGP does pass through it as it is inline with the routers and the ASA 5555-X, which receives Default via BGP.

Since the 7125 is EOL and the ASA will be EOL next year, I have a 3120 on an FMC broken down into 2 instances. One will be the Firewall replacement, and not part of this question; the other instance is transparent FTD with the same policy currently in use on the 7125 applied to the inline pair. The main difference from the 7125 is that the inline pair is singular on the 3120 and will be between the main internet router and the rest of the public routers, so the question is: will BGP be able to establish through the transparent inline pair on the FTD? It is not configured as a firewall, but for Malware, URL and IPS.

Does it mirror the configuration of the 7125 in this setup?

 


3 Replies

ccieexpert
Spotlight

Yes, the functionality is very similar and it is a pass-through (bump in the wire), so BGP should go through fine.

Yes, BGP should be able to establish through the transparent inline pair on the Firepower Threat Defense (FTD) in your described setup, provided that the FTD is configured correctly and not blocking the relevant BGP traffic. Here are some key points to ensure proper operation:

Key Points:

Transparent Mode: Ensure that the FTD is set to transparent mode. This mode allows the FTD to bridge traffic between two network segments without IP addressing, similar to how the 7125 operates.

Inline Pair: Make sure the inline pair is correctly configured. In your case, the inline pair should bridge traffic between the main internet router and the rest of the public routers.

Traffic Policies: Ensure that your security policies (Malware, URL, and IPS) applied to the FTD do not inadvertently block BGP traffic (TCP port 179). You may need to create an explicit rule to allow BGP traffic if it’s being inspected.

Inspection Bypass: Depending on the performance and the inspection capabilities, you might consider bypassing inspection for BGP traffic if it's not necessary to inspect it. This can help in ensuring minimal latency and avoiding unintended disruptions.

Default Configuration Mirroring: The configuration on the 7125, especially regarding what traffic is allowed and inspected, should be mirrored on the 3120 to ensure consistency. However, review and adjust configurations as necessary to suit the new hardware capabilities and features.

Please do not forget to rate.

tahscolony
Level 1

Excellent. I had a feeling I was on the right track. The FTD difference is in licensing, with AMP and URL, so I was not sure if it would act the same as the current 7125. This should go pretty smoothly then. I will add a BGP allow to the Mandatory section, and have cleaned up some conflicts stemming from the 6.4 to 7.4 versions.
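The "Traffic Policies" point in the answer above and the plan to add a BGP allow to the Mandatory section both come down to rule ordering: a geolocation block evaluated before any BGP rule can drop the TCP/179 session from a peer whose address geolocates to a blocked country. The following added example (written for this page; it is not Cisco's, FMC's or either poster's code, and the rule fields are a simplified stand-in for FMC's real access-control data model) simulates first-match evaluation of an ordered policy, Mandatory section before Default, and checks BGP in both directions because either router may open the session. The addresses come from the RFC 5737 documentation ranges and the geolocation table and country codes are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

BGP_PORT = 179  # BGP sessions run over TCP port 179

# Constructed geolocation table (example data, not a real GeoIP feed):
# documentation prefixes mapped to made-up country codes.
GEO_TABLE = {
    ip_network("198.51.100.0/24"): "AA",  # our own public routers
    ip_network("203.0.113.0/24"): "ZZ",   # upstream provider; ZZ is on the geoblock list
}


def country_of(addr: str) -> str:
    """Look up the constructed country code for an address; '??' when unknown."""
    ip = ip_address(addr)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


@dataclass
class Rule:
    """Hypothetical access-control rule: every non-empty field must match."""
    name: str
    action: str                        # "allow" (inspected), "trust" (bypass inspection) or "block"
    section: str = "default"           # "mandatory" rules are evaluated before "default" ones
    src_nets: List[str] = field(default_factory=list)       # empty list means any
    dst_nets: List[str] = field(default_factory=list)
    src_countries: List[str] = field(default_factory=list)  # geolocation match on the source
    protocol: Optional[str] = None     # "tcp", "udp" or None for any
    dst_ports: List[int] = field(default_factory=list)


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: int


def _in_any(addr: str, nets: List[str]) -> bool:
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not _in_any(flow.src, rule.src_nets) or not _in_any(flow.dst, rule.dst_nets):
        return False
    if rule.src_countries and country_of(flow.src) not in rule.src_countries:
        return False
    if rule.protocol and rule.protocol != flow.protocol:
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "allow") -> Tuple[str, str]:
    """First match wins: Mandatory section first, then Default, then the policy's default action."""
    ordered = [r for r in rules if r.section == "mandatory"] + \
              [r for r in rules if r.section != "mandatory"]
    for rule in ordered:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "<default action>", default_action


def bgp_session_permitted(rules: List[Rule], peer_a: str, peer_b: str,
                          default_action: str = "allow") -> bool:
    """Either router may initiate the TCP session, so require TCP/179 to pass in both directions."""
    verdicts = [evaluate(rules, Flow(a, b, "tcp", BGP_PORT), default_action)[1]
                for a, b in ((peer_a, peer_b), (peer_b, peer_a))]
    return all(v in ("allow", "trust") for v in verdicts)


# Constructed policy: the existing geoblock rule in the Default section, and the
# BGP rule the thread proposes adding to the Mandatory section.
GEOBLOCK = Rule("Geoblock-Inbound", "block", section="default", src_countries=["ZZ"])
BGP_TRUST = Rule("Trust-BGP-Peers", "trust", section="mandatory",
                 src_nets=["203.0.113.0/24", "198.51.100.0/24"],
                 dst_nets=["203.0.113.0/24", "198.51.100.0/24"],
                 protocol="tcp", dst_ports=[BGP_PORT])

UPSTREAM = "203.0.113.1"  # main internet router (constructed address)
EDGE = "198.51.100.1"     # first of our public routers (constructed address)


def policy_without_bgp_rule() -> List[Rule]:
    return [GEOBLOCK]


def policy_with_bgp_rule() -> List[Rule]:
    # Listed after the geoblock on purpose: the Mandatory section still wins on evaluation order.
    return [GEOBLOCK, BGP_TRUST]


if __name__ == "__main__":
    for label, rules in (("without explicit BGP rule", policy_without_bgp_rule()),
                         ("with Mandatory BGP rule", policy_with_bgp_rule())):
        ok = bgp_session_permitted(rules, UPSTREAM, EDGE)
        print(f"{label}: BGP {UPSTREAM} <-> {EDGE} {'can establish' if ok else 'is blocked'}")
```

The "trust" action models the inspection bypass the answer mentions; swapping it for "allow" keeps the session up but sends the BGP traffic through the IPS, which is the safer choice if you want the Snort rules to see it. Checking both directions matters because the geoblock only catches the upstream-initiated open, so a one-way test from your side would have reported success.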
