
connect multiple sites VPN with Firepower (design)

Hisoma Sama
Level 1

Hi

I have some client sites that will all be connected to one switch and connect to the main site, which has a Firepower managed with FMC.

What is the best design in this scenario?

My thought is to use a /30 subnet from the client side to the Firepower.

The middle switch will have a separate VLAN for each client.

On the Firepower side, since there is only one cable connecting to the middle switch, I will use subinterfaces, and then site-to-site VPN.

Is this the best design, or is there something better?

 

7 Replies

If you are in control of the addressing, I would always use at least a /29. That gives you more flexibility if you want to add a HA-device at a later time.

From your description, I do not see why you would need a sub-interface on the devices. The main-interface should do it perfectly fine.

With only one cable (and without using any extra switch) you will likely run version 6.7 to be able to manage the FTD on the Data-Interface.

Hi Karsten,

Thanks for your reply.

I didn't get how I can do it without subinterfaces, as there are different clients and each will have a different IP (can you advise more on this?).

Then I actually don't really get what you are trying to achieve.

Sorry, my mistake for not describing it well.

Please check the attached photo: I have different clients that connect via site-to-site VPN to the HQ site.

Each client is different and should not have access to the others, only to the HQ site.

[Attachment: Capture.JPG]

Ok, this is actually what I understood. With this design you can do L3 routing on the "Site D" switch and put each link to sites A, B and C in its own access VLAN. The FTDs don't need a sub-interface with that. You only need a sub-interface if you want to use a trunk between the switch and the sites.

For the access control so that no client can access other clients, you typically configure the access list on each FTD accordingly.

I was more thinking that the trunk would be between the SW and the FP,

so subinterfaces on the FP side, as it will be a trunk.

Are there any pros/cons to this?

Using an access interface to a single customer is more "typical"; it's slightly more config on the firewall side for a trunk, but should be OK in general.
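As an added illustration of the two points argued in this thread (a /29 per client link instead of a /30, and an access policy that lets each client reach HQ but never another client), here is a small Python model. It is example code written for this page, not configuration from the original poster or from Cisco. Everything concrete in it is an assumption: the site names, the 10.200.0.0/24 pool for the client links, VLAN IDs 101 and up, client LANs 192.168.x.0/24, the HQ LAN 10.10.0.0/16, and the interface names. It carves one link block per client, shows how many addresses each block size leaves for a later HA unit, emits the "Site D" switch VLAN plan for the trunk option with the matching FTD sub-interfaces, and evaluates a first-match rule list to find client-to-client pairs that a policy would still allow.

```python
"""Added example (not from the thread): addressing and isolation-policy model
for the multi-client hub design. All prefixes, VLANs and interface names are
constructed for the demo and are assumptions, not values from the thread."""
import ipaddress
from dataclasses import dataclass

HQ_LAN = ipaddress.ip_network("10.10.0.0/16")       # constructed HQ address space
LINK_POOL = ipaddress.ip_network("10.200.0.0/24")   # constructed pool for client links
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Link:
    site: str
    vlan: int
    net: ipaddress.IPv4Network        # point-to-point block on the switch side
    ftd_ip: ipaddress.IPv4Address     # HQ FTD (sub-)interface address
    client_ip: ipaddress.IPv4Address  # far-end (client) address
    lan: ipaddress.IPv4Network        # client LAN behind the tunnel (constructed)


def plan_links(sites, prefixlen=29, base_vlan=101):
    """One block of the given size and one VLAN per site, carved from LINK_POOL."""
    blocks = LINK_POOL.subnets(new_prefix=prefixlen)
    links = []
    for i, site in enumerate(sites):
        net = next(blocks)
        hosts = list(net.hosts())
        lan = ipaddress.ip_network(f"192.168.{10 + i}.0/24")  # constructed client LAN
        links.append(Link(site, base_vlan + i, net, hosts[0], hosts[-1], lan))
    return links


def spare_addresses(link):
    """Usable addresses left once network, broadcast, FTD and client are taken.
    A /29 leaves 4 (room for a standby FTD address later); a /30 leaves 0."""
    return link.net.num_addresses - 4


def switch_config(links, ftd_port="GigabitEthernet1/0/24"):
    """IOS-style fragment for the middle switch: each client on its own access
    VLAN, one trunk towards the FTD carrying exactly those VLANs."""
    lines = []
    for i, l in enumerate(links):
        lines += [f"vlan {l.vlan}", f" name {l.site}",
                  f"interface GigabitEthernet1/0/{i + 1}",
                  " switchport mode access",
                  f" switchport access vlan {l.vlan}"]
    allowed_vlans = ",".join(str(l.vlan) for l in links)
    lines += [f"interface {ftd_port}", " switchport mode trunk",
              f" switchport trunk allowed vlan {allowed_vlans}"]
    return "\n".join(lines)


def ftd_subinterfaces(links, parent="GigabitEthernet0/1"):
    """FTD side of the trunk: (sub-interface, VLAN tag, address/prefix) per client."""
    return [(f"{parent}.{l.vlan}", l.vlan, f"{l.ftd_ip}/{l.net.prefixlen}")
            for l in links]


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def isolation_policy(links):
    """Ordered rules: each client LAN <-> HQ LAN permitted, then an explicit
    deny-all. No rule permits client LAN -> client LAN, so those flows fall
    through to the deny."""
    rules = []
    for l in links:
        rules.append(Rule("permit", l.lan, HQ_LAN))
        rules.append(Rule("permit", HQ_LAN, l.lan))
    rules.append(Rule("deny", ANY, ANY))
    return rules


def allowed(rules, src_ip, dst_ip):
    """First-match evaluation with implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action == "permit"
    return False


def client_to_client_leaks(rules, links):
    """Pairs of sites that can still reach each other under the given rules."""
    return [(a.site, b.site) for a in links for b in links
            if a is not b and allowed(rules, a.lan[1], b.lan[1])]


if __name__ == "__main__":
    links = plan_links(["SiteA", "SiteB", "SiteC"])
    for l in links:
        print(f"{l.site}: vlan {l.vlan} {l.net} ftd={l.ftd_ip} "
              f"client={l.client_ip} spare={spare_addresses(l)}")
    print(switch_config(links))
    print(ftd_subinterfaces(links))
    print("permit-any leaks:", client_to_client_leaks([Rule("permit", ANY, ANY)], links))
    print("isolated leaks:", client_to_client_leaks(isolation_policy(links), links))
```

Running `spare_addresses` on a /30 link returns 0, which is the concrete reason behind the /29 advice: adding a second FTD for HA means re-addressing every /30 link. The `client_to_client_leaks` check is the test to run against whatever rule order ends up in the access control policy; a permit-any rule above the client rules yields all six pairs, the ordered policy yields none.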
