683 Views | 1 Helpful | 7 Replies

Creating S2S Connection Hub and Spoke

rtarson98
Level 1

I am working on building out the S2S tunnels and I noticed that the internal IPs of the remote site show as the "unsafe" outside WAN zone. I am now trying to find a better solution to identify the traffic and do it the right way, to separate the traffic from being blocked or filtered too much via the Access Rules, and to reduce the number of policy objects it would need to go through so it goes straight to what it needs. I was looking at the pre-filter and at adding a tunnel rule, but from reading the documentation I don't believe that is what I am looking for.

Right now I have 13 sites in total I am connecting. I have 2 peer-to-peer connections that talk only to the server VLANs with no intrusion policy, as things are heavily shared; for example, the Nutanix infrastructure requires this for disaster recovery. Then I have our "remote stores"/client-to-server traffic on a hub and spoke with an intrusion policy and certain services. I also have a geoblock rule blocking all but the USA and Canada enabled at the top level, which is also causing an issue because it's blocking traffic when it cannot identify whether it was from the USA or not.


Here is the part I need someone to help talk me through. I am going to set up route-based VTI using a hub and spoke topology, but my FTD device doesn't seem to show as an available hub. I then started reading documentation saying that dynamic VTI is needed. So I went to my interfaces and saw the dynamic option is greyed out.

Screenshot 2025-01-04 185426.png


Not exactly sure if it's a limitation with the FTD or if it has to do with a prerequisite that I am missing for this to work. If that's the case, then most likely I will need a VTI for each location and go that way? Also, is this the best way to separate traffic so that I can filter correctly by the interface in use?

7 Replies

I sent you a PM, check it.

MHM

@rtarson98 DVTI are supported from 7.3 and VTI from 6.7. Are you using a FMC version 7.3 or newer, but the FTD is an older version that does not support DVTI?

More information on DVTI:
https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti
https://integratingit.wordpress.com/2024/03/25/ftd-dynamic-vti/

To segment the VPN traffic, when you create the security zone and add VTI interfaces to it, you can define access control rules referencing the zone to control traffic over the VTI tunnel.


Thank you. I am running 7.2.8, and I am upgrading the FTD device now to play with it. From my reading, that is what I am planning on doing; I just noticed that the requirements for route-based hub and spoke weren't being met because I did not have a DVTI.

@rtarson98 yes, Dynamic (DVTI) would not be available on 7.2.8. I would skip 7.3 and go to 7.4.2 which is the Cisco recommended version.

Maybe you can help: I am looking at both articles you sent, and they both use a /24 subnet mask for the loopback interface.

However, MHM sent me a Cisco article going over the setup for DVTI, and they say to make the loopback a /32. My understanding from research is that the loopback should be a /24 to support spokes. I don't know if you can clarify whether my loopback should be a /24 or a /32?

@rtarson98 yes, that's correct, the Cisco guide uses a /24 on the loopback; however, this other Cisco guide uses a /32 for the loopback interface: https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface#ip-unnumbered-for-virtual-tunnel-interfaces The DVTI is borrowing the IP address from the loopback interface and does not check the mask, afaik.

The guide you refer to is not posted publicly, so I am unable to compare.
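For readers following the thread, here is an added illustration (not from any post above, and not a configuration published by Cisco for this thread) of how the pieces discussed fit together once the hub is on a release that supports DVTI: a loopback whose address the hub's dynamic virtual template borrows via IP unnumbered, a static VTI on one spoke pointing at the hub, and a `nameif` on each tunnel interface so that the interface can be placed in its own security zone and matched by access control rules instead of landing in the outside WAN zone. This is the ASA-style running-config view of what FMC generates; all interface names, profile names, and addresses are constructed placeholders, and the exact lines FMC emits on a given version may differ.

```cisco
! ---- Hub FTD (7.3 or newer for DVTI) ----
! Loopback that lends its address to the dynamic template. A /32 is shown
! here, matching the unnumbered guide; the template borrows only the
! address, so the mask is not what decides whether spokes can peer.
interface Loopback1
 nameif lo-vpn-hub
 ip address 10.255.0.1 255.255.255.255
!
! One virtual template terminates every spoke; a per-spoke virtual-access
! interface is cloned from it when a spoke's IKEv2 session comes up.
! nameif "dvti-spokes" is the interface name that is assigned to a
! dedicated security zone in FMC, so access control rules can reference
! that zone rather than the outside zone.
interface Virtual-Template1 type tunnel
 nameif dvti-spokes
 ip unnumbered Loopback1
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-SPOKES
!
! ---- Spoke FTD (static VTI, supported from 6.7) ----
! The spoke carries its own tunnel address on the same subnet as the hub
! loopback, which is what a dynamic routing protocol over the tunnel
! (or a static route with the hub's loopback as next hop) peers against.
interface Tunnel1
 nameif svti-to-hub
 ip address 10.255.0.11 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-SPOKES
```

With each tunnel interface named, the remaining work is in FMC: create a security zone per traffic class (for example one zone for the two peer-to-peer server-VLAN tunnels and one for the remote-store spokes), add the corresponding tunnel interfaces to it, and write the access control rules, intrusion policy assignment, and geolocation rule with that zone as the source or destination. Because the rule then matches on the tunnel zone, traffic arriving through the VTI is no longer evaluated as if it came from the unidentified outside WAN zone.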