Kureli Sankar
Cisco Employee

Documentation

This configuration example is meant to be interpreted with the aid of the documentation from the configuration guide attached to this document.

IOS-XE guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-3s/sec-data-utd-xe-3s-book.html#concept_0AC4C1AE8D714F1C9533FD3B383EC8AF

UCS-E configuration guide: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html

Firepower Virtual Appliance and Defense Center Data Sheet: https://na8.salesforce.com/sfc/p/#80000000dRH9KXPLJqkSwWBoW3e_vtLbnXOyiNg=

Firepower 3D System Virtual Installation Guide 5.3: http://www.cisco.com/c/en/us/support/security/ngips-virtual-appliance/tsd-products-support-series-home.html

FireSIGHT or Defense Center configuration guide: http://www.cisco.com/c/en/us/support/security/defense-center-virtual-appliance/tsd-products-support-series-home.html

UCS-E Troubleshooting guide: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/ts/guide/e_series_ts.html

 

Prerequisite and code download links

ISR must run XE image 3.14 or above. Download here: http://software.cisco.com/download/release.html?mdfid=284389362&flowid=71903&softwareid=282046477&release=3.12.2S&relind=AVAILABLE&rellifecycle=ED&reltype=latest

Firepower virtual sensor image download here: https://software.cisco.com/download/release.html?mdfid=286259690&softwareid=286271056&release=5.3.0.8&relind=AVAILABLE&rellifecycle=&reltype=latest

FireSIGHT Management Center image download link: https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=5.4.1.6&relind=AVAILABLE&rellifecycle=&reltype=latest

ESXi 5.0 or above. You can download the VMware customized image for Cisco here:

https://my.vmware.com/web/vmware/details?downloadGroup=CISCO-ESXI-5.1.0-GA-25SEP2012&productId=284

UCS-E140D and UCS-E160 Images: http://software.cisco.com/download/release.html?mdfid=284479266&softwareid=284480160&release=2.1.0&flowid=34485

UCS-E140S Images: http://software.cisco.com/download/release.html?mdfid=284479227&softwareid=284480160&release=2.1.0&flowid=34482

UCS-E120S Images: http://software.cisco.com/download/release.html?mdfid=286231777&flowid=50083&softwareid=284480160&release=2.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest

BDI Doc in IOS-XE: http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/bdi.html

 

Goal

The goal is to implement Firepower on the UCS-E blade in an ISR 4K or ISR G2 in IPS mode, using the front panel port on the UCS-E blade.

Requirement

The Firepower sensor VM requirement is 4x4x40 (4 GB RAM, 4 vCPUs and 40 GB of disk space). ESXi itself takes up 11 GB of space, so a 50 GB drive is clearly not sufficient.

Limitations

  • Restrictions for Bridge Domain Interfaces
    • Only 4096 bridge domain interfaces are supported per system.
    • For a BDI, the maximum transmission unit (MTU) size can be configured between 1500 and 9216 bytes.
    • Cryptographic VPNs are not supported in combination with BDI.
    • MPLS is not supported on bridge domain interfaces.
    • Bridge domain interfaces do not support the following features:
      • Bidirectional Forwarding Detection (BFD) protocol
      • NetFlow
      • QoS
      • Network-Based Application Recognition (NBAR) or Advanced Video Coding (AVC)
      • Zone-Based Firewall (ZBF); refer to CSCui86271
      • PPP over Ethernet (PPPoE)
      • NAT

Supported ISR and UCS-E Model

 

Supported ISRG2 and UCS-E Blades:

ISR Platform   Cisco UCS EN120E   Cisco UCS EN140N   Cisco UCS EN120S and E140S   Cisco UCS E140D and E160D-M2   Cisco UCS E160D-M1 and E180D
1921           1                  No                 No                           No                             No
1941           1                  No                 No                           No                             No
2901           2                  No                 No                           No                             No
2911           2                  No                 1                            No                             No
2921           2                  No                 1                            1                              No
2951           2                  No                 2                            1                              No
3925           2                  No                 2                            1                              1
3945           2                  No                 4                            1                              1
3925E          1                  No                 2                            1                              1
3945E          1                  No                 4                            1                              1

Supported ISR4K and UCS-E Blades:

ISR Platform   Cisco UCS EN120E   Cisco UCS EN140N   Cisco UCS EN120S and E140S   Cisco UCS E140D and E160D-M2   Cisco UCS E160D-M1 and E180D
4321           No                 2                  No                           No                             No
4331           No                 2*                 1                            No                             No
4351           No                 3*                 2                            1                              1
4431           No                 3                  No                           No                             No
4451           No                 3*                 2                            1                              1

 

The EN140N module should have sufficient disk space available to install the Firepower Sensor VM. We have tested with a 100 GB drive.

Topology

Simple topology

Detailed topology

How Firepower Works

  1. LAN to WAN traffic that needs to be inspected arrives on the front panel port of the UCS-E blade. Packets allowed after Firepower sensor inspection egress via the backplane and out the WAN interface.
  2. WAN to LAN traffic ingresses on the router's WAN interface, is forwarded to the backplane, is inspected by Firepower, and egresses out the front panel port on the UCS-E.

Step by Step Configuration

Configure CIMC

Refer to the steps here: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200366-Configure-FirePOWER-Services-on-an-ISR-D.html#anc13

Upgrade CIMC to the latest firmware

For XE image 3.14 and above CIMC should be running 2.3 or above

For ISR IOS image 15.5(1)T and above CIMC should be running 2.3 or above

Launch the CIMC GUI in a browser on the laptop with the default user ID and password.

userID: admin and password: password

Download the latest CIMC HUU and upgrade the BIOS, CIMC and other firmware components per this link: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide/b_2_0_Getting_Started_Guide_chapter_01010.html#task_B4052C8757D74555A073C0BD759B211D

Setting up ESXi

Refer to this link: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200366-Configure-FirePOWER-Services-on-an-ISR-D.html#anc16

Follow the above link to install the following as well:

Install VSphere Client

Setting up Firepower and FireSIGHT VMs

Configure VSwitch interfaces on ESXi

It is very important to open the properties of vSwitch1 and vSwitch2 and make sure the following are enabled:

  1. All VLANs, or at least the one VLAN that has to go through the sensor. Click on the properties for the vSwitch and add all VLANs.
  2. Accept "Promiscuous Mode" for both the SF-Inside and SF-Outside interfaces.

If the above is not done, traffic will not traverse the sensor from the inside to the outside.

Spin a FireSIGHT VM and configure it

Add the FireSIGHT to the Sensor VM

Add the Sensor to the FireSIGHT

Add license to the FireSIGHT Management Center

Relevant Switch and Router Config

We increase the spanning tree port cost on the switch port facing the router's G0/0/1 so that the front panel port is preferred to receive the LAN side traffic. If the Firepower VM crashes or is shut down, traffic is automatically received by the router's G0/0/1 port instead, but it is then forwarded without being scanned by the Firepower sensor VM (the design fails open).

Switch configuration

Enable Rapid Spanning Tree on the Switch

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100,200 hello-time 1
spanning-tree vlan 100,200 forward-time 4
!

Port connected to the UCS-E Front Panel Ge 2 Port

interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree cost 10
!

Port connected to the router's G0/0/1 Port

interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree cost 100
!

 

Router configuration

Inside interface configuration. There is no IP address here; the BDI interface holds the IP address.

interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
 !
 service instance 200 ethernet
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 200
 !
This interface is used to route management traffic to ESXi and the Firepower sensor (notice the static routes below).

interface ucse0/1/0
 ip unnumbered BDI100
 no negotiation auto
 switchport mode trunk
 no mop enabled
 no mop sysid

We only need VLAN 200 on the outside of the sensor, as only VLAN 200 traffic comes in via the front panel port for inspection.

interface ucse0/1/1
 no ip address
 negotiation auto
 switchport mode trunk
 no mop enabled
 no mop sysid
 service instance 200 ethernet
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 200

BDI Interface for vlan 100

interface BDI100
 ip address 10.129.16.1 255.255.255.0


BDI Interface to terminate vlan 200 on the outside of the FP sensor

interface BDI200
 ip address 10.129.17.1 255.255.255.0

Route statements for FP-Sensor and ESXi management

ip route 10.129.16.6 255.255.255.255 ucse0/1/0
ip route 10.129.16.8 255.255.255.255 ucse0/1/0

In this example there is only one vlan traffic (200) that is sent to the sensor for inspection. In case another vlan gets added to the inside network, we need to add a corresponding BDI interface and also create a service instance on the router.
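The rule in the paragraph above, encoded as an added Python example (not the author's or Cisco's code): it emits the inside-port, ucse0/1/1 and BDI stanzas for a set of inside VLANs, placing a service instance on ucse0/1/1 only for the VLANs that are to be inspected. Interface names and the 10.129.16.1/24 and 10.129.17.1/24 gateways are those used on this page; the ucse0/1/1 negotiation and MOP lines from the page are left out.

```python
# Generates the router-side stanzas this page uses per inside VLAN.
# Added example; interface names and addresses come from the page's config.
from ipaddress import IPv4Interface

INSIDE_PORT = "GigabitEthernet0/0/1"   # inside interface, no IP, EFP per VLAN
SENSOR_PORT = "ucse0/1/1"              # backplane port on the outside of the sensor

def efp(vlan: int) -> list:
    """Ethernet flow point: pop the 802.1Q tag and put the frame in bridge-domain <vlan>."""
    return [f" service instance {vlan} ethernet",
            f"  encapsulation dot1q {vlan}",
            "  rewrite ingress tag pop 1 symmetric",
            f"  bridge-domain {vlan}",
            " !"]

def build_config(bdi_addrs: dict, inspected: set) -> str:
    """bdi_addrs: VLAN -> gateway in CIDR form (becomes the BDI address).
    inspected: the subset of those VLANs whose traffic must pass the sensor."""
    missing = inspected - set(bdi_addrs)
    if missing:   # an inspected VLAN with no BDI would have no L3 termination
        raise ValueError(f"inspected VLANs without a BDI: {sorted(missing)}")
    lines = [f"interface {INSIDE_PORT}", " no ip address"]
    for vlan in sorted(bdi_addrs):           # every inside VLAN terminates here
        lines += efp(vlan)
    lines += [f"interface {SENSOR_PORT}", " no ip address", " switchport mode trunk"]
    for vlan in sorted(inspected):           # only inspected VLANs cross the backplane
        lines += efp(vlan)
    for vlan, cidr in sorted(bdi_addrs.items()):
        gw = IPv4Interface(cidr)
        lines += [f"interface BDI{vlan}", f" ip address {gw.ip} {gw.netmask}"]
    return "\n".join(lines)

# The page's own case: VLANs 100 and 200 on the inside, only 200 inspected.
PAGE_CONFIG = build_config({100: "10.129.16.1/24", 200: "10.129.17.1/24"}, {200})

if __name__ == "__main__":
    print(PAGE_CONFIG)
```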

Outputs

Output from the Switch when Firepower VM is up and running

Switch#show spanning-tree vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     188b.4555.6780
             This bridge is the root
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     188b.4555.6780
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/14            Desg FWD 19        128.14   P2p
Gi1/0/15            Desg FWD 19        128.15   P2p
Gi1/0/24            Desg FWD 4         128.24   P2p


Switch#show spanning-tree vlan 200

VLAN0200
  Spanning tree enabled protocol rstp
  Root ID    Priority    32968
             Address     188b.4555.6780
             This bridge is the root
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32968  (priority 32768 sys-id-ext 200)
             Address     188b.4555.6780
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/10            Desg FWD 19        128.10   P2p Edge
Gi1/0/12            Desg FWD 4         128.12   P2p Edge
Gi1/0/13            Desg FWD 4         128.13   P2p Edge
Gi1/0/24            Desg FWD 4         128.24   P2p

Output from the Router when the Firepower sensor is up and running

Router#show spanning-tree vlan 100

G1:VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     188b.4555.6780
             Cost        100
             Port        2 (GigabitEthernet0/0/1)
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     5c83.8f49.d9f2
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/1             Root FWD 100       128.2    P2p

Router#sh spanning-tree vlan 200

G1:VLAN0200
  Spanning tree enabled protocol rstp
  Root ID    Priority    32968
             Address     188b.4555.6780
             Cost        10
             Port        18 (ucse0/1/1)
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32968  (priority 32768 sys-id-ext 200)
             Address     5c83.8f49.d9f2
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/1             Altn BLK 100       128.2    P2p
uc0/1/1             Root FWD 10        128.18   P2p

As you can see in the above output, G0/0/1 is in Altn BLK state. Packets will only enter and leave via the uc0/1/1 port, which is in Root FWD state.

Output from the Switch when the Firepower sensor is shut down

Switch#show spanning-tree vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     188b.4555.6780
             This bridge is the root
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     188b.4555.6780
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/14            Desg FWD 19        128.14   P2p
Gi1/0/15            Desg FWD 19        128.15   P2p
Gi1/0/24            Desg FWD 4         128.24   P2p


Switch#show spanning-tree vlan 200

VLAN0200
  Spanning tree enabled protocol rstp
  Root ID    Priority    32968
             Address     188b.4555.6780
             This bridge is the root
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32968  (priority 32768 sys-id-ext 200)
             Address     188b.4555.6780
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/10            Desg FWD 19        128.10   P2p Edge
Gi1/0/12            Desg FWD 4         128.12   P2p Edge
Gi1/0/13            Desg FWD 4         128.13   P2p Edge
Gi1/0/24            Desg FWD 4         128.24   P2p

Output from the Router when the Firepower sensor is shut down

Router#show spanning-tree vlan 100

G1:VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
             Address     188b.4555.6780
             Cost        100
             Port        2 (GigabitEthernet0/0/1)
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     5c83.8f49.d9f2
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/1             Root FWD 100       128.2    P2p

Router#show spanning-tree vlan 200

G1:VLAN0200
  Spanning tree enabled protocol rstp
  Root ID    Priority    32968
             Address     188b.4555.6780
             Cost        100
             Port        2 (GigabitEthernet0/0/1)
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec

  Bridge ID  Priority    32968  (priority 32768 sys-id-ext 200)
             Address     5c83.8f49.d9f2
             Hello Time   1 sec  Max Age 20 sec  Forward Delay  4 sec
             Aging Time 0

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0/1             Root FWD 100       128.2    P2p
uc0/1/1             Desg FWD 10        128.18   P2p 
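
A check a defender can run against the router's show spanning-tree output to catch the fail-open case described above, as an added Python example that is not part of the original page: it parses the interface table and reports whether VLAN 200 traffic still enters through the sensor port or has fallen back to the direct G0/0/1 path. The embedded samples are excerpts of the VLAN 200 outputs shown on this page, and the port names are assumed to match that setup.

```python
# Detects sensor bypass from "show spanning-tree vlan N" on the router.
# Added example, not from the page; port names assumed from this page's setup.
import re

SENSOR_PORT = "uc0/1/1"   # short form IOS-XE prints for ucse0/1/1 (sensor side)
BYPASS_PORT = "Gi0/0/1"   # direct path from the switch that skips the sensor

# Interface rows: name, role, state, cost, prio.nbr, type
ROW = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS)\s+(\d+)\s+(\S+)\s*(.*)$")

# Excerpts of the router outputs on this page (VLAN 200, sensor up / sensor down).
SENSOR_UP = """\
G1:VLAN0200
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------
Gi0/0/1             Altn BLK 100       128.2    P2p
uc0/1/1             Root FWD 10        128.18   P2p
"""
SENSOR_DOWN = """\
G1:VLAN0200
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------
Gi0/0/1             Root FWD 100       128.2    P2p
uc0/1/1             Desg FWD 10        128.18   P2p
"""

def parse_ports(output: str) -> dict:
    """Map interface name -> (role, state, cost) for every port row in the output."""
    ports = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[m.group(1)] = (m.group(2), m.group(3), int(m.group(4)))
    return ports

def inspection_status(output: str) -> str:
    """'inspected' when the sensor port is the forwarding root port and the direct
    path is blocked; 'bypassed' when the direct path became the root port, i.e.
    LAN traffic now reaches the router uninspected; 'unknown' otherwise."""
    ports = parse_ports(output)
    sensor = ports.get(SENSOR_PORT)
    direct = ports.get(BYPASS_PORT)
    if sensor and sensor[:2] == ("Root", "FWD") and direct and direct[1] == "BLK":
        return "inspected"
    if direct and direct[:2] == ("Root", "FWD"):
        return "bypassed"
    return "unknown"

if __name__ == "__main__":
    for name, out in (("sensor up", SENSOR_UP), ("sensor down", SENSOR_DOWN)):
        print(f"{name}: VLAN 200 traffic is {inspection_status(out)}")
```

Polling this from a monitoring job and alerting on "bypassed" turns the silent fail-open into a visible event.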

 

Comments
colin-turner
Level 1

Hi Kureli,

Do you have the equivalent router and switch configuration for implementation using an ISR G2 router?

Many thanks,

Colin

QW_netzwerk
Level 1

Hello Kureli,

We have some 4331 routers with SM-X switch modules. We have configured the internal subslot as an SVI. My question is whether I need to consider something in the design guidelines to connect the UCS to the internal switch, or whether we need some configuration change to inspect the internal VLAN traffic.

Regards,

Saimun

pabloarturo
Level 1

Can I upgrade the NGIPSv for ISR to version 6.2.3 with a UCS-E180D-M2/K9 module?

 
