Firepower 7000 Series Hardware Installation Guide, Chapter 6 Deploying Firepower Managed Devices (page 6-9)
Deployment Options
When you deploy a virtual router on your managed device, you can use one appliance to connect multiple
networks to each other, and to the Internet.
Figure 6-3 Virtual Routers on a Managed Device
In this example, the managed device contains a virtual router to allow traffic to travel between the
computers on network 172.16.1.0/20 and the servers on network 192.168.1.0/24 (indicated by the blue
and green lines). A third interface on the virtual router allows traffic from each network to pass to the
firewall and back (indicated by the red and orange lines).
For more information, see Setting Up Virtual Routers in the Firepower Management Center Configuration Guide.
Deploying with Hybrid Interfaces
You can create a hybrid interface on a managed device to route traffic between Layer 2 and Layer 3
networks using a virtual switch and a virtual router. This provides one interface that can both switch local
traffic and route traffic to and from an external network. For best results, configure policy-based NAT on
the hybrid interface to provide network address translation. See Deploying with Policy-Based NAT, page 6-11.
A hybrid interface must contain one or more switched interfaces and one or more routed interfaces. A
common deployment consists of two switched interfaces configured as a virtual switch to pass traffic on
a local network and virtual routers to route traffic to networks, either private or public.
To create a hybrid interface, you first configure a virtual switch and virtual router, then add the virtual
switch and virtual router to the hybrid interface. A hybrid interface that is not associated with both a
virtual switch and a virtual router is not available for routing, and does not generate or respond to traffic.
Hybrid interfaces have the advantage of compactness and scalability. Using a single hybrid interface
combines both Layer 2 and Layer 3 traffic routing functions in a single interface, reducing the number
of physical appliances in the deployment and providing a single management interface for the traffic.
Use a hybrid interface where you need both Layer 2 and Layer 3 routing functions. This deployment can
be ideal for small segments of your deployment where you have limited space and resources.
When you deploy a hybrid interface, you can allow traffic to pass from your local network to an external
or public network, such as the Internet, while addressing separate security considerations for the virtual
switch and virtual router in the hybrid interface.
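To make the forwarding behaviour described in this section concrete, here is a small model of a virtual router (longest-prefix match across its interfaces, as in Figure 6-3) and of a hybrid interface that switches traffic within its local segment and routes everything else, and that forwards nothing until it has both a virtual switch and a virtual router. This is an added illustration written for this page, not Cisco code or Firepower configuration syntax; the network numbers are those of Figure 6-3, while the interface names, the transit subnets to the firewall and uplink, and the MAC addresses are assumed.

```python
"""Toy model of a Firepower virtual router and a hybrid interface.

Added example, not Cisco's code or configuration syntax. Network numbers
come from Figure 6-3; interface names, transit subnets and MACs are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class VirtualRouter:
    """Layer 3 forwarding: longest-prefix match over connected and static routes."""
    routes: list[tuple[IPv4Network, str]] = field(default_factory=list)

    def add_interface(self, name: str, prefix: str) -> None:
        # strict=False: the guide writes 172.16.1.0/20, which has host bits set;
        # ipaddress normalises it to the actual network, 172.16.0.0/20.
        self.routes.append((ip_network(prefix, strict=False), name))

    def add_static_route(self, prefix: str, out_iface: str) -> None:
        self.routes.append((ip_network(prefix, strict=False), out_iface))

    def egress(self, dst: str) -> Optional[str]:
        addr = ip_address(dst)
        matches = [(net, name) for net, name in self.routes if addr in net]
        if not matches:
            return None  # no matching route: the packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass
class VirtualSwitch:
    """Layer 2 forwarding: one broadcast domain across two or more switched interfaces."""
    ports: set[str]
    mac_table: dict[str, str] = field(default_factory=dict)

    def learn(self, mac: str, in_port: str) -> None:
        self.mac_table[mac] = in_port

    def egress(self, dst_mac: str, in_port: str) -> set[str]:
        known = self.mac_table.get(dst_mac)
        if known is not None and known != in_port:
            return {known}
        return self.ports - {in_port}  # unknown destination: flood the other ports


@dataclass
class HybridInterface:
    """Forwards only when associated with both a virtual switch and a virtual router."""
    name: str
    local_net: IPv4Network
    switch: Optional[VirtualSwitch] = None
    router: Optional[VirtualRouter] = None

    def available_for_routing(self) -> bool:
        return self.switch is not None and self.router is not None

    def forward(self, dst_ip: str) -> str:
        if not self.available_for_routing():
            return "dropped: hybrid interface lacks a virtual switch or virtual router"
        if ip_address(dst_ip) in self.local_net:
            return "switched"  # stays on the Layer 2 segment, never reaches the router
        out = self.router.egress(dst_ip)
        return f"routed via {out}" if out else "dropped: no route"


def figure_6_3_router() -> VirtualRouter:
    """The virtual router of Figure 6-3: two networks plus a firewall-facing interface."""
    vr = VirtualRouter()
    vr.add_interface("computers", "172.16.1.0/20")
    vr.add_interface("servers", "192.168.1.0/24")
    vr.add_interface("firewall", "10.0.0.0/30")   # assumed transit subnet to the firewall
    vr.add_static_route("0.0.0.0/0", "firewall")  # default route toward the Internet
    return vr


def example_hybrid(complete: bool = True) -> HybridInterface:
    """A hybrid interface on 192.168.1.0/24; complete=False omits the virtual router."""
    sw = VirtualSwitch(ports={"eth1", "eth2"})
    vr = VirtualRouter()
    vr.add_interface("uplink", "198.51.100.0/30")  # assumed transit subnet to the external network
    vr.add_static_route("0.0.0.0/0", "uplink")
    return HybridInterface("hybrid0", ip_network("192.168.1.0/24"), sw, vr if complete else None)


if __name__ == "__main__":
    vr = figure_6_3_router()
    for dst in ("192.168.1.50", "172.16.5.9", "172.16.20.1", "8.8.8.8"):
        print(dst, "->", vr.egress(dst))
    h = example_hybrid()
    print(h.forward("192.168.1.20"), "|", h.forward("203.0.113.7"))
    print(example_hybrid(complete=False).forward("203.0.113.7"))
```

Two points the model makes visible: 172.16.20.1 is outside 172.16.0.0/20 even though it looks like it belongs to the "computers" network, so it falls through to the default route and reaches the firewall; and a hybrid interface missing either component drops traffic rather than partially working, which is the behaviour the guide describes and worth checking for before you rely on the interface in a deployment.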