Virtual Wire Interfaces
Virtual wires bind two interfaces within a firewall,
allowing you to easily install a firewall into a topology that requires
no switching or routing by those interfaces. You can apply security
policy rules, NAT, QoS, and other policies to virtual wire interfaces.

In a virtual wire deployment, you install a firewall
transparently on a network segment by binding two firewall ports
(interfaces) together. The virtual wire logically connects the two
interfaces; hence, the virtual wire is internal to the firewall.
Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a
topology and the two connected interfaces on the firewall don't need to do any switching
or routing. For these two interfaces, the firewall is considered a bump in the
wire.

A virtual wire deployment simplifies firewall installation and
configuration because you can insert the firewall into an existing
topology without assigning MAC or IP addresses to the interfaces,
redesigning the network, or reconfiguring surrounding network devices.
The virtual wire supports blocking or allowing traffic based on
virtual LAN (VLAN) tags, in addition to supporting security policy
rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive
and active/active HA, QoS, zone protection (with some exceptions),
non-IP protocol protection, DoS protection, packet buffer protection,
tunnel content inspection, and NAT.

Each virtual wire interface is directly connected to a Layer
2 or Layer 3 networking device or host. The virtual wire interfaces
have no Layer 2 or Layer 3 addresses. When one of the virtual wire
interfaces receives a frame or packet, it ignores any Layer 2 or
Layer 3 addresses for switching or routing purposes, but applies
your security or NAT policy rules before passing an allowed frame
or packet over the virtual wire to the second interface and on to the
network device connected to it.

You wouldn’t use a virtual wire deployment for interfaces that
need to support switching, VPN tunnels, or routing because they
require a Layer 2 or Layer 3 address. A virtual wire interface doesn’t
use an interface management profile, which controls services such
as HTTP and ping and therefore requires that the interface have an IP
address.

All firewalls shipped from the factory have two Ethernet ports
(ports 1 and 2) preconfigured as virtual wire interfaces, and these
interfaces allow all untagged traffic.

If you’re using security group tags (SGTs)
in a Cisco TrustSec network, it’s a best practice to deploy inline
firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer
2 or virtual wire mode can inspect and provide threat prevention
for the tagged traffic.

If you don’t intend to use the preconfigured virtual wire,
you must delete that configuration to prevent it from interfering
with other settings you configure on the firewall. See Set Up Network Access for External
Services.
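
The check below is an added example, not part of the original documentation or vendor tooling: it audits an exported configuration for a virtual wire that still binds ports you plan to use in another mode, or that is left over and unused. The XML element names, the port names `ethernet1/1` and `ethernet1/2`, the virtual wire names, and the `planned_roles` mapping are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names (virtual-wire,
# interface1, interface2, tag-allowed) and port names are assumptions.
SAMPLE_CONFIG = """
<config><devices><entry name="fw1"><network>
  <virtual-wire>
    <entry name="factory-vwire">
      <interface1>ethernet1/1</interface1>
      <interface2>ethernet1/2</interface2>
    </entry>
    <entry name="dmz-vwire">
      <interface1>ethernet1/5</interface1>
      <interface2>ethernet1/6</interface2>
      <tag-allowed>100-110</tag-allowed>
    </entry>
  </virtual-wire>
</network></entry></devices></config>
"""


def audit_virtual_wires(config_xml, planned_roles):
    """Compare configured virtual wires with the intended role of each port.

    planned_roles maps port name -> intended mode ("virtual-wire", "layer3", ...).
    Returns (vwire_name, kind, ports) tuples where kind is:
      "conflict" - the virtual wire binds a port planned for another mode
      "unused"   - neither bound port appears in the plan (leftover config)
    """
    findings = []
    root = ET.fromstring(config_xml.strip())
    for vw in root.iterfind(".//virtual-wire/entry"):
        name = vw.get("name", "")
        ports = [(vw.findtext(tag) or "").strip()
                 for tag in ("interface1", "interface2")]
        clashes = [p for p in ports
                   if planned_roles.get(p, "virtual-wire") != "virtual-wire"]
        if clashes:
            findings.append((name, "conflict", clashes))
        elif not any(p in planned_roles for p in ports):
            findings.append((name, "unused", ports))
    return findings


if __name__ == "__main__":
    plan = {"ethernet1/1": "layer3",
            "ethernet1/5": "virtual-wire", "ethernet1/6": "virtual-wire"}
    for name, kind, ports in audit_virtual_wires(SAMPLE_CONFIG, plan):
        print(f"{name}: {kind} on {', '.join(ports)} -> delete before reuse")
```
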