Next-Generation Firewall
Virtual Wire Interfaces
Table of Contents
Virtual Wire Interfaces
Virtual wires bind two interfaces within a firewall, enabling you to easily install a
firewall into a topology that requires no switching or routing by those interfaces.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
In a virtual wire deployment, you install a firewall
transparently on a network segment by binding two firewall ports
(interfaces) together. The virtual wire logically connects the two
interfaces; hence, the virtual wire is internal to the firewall.
Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a
topology and the two connected interfaces on the firewall don't need to do any switching
or routing. For these two interfaces, the firewall is considered a bump in the
wire.
A virtual wire deployment simplifies firewall installation and
configuration because you can insert the firewall into an existing
topology without assigning MAC or IP addresses to the interfaces,
redesigning the network, or reconfiguring surrounding network devices.
The virtual wire supports blocking or allowing traffic based on
virtual LAN (VLAN) tags, in addition to supporting security policy
rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive
and active/active HA, QoS, zone protection (with some exceptions),
non-IP protocol protection, DoS protection, packet buffer protection,
tunnel content inspection, and NAT.
Each virtual wire interface is directly connected to a Layer
2 or Layer 3 networking device or host. The virtual wire interfaces
have no Layer 2 or Layer 3 addresses. When one of the virtual wire
interfaces receives a frame or packet, it ignores any Layer 2 or
Layer 3 addresses for switching or routing purposes, but applies
your security or NAT policy rules before passing an allowed frame
or packet over the virtual wire to the second interface and on to the
network device connected to it.
You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN
tunnels, or routing because they require a Layer 2 or Layer 3 address. A virtual wire
interface doesn’t use an Interface Management profile, which controls services such as
HTTP and ping and therefore requires the interface have an IP address.
All firewalls shipped from the factory have two Ethernet ports
(ports 1 and 2) preconfigured as virtual wire interfaces, and these
interfaces allow all untagged traffic.
If you’re using Security Group Tags (SGTs) in a Cisco TrustSec network, it’s a
best practice to deploy inline firewalls in either Layer 2 or virtual wire mode.
Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for
the tagged traffic.
If you don’t intend to use the preconfigured virtual wire, you must delete that configuration
to prevent it from interfering with other settings you configure on the firewall. See
Set Up Network Access for External
Services.
Port Speeds of Virtual Wire Interfaces
Different firewall models provide various numbers of copper and fiber optic ports,
which operate at different speeds. A virtual wire can bind two Ethernet ports of the
same type (both copper or both fiber optic), or bind a copper port with a fiber
optic port. By default, the Link Speed of copper ports on the
firewall is set to auto, which means the firewall
automatically negotiates their speed and transmission mode (Link
Duplex). When you configure virtual wires, you can also
select a specific Link Speed and Link
Duplex but the values for these settings must be the same for both
ports in any single virtual wire. Configure a virtual wire using two ports that
operate at the same speed, whether they are both copper, both fiber optic, or one
copper and one fiber optic.
LLDP over a Virtual Wire
Virtual wire interfaces can use LLDP
to discover neighboring devices and their capabilities, and LLDP allows neighboring
devices to detect the presence of the firewall in the network. LLDP makes
troubleshooting easier especially on a virtual wire, where the firewall would
typically go undetected by a ping or traceroute passing through the virtual wire.
LLDP provides a way for other devices to detect the firewall in the network. Without
LLDP, it's practically impossible for network management systems to detect the
presence of a firewall through the virtual link.
Aggregated Interfaces for a Virtual Wire
You can Configure an Aggregate Interface Group of virtual wire interfaces, but
virtual wires don’t use LACP. If you configure LACP on devices that connect the
firewall to other networks, the virtual wire will pass LACP packets transparently
without performing LACP functions.
On a virtual wire, the firewall can pass Cisco LACP traffic only when the links are
not aggregated on the firewall. On a virtual wire, if the links are aggregated, then
the firewall could forward the packets to the wrong port in Aggregated Ethernet,
which will cause LACP not to function between peers.
For aggregate interface groups to function
properly, ensure all links belonging to the same LACP group on the same side of the
virtual wire are assigned to the same zone.
Virtual Wire Support of High Availability
If you configure the firewall to perform path monitoring for High Availability using a virtual wire
path group, the firewall attempts to resolve ARP for the configured destination IP
address by sending ARP packets out both of the virtual wire interfaces. The
destination IP address that you're monitoring must be on the same subnetwork as one
of the devices surrounding the virtual wire.
Virtual wire interfaces support both active/passive and active/active HA. For an
active/active HA deployment with a virtual wire, the scanned packets must be
returned to the receiving firewall to preserve the forwarding path. Therefore, if a
firewall receives a packet that belongs to the session that the peer HA firewall
owns, it sends the packet across the HA3 link to the peer.
You can configure the passive firewall in an HA pair to enable peer devices on either
side of the firewall to prenegotiate LLDP and LACP over a virtual wire before an HA
failover occurs. Such a configuration for LACP and LLDP Pre-Negotiation for Active/Passive
HA speeds up HA failovers.
Zone Protection for a Virtual Wire Interface
You can apply zone protection to a virtual wire interface, but because virtual wire
interfaces don’t perform routing, you can’t apply Packet Based Attack Protection to packets
coming with a spoofed IP address, nor can you suppress ICMP TTL Expired error
packets or ICMP Frag Needed packets.
By default, a virtual wire interface forwards all non-IP traffic it receives.
However, you can apply a Zone Protection profile with Protocol Protection to block or allow
certain non-IP protocol packets between security zones on a virtual wire.
VLAN-Tagged Traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use
a virtual wire to connect two interfaces and configure either interface to block or
allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged
traffic.
You can also create multiple subinterfaces, add them into different zones, and then
classify traffic according to a VLAN tag or a combination of a VLAN tag with IP
classifiers (address, range, or subnet) to apply granular policy control for
specific VLAN tags or for VLAN tags from a specific source IP address, range, or
subnet.