Top 4 commands you should know on Cisco FTD

From an architecture perspective, Cisco ASA and FTD (Firepower Threat Defense) operate in different ways: ASA operates at Layer 3/4, whereas FTD operates at Layer 7. Even the CLI behaves quite differently. So, we will look at the most important commands to use on Cisco FTD devices.

01. CLI mode for advanced troubleshooting

By default, you will see something like this.

But in order to run additional commands, you will have to access the diagnostic CLI. To do so, simply execute the command system support diagnostic-cli.

02. Firepower eXtensible Operating System (FXOS) CLI

On Firepower 2100, 4100, and 9300 series devices, FXOS is the operating system that controls the overall chassis. Depending on the model, you use FXOS for configuration and troubleshooting. From FXOS, you can enter the Firepower Threat Defense CLI using the connect ftd command.

You may use either connect ftd or connect fxos, depending on which CLI you are currently in.


03. FTD Packet Tracer Utility

The packet tracer generates a virtual packet and triggers the packet flow through the device based on your input. The command looks like this:

packet-tracer input <source_interface> <protocol> <source_ip> <source_port> <destination_ip> <destination_port>

For ICMP, the ICMP type and code replace the ports:

packet-tracer input <source_interface> icmp <source_ip> <icmp_type> <icmp_code> <destination_ip>

Once you execute the command, you will be presented with the end result.

04. Run live packet captures on selected interfaces

First of all, you need to enable a packet capture on the selected interface.

capture <capture_name> interface <source_interface_name> match <protocol> host <source_ip_address> host <destination_ip_address>

You can then view the captured packets by executing the command show capture <name_of_the_capture>.

Finally, when you are done with the packet capture, you can simply delete the existing capture by executing the command no capture <name_of_the_capture>.
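The three procedures above (entering the diagnostic CLI, running packet-tracer, and taking a capture) put together as one annotated session. This is an added example, not a transcript from the original post; the interface name "inside", the client 10.1.1.10, the server 198.51.100.20 and the capture name CAP_WEB are constructed values, and lines starting with "!" are annotations rather than commands typed on the device.

```cisco
! 01. Enter the diagnostic (ASA-style) CLI from the FTD prompt and go to privileged mode
> system support diagnostic-cli
firepower> enable
firepower#

! 03. Simulate a TCP/443 connection from the client to the web server.
!     The output lists each processing phase (route lookup, ACL, NAT, ...) with its
!     Result and ends with an overall Action of allow or drop, with a Drop-reason when dropped.
firepower# packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.20 443

! ICMP variant: type 8, code 0 is an echo request (ping)
firepower# packet-tracer input inside icmp 10.1.1.10 8 0 198.51.100.20

! 04. Capture only the traffic of interest: "host" restricts the match to a single
!     address and "eq 443" to the destination port, so the buffer is not filled with noise.
firepower# capture CAP_WEB interface inside match tcp host 10.1.1.10 host 198.51.100.20 eq 443

! Generate some traffic from the client, then inspect what was captured.
! "show capture" alone lists every active capture and its buffer usage;
! "detail" adds header fields such as TTL and IP ID to each packet line.
firepower# show capture
firepower# show capture CAP_WEB
firepower# show capture CAP_WEB detail

! Clean up: a capture keeps consuming device memory until it is removed.
firepower# no capture CAP_WEB
```

Running packet-tracer before and after a policy change, with the same five-tuple, is a quick way to confirm the change did what you intended without waiting for real traffic; the capture then confirms the real packets actually arrive on the interface you expect.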


Private VLANs (PVLAN)

VLANs provide network isolation at Layer 2. A typical VLAN has a single subnet, and all the devices within the VLAN can communicate with each other. But what if you want to put multiple devices within a subnet and do not want them to communicate with each other? The answer is the use of Private VLANs (PVLANs).

How it works

PVLANs are actually a set of VLANs. There is a Primary VLAN and one or more Secondary VLANs. 

Primary VLAN – Same as a typical VLAN; it is promiscuous, as its members will always communicate with each other

Secondary VLAN – These networks are associated with the Primary VLAN and are kept separate from each other

In Secondary VLANs, there are two types of networks:

  • Community VLAN – In a community VLAN, the devices can communicate with each other, but inter-community communication does not take place. [ex: Community A and Community B VLANs will have no communication]
  • Isolated VLAN – In an Isolated VLAN, the devices cannot communicate with each other. They also have no communication with Community VLANs.

All the devices can connect to the Primary VLAN, so this allows the devices to share Internet connectivity. Basically, the Primary VLAN acts as the default gateway.

Ports in the Primary VLAN are known as the Promiscuous Ports (P-Ports). Layer 3 switches are placed here and can have SVI (Switch Virtual Interface) configured in the Primary VLAN.

Ports in the Secondary VLANs are known as Host Ports; as the name suggests, these ports are used to connect the end points (devices).
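As an added example (not configuration from the original post or from the diagram's source), here is how the PVLAN described above would be configured on a Cisco Catalyst switch running IOS: one Primary VLAN, two Community VLANs (A and B) that cannot reach each other, one Isolated VLAN, host ports for the end points, a promiscuous port toward the gateway, and an SVI on the Primary VLAN acting as the default gateway. VLAN numbers, interface names and the 10.10.10.0/24 subnet are constructed values.

```cisco
! Private VLANs require VTP transparent mode on platforms running VTP version 1 or 2
vtp mode transparent
!
! Primary VLAN and the secondary VLANs associated with it
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
!
vlan 101
 name COMMUNITY_A
 private-vlan community
!
vlan 102
 name COMMUNITY_B
 private-vlan community
!
vlan 103
 name ISOLATED
 private-vlan isolated
!
! Host ports in Community A: Gi1/0/1 and Gi1/0/2 can talk to each other and to the gateway
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Host port in Community B: can reach the gateway, but not Community A
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Host ports in the Isolated VLAN: each can reach only the promiscuous port
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
! Promiscuous port (P-Port) toward the upstream router or firewall
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! On a Layer 3 switch, the SVI in the Primary VLAN is the default gateway for every
! host in the secondary VLANs; it must be mapped to them explicitly
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 101,102,103
 no shutdown
!
! Verification
! show vlan private-vlan                       - primary/secondary associations and member ports
! show interfaces GigabitEthernet1/0/1 switchport - Administrative Mode should read private-vlan host
```

Note that all hosts share the single 10.10.10.0/24 subnet and the same gateway, which is exactly the point: the separation is enforced by the switch at Layer 2, not by addressing. Anything that needs to talk to every host (the gateway, a monitoring collector) belongs on a promiscuous port, and nothing else should.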

The diagram below provides a good explanation.


Graphical representation and the configuration

[Kevin Wallace Training, LLC]