Cisco Cisco Firepower Management Center 4000

Control

Series 3

You can add virtual routers from the Virtual Routers tab of the Device Management page. You can also 
add routers as you configure routed interfaces.

You can assign only routed and hybrid interfaces to a virtual router. If you want to create a virtual router 
before you configure the interfaces on your managed devices, you can create an empty virtual router and 
add interfaces to it later.

To maximize TCP security, you can enable strict enforcement, which blocks connections where the 
three-way handshake was not completed. Strict enforcement also blocks:

non-SYN TCP packets for connections where the three-way handshake was not completed

non-SYN/RST packets from the initiator on a TCP connection before the responder sends the 
SYN-ACK

non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the 
session is established

SYN packets on an established TCP connection from either the initiator or the responder

Note that if you change the configuration of a Layer 3 interface to a non-Layer 3 interface or remove a 
Layer 3 interface from the virtual router, the router may fall into an invalid state. For example, if it is 
used in DHCPv6, it may cause an upstream and downstream mismatch. Any changes you make to an 
existing virtual router may interrupt traffic on the device.

To edit an existing virtual router, click the edit icon (

) next to the router.

You can configure virtual routers in several different ways beyond the general options. See the following 
sections for more information about these configurations:

Name

The name of the virtual router.

Interfaces

A list of all routed interfaces that are assigned to the virtual router. Disabling an 
interface from the Interfaces tab removes it.

Protocols

The protocols currently in use by the virtual router, which is one of the following:

Static

Static, RIP

Static, OSPF