At minimum, you must enable a physical interface to use it. You would also typically name it and configure IP addressing. You would not configure IP addressing if you intend to create VLAN subinterfaces if you are configuring a passive mode interface, or if you intend to add the interface to a bridge group.
Note: You cannot configure IP addresses on bridge group member interfaces or passive interfaces, although you can modify advanced settings, that are not related to IPv6 addressing, as needed.
You can disable an interface to temporarily prevent transmission on the connected network. You do not need to remove the interface's configuration.At this time, Cisco Defense Orchestrator (CDO) can only configure routed interfaces and bridge groups. CDO lists passive interfaces but you cannot reconfigure them as active interfaces from CDO.
- On the Devices & Services page, click the device whose interfaces you want to configure and click Interfaces in the Management pane at the right.
- On the Interfaces page, select the physical interface you want to configure.
- In the Actions pane at the right, click Edit.
- Give the physical interface a Logical Name and, optionally, a Description. Unless you configure subinterfaces, the interface should have a name.
Note: If you change the name, the change is automatically reflected everywhere you used the old name, including security zones, syslog server objects, and DHCP server definitions. However, you cannot remove the name until you first remove all configurations that use the name, because you typically cannot use an unnamed interface for any policy or setting.
- Pick one of these options:
- If you intend to add sub-interfaces:
If you intend to configure subinterfaces for this physical interface, you are probably done. Click Save and continue with Configure Firepower VLAN Subinterfaces and 802.1Q Trunking. Otherwise, continue.
Note: Even when configuring subinterfaces, it is valid to name the interface and supply IP addresses. This is not the typical setup, but if you know that is what you need, you can configure it.
- If you do not intend to add a sub-interface, continue with either or both, Configure IPv4 Addressing for the Physical Interface and Configure IPv6 Addressing for the Physical Interface.
Configure IPv4 Addressing for the Physical Interface
Warning! After you configure and save a DHCP address pool, the DHCP address pool is bound to the interface's configured IP address(es). If you edit the interface's subnet mask after you configure a DHCP address pool, deployments to the FTD device fail. Also, if you edit the DHCP address pool in the FDM console and read the configuration from FDM to CDO, the read fa
- In the "Editing Physical Interface" dialog, click the IPv4 Address tab.
- Select one of the following options from the Type field:
- Static—Choose this option if you want to assign an address that should not change. Enter in the interface's IP address and the subnet mask for the network attached to the interface. For example, if you attach the 10.100.10.0/24 network, you could enter 10.100.10.1/24. Ensure that the address you enter is not the network ID or the broadcast address for the network and the address is not already used on the network.
- Standby IP Address and Subnet Mask - If you configured high availability, and you are monitoring this interface for HA, also configure a standby IP address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
- (Optional) DHCP Address Pool - Enter a a single DHCP Server IP address, or an IP address range. The range of IP addresses must be on the same subnet as the selected interface and cannot include: the IP address of the interface itself, the broadcast address, or the subnet network address. Specify the start and end address for the pool, separated by a hyphen. To temporarily disable this DHCP server, edit the server in the DHCP Servers section of the Firepower Threat Defense Device Settings page.
- Dynamic (DHCP)—Choose this option if the address should be obtained from the DHCP server on the network. Change the following options if necessary:
- Obtain Default Route—Whether to get the default route from the DHCP server. You would normally check this option.
- DHCP Route Metric—If you obtain the default route from the DHCP server, enter the administrative distance to the learned route, between 1 and 255.
Note: If there is a DHCP server configured for the interface, you are shown the configuration. You can edit or delete the DHCP address pool. If you change the interface IP address to a different subnet, you must either delete the DHCP server, or configure an address pool on the new subnet, before you can save the interface changes.
- Click Save if you are done or continue with one of these procedures:
- Configure IPv6 Addressing for the Physical Interface if you intend to assign an IPv6 address to this interface as well as an IPv4 address.
- Configure Advanced Interface Options. The advanced settings have defaults that are appropriate for most networks. Edit them only if you are resolving network issues.
- If you saved the interface, and you don't want to continue advanced interface options, continue to Enable the Physical Interface.
Configure IPv6 Addressing for the Physical Interface
- In the "Editing Physical Interface" dialog, click the IPv6 Address tab.
- State-To enable IPv6 processing and to automatically configure the link-local address when you do not configure the global address, click the State slider to enable it. The link-local address is generated based on the interface MAC addresses (Modified EUI-64 format).
Note: Disabling IPv6 does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address or that is enabled for auto configuration.
- Address Auto Configuration—Check this option to have the address automatically configured. IPv6 stateless autoconfiguration will generate a global IPv6 address only if the link on which the device resides has a router configured to provide IPv6 services, including the advertisement of an IPv6 global prefix for use on the link. If IPv6 routing services are not available on the link, you will get a link-local IPv6 address only, which you cannot access outside of the device's immediate network link. The link local address is based on the Modified EUI-64 interface ID.
Although RFC 4862 specifies that hosts configured for stateless autoconfiguration do not send Router Advertisement messages, the FTD device does send Router Advertisement messages in this case. Select Suppress RA to suppress messages and conform to the RFC.
- Suppress RA-Check this box if you want to suppress router advertisements. The Firepower Threat Defense device can participate in router advertisements so that neighboring devices can dynamically learn a default router address. By default, router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface.
Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message.
You might want to suppress these messages on any interface for which you do not want the Firepower Threat Defense device to supply the IPv6 prefix (for example, the outside interface).
- Link-Local Address-If you want to use the address as link local only, enter it in the Link-Local Address field. Link local addresses are not accessible outside the local network. You cannot configure a link-local address on a bridge group interface.
Note: A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. Note that we recommend automatically assigning the link-local address based on the Modified EUI-64 format. For example, if other devices enforce the use of the Modified EUI-64 format, then a manually-assigned link-local address may cause packets to be dropped.
- Standby Link-Local Address-Configure this address if the interface connects a high availability pair of devices. Enter the link-local address of the interface on the other FTD, to which this interfaces is connected.
- Static Address/Prefix—If you do not use stateless autoconfiguration, enter the full static global IPv6 address and network prefix. For example, 2001:0DB8::BA98:0:3210/48. For more information on IPv6 addressing, see IPv6 Addressing for Firepower Interfaces.
- Standby IP Address-If you configure high availability, and you are monitoring this interface for HA, also configure a standby IPv6 address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
- Click Save if you are done or continue with one of these procedures:
Enable the Physical Interface
- Select the interface you want to enable.
- Slide the State slider at the top right of the window, associated with the interface's logical name to blue.
- Return to the Devices & Services page and Preview and Deploy these changes to your device when you are ready to deploy them. See Deploy Configuration Changes from Defense Orchestrator to FTD.