Skip to main content

 

 

Cisco Defense Orchestrator

Configure Firepower VLAN Subinterfaces and 802.1Q Trunking

VLAN subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or devices.

Create subinterfaces if you attach the physical interface to a trunk port on a switch. Create a subinterface for each VLAN that can appear on the switch trunk port. If you attach the physical interface to an access port on the switch, there is no point in creating a subinterface.

Note: You cannot configure IP addresses on bridge group member interfaces, although you can modify advanced settings as needed. 

Before You Begin

Prevent untagged packets on the physical interface. If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by not naming the interface. If you want to let the physical interface pass untagged packets, you can name the interface as usual.

Procedure

  1. On the Devices & Services page, click the device whose interfaces you want to configure and click Interfaces in the Management pane at the right.
  2. On the Interfaces page, select the physical interface you want to configure and in the Actions pane at the right, click + New Subinterface.

Notice that the Parent Interface field shows the name of the physical interface for which you are creating this subinterface. You cannot change the parent interface after you create the subinterface.

  1. Give the subinterface a logical name and, optionally, a description. Without a logical name, the rest of the interface configuration is ignored.

Note: If you change the name, the change is automatically reflected everywhere you used the old name, including security zones, syslog server objects, and DHCP server definitions. However, you cannot remove the name until you first remove all configurations that use the name, because you typically cannot use an unnamed interface for any policy or setting.

  1. Configure the VLAN ID and Subinterface ID:
  •  VLAN ID —Enter a VLAN ID between 1 and 4094 that will be used to tag the packets on this subinterface.
  •  Subinterface ID —Enter the subinterface ID as an integer between 1 and 4294967295. The number of subinterfaces allowed depends on your platform. You cannot change the subinterace ID after you create the subinterface.

Continue with Configure IPv4 Addressing for the Subinterface and Configure IPv6 Addressing for the Subinterface.

Configure IPv4 Addressing for the Subinterface 

  1. In the "Adding Subinterface" dialog, click the IPv4 Address tab.
  2. Select one of the following options from the Type field:
  • Static—Choose this option if you want to assign an address that should not change.

​Enter in the interface's IP address and the subnet mask for the network attached to the interface. For example, if you attach the 10.100.10.0/24 network, you could enter 10.100.10.1/24. Ensure that the address you enter is not the network ID or the broadcast address for the network and the address is not already used on the network.

  • Enter a Standby IP Address and Subnet Mask only if this interface is being used in a high availability pair of devices.
  • Dynamic (DHCP)—Choose this option if the address should be obtained from the DHCP server on the network. Change the following options if necessary:
    • Obtain Default Route—Whether to get the default route from the DHCP server. You would normally check this option.
    • DHCP Route Metric—If you obtain the default route from the DHCP server, enter the administrative distance to the learned route, between 1 and 255. 

See Configuring DHCP Server.

Note: If there is a DHCP server configured for the interface, you are shown the configuration. You can edit or delete the DHCP address pool. If you change the interface IP address to a different subnet, you must either delete the DHCP server, or configure an address pool on the new subnet, before you can save the interface changes. 

  1. Click Create if you are done or continue with one of these procedures:

Configure IPv6 Addressing for the Subinterface 

  1. Click the IPv6 Address tab.
  2. Enable IPv6 processing-To enable IPv6 processing and to automatically configure the link-local address when you do not configure the global address, move the State slider to blue. The link-local address is generated based on the interface MAC addresses (Modified EUI-64 format).

Note: Disabling IPv6 does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address or that is enabled for auto configuration.

  1. Address Auto Configuration—Check this option to have the address automatically configured. IPv6 stateless auto configuration will generate a global IPv6 address only if the link on which the device resides has a router configured to provide IPv6 services, including the advertisement of an IPv6 global prefix for use on the link. If IPv6 routing services are not available on the link, you will get a link-local IPv6 address only, which you cannot access outside of the device's immediate network link. The link local address is based on the Modified EUI-64 interface ID.
  2. Suppress RA-Check this box if you want to suppress router advertisements. The Firepower Threat Defense device can participate in router advertisements so that neighboring devices can dynamically learn a default router address. By default, router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message.

You might want to suppress these messages on any interface for which you do not want the Firepower Threat Defense device to supply the IPv6 prefix (for example, the outside interface).

  1. Link-Local Address-If you want to use the address as link local only, enter it in the Link-Local Address field. Link local addresses are not accessible outside the local network. 

Note: A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. Note that we recommend automatically assigning the link-local address based on the Modified EUI-64 format. For example, if other devices enforce the use of the Modified EUI-64 format, then a manually-assigned link-local address may cause packets to be dropped.

  1. Standby Link-Local Address-Configure this address if your interface connects a high availability pair of devices. 
  2. Static Address/Prefix—If you do not use stateless autoconfiguration, enter the full static global IPv6 address and network prefix. For example, 2001:0DB8::BA98:0:3210/48. For more information on IPv6 addressing, see IPv6 Addressing, on page 136.
  3. Standby IP Address-If you configure high availability, and you are monitoring this interface for HA, also configure a standby IPv6 address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
  4. Click Create if you are done or continue with one of these procedures:

Enable the Physical Interface 

  1. To enable the subinterface, slide the State slider, associated with the subinterface's logical name to blue. 
  2. Return to the Devices & Services page and Preview and Deploy these changes to your device when you are ready to deploy them. See Deploy Configuration Changes from Defense Orchestrator to FTD.
  • Was this article helpful?