Cisco Defense Orchestrator

Configure a Bridge Group

A bridge group is a virtual interface that groups one or more interfaces. The main reason to group interfaces is to create a group of switched interfaces. Thus, you can attach workstations or other endpoint devices directly to the interfaces included in the bridge group. You do not need to connect them through a separate physical switch, although you can also attach a switch to a bridge group member.

The group members do not have IP addresses. Instead, all member interfaces share the IP address of the Bridge Virtual Interface (BVI). If you enable IPv6 on the BVI, member interfaces are automatically assigned unique link-local addresses.

You typically configure a DHCP server on the bridge group interface (BVI), which provides IP addresses for any endpoints connected through member interfaces. However, you can configure static addresses on the endpoints connected to the member interfaces if you prefer. All endpoints within the bridge group must have IP addresses on the same subnet as the bridge group IP address.

Note: For ISA 3000, the device comes pre-configured with a bridge group BVI, named inside, which includes all data interfaces except for the outside interface. Thus, the device is pre-configured with one port used for linking to the Internet or other upstream network, and all other ports enabled and available for direct connections to endpoints. If you want to use an inside interface for a new subnet, you must first remove the needed interfaces from the BVI.

FTDs managed by Firepower Device Manager only support one bridge group; therefore, CDO can only manage that one bridge group and cannot create additional bridge groups on the device.

After you create a bridge group on CDO, you will not know the bridge group ID until after the configuration is deployed to the FTD. The FTD assigns the bridge group ID, for example, BVI1. If the interface is deleted and a new bridge group is created, the new bridge group receives an incremented number, for example, BVI2.

Before you Begin

Configure the interfaces that will be members of the bridge group. Specifically, each member interface must meet the following requirements:

  • The interface must have a name.
  • The interface cannot have any IPv4 or IPv6 addresses defined for it, either static or served through DHCP. If you need to remove the address from an interface that you are currently using, you might also need to remove other configurations for the interface, such as static routes, DHCP server, or NAT rules, that depend on the interface having an address. If you try to add an interface with an IP address to a bridge group, CDO will warn you. If you continue to add the interface to the bridge group, CDO will remove the IP address from the interface configuration. 
  • BVI can have either VLAN interfaces or other routed interfaces as a member interface, but you cannot have both as member interfaces on a single BVI.
  • You must remove the interface from its security zone (if it is in a zone), and delete any NAT rules for the interface, before you can add it to a bridge group.
  • Enable and disable the member interfaces individually. Thus, you can disable any unused interfaces without needing to remove them from the bridge group. The bridge group itself is always enabled.

Note: You cannot configure bridge groups on Firepower 2100 series or Firepower Threat Defense Virtual devices.
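The prerequisites above are easy to miss when several interfaces are being moved into a bridge group at once. The following Python script is an added example (not Cisco's code and not part of this guide) that encodes those requirements as a pre-check: every member must have a name, must carry no IPv4 or IPv6 addressing (static or DHCP), must not sit in a security zone, must have no NAT rules, the group must not mix VLAN and routed members, and the group is capped at 64 members. The Interface data model, its field names and the "routed"/"vlan" labels are assumptions for illustration; CDO's own object model is not shown on this page.

```python
"""Pre-check for bridge group member interfaces (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_MEMBERS = 64  # stated limit: up to 64 interfaces or subinterfaces per bridge group


@dataclass
class Interface:
    """Assumed, simplified view of an interface as CDO would present it."""
    id: str
    name: str = ""
    kind: str = "routed"            # assumed labels: "routed" or "vlan"
    ipv4: Optional[str] = None      # static address, or "dhcp" when served by DHCP
    ipv6: Optional[str] = None
    zone: Optional[str] = None      # security zone the interface currently belongs to
    nat_rules: List[str] = field(default_factory=list)
    enabled: bool = True            # members may be disabled individually; that is fine


def check_bridge_members(members: List[Interface]) -> List[str]:
    """Return a list of problems that would block adding these members to a BVI."""
    problems: List[str] = []

    if len(members) > MAX_MEMBERS:
        problems.append(f"{len(members)} members exceeds the limit of {MAX_MEMBERS}")

    # VLAN and routed interfaces cannot both be members of a single BVI.
    kinds = {m.kind for m in members}
    if {"routed", "vlan"} <= kinds:
        problems.append("a single BVI cannot mix VLAN and routed member interfaces")

    for m in members:
        if not m.name:
            problems.append(f"{m.id}: the interface must have a name")
        if m.ipv4 is not None or m.ipv6 is not None:
            # CDO would warn and then strip the address; flag it so dependent
            # config (static routes, DHCP server, NAT) is reviewed first.
            problems.append(f"{m.id}: remove IPv4/IPv6 addressing (static or DHCP) first")
        if m.zone:
            problems.append(f"{m.id}: remove the interface from security zone '{m.zone}' first")
        if m.nat_rules:
            problems.append(f"{m.id}: delete NAT rules {m.nat_rules} first")

    return problems


if __name__ == "__main__":
    # Constructed sample: one clean member and one disabled member, then a set
    # with several violations.
    clean = [Interface("Gi0/1", name="lan1"), Interface("Gi0/2", name="lan2", enabled=False)]
    print("clean set:", check_bridge_members(clean) or "ok")

    messy = [
        Interface("Gi0/3", name="", ipv4="dhcp", zone="inside_zone", nat_rules=["nat-1"]),
        Interface("Gi0/4", name="vlan10", kind="vlan"),
    ]
    for problem in check_bridge_members(messy):
        print("blocked:", problem)
```

Run the check against the candidate member list before clicking Save; an empty result means the interfaces satisfy every requirement listed above, and a disabled member is accepted because members are enabled and disabled individually.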

Configure the Name of the Bridge Group Interface and Select the Bridge Group Members

In this procedure you give the bridge group interface (BVI) a name and select the interfaces to add to the bridge group:

  1. From the main navigation bar in CDO, click Devices & Services.
  2. Select the device for which you want to create a bridge group.
  3. Do one of the following:
    • Select the BVI bridge group and click Edit in the Actions pane.
    • Click the plus button and select Bridge Group Interface.

Note: You can create and configure a single bridge group. If you already have a bridge group defined, you should edit that group instead of trying to create a new one. If you need to create a new bridge group, you must first delete the existing bridge group.

  4. Configure the following:
    • Logical Name—You must give the bridge group a name. It can be up to 48 characters. Alphabetic characters must be lower case. For example, inside or outside. Without a name, the rest of the interface configuration is ignored.

Note: If you change the name, the change is automatically reflected everywhere you used the old name, including security zones, syslog server objects, and DHCP server definitions. However, you cannot remove the name until you first remove all configurations that use the name, because you typically cannot use an unnamed interface for any policy or setting.

    • (Optional) Description—The description can be up to 200 characters on a single line, without carriage returns.
  5. Click the Bridge Group Member tab. A single bridge group can have up to 64 interfaces or subinterfaces.
    • Check an interface to add it to the bridge group.
    • Uncheck an interface you want to remove from the bridge group.
  6. Click Save.

The BVI now has a name and member interfaces. Continue with the following tasks to configure the bridge group interface. These tasks apply to the BVI itself, not to the member interfaces:

Configure the IPv4 Address for the BVI

  1. Select the device for which you want to create a bridge group.
  2. Select the BVI in the list of interfaces and click Edit in the Actions pane.
  3. Click the IPv4 Address tab to configure the IPv4 address.
  4. Select one of the following options from the Type field:
    • Static—Choose this option if you want to assign an address that should not change. Type in the bridge group's IP address and the subnet mask. All attached endpoints will be on this network. For models with a pre-configured bridge group, the default for the BVI “inside” network is 192.168.1.1/24 (i.e. 255.255.255.0). Ensure that the address is not already used on the network.

If you configured high availability, and you are monitoring this interface for HA, also configure a standby IP address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.

Note: If there is a DHCP server configured for the interface, you are shown the configuration. You can edit or delete the DHCP address pool. If you change the interface IP address to a different subnet, you must either delete the DHCP server, or configure an address pool on the new subnet, before you can save the interface changes. See Configuring DHCP Server.

    • Dynamic (DHCP)—Choose this option if the address should be obtained from the DHCP server on the network. This is not the typical option for bridge groups, but you can configure it if needed. You cannot use this option if you configure high availability. Change the following options if necessary:
      • Route Metric—If you obtain the default route from the DHCP server, the administrative distance to the learned route, between 1 and 255. The default is 1.
      • Obtain Default Route—Check this option to get the default route from the DHCP server. You would normally select this option, which is the default.
  5. Continue with one of the following procedures:

Configure the IPv6 Address for the BVI

  1. Click the IPv6 Address tab to configure IPv6 addressing for the BVI.
  2. Configure these aspects of IPv6 addressing:
    • Enable IPv6 processing—To enable IPv6 processing and to automatically configure the link-local address when you do not configure the global address, slide the State slider to blue. The link-local address is generated from the interface MAC address (Modified EUI-64 format).

Note: Disabling IPv6 does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address or that is enabled for autoconfiguration.
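To make the Modified EUI-64 derivation mentioned above concrete, here is an added Python example (not Cisco's code and not part of this guide) that computes the link-local address an interface would self-assign from its MAC address, and checks whether an observed link-local address is the one that MAC would produce. Because each member interface has its own MAC, the derived addresses are unique per member, which is why the guide can say member interfaces receive unique link-local addresses. The MAC values used as input are constructed for the example.

```python
"""Modified EUI-64 link-local derivation (added example, not Cisco code)."""
import ipaddress
from typing import Dict

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6  # fe80::/64 with a zero subnet field


def _mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' into six bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Return the fe80::/64 address an interface derives from its MAC (Modified EUI-64)."""
    octets = _mac_bytes(mac)
    # Insert ff:fe between the OUI (first three octets) and the device part.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Flip the universal/local bit (bit 1 of the first octet); this is the
    # "Modified" part of Modified EUI-64.
    eui64[0] ^= 0x02
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + bytes(eui64))


def link_local_matches_mac(address: str, mac: str) -> bool:
    """True when the observed link-local address is the one this MAC would generate.

    Useful when auditing a bridge group: a member whose link-local address
    does not match its MAC was configured by hand or is not the device you think.
    """
    return ipaddress.IPv6Address(address) == link_local_from_mac(mac)


def link_locals_for_members(member_macs: Dict[str, str]) -> Dict[str, str]:
    """Map each member interface name to its derived link-local address.

    Raises ValueError if two members would derive the same address, which can
    only happen when two members share a MAC.
    """
    result = {name: str(link_local_from_mac(mac)) for name, mac in member_macs.items()}
    if len(set(result.values())) != len(result):
        raise ValueError("duplicate MAC addresses produce colliding link-local addresses")
    return result


if __name__ == "__main__":
    # Constructed MACs for two bridge group members.
    members = {"GigabitEthernet0/1": "00:1b:63:84:45:e6",
               "GigabitEthernet0/2": "00:1b:63:84:45:e7"}
    for name, addr in link_locals_for_members(members).items():
        print(f"{name}: {addr}")
```

The example also covers the audit direction, which the guide does not discuss: comparing an address seen on the wire with the one a member's MAC should produce is a quick way to spot a manually assigned or spoofed link-local address on a bridge group segment.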

    • Suppress RA—Whether to suppress router advertisements. The Firepower Threat Defense device can participate in router advertisements so that neighboring devices can dynamically learn a default router address. By default, router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately auto-configure without needing to wait for the next scheduled router advertisement message.

You might want to suppress these messages on any interface for which you do not want the FTD device to supply the IPv6 prefix (for example, the outside interface).

    • Static Address/Prefix—If you do not use stateless auto configuration, enter the full static global IPv6 address and network prefix. For example, 2001:0DB8::BA98:0:3210/48. For more information on IPv6 addressing, see IPv6 Addressing.
    • Standby IP Address—If you configure high availability, and you are monitoring this interface for HA, also configure a standby IPv6 address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
  3. Continue with one of the following procedures:
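Both the IPv4 and the IPv6 procedures above impose the same consistency rules on the BVI address: the standby address must be on the same subnet as the active one, any DHCP address pool must lie within the BVI's subnet after an address change, and every endpoint behind the member interfaces must be on that subnet. The following Python function is an added example (not Cisco's code and not part of this guide) that applies those rules to a proposed BVI address in either address family before the change is saved. The function name, its arguments and the sample addresses other than the guide's own 192.168.1.1/24 and 2001:0DB8::BA98:0:3210/48 are constructed for illustration.

```python
"""Consistency check for a BVI static address (added example, not Cisco code)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def check_bvi_address(address: str,
                      standby: Optional[str] = None,
                      dhcp_pool: Optional[Tuple[str, str]] = None,
                      endpoints: Iterable[str] = ()) -> List[str]:
    """Return the problems found with a proposed BVI address such as '192.168.1.1/24'.

    standby   - the HA standby address for the same interface, if HA is used
    dhcp_pool - (first, last) of the DHCP server pool configured on the BVI
    endpoints - addresses of hosts attached through member interfaces
    """
    problems: List[str] = []
    bvi = ipaddress.ip_interface(address)   # accepts IPv4 or IPv6 with a prefix length
    net = bvi.network

    # IPv4 only: the interface address may not be the network or broadcast address.
    if bvi.version == 4 and bvi.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{bvi.ip} is the network or broadcast address of {net}")

    if standby is not None:
        sb = ipaddress.ip_address(standby)
        if sb.version != bvi.version or sb not in net:
            problems.append(f"standby address {sb} is not on the BVI subnet {net}")
        elif sb == bvi.ip:
            problems.append("standby address must differ from the active address")

    if dhcp_pool is not None:
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
        if lo.version != bvi.version or lo not in net or hi not in net:
            # This is the case the guide warns about when the BVI moves to a new
            # subnet: delete the DHCP server or define a pool on the new subnet.
            problems.append(f"DHCP pool {lo}-{hi} lies outside the BVI subnet {net}")
        elif lo > hi:
            problems.append(f"DHCP pool start {lo} is after its end {hi}")
        elif lo <= bvi.ip <= hi:
            problems.append(f"DHCP pool {lo}-{hi} includes the BVI address {bvi.ip}")

    for ep in endpoints:
        ea = ipaddress.ip_address(ep)
        if ea.version != bvi.version or ea not in net:
            problems.append(f"endpoint {ea} is not on the bridge group subnet {net}")

    return problems


if __name__ == "__main__":
    # Constructed scenario: the default inside network with HA, a DHCP pool and two hosts.
    print(check_bvi_address("192.168.1.1/24", standby="192.168.1.2",
                            dhcp_pool=("192.168.1.10", "192.168.1.100"),
                            endpoints=["192.168.1.50", "192.168.1.51"]) or "ok")
    # Moving the BVI to a new subnet while the old pool is still configured.
    for p in check_bvi_address("192.168.2.1/24", dhcp_pool=("192.168.1.10", "192.168.1.100")):
        print("blocked:", p)
```

The check is deliberately the same for IPv4 and IPv6, so the guide's IPv6 example 2001:0DB8::BA98:0:3210/48 can be validated with a standby such as 2001:db8::ba98:0:3211 in exactly the same call.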

Configure Advanced Interface Options

You configure most advanced options on bridge group member interfaces, but some are available for the bridge group interface itself.

  1. The advanced settings have defaults that are appropriate for most networks. Edit them only if you are resolving network issues.
  2. Click OK.
  3. Click Save and deploy the changes to the Firepower device. See Deploy Configuration Changes from CDO to FTD for more information.

What to do next

  • Ensure that all member interfaces that you intend to use are enabled.
  • Configure a DHCP server for the bridge group. See Configure DHCP Server.
  • Add the member interfaces to the appropriate security zones. 
  • Ensure that policies, such as identity, NAT, and access, supply the required services for the bridge group and member interfaces.