Cisco Defense Orchestrator

Configure an FTD VLAN for Switch Port Mode

Be sure to read the limitations for switch port mode prior to configuration; see Switch Port Mode Interfaces for FTD for more information. 

Note: You can assign or edit a VLAN member to a physical interface at any time. Be sure to deploy the changes to the device after you confirm the new configuration. 

Create a VLAN Interface for Switch Port Mode

  1. On the Devices & Services page, click the device you want to configure interfaces for. 
  2. In the Management pane on the right, click Interfaces.
  3. On the Interfaces page, click the blue plus (+) button and choose VLAN Interface.
  4. View the VLAN Members tab and select the desired physical interfaces.

Note: If you add a member that references a VLAN interface configured for either Access or Native Trunk, you can select only one VLAN as a member. A physical interface that references a VLAN interface configured for Associated Trunk supports up to 20 interfaces as members. 

  5. Configure the rest of the VLAN interface, as described in Configure an FTD VLAN.
  6. Click Save. Confirm that you want to reset the VLAN configuration and reassign an IP address to the interface.
  7. Review the changes you made and deploy them now, or wait and deploy multiple changes at once.

Configure an Existing Physical Interface for Switch Port Mode

  1. On the Devices & Services page, click the device you want to configure interfaces for. 
  2. In the Management pane on the right, click Interfaces.
  3. On the Interfaces page, select the physical interface you want to modify. In the Action pane on the right, click the edit icon.
  4. Interfaces configured for switch port mode do not support logical names. If the interface has a logical name, delete it.
  5. Locate the Mode and use the drop-down menu to select Switch Port.
  6. Configure the physical interface for switch port mode:
  • (Optional) Check the Protected Port check box to set this switch port as protected, so you can prevent the switch port from communicating with other protected switch ports on the same VLAN.
    You might want to prevent switch ports from communicating with each other if: the devices on those switch ports are primarily accessed from other VLANs; you do not need to allow intra-VLAN access; and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply this option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
  • For the Usage Type, select Access or Trunk. See Switch Port Mode Interfaces for FTD to determine which port type you need. 
    • If you select Trunk, you must select one VLAN interface as the Native Trunk VLAN to forward untagged traffic and at least one Associated VLAN to forward tagged traffic. Click the blue_cross_button.png icon to view the existing physical interfaces. You can select up to 20 VLAN interfaces as associated VLANs. 
    • You can create a new VLAN interface set to Access mode by clicking Create new VLAN
  7. Click Save. Confirm that you want to reset the VLAN configuration and reassign an IP address to the interface.
  8. Review the changes you made and deploy them now, or wait and deploy multiple changes at once.
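The two procedures above state several constraints that CDO enforces only once you click Save. The following is an added example, not CDO or FTD code, that models those rules as a pre-deployment check so you can review a planned switch port configuration before touching the device: a switch port must have no logical name, a Trunk port needs one native VLAN and between 1 and 20 associated VLANs, an Access port carries one VLAN, and two protected ports on the same VLAN cannot exchange traffic at layer 2. The interface names and VLAN IDs used are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Set

MAX_ASSOCIATED_VLANS = 20  # limit on associated (tagged) VLANs per trunk stated on this page

@dataclass
class SwitchPort:
    name: str                            # physical interface name (constructed, e.g. "Ethernet1/2")
    usage: str                           # Usage Type: "Access" or "Trunk"
    access_vlan: Optional[int] = None    # the single VLAN carried when usage == "Access"
    native_vlan: Optional[int] = None    # untagged VLAN when usage == "Trunk"
    associated_vlans: Set[int] = field(default_factory=set)  # tagged VLANs on a trunk
    protected: bool = False              # the Protected Port check box
    logical_name: Optional[str] = None   # must be cleared before the port enters switch port mode

def validate(port: SwitchPort) -> List[str]:
    """Return the problems that would block a clean switch-port-mode deployment."""
    problems: List[str] = []
    if port.logical_name:
        problems.append(f"{port.name}: remove logical name '{port.logical_name}'")
    if port.usage == "Access":
        if port.access_vlan is None:
            problems.append(f"{port.name}: access port needs one VLAN")
    elif port.usage == "Trunk":
        if port.native_vlan is None:
            problems.append(f"{port.name}: trunk needs a native VLAN")
        if not port.associated_vlans:
            problems.append(f"{port.name}: trunk needs at least one associated VLAN")
        if len(port.associated_vlans) > MAX_ASSOCIATED_VLANS:
            problems.append(f"{port.name}: more than {MAX_ASSOCIATED_VLANS} associated VLANs")
    else:
        problems.append(f"{port.name}: unknown usage type {port.usage!r}")
    return problems

def vlans_on(port: SwitchPort) -> Set[int]:
    """All VLANs a port participates in, whether tagged or untagged."""
    if port.usage == "Access":
        return {port.access_vlan} if port.access_vlan is not None else set()
    native = {port.native_vlan} if port.native_vlan is not None else set()
    return native | port.associated_vlans

def can_forward(a: SwitchPort, b: SwitchPort) -> bool:
    """Can hosts behind switch ports a and b reach each other directly at layer 2?

    Only switch-to-switch forwarding is modelled; routed reachability through the
    FTD (the DMZ example, where inside/outside still reach every web server) is not.
    """
    if not (vlans_on(a) & vlans_on(b)):
        return False
    # Two protected ports on a shared VLAN are isolated from each other.
    return not (a.protected and b.protected)
```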
