Skip to main content

 

 

Cisco Defense Orchestrator

Configure an FTD VLAN

Configure a VLAN Interface

 You must first configure a VLAN interface if you intend to configure subinterfaces or switch ports. 

Note: An FTD device supports a maximum of 60 VLAN interfaces. 

  1. On the Devices & Services page, select the desired device you want to create a VLAN on. 
  2. In the Management pane at the right, click click Interfaces.
  3. On the Interfaces page, click the blue_cross_button.png button and choose VLAN Interface
  4. Configure the following:
  • (Optional) Logical Name—Set the name for the VLAN, up to 48 characters. Alphabetic characters must be lower case. If you do not want to route between the VLAN and other VLANs or firewall interfaces, then leave the VLAN interface name empty.

Note: If you do not enter a name, the MTU in the Advanced Options must be set to 1500. If you change the MTU to something other than 1500, the VLAN must be unnamed. 

  • (Optional) Description—The description can be up to 200 characters on a single line, without carriage returns.
  • (Optional) VLAN ID-Enter the VLAN ID between 1 and 4070 that will be used to tag the packets on this subinterface.

​​​​​​Note: VLAN interfaces are routed by default. If you add this VLAN interface to a bridge group at a later date, CDO automatically changes the mode to BridgeGroupMember. Similarly, if you change this VLAN interface to switch port mode, CDO automatically changes the mode to Switch Port.

  1. Click the IPv4 Address tab and select one of the following options from the Type field:
  • Static — Choose this option if you want to assign an address that should not change. Type in the interface's IP address and the subnet mask for the network attached to the interface. For example, if you attach the 10.100.10.0/24 network, you could enter 10.100.10.1/24. Ensure that the address is not already used on the network.

If you configured high availability, and you are monitoring this interface for HA, also configure a standby IP address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.

Note: If there is a DHCP server configured for the interface, you are shown the configuration. You can edit or delete the DHCP address pool. If you change the interface IP address to a different subnet, you must either delete the DHCP server, or configure an address pool on the new subnet, before you can save the interface changes. See Configuring DHCP Server for more information.

  • Dynamic (DHCP)—Choose this option if the address should be obtained from the DHCP server on the network. You cannot use this option if you configure high availability. Change the following options if necessary:
    • Route Metric—If you obtain the default route from the DHCP server, the administrative distance to the learned route, between 1 and 255. The default is 1.
    • Obtain Default Route—Check this option to get the default route from the DHCP server. You would normally select this option, which is the default.
  1. (Optional) Click the IPv6 Address tab  and configure the following: 
  • Enable IPv6 processing—To enable IPv6 processing and to automatically configure the link-local address when you do not configure the global address, slide the State slider to blue. The link local address is generated based on the interface MAC addresses (Modified EUI-64 format).

Note: Disabling IPv6 does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address or that is enabled for autoconfiguration.

  • Suppress RA—Whether to suppress router advertisements. The Firepower Threat Defense device can participate in router advertisements so that neighboring devices can dynamically learn a default router address. By default, router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately auto-configure without needing to wait for the next scheduled router advertisement message.

We suggest suppressing these messages on any interface for which you do not want the FTD device to supply the IPv6 prefix (for example, the outside interface).

  • Static Address/Prefix—If you do not use stateless auto configuration, enter the full static global IPv6 address and network prefix. For example, 2001:0DB8::BA98:0:3210/48. For more information on IPv6 addressing, see IPv6 Addressing.
  • Standby IP Address—If you configure high availability, and you are monitoring this interface for HA, also configure a standby IPv6 address on the same subnet. The standby address is used by this interface on the standby device. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
  1. (Optional) Click the Advanced tab. 
  • Select Enable for HA Monitoring if you want the health of the interface to be a factor when the system decides whether to fail over to the peer unit in a high availability configuration.
    This option is ignored if you do not configure high availability. It is also ignored if you do not configure a name for the interface.
  • Select Management Only to make a data interface management only. 
    A management only interface does not allow through traffic, so there is very little value in setting a data interface as management only. You cannot change this setting for the Management/Diagnostic interface, which is always management only.
  • Modify the IPv6 Configuration settings. 
    • Enable DHCP for IPv6 address configuration—Whether to set the Managed Address Configuration flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain addresses, in addition to the derived stateless autoconfiguration address.
    • Enable DHCP for IPv6 non-address configuration—Whether to set the Other Address Configuration flag in the IPv6 router advertisement packet. This flag informs IPv6 autoconfiguration clients that they should use DHCPv6 to obtain additional information from DHCPv6, such as the DNS server address.
    • DAD Attempts—How often the interface performs Duplicate Address Detection (DAD), from 0 - 600. The default is 1. During the stateless autoconfiguration process, DAD verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. The interface uses neighbor solicitation messages to perform Duplicate Address Detection. Set the value to 0 to disable duplicate address detection (DAD) processing.
  • Change the MTU (maximum transmission unit) to the desired value.
    The default MTU is 1500 bytes. You can specify a value from 64 - 9198 (or 9000 for FTDv devices and 9184 for the Firepower 4100/9300). Set a high value if you typically see jumbo frames on your network.

Note: If you increase MTU above 1500 on ASA 5500-X series devices, ISA 3000 series devices, or FTDv devices, the VLAN must be unnamed and you must reboot the device. Log into the CLI and use the reboot command. If the device is configured for HA, you must also reboot the standby device. You do not need to reboot Firepower models, where jumbo frame support is always enabled.

  • (Optional for subinterface and HA pairs) Configure the MAC address.
    By default, the system uses the MAC address burned into the network interface card (NIC) for the interface. Thus, all subinterfaces on an interface use the same MAC address, so you might want to create unique addresses per subinterface. Manually configured active/standby MAC addresses are also recommended if you configure high availability. Defining the MAC addresses helps maintain consistency in the network in the event of failover.
    • MAC Address—The Media Access Control in H.H.H format, where H is a 16-bit hexadecimal digit. For example, you would enter the MAC address 00-0C-F1-42-4C-DE as 000C.F142.4CDE. The MAC address must not have the multicast bit set, that is, the second hexadecimal digit from the left cannot be an odd number.)
    • Standby MAC Address—For use with HA pairs. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
  1. Click OK
  2. Review and deploy now the changes you made, or wait and deploy multiple changes at once.

 

What's Next?

  • Was this article helpful?