Skip to main content

 

 

Cisco Defense Orchestrator

Switch Port Mode Interfaces for Firepower Threat Defense

For each physical Firepower 1010 interface, you can set its operation as a firewall interface or as a switch port. Switch ports forward traffic at Layer 2, using the switching function in hardware. Switch ports on the same VLAN can communicate with each other using hardware switching, and traffic is not subject to the FTD security policy. Access ports accept only untagged traffic, and you can assign them to a single VLAN. Trunk ports accept untagged and tagged traffic, and can belong to more than one VLAN. By default, Ethernet 1/2 through 1/8 are configured as access switch ports on VLAN 1. Note that switch ports on the same VLAN can communicate with each other using hardware switching, and traffic is not subject to the FTD security policy. 

Access or Trunk

A physical interface configured as a switch port can be assigned as either an access port or a trunk port. 

Access ports forward traffic to only one VLAN and accept only untagged traffic. This option is preferrable for forwarding traffic to a single host or device. You must also specify the VLAN you would like to be associated with the interface, otherwise it will default to VLAN 1.

Trunk ports forward traffic to multiple VLANs. You must assign one VLAN interface as the native trunk port and at least one VLAN as an associated trunk port. You can select up to 20 interfaces to be associated with the switch port interface, which enables traffic from different VLAN IDs to pass through the switch port interface. If an untagged traffic is passed through the switch port then the traffic is tagged with the VLAN ID of the native VLAN interface. 

High Availability and Switch Port Mode Interfaces

You should not use the switch port functionality when using High Availability. Because the switch ports operate in hardware, they continue to pass traffic on both the active and the standby units. High Availability is designed to prevent traffic from passing through the standby unit, but this feature does not extend to switch ports. In a normal High Availability network setup, active switch ports on both units will lead to network loops. We suggest that you use external switches for any switching capability. Note that VLAN interfaces can be monitored by failover, while switch ports cannot. 

Note: You can only use a firewall interface as the failover link.

Configuration Limitations

Be aware of the following limitations:

  • Only physical FTD 1010 devices support switchport mode configuration. Virtual FTD devices do not support switch port mode.
  • The FTD 1010 device allows a maximum of 60 VLANs. 
  • You cannot delete an interface configured as a switch port mode. You must manually change the interface mode from switch port mode to routed mode.
  • You cannot use any member of the bridge group interface as a a switch port. 
  • Switch port mode does not support the following:
    • Diagnostic interface.
    • Dynamic, multicast, or Equal-Cost Multi-Path (ECMP) routing.
    • Passive interfaces.
    • Port etherchannels, or using an interface that is a member of an etherchannel.
    • Subinterfaces.
    • Failover and state link.
  • Was this article helpful?