Skip to main content

 

 

Cisco Defense Orchestrator

Switch Port Mode Interfaces for an FTD

For each physical Firepower 1010 interface, you can set its operation as a firewall interface or as a switch port. Switch ports forward traffic at Layer 2, using the switching function in hardware. Switch ports on the same VLAN can communicate with each other using hardware switching, and traffic is not subject to the FTD security policy. Access ports accept only untagged traffic, and you can assign them to a single VLAN. Trunk ports accept untagged and tagged traffic, and can belong to more than one VLAN. For devices that have been reimaged to Version 6.4, Ethernet 1/2 through 1/8 are configured as access switch ports on VLAN 1; devices that are manually upgraded to Version 6.4 (and later), the ethernet configuration maintains the configuration prior ot upgrading. Note that switch ports on the same VLAN can communicate with each other using hardware switching, and traffic is not subject to the FTD security policy. 

Access or Trunk

A physical interface configured as a switch port can be assigned as either an access port or a trunk port. 

Access ports forward traffic to only one VLAN and accept only untagged traffic. We strongly recommend this option if you intend to forward traffic to a single host or device. You must also specify the VLAN you would like to be associated with the interface, otherwise it will default to VLAN 1.

Trunk ports forward traffic to multiple VLANs. You must assign one VLAN interface as the native trunk port and at least one VLAN as an associated trunk port. You can select up to 20 interfaces to be associated with the switch port interface, which enables traffic from different VLAN IDs to pass through the switch port interface. If an untagged traffic is passed through the switch port then the traffic is tagged with the VLAN ID of the native VLAN interface. Note that the default Fiber Distributed Data Interface (FDDI) & Token RING ID between 1002 and 1005 cannot be used for VLAN ID.

Change the Port Mode

If you select an interface that is configured for routed mode as a VLAN member, CDO automatically converts the interface to switch port mode and configures the interface as an access port by default. As a result the logical name and the associated static IP addresses are removed from the interface.

High Availability and Switch Port Mode Interfaces

You should not use the switch port functionality when using High Availability. Because the switch ports operate in hardware, they continue to pass traffic on both the active and the standby units. High Availability is designed to prevent traffic from passing through the standby unit, but this feature does not extend to switch ports. In a normal High Availability network setup, active switch ports on both units will lead to network loops. We suggest that you use external switches for any switching capability. Note that VLAN interfaces can be monitored by failover, while switch ports cannot. 

Note: You can only use a firewall interface as the failover link.

Switch Port Mode Configurations in Templates

You can create templates of devices with interfaces configured for switch port mode. Beware the following scenarios when mapping interfaces from the template to a device:

  • If a template interface does not contain any VLAN members prior to applying the template, CDO automatically maps it to an available device interface that has the same properties. 
  • If a template interface that does not contain a VLAN member is mapped to a device interface that is configured as N/A, CDO automatically creates an interface on the device the template is to be applied to
  • If a template interface containing a VLAN member is mapped to a device interface that is not present, applying a template will fail
  • Templates do not support mapping more than one template interface to the same device interface. 
  • The template's management interface must be mapped to the device's management interface. 

Configuration Limitations

Be aware of the following limitations:

  • Only physical FTD 1010 devices support switch port mode configuration. Virtual FTD devices do not support switch port mode.
  • The FTD 1010 device allows a maximum of 60 VLANs. 
  • VLAN interfaces configured for switch port mode must be unnamed. This means the MTU must be configured to 1500 bytes.  
  • You cannot delete an interface configured as a switch port mode. You must manually change the interface mode from switch port mode to routed mode.
  • Interfaces configured for switch port mode do not support IP addresses. If the interface is currently referenced in or configured for VPN, DHCP, or is associated with a static route, you must manually remove the IP address.
  • You cannot use any member of the bridge group interface as a a switch port. 
  • The MTU for a VLAN interface must be 1500 bytes. Unnamed VLAN interfaces do not support any other configuration. 
  • Switch port mode does not support the following:
    • Diagnostic interface.
    • Dynamic, multicast, or Equal-Cost Multi-Path (ECMP) routing.
    • Passive interfaces.
    • Port etherchannels, or using an interface that is a member of an etherchannel.
    • Subinterfaces.
    • Failover and state link.

 

 

Related Articles: 

  • Was this article helpful?