Guidelines for Inline Sets and Passive Interfaces

Firewall Mode

  • ERSPAN interfaces are only allowed when the device is in routed firewall mode.

Clustering

  • Link State Propagation for an inline set is not supported with clustering.

Multi-Instance Mode

  • Multi-instance shared interfaces are not supported. You must use an unshared interface.

  • Multi-instance chassis-defined subinterfaces are not supported. You must use a physical interface or EtherChannel.

General Guidelines

  • Inline sets and passive interfaces support physical interfaces and EtherChannels only, and cannot use VLANs or other virtual interfaces, including multi-instance chassis-defined subinterfaces.

  • Bidirectional Forwarding Detection (BFD) echo packets are not allowed through the threat defense when using inline sets. If there are two neighbors on either side of the threat defense running BFD, then the threat defense will drop BFD echo packets because they have the same source and destination IP address and appear to be part of a LAND attack.

  • For inline sets and passive interfaces, the threat defense supports up to two 802.1Q headers in a packet (also known as Q-in-Q support), with the exception of the Firepower 4100/9300, which only supports one 802.1Q header. Note: Firewall-type interfaces do not support Q-in-Q, and only support one 802.1Q header.
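
The two points above, the 802.1Q header limit and why same-source/destination BFD echo packets look like a LAND attack, can be checked against raw frames. The following is an added example and not part of the Cisco guide; the platform labels, the constructed sample frames, and the 8-byte L4 stub are assumptions, and the BFD echo port 3785 is taken from RFC 5881.

```python
import socket
import struct

ETH_P_8021Q, ETH_P_8021AD, ETH_P_IP = 0x8100, 0x88A8, 0x0800
BFD_ECHO_PORT = 3785          # BFD echo, RFC 5881
# 802.1Q header limit from the guideline above (platform names are plain labels)
QINQ_LIMIT = {"default": 2, "firepower-4100-9300": 1}

def count_vlan_tags(frame):
    """Return (tag_count, ethertype, ip_offset) for an Ethernet II frame."""
    offset, tags = 12, 0
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tags += 1
        offset += 4                       # skip TPID + TCI of this tag
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return tags, ethertype, offset + 2

def exceeds_qinq_limit(frame, platform="default"):
    return count_vlan_tags(frame)[0] > QINQ_LIMIT[platform]

def classify_ipv4(frame):
    """Flag src==dst IPv4 (LAND pattern) and note whether it is really BFD echo."""
    tags, ethertype, off = count_vlan_tags(frame)
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto, src, dst = frame[off + 9], frame[off + 12:off + 16], frame[off + 16:off + 20]
    bfd_echo = False
    if proto == 17:                       # UDP: destination port follows source port
        bfd_echo = struct.unpack_from("!H", frame, off + ihl + 2)[0] == BFD_ECHO_PORT
    return {"vlan_tags": tags, "land_pattern": src == dst, "bfd_echo": bfd_echo}

def build_frame(src_ip, dst_ip, proto, dport, vlan_ids=()):
    """Constructed sample frame: Ethernet II, optional 802.1Q tags, IPv4, 8-byte L4 stub."""
    eth = bytes.fromhex("001122334455" "66778899aabb")
    for vid in vlan_ids:
        eth += struct.pack("!HH", ETH_P_8021Q, vid)
    eth += struct.pack("!H", ETH_P_IP)
    l4 = struct.pack("!HHHH", 49152, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

if __name__ == "__main__":
    echo = build_frame("10.0.0.1", "10.0.0.1", 17, BFD_ECHO_PORT, vlan_ids=(100,))
    print(classify_ipv4(echo))            # by address alone the echo matches the LAND pattern
    qinq = build_frame("10.0.0.1", "10.0.0.2", 6, 443, vlan_ids=(100, 200))
    print(exceeds_qinq_limit(qinq), exceeds_qinq_limit(qinq, "firepower-4100-9300"))
```

The address-only check is what makes a legitimate BFD echo indistinguishable from a LAND packet; distinguishing them requires looking at the transport header as `classify_ipv4` does.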

Hardware Bypass Guidelines

  • Hardware Bypass ports are supported only for inline sets.

  • Hardware Bypass ports cannot be part of an EtherChannel.

  • Hardware Bypass is not supported in high availability mode.

  • Hardware Bypass ports are supported with intra-chassis clustering on the Firepower 9300. Ports are placed in Hardware Bypass mode when the last unit in the chassis fails. Inter-chassis clustering is not supported, because inter-chassis clustering only supports Spanned EtherChannels; Hardware Bypass ports cannot be part of an EtherChannel.

  • If all modules in an intra-chassis cluster on the Firepower 9300 fail, then Hardware Bypass is triggered on the final unit, and traffic continues to pass. When units come back up, Hardware Bypass returns to standby mode. However, when you use rules that match application traffic, those connections may be dropped and need to be reestablished. Connections are dropped because state information is not retained on the cluster unit, and the unit cannot identify the traffic as belonging to an allowed application. To avoid a traffic drop, use a port-based rule instead of an application-based rule, if appropriate for your deployment.

  • You can use Hardware Bypass interfaces as regular interfaces without the Hardware Bypass feature enabled.

  • Do not enable Hardware Bypass and link state propagation for the same inline set.

Unsupported Firewall Features on IPS Interfaces

  • DHCP server

  • DHCP relay

  • DHCP client

  • TCP Intercept

  • Routing

  • NAT

  • VPN

  • Application inspection

  • QoS

  • NetFlow

  • VXLAN