Configure a Bridge Group

A bridge group is a virtual interface that groups one or more interfaces. The main reason to group interfaces is to create a group of switched interfaces. Thus, you can attach workstations or other endpoint devices directly to the interfaces included in the bridge group. You do not need to connect them through a separate physical switch, although you can also attach a switch to a bridge group member.

The group members do not have IP addresses. Instead, all member interfaces share the IP address of the Bridge Virtual Interface (BVI). If you enable IPv6 on the BVI, member interfaces are automatically assigned unique link-local addresses.

You typically configure a DHCP server on the bridge group interface (BVI), which provides IP addresses for any endpoints connected through member interfaces. However, you can configure static addresses on the endpoints connected to the member interfaces if you prefer. All endpoints within the bridge group must have IP addresses on the same subnet as the bridge group IP address.

Note

For ISA 3000, the device comes pre-configured with bridge group BVI, named inside, which includes all data interfaces except for the outside interface. Thus, the device is pre-configured with one port used for linking to the Internet or other upstream network, and all other ports enabled and available for direct connections to endpoints. If you want to use an inside interface for a new subnet, you must first remove the needed interfaces from BVI.

FDM-managed devices only support one bridge group; therefore, Cisco Defense Orchestrator can only manage that one bridge group and cannot create additional bridge groups on the device.

After you create a bridge group on CDO, you will not know the bridge group ID until after the configuration is deployed to the FDM-managed device. FDM-managed device assigns the bridge group ID, for example, BVI1. If the interface is deleted and a new bridge group is created, the new bridge group receives an incremented number, for example, BVI2.

Before you Begin

Configure the interfaces that will be members of the bridge group. Specifically, each member interface must meet the following requirements:

  • The interface must have a name.

  • The interface cannot be configured as management-only.

  • The interface cannot be configured for passive mode.

  • The interface cannot be an EtherChannel interface or an EtherChannel subinterface.

  • The interface cannot have any IPv4 or IPv6 addresses defined for it, either static or served through DHCP. If you need to remove the address from an interface that you are currently using, you might also need to remove other configurations for the interface, such as static routes, DHCP server, or NAT rules, that depend on the interface having an address. If you try to add an interface with an IP address to a bridge group, CDO will warn you. If you continue to add the interface to the bridge group, CDO will remove the IP address from the interface configuration.

  • BVI can have either VLAN interfaces or other routed interfaces as a member interface, but you cannot have both as member interfaces on a single BVI.

  • The interface cannot be Point-to-Point Protocol over Ethernet (PPPoE)

  • The interface cannot be associated with a security zone (if it is in a zone). You must delete any NAT rules for the interface before you can add it to a bridge group.

  • Enable and disable the member interfaces individually. Thus, you can disable any unused interfaces without needing to remove them from the bridge group. The bridge group itself is always enabled.

  • Bridge groups do not support clustering.

Note

Bridge groups are not supported on Firepower 2100 devices in routed mode or on VMware with bridged ixgbevf interfaces.