Configure Routed Mode Interfaces

This procedure describes how to set the name, security zone, and IPv4 address.

Note

Not all fields are supported for all interface types.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

Step 2

Click Edit (edit icon) for the interface you want to edit.

Step 3

In the Name field, enter a name up to 48 characters in length.

You cannot start the name with the phrase "cluster". It is reserved for internal use.

Step 4

Enable the interface by checking the Enabled check box.

Step 5

(Optional) Set this interface to Management Only to limit traffic to management traffic; through-the-box traffic is not allowed.

Step 6

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 7

In the Mode drop-down list, choose None.

Regular firewall interfaces have the mode set to None. The other modes are for IPS-only interface types.

Step 8

From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.

The routed interface is a Routed-type interface, and can only belong to Routed-type zones.

Step 9

See Configure the MTU for information about the MTU.

Step 10

In the Priority field, enter a number ranging from 0–65535.

This value is used in the policy based routing configuration. The priority is used to determine how you want to route the traffic across multiple egress interfaces. For more information, see Configure Policy-Based Routing Policy.

Step 11

Click the IPv4 tab. To set the IP address, use one of the following options from the IP Type drop-down list.

High Availability, clustering interfaces only support static IP address configuration; DHCP and PPPoE are not supported.

  • Use Static IP—Enter the IP address and subnet mask. For point-to-point connections, you can specify a 31-bit subnet mask (255.255.255.254 or /31). In this case, no IP addresses are reserved for the network or broadcast addresses. You cannot set the standby IP address in this case. For High Availability, you can only use a static IP address. Set the standby IP address on the Devices > Device Management > High Availability tab in the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.

  • Use DHCP—Configure the following optional parameters:

    • Obtain default route using DHCP—Obtains the default route from the DHCP server.

    • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.

  • Use PPPoE—If the interface is connected to a DSL, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address, configure the following parameters:

    • VPDN Group Name—Specify a group name of your choice to represent this connection.

    • PPPoE User Name—Specify the username provided by your ISP.

    • PPPoE Password/Confirm Password—Specify and confirm the password provided by your ISP.

    • PPP Authentication—Choose PAP, CHAP, or MSCHAP.

      PAP passes a cleartext username and password during authentication and is not secure. With CHAP, the client returns the encrypted [challenge plus password], with a cleartext username in response to the server challenge. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE.

    • PPPoE route metric—Assign an administrative distance to the learned route. Valid values are from 1 to 255. By default, the administrative distance for the learned routes is 1.

    • Enable Route Settings—To manually configure the PPPoE IP address, check this box and then enter the IP Address.

      If you select the Enable Route Settings check box and leave the IP Address blank, the ip address pppoe setroute command is applied as shown in this example:

      interface GigabitEthernet0/2
      nameif inside2_pppoe
      cts manual
        propagate sgt preserve-untag
        policy static sgt disabled trusted
      security-level 0
      pppoe client vpdn group test
      pppoe client route distance 10
      ip address pppoe setroute
    • Store Username and Password in Flash—Stores the username and password in flash memory.

      The threat defense device stores the username and password in a special location of NVRAM.

Step 12

(Optional) See Configure IPv6 Addressing to configure IPv6 addressing on the IPv6 tab.

Step 13

(Optional) See Configure the MAC Address to manually configure the MAC address on the Advanced tab.

Step 14

(Optional) Set the duplex and speed by clicking Hardware Configuration > Speed.

  • Duplex—Choose Full or Half. SFP interfaces only support Full duplex.

  • Speed—Choose a speed (varies depending on the model). (Secure Firewall 3100 only) Choose Detect SFP to detect the speed of the installed SFP module and use the appropriate speed. Duplex is always Full, and auto-negotiation is always enabled. This option is useful if you later change the network module to a different model, and want the speed to update automatically.

  • Auto-negotiation—Set the interface to negotiate the speed, link status, and flow control.

  • Forward Error Correction Mode—(Secure Firewall 3100 only) For 25 Gbps and higher interfaces, enable Forward Error Correction (FEC). For an EtherChannel member interface, you must configure FEC before you add it to the EtherChannel. The setting chosen when you use Auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.

    Default FEC for Auto Setting

    Transceiver Type

    Fixed Port Default FEC (Ethernet 1/9 through 1/16)

    Network Module Default FEC

    25G-SR

    Clause 74 FC-FEC

    Clause 108 RS-FEC

    25G-LR

    Clause 74 FC-FEC

    Clause 108 RS-FEC

    10/25G-CSR

    Clause 74 FC-FEC

    Clause 74 FC-FEC

    25G-AOCxM

    Clause 74 FC-FEC

    Clause 74 FC-FEC

    25G-CU2.5/3M

    Auto-Negotiate

    Auto-Negotiate

    25G-CU4/5M

    Auto-Negotiate

    Auto-Negotiate

Step 15

(Optional) Enable management center manager access on a data interface on the FMC Access page.

You can enable manager access from a data interface when you first setup the threat defense. If you want to enable or disable manager access after you added the threat defense to the management center, see:

If you want to change the manager access interface from one data interface to another data interface, you must disable manager access on the original data interface, but do not disable the interface itself yet; the original data interface must be used to perform the deployment. If you want to use the same IP address on the new manager access interface, you can delete or change the IP configuration on the original interface; this change should not affect the deployment. If you use a different IP address for the new interface, then also change the device IP address shown in the management center; see Update the Hostname or IP Address in the Management Center. Be sure to also update related configuration to use the new interface such as static routes, DDNS, and DNS settings.

Manager access from a data interface has the following limitations:

  • You can only enable manager access on one physical, data interface. You cannot use a subinterface or EtherChannel.

  • This interface cannot be management-only.

  • Routed firewall mode only, using a routed interface.

  • PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the threat defense and the WAN modem.

  • The interface must be in the global VRF only.

  • SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the management center. Because the Management interface gateway will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command.

  • Clustering is not supported. You must use the Management interface in this case.

  • Check Enable management on this interface for the Firepower Management Center to use this data interface for management instead of the dedicated Management interface.

  • (Optional) In the Allowed Management Networks box, add the networks from which you want to allow manager access. By default, any networks are allowed.

Step 16

Click OK.

Step 17

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.