Enable the Physical Interface and Configure Ethernet Settings

This section describes how to:

  • Enable the physical interface. By default, physical interfaces are disabled (with the exception of the interface).

  • Set a specific speed and duplex. By default, speed and duplex are set to Auto.

This procedure only covers a small subset of Interface settings. Refrain from setting other parameters at this point. For example, you cannot name an interface that you want to use as part of an EtherChannel interface. The exact interface options vary depending on your model and interface type.

Note

For the Firepower 4100/9300, you configure basic interface settings in FXOS. See Configure a Physical Interface for more information.

Note

For switch ports, see Configure switch ports.

Before you begin

If you changed the physical interfaces on the device after you added it to the Firewall Management Center, you need to refresh the interface listing by clicking Sync Interfaces from device on the top left of Interfaces. For the 3100, which supports hot swapping, see Manage the Network Module for the Secure Firewall 3100 before you change interfaces on a device.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your Firewall Threat Defense device. The Interfaces page is selected by default.

Step 2

Click Edit (edit icon) for the interface you want to edit.

Step 3

Enable the interface by checking the Enabled check box.

Step 4

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 5

(Optional) Set the duplex and speed by clicking Hardware Configuration > Speed.

  • Duplex—Choose Full or Half. SFP interfaces only support Full duplex.

  • Speed—Choose a speed (varies depending on the model).

    For SFPs, choose Detect SFP to detect the speed of the installed SFP module and use the appropriate speed. Duplex is always full, autonegotiation is enabled, and FEC is set to auto. For dual-speed transceivers, the lower speed is used. This option is useful if you later change the network module to a different model, and want the speed to update automatically.

    Some switches and transceivers don't support autonegotiation, especially for higher speed interfaces. In this case, set the interface on the Firewall Threat Defense to a manual speed and also disable Auto-negotiation so the link can come up.

    Note

    You cannot modify the speed of a high availability or a cluster control link interface.

  • Auto-negotiation—Set the interface to negotiate the link status and flow control.

    Except for the 1100 and 2100, autonegotiation is set separately from the speed. Some switches don't support autonegotiation, especially for higher speed interfaces. In this case, set the interface on the Firewall Threat Defense to a manual speed and also disable Auto-negotiation so the link can come up.

  • Forward Error Correction Mode—For 25Gbps and higher interfaces, enable Forward Error Correction (FEC).

    For an EtherChannel member interface, you must configure FEC before you add it to the EtherChannel. If you remove the interface from the EtherChannel, after rebooting, you may need to reconfigure the FEC for the interface.

    Some switches don't support auto mode for FEC, especially for larger interfaces. Be sure to either disable FEC or manually configure the setting, depending on the switch support.

    The setting chosen when you use auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.

    Default FEC for Auto Setting

    Transceiver Type    Fixed Port Default FEC           Network Module Default FEC
                        (Ethernet 1/9 through 1/16)
    ----------------    ---------------------------      --------------------------
    25G-SR              Clause 74 FC-FEC                 Clause 108 RS-FEC
    25G-LR              Clause 74 FC-FEC                 Clause 108 RS-FEC
    10/25G-CSR          Clause 74 FC-FEC                 Clause 74 FC-FEC
    25G-AOCxM           Clause 74 FC-FEC                 Clause 74 FC-FEC
    25G-CU2.5/3M        Auto-Negotiate                   Auto-Negotiate
    25G-CU4/5M          Auto-Negotiate                   Auto-Negotiate

Step 6

(Optional) Enable Link Layer Discovery Protocol (LLDP) by clicking Hardware Configuration > LLDP.

  • Enable LLDP Receive—Enables the firewall to receive LLDP packets from its peers.

  • Enable LLDP Transmit—Enables the firewall to send LLDP packets to its peers.

Step 7

In the Mode drop-down list, choose one of the following:

  • None—Choose this setting for regular firewall interfaces and inline sets. The mode will automatically be changed to Routed, Switched, or Inline based on further configuration.

  • Passive—Choose this setting for passive IPS-only interfaces.

  • Erspan—Choose this setting for ERSPAN passive IPS-only interfaces.

Step 8

In the Priority field, enter a number from 0 to 65535.

This value is used in the policy-based routing configuration. The priority determines how traffic is distributed across multiple egress interfaces.

Step 9

Click OK.

Step 10

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Step 11

Continue configuring interfaces.
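
The limits stated in Steps 4 through 8 can be checked before you deploy. The following is an added example, not Cisco code and not part of the Firewall Management Center: it lints one planned interface and flags a link where the FEC that auto resolves to (per the table in Step 5) differs from what the peer switch is set to. The plan dictionary, its field names, and the assumption that the peer's FEC is recorded with the same labels as the table are all hypothetical.

```python
# Added example: lint one planned interface against the limits in this
# procedure. The plan's field names are hypothetical, not an FMC schema.
# "auto" FEC defaults from the Step 5 table:
# transceiver -> (fixed port Ethernet 1/9-1/16, network module)
AUTO_FEC = {
    "25G-SR": ("Clause 74 FC-FEC", "Clause 108 RS-FEC"),
    "25G-LR": ("Clause 74 FC-FEC", "Clause 108 RS-FEC"),
    "10/25G-CSR": ("Clause 74 FC-FEC", "Clause 74 FC-FEC"),
    "25G-AOCxM": ("Clause 74 FC-FEC", "Clause 74 FC-FEC"),
    "25G-CU2.5/3M": ("Auto-Negotiate", "Auto-Negotiate"),
    "25G-CU4/5M": ("Auto-Negotiate", "Auto-Negotiate"),
}
MODES = {"None", "Passive", "Erspan"}

def effective_fec(plan):
    """FEC the firewall ends up with; 'auto' is expanded via the table."""
    if plan.get("fec", "auto") != "auto":
        return plan["fec"]
    row = AUTO_FEC.get(plan.get("transceiver"))
    if row is None:
        return None  # transceiver not in the table: cannot predict
    return row[0] if plan.get("fixed_port") else row[1]

def lint(plan):
    """Return findings for one interface; an empty list means it passes."""
    out = []
    desc = plan.get("description", "")
    if len(desc) > 200 or "\r" in desc or "\n" in desc:
        out.append("description: up to 200 characters on a single line")
    if plan.get("sfp") and plan.get("duplex") == "Half":
        out.append("duplex: SFP interfaces only support Full")
    if plan.get("mode", "None") not in MODES:
        out.append("mode: choose None, Passive or Erspan")
    if not 0 <= plan.get("priority", 0) <= 65535:
        out.append("priority: must be within 0-65535")
    if plan.get("speed_gbps", 0) >= 25 and "peer_fec" in plan:
        fec = effective_fec(plan)
        if fec is None:
            out.append("fec: transceiver not in the auto table, set FEC manually")
        elif fec != plan["peer_fec"]:
            out.append(f"fec: firewall uses {fec}, peer switch uses {plan['peer_fec']}")
    return out

# Constructed sample plan (not from a real device): five problems.
BAD = {"description": "uplink\nto core", "sfp": True, "duplex": "Half",
       "mode": "Inline", "priority": 70000, "speed_gbps": 25, "fec": "auto",
       "transceiver": "25G-SR", "fixed_port": False, "peer_fec": "Clause 74 FC-FEC"}
if __name__ == "__main__":
    print("\n".join(lint(BAD)))
```

A FEC finding means one side needs a manual FEC setting or FEC disabled, depending on what the switch supports.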