Hybrid Interfaces

The following topics describe how to configure logical hybrid interfaces:

About Hybrid Interfaces

You can configure logical hybrid interfaces on managed devices that allow the Firepower System to bridge traffic between virtual routers and virtual switches. If IP traffic received on interfaces in a virtual switch is addressed to the MAC address of an associated hybrid logical interface, the system handles it as Layer 3 traffic and either routes or responds to the traffic depending on the destination IP address. If the system receives any other traffic, it handles it as Layer 2 traffic and switches it appropriately. You cannot configure logical hybrid interfaces on an NGIPSv device.

Note that hybrid interfaces that are not associated with both a virtual switch and a virtual router are not available for routing, and do not generate or respond to traffic.

Logical Hybrid Interfaces

You must associate a logical hybrid interface with a virtual router and virtual switch to bridge traffic between Layer 2 and Layer 3. You can only associate a single hybrid interface with a virtual switch. However, you can associate multiple hybrid interfaces with a virtual router.

You can also configure the Cisco Redundancy Protocol (SFRP) on a logical hybrid interface. SFRP allows devices to act as redundant gateways for specified IP addresses.

Note that disabling the ICMP Enable Responses option for hybrid interfaces does not prevent ICMP responses in all scenarios. You can add network-based rules to an access control policy to drop packets where the destination IP is the hybrid interface’s IP and the protocol is ICMP.

If you have enabled the Inspect Local Router Traffic option on the managed device, it drops the packets before they reach the host, thereby preventing any response.

The range of MTU values can vary depending on the model of the managed device and the interface type.


Caution


Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.


Adding Logical Hybrid Interfaces

Smart License: Any
Classic License: Control
Supported Devices: 7000 & 8000 Series
Supported Domains: Leaf only
Access: Admin/Network Admin


Caution


Adding a routed interface pair on 7000 or 8000 Series devices restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to add the hybrid interface, click the edit icon.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

From the Add drop-down menu, choose Add Logical Interface.

Step 4

Click Hybrid to display the hybrid interface options.

Step 5

In the Name field, enter a name for the interface.

Step 6

From the Virtual Router drop-down list, choose an existing virtual router, choose None, or choose New to add a new virtual router.

Note

If you add a new virtual router, you must configure it on the Device Management page after you finish setting up the hybrid interface. See Adding Virtual Routers.

Step 7

From the Virtual Switch drop-down list, choose an existing virtual switch, choose None, or choose New to add a new virtual switch.

Note

If you add a new virtual switch, you must configure it on the Device Management page after you finish setting up the hybrid interface. See Adding Virtual Switches.

Step 8

Check the Enabled check box to allow the hybrid interface to handle traffic.

Note

If you clear the check box, the interface becomes disabled and administratively taken down.

Step 9

In the MTU field, enter a maximum transmission unit (MTU), which designates the largest size packet allowed.

The range of MTU values can vary depending on the model of the managed device and the interface type.

Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Step 10

Next to ICMP, check the Enable Responses check box to allow the interface to respond to ICMP traffic such as pings and traceroute.

Step 11

Next to IPv6 NDP, check the Enable Router Advertisement check box to enable the interface to broadcast router advertisements. You can only enable this option if you added IPv6 addresses.

Step 12

To add an IP address, click Add.

Step 13

In the Address field, enter the IP address and subnet mask. Note the following:

  • You cannot add network and broadcast addresses, or the static MAC addresses 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF.

  • You cannot add identical IP addresses, regardless of subnet mask, to interfaces in virtual routers.

Step 14

Optionally, if you have IPv6 addresses, next to the IPv6 field, check the Address Autoconfiguration check box to set the IP address of the interface automatically.

Step 15

For Type, choose either Normal or SFRP.

Step 16

If you chose SFRP for Type, set options as described in SFRP.

Step 17

Click OK.

Step 18

Click Save.
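
The constraints stated above (both associations required, one hybrid interface per virtual switch, address restrictions, and the Snort restart when the highest MTU changes) can be checked against a planned configuration before deployment. The following is an added example, not Cisco code: the plan layout, the interface names, and the current_max_mtu parameter (the highest MTU now configured on non-management interfaces) are assumptions, and only a raise of the highest MTU is detected.

```python
import ipaddress
from collections import defaultdict

# Constructed sample plan: names, layout and addresses are illustrative only.
PLAN = [
    {"name": "hyb0", "router": "vr1", "switch": "vs1", "mtu": 1500,
     "addresses": ["10.1.1.1/24"]},
    {"name": "hyb1", "router": "vr1", "switch": "vs1", "mtu": 1500,
     "addresses": ["10.1.1.1/16", "10.2.0.255/24"]},
    {"name": "hyb2", "router": "vr1", "switch": None, "mtu": 9000,
     "addresses": ["2001:db8::1/64"]},
]

def lint_hybrid_plan(plan, current_max_mtu):
    """Return sorted (interface, finding) pairs for the constraints on this page."""
    findings = set()
    switch_members = defaultdict(list)
    owner_of_ip = {}
    for intf in plan:
        name = intf["name"]
        # Both associations are required before the interface routes or responds.
        if not (intf["router"] and intf["switch"]):
            findings.add((name, "inactive: needs both virtual router and virtual switch"))
        if intf["switch"]:
            switch_members[intf["switch"]].append(name)
        # Raising the highest MTU restarts Snort on deploy.
        if intf["mtu"] > current_max_mtu:
            findings.add((name, "mtu: raises highest MTU, Snort restarts on deploy"))
        for text in intf["addresses"]:
            addr = ipaddress.ip_interface(text)
            net = addr.network
            # Network/broadcast check applies to IPv4 prefixes shorter than /31.
            if addr.version == 4 and net.prefixlen < 31 and addr.ip in (
                    net.network_address, net.broadcast_address):
                findings.add((name, f"address: {text} is a network or broadcast address"))
            # Identical IPs are rejected regardless of mask; compared across all
            # router-attached interfaces here (assumption: scope not stated).
            if intf["router"]:
                first = owner_of_ip.setdefault(addr.ip, name)
                if first != name:
                    findings.add((name, f"address: {addr.ip} already on {first}"))
    for switch, names in switch_members.items():
        for extra in names[1:]:
            findings.add((extra, f"switch: {switch} already has hybrid interface {names[0]}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in lint_hybrid_plan(PLAN, current_max_mtu=1500):
        print(f"{name}: {finding}")
```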


What to do next

Deleting Logical Hybrid Interfaces

Smart License: Any
Classic License: Control
Supported Devices: 7000 & 8000 Series
Supported Domains: Leaf only
Access: Admin/Network Admin

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to delete the logical hybrid interface, click the edit icon.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Next to the logical hybrid interface you want to delete, click the delete icon.

Step 4

When prompted, confirm that you want to delete the interface.


What to do next