Firepower Inline interfaces in VLAN

dhr.tech1 · ‎07-04-2016

Hi All,

I just need to confirm if Cisco Firepower Interfaces configured in inline group can be configured and paired as sub interfaces and then mapped to the zones or I need to map physical interfaces only for inline interfaces ?

======================

Current : S1, S2 - > Inline Pair

Required : S1.1, S2.1 ( VLAN100) - > Inline Pair

Required : S1.2, S2.2 (VLAN 200) -> Inline Pair

========================

My main objective is create access policies based on the specific VLAN rather than complete physical interfaces.

Thank you in advance.

Br,

Dhruv

dhr.tech1 · ‎07-04-2016

Hi All,

I went through below link and it describes how we can create sub interfaces and how we could use them when configuring our IPS in route mode and transparent mode interfaces. But I want to configure them in Inline mode. Please help.

http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101011.html#task_4FA3FC2F83774196A854661C2C85D434

============================================================

Configure VLAN Subinterfaces and 802.1Q Trunking

Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	N/A	Firepower Threat Defense	Any	Access Admin Administrator Network Admin

VLAN subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or devices.

Before You Begin

Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair and for EtherChannel links. Because the physical, redundant, or EtherChannel interface must be enabled for the subinterface to pass traffic, ensure that the physical, redundant, or EtherChannel interface does not pass traffic by not naming the interface. If you want to let the physical, redundant, or EtherChannel interface pass untagged packets, you can name the interface as usual.

Procedure

Step 1	Select Devices > Device Management and click the edit icon () for your Firepower Threat Defense device. The Interfaces tab is selected by default.
Step 2	Click Add Interfaces > Sub Interface.
Step 3	On the General tab, set the following parameters: Interface—Choose the physical, redundant, or port-channel interface to which you want to add the subinterface. Sub-Interface ID—Enter the subinterface ID as an integer between 1 and 4294967295. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it. VLAN ID—Enter the VLAN ID between 1 and 4094 that will be used to tag the packets on this subinterface.
Step 4	Click OK.
Step 5	Click Save. You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.
Step 6	Configure the routed or transparent mode interface parameters. See Configure Routed Mode Interfaces or Configure Transparent Mode Interfaces.