Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, 6.2F
Configuring Interfaces

Table Of Contents

Configuring Interfaces

Security Level Overview

Configuring Routed Interfaces

Guidelines and Limitations

Adding or Editing a Routed Interface

Configuring Transparent Interfaces and Bridge Groups

Information About Interfaces in Transparent Mode

Information About Bridge Groups

Information About Device Management

Guidelines and Limitations

Adding or Editing a Bridge Group

Adding or Editing a Transparent Interface

Configuring IPv6 Addressing

Information about IPv6 Addressing

Information About Duplicate Address Detection

Information About Modified EUI-64 Interface IDs

Configuring IPv6 Addressing on an Interface

Configuring the Link-Local Address on an Interface (Transparent Firewall Mode)

Allowing Communication Between Interfaces on the Same Security Level

Configuring Inter-Interface Communication

Configuring Intra-Interface Communication


Configuring Interfaces


This chapter contains the following sections:

Security Level Overview

Configuring Routed Interfaces

Configuring Transparent Interfaces and Bridge Groups

Configuring IPv6 Addressing

Allowing Communication Between Interfaces on the Same Security Level

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level.

The level controls the following behavior:

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the FWSM.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

If you enable communication between same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

If you enable communication between same security interfaces, you can configure established commands for both directions.

Configuring Routed Interfaces

This section describes how to configure routed mode interfaces, and includes the following topics:

Guidelines and Limitations

Adding or Editing a Routed Interface

Guidelines and Limitations

See the following guidelines for configuring an interface:

Multiple Context Mode Guidelines

You can only configure context interfaces that you already assigned to the context in the system configuration.

All allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Configure the context interfaces from within each context.

Configure failover interfaces in the system configuration; do not configure failover interfaces with this procedure. See Failover > Setup Tab for more information ("Adding or Editing a Bridge Group" section).

Failover Guidelines

If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Failover > Setup Tab to configure the failover and state links ("Adding or Editing a Bridge Group" section).

Adding or Editing a Routed Interface

In single context mode, you can add any VLAN ID that is assigned to the FWSM by the switch. You cannot add an interface to a context from this dialog box. See the Security Contexts pane to assign interfaces to contexts.

If you use an interface for failover, do not configure the interface using this procedure; instead, use the Failover > Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit the interface from the Interfaces pane.

To add or edit an interface, perform the following steps:


Step 1 Choose the Configuration > Device Setup > Interfaces pane.

Step 2 Click Add or Edit.

The Add/Edit Interface dialog box appears with the General tab selected.

Step 3 If you are adding an interface in single context mode, choose the VLAN ID from the Interface menu.

Step 4 If the interface is not already enabled, check the Enable Interface check box.

The interface is enabled by default. To disable it, uncheck the check box.

Step 5 (Optional) To set this interface as a management-only interface, check the Dedicate this interface to management-only check box.

Through traffic is not accepted on a management-only interface.

Step 6 In the Interface Name field, enter a name up to 48 characters in length.

Step 7 In the Security level field, enter a level between 0 (lowest) and 100 (highest).

See the "Security Level Overview" section for more information.

Step 8 In the IP Address and Subnet Mask fields, enter the IP address and mask.

Step 9 (Optional) In the Description field, enter a description for this interface.

The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 10 (Optional) To set the MTU, click the Advanced tab and enter the value in the MTU field, between 300 and 65,535 bytes.

The default is 1500 bytes.


Configuring Transparent Interfaces and Bridge Groups

This section includes the following topics:

Information About Interfaces in Transparent Mode

Adding or Editing a Bridge Group

Adding or Editing a Transparent Interface

Information About Interfaces in Transparent Mode

This section includes the following topics:

Information About Bridge Groups

Information About Device Management

Guidelines and Limitations

Information About Bridge Groups

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.


Note The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.


Information About Device Management

For device management, you have two available mechanisms:

Any bridge group management address—Connect to the bridge group network on which your management station is located.

Separate management VLAN—The management VLAN is not part of any bridge group. This VLAN is especially useful in multiple context mode where you can share a single management VLAN across multiple contexts.

See the following guidelines for the management VLAN:

You can have only a single management VLAN in single mode or per context. Note that some contexts can use one VLAN while others can use a different VLAN, so long as each context uses only one management VLAN.

The management VLAN IP address can be on a separate network from any bridge group networks, or can be on the same network as a bridge group network.

If you share the VLAN across multiple contexts, then the VLAN IP address must be on the same network in each context.

You can only share the management VLAN across multiple transparent contexts; you cannot also share this VLAN with a routed context.

Figure 9-1 shows one bridge group each for three contexts, plus a shared management VLAN:

Figure 9-1 Shared Management VLAN

Guidelines and Limitations

See the following guidelines for configuring an interface:

Multiple Context Mode Guidelines

You can only configure context interfaces that you already assigned to the context in the system configuration.

All allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Configure the context interfaces from within each context.

Configure failover interfaces in the system configuration; do not configure failover interfaces with this procedure. See the Failover > Setup Tab for more information.

Failover Guidelines

If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See the Failover > Setup Tab to configure the failover and state links ("Adding or Editing a Bridge Group" section).

After you assign the interface as the failover link or state link, you cannot edit the interface from the Interfaces pane.

Adding or Editing a Bridge Group

To add or edit a bridge group, perform the following steps:


Step 1 On the Configuration > Interfaces > Bridge Groups tab, click Add or Edit.

The Add/Edit Bridge Group dialog box appears.

Step 2 In the Bridge Group field, enter the bridge group ID between 1 and 100.

Step 3 In the IP Address field, enter the management IP address.

A transparent firewall does not participate in IP routing. The only IP configuration required for the FWSM is to set the management IP address for each bridge group. This address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access (alternately, you can add a management-only VLAN. See the "Adding or Editing a Transparent Interface" section).

The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

Step 4 In the Subnet Mask field, enter the subnet mask or choose one from the menu.

Do not assign a host address (/32 or 255.255.255.255) to the transparent firewall. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall) such as a /30 subnet (255.255.255.252). The FWSM drops all ARP packets to or from the first and last addresses in a subnet. For example, if you use a /30 subnet and assign a reserved address from that subnet to the upstream router, then the FWSM drops the ARP request from the downstream router to the upstream router.

Step 5 (Optional) In the Description field, enter a description for this bridge group.
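The subnet guidance in Step 4 (no /32, at least three usable host addresses, first and last addresses of the subnet unusable because the FWSM drops ARP for them, and no secondary networks) is easy to get wrong when choosing the management address by hand. The following Python check is an added example, not code from the guide or from Cisco; it applies those rules to a proposed management IP/mask and the two router addresses. The sample addresses in the usage section are constructed.

```python
import ipaddress

# The guide requires at least three usable host addresses in a bridge-group
# subnet: upstream router, downstream router, and the FWSM management IP.
MIN_USABLE_HOSTS = 3


def usable_hosts(mask: str) -> int:
    """Host addresses left in a subnet after setting aside the first
    (network) and last (broadcast) addresses, which the FWSM drops ARP for.
    mask may be dotted ("255.255.255.248") or a prefix length ("29")."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return max(net.num_addresses - 2, 0)


def check_bridge_group_subnet(mgmt_ip: str, mask: str,
                              upstream: str, downstream: str) -> list:
    """Return the problems with a proposed bridge-group management address
    and the two adjacent router addresses; an empty list means it passes."""
    problems = []
    try:
        net = ipaddress.IPv4Network(f"{mgmt_ip}/{mask}", strict=False)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    if net.prefixlen == 32:
        problems.append("host address (/32) is not allowed for a transparent firewall")
    elif usable_hosts(mask) < MIN_USABLE_HOSTS:
        problems.append(f"{net} leaves only {usable_hosts(mask)} usable host "
                        f"addresses; {MIN_USABLE_HOSTS} are needed (use /29 or larger)")

    # First and last addresses of the subnet: ARP to or from them is dropped.
    reserved = {net.network_address, net.broadcast_address}
    roles = (("management IP", mgmt_ip), ("upstream router", upstream),
             ("downstream router", downstream))
    for role, text in roles:
        addr = ipaddress.IPv4Address(text)
        if addr in reserved:
            problems.append(f"{role} {addr} is the first or last address of {net}; "
                            "the FWSM drops ARP to or from it")
        elif addr not in net:
            # No secondary networks: everything must share the management subnet.
            problems.append(f"{role} {addr} is not on the management network {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    for args in (("10.1.1.2", "255.255.255.252", "10.1.1.1", "10.1.1.3"),
                 ("10.1.1.3", "255.255.255.248", "10.1.1.1", "10.1.1.2")):
        print(args, "->", check_bridge_group_subnet(*args) or "OK")
```

The /30 case reproduces the guide's own failure mode: the downstream router sits on the last address of the subnet, so its ARP request to the upstream router would be dropped. A /29 with the three addresses in the middle of the range passes.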


Adding or Editing a Transparent Interface

This procedure lets you configure VLAN interfaces in transparent mode. For through traffic, you can assign two VLANs to each bridge group. You can also add an optional management VLAN that is not part of any bridge group. See the "Information About Device Management" section.

In single mode, you can add any VLAN ID that is assigned to the FWSM by the switch. You cannot add an interface to a context using this procedure. See the Security Contexts pane to assign interfaces to contexts.

If you intend to use an interface for failover, do not configure the interface using this procedure; instead, use the Failover > Setup Tab. See the "Adding or Editing a Bridge Group" section.

To add or edit an interface, perform the following steps:


Step 1 In the Configuration > Interfaces pane, click Add or Edit.

The Add/Edit Interface dialog box appears with the General tab selected.

Step 2 If you are adding an interface in single context mode, choose the VLAN ID from the Interface menu.

Step 3 To assign the interface to a bridge group, choose the bridge group ID from the Bridge Group menu.

See the "Adding or Editing a Bridge Group" section to view or add a bridge group.


Note For the management-only VLAN, do not assign it to a bridge group.


Step 4 If the interface is not already enabled, check the Enable Interface check box.

The interface is enabled by default. To disable it, uncheck the check box.

Step 5 To set this interface as the management-only interface, check the Dedicate this interface to management-only check box.

Through traffic is not accepted on a management-only interface. This option is required; an interface without this option that is not part of a bridge group will be ignored.

Step 6 In the Interface Name field, enter a name up to 48 characters in length.

Step 7 In the Security level field, enter a level between 0 (lowest) and 100 (highest).

For the management interface, set the security level to 100.

See the "Security Level Overview" section for more information.

Step 8 In the IP Address and Subnet Mask fields, enter the IP address and mask.

Step 9 (Optional) In the Description field, enter a description for this interface.

The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 10 (Optional) To set the MTU, click the Advanced tab and enter the value in the MTU field, between 300 and 65,535 bytes.

The default is 1500 bytes.


Configuring IPv6 Addressing

This section describes how to configure IPv6 addressing and includes the following sections:

Information about IPv6 Addressing

Configuring IPv6 Addressing on an Interface

Configuring the Link-Local Address on an Interface (Transparent Firewall Mode)

For more information about IPv6, see the "IPv6 Addresses" section on page B-5.


Note IPv6 interface settings are not supported in transparent mode.


Information about IPv6 Addressing

When you configure an IPv6 address on an interface, you can assign one or several IPv6 addresses to the interface at one time, such as an IPv6 link-local address and a global address. However, at a minimum, you must configure a link-local address.

Every IPv6-enabled interface must include at least one link-local address. When you configure a global address, a link-local address is automatically configured on the interface, so you do not also need to specifically configure a link-local address. These link-local addresses can only be used to communicate with other hosts on the same physical link.

When IPv6 is used over Ethernet networks, the Ethernet MAC address can be used to generate the 64-bit interface ID for the host. This is called the EUI-64 address. Because MAC addresses use 48 bits, additional bits must be inserted to fill the 64 bits required. The last 64 bits of the address are used for the interface ID. For example, FE80::/10 is the prefix of link-local unicast IPv6 addresses, written in hexadecimal.

Information About Duplicate Address Detection

During the stateless autoconfiguration process, duplicate address detection (DAD) verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, duplicate address detection is then performed on all the other IPv6 unicast addresses on the interface.

Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.

When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:

%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface

If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. However, all configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.

If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 addresses associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).

The FWSM uses neighbor solicitation messages to perform duplicate address detection. By default, the number of times an interface performs duplicate address detection is 1.

Information About Modified EUI-64 Interface IDs

RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits long and be constructed in Modified EUI-64 format. The FWSM can enforce this requirement for hosts attached to the local link.

When this check (the Enforce EUI-64 option) is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:

%PIX|ASA-3-325003: EUI-64 source address check failed.

The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.
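To make the EUI-64 rules concrete, here is an added Python example (not code from the guide or from Cisco) that derives the Modified EUI-64 interface ID from a MAC address, builds the resulting link-local address, checks the FE8/FE9/FEA/FEB link-local rule the guide states elsewhere in this chapter, and models the Enforce EUI-64 source check, including the exemption for addresses beginning with binary 000 and the router case described above. The MAC 00:0d:88:ee:6a:82 is an assumption chosen so that it yields the guide's sample address fe80::20d:88ff:feee:6a82; the other MACs are constructed.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:0d:88:ee:6a:82, 00-0d-88-ee-6a-82 or 000d.88ee.6a82."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit Modified EUI-64 interface ID from a 48-bit MAC:
    insert 0xFFFE between the OUI and the device half, then invert the
    universal/local bit (0x02 of the first octet), as RFC 3513 specifies."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the Modified EUI-64 interface ID: the address an
    interface generates for itself when autoconfiguration is enabled."""
    packed = b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def is_link_local(addr: str) -> bool:
    """True if the address is inside fe80::/10, i.e. its text form starts
    with FE8, FE9, FEA or FEB as the guide requires for link-local addresses."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")


def eui64_source_check(src_ipv6: str, src_mac: str) -> bool:
    """Model of the Enforce EUI-64 check on a new flow: the low 64 bits of the
    source address must equal the Modified EUI-64 ID of the source MAC.
    Addresses whose first three bits are 000 are exempt (RFC 3513)."""
    packed = ipaddress.IPv6Address(src_ipv6).packed
    if packed[0] >> 5 == 0:
        return True
    return packed[8:] == modified_eui64(src_mac)


if __name__ == "__main__":
    host_mac = "00:0d:88:ee:6a:82"          # assumed MAC behind the guide's sample address
    router_mac = "00:1b:2c:3d:4e:5f"        # constructed MAC of an intervening router
    print(link_local_from_mac(host_mac))    # fe80::20d:88ff:feee:6a82
    print(eui64_source_check("fe80::20d:88ff:feee:6a82", host_mac))     # True
    # A host behind a router arrives with the router's MAC, so the check fails:
    print(eui64_source_check("2001:db8::20d:88ff:feee:6a82", router_mac))  # False
```

The last call reproduces the caveat in the paragraph above: the address itself is a valid Modified EUI-64 address for the host, but because the frame carries the router's MAC, the FWSM cannot match the two and drops the packet.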

Configuring IPv6 Addressing on an Interface

For information about IPv6 addressing, see the "Configuring IPv6 Addressing" section.

To configure IPv6 addressing on an interface, perform the following steps:


Step 1 Choose the Configuration > Device Setup > Interfaces pane.

Step 2 Choose an interface from the list of configured interfaces, and click Edit.

The Edit Interfaces dialog box appears with the General tab selected.

Step 3 Click the IPv6 tab.

Step 4 (Optional) To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, check the Enforce EUI-64 check box.

If the interface identifiers do not conform to the modified EUI-64 format, an error message appears. See the "Information About Modified EUI-64 Interface IDs" section for more information.

Step 5 Configure the global IPv6 address using one of the following methods.


Note If you do not want to configure a global IPv6 address, you can configure the link-local addresses either automatically by checking the Enable IPv6 check box or manually by entering a value in the Link-local address field in the Interface IPv6 Addresses area. A link-local address should start with FE8, FE9, FEA, or FEB, for example, fe80::20d:88ff:feee:6a82. See the "IPv6 Addresses" section on page B-5 for more information about IPv6 addressing.
If you configure a global IPv6 address (or manually configure a link-local address), checking or unchecking the Enable IPv6 check box does not affect how IPv6 operates; IPv6 continues to be enabled.


Stateless autoconfiguration—In the Interface IPv6 Addresses area, check the Enable address autoconfiguration check box.
Enabling stateless autoconfiguration on the interface configures IPv6 addresses based upon prefixes received in Router Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled.

Manual configuration—To manually configure a global IPv6 address, do the following:

a. In the Interface IPv6 Addresses area, click Add.

The Add IPv6 Address for Interface dialog box appears.

b. In the Address/Prefix Length field, enter the global IPv6 address and the IPv6 prefix length. For example, 2001:0DB8::BA98:0:3210/48. See the "IPv6 Addresses" section on page B-5 for more information about IPv6 addressing.

c. (Optional) To use the Modified EUI-64 interface ID in the low order 64 bits of the address, check the EUI-64 check box.

d. Click OK.

Step 6 (Optional) In the top area, customize the IPv6 configuration by configuring the following options:

DAD Attempts—This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. Valid values are from 0 to 600. A zero value disables DAD processing on the specified interface. The default is one message.

NS Interval—Enter the neighbor solicitation message interval. The neighbor solicitation message requests the link-layer address of a target node. Valid values are from 1000 to 3600000 milliseconds. The default is 1000 milliseconds.

Reachable Time—Enter the amount of time in seconds that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred. Valid values are from 0 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.

RA Lifetime—Enter the amount of time that IPv6 router advertisement transmissions are considered valid. Valid values are from 0 to 9000 seconds. The default is 1800 seconds. Router advertisement transmissions include a preference level and a lifetime field for each advertised router address. These transmissions provide router information and indicate that the router is still operational to network hosts.

RA Interval—Enter the interval between IPv6 router advertisement transmissions. Valid values are from 3 to 1800 seconds. The default is 200 seconds. To list the router advertisement transmission interval in milliseconds, check the RA Interval in Milliseconds check box. Valid values are from 500 to 1800000 milliseconds.

To allow the generation of addresses for hosts, make sure that the Suppress RA check box is unchecked. This is the default setting if IPv6 unicast routing is enabled. To prevent the generation of IPv6 router advertisement transmissions, check the Suppress RA check box.

Step 7 (Optional) To configure which IPv6 prefixes are included in IPv6 router advertisements, complete the following:

By default, prefixes configured as addresses on an interface are advertised in router advertisements. If you configure prefixes for advertisement using this area, then only these prefixes are advertised.

a. In the Interface IPv6 Prefixes area, click Add.

The Add IPv6 Prefix for Interface dialog box appears.

b. In the Address/Prefix Length field, enter the IPv6 address with the prefix length. To configure settings that apply to all prefixes, check the Default Values check box instead of entering an address.

c. (Optional) To indicate that the IPv6 prefix is not advertised, check the No Advertisements check box.

d. (Optional) To indicate that the specified prefix is not used for on-link determination, check the Off-link check box.

e. (Optional) To indicate to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration, check the No Auto-Configuration check box.

f. In the Prefix Lifetime area, choose one of the following.

Lifetime Duration—Specify the following:

A valid lifetime for the prefix in seconds from the drop-down list. This setting is the amount of time that the specified IPv6 prefix is advertised as being valid. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default setting is 6048000 (seven days).

Lifetime Expiration Date—Specify the following:

Choose a valid month and day from the drop-down list, and then enter a time in hh:mm format.

Choose a preferred month and day from the drop-down list, and then enter a time in hh:mm format.

Step 8 Click OK.

You return to the Edit Interface dialog box.

Step 9 Click OK.

You return to the Configuration > Device Setup > Interfaces pane.


Configuring the Link-Local Address on an Interface (Transparent Firewall Mode)

If you only need to configure a link-local address and are not going to assign any other IPv6 addresses, you have the option of manually defining the link-local address.

To assign a link-local address to an interface, perform the following steps:


Step 1 Choose the Configuration > Device Setup > Interfaces pane.

Step 2 Choose an interface from the list of configured interfaces, and click Edit.

The Edit Interface dialog box appears with the General tab selected.

Step 3 Click the IPv6 tab.

Step 4 (Optional) To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, check the Enforce EUI-64 check box.

If the interface identifiers do not conform to the modified EUI-64 format, an error message appears. See the "Information About Modified EUI-64 Interface IDs" section for more information.

Step 5 To set the link-local address, enter an address in the Link-local address field.

Step 6 A link-local address should start with FE8, FE9, FEA, or FEB, for example, fe80::20d:88ff:feee:6a82. See the "IPv6 Addresses" section on page B-5 for more information about IPv6 addressing.

Step 7 Click OK.


Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other, even if you configure NAT and access lists. Also, by default, traffic cannot enter and exit the same interface. This section describes how to configure inter-interface and intra-interface communication, and includes the following topics:

Configuring Inter-Interface Communication

Configuring Intra-Interface Communication

Configuring Inter-Interface Communication

Allowing communication between same security interfaces lets you configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).


Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the "NAT and Same Security Level Interfaces" section on page 22-14 for more information on NAT and same security level interfaces.


If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

To enable interfaces on the same security level to communicate with each other, in the Configuration > Interfaces pane, check the Enable traffic between two or more interfaces which are configured with same security level check box.


Note If you use a same-security interface for both the outside and inside interfaces, you might want to enable xlate bypass (see the "Enabling Xlate Bypass" section on page 22-17); in some situations, you can exceed the maximum number of xlates using that configuration (see the "Managed System Resources" section on page 2-5 for limits). For example, without xlate bypass, the FWSM creates xlates for all connections (even if you do not configure NAT). In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it. If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.


Configuring Intra-Interface Communication

Routed Mode Only

You can configure the FWSM to enable communication between two hosts on the same interface. Before you can enable this feature, you must first correctly configure the MSFC so that packets are sent to the FWSM MAC address instead of being sent directly through the switch to the destination host. Figure 9-2 shows a network where hosts on the same interface need to communicate. The following samples show the route-map command used to enable policy routing on the MSFC in the network shown in Figure 9-2:

Router(config)# route-map intra-inter3 permit 0
Router(config-route-map)# match ip address 103
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Router(config)# route-map intra-inter2 permit 20
Router(config-route-map)# match ip address 102
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Router(config)# route-map intra-inter1 permit 10
Router(config-route-map)# match ip address 101
Router(config-route-map)# set interface Vlan20
Router(config-route-map)# set ip next-hop 10.6.34.7

Figure 9-2 Communication Between Hosts on the Same Interface

When you enable communication between two hosts on the same interface, keep in mind the following requirements:

Outside NAT is not supported.

You can configure static routes from one interface to another on the same security level.

To enable interfaces on the same security level to communicate with each other, in the Configuration > Interfaces pane, check the Enable traffic between two or more hosts connected to the same interface check box.
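The security-level rules spread across this chapter (the "Security Level Overview" section and the two same-security settings above) determine, for any pair of interfaces, whether the level rules alone block the path and which level-dependent features apply. The following Python model is an added example, not code from the guide or from Cisco; it encodes only what this chapter states: same-security and intra-interface traffic is blocked unless the corresponding check box is enabled, HTTP(S)/FTP filtering applies to outbound traffic (or either direction between same-security interfaces), NAT control requires NAT only for outbound flows, the established feature covers lower-to-higher return connections (both directions for same-security interfaces), and without same-security communication only one interface per level is possible. Interface names and levels in the usage section are constructed; whether a given flow is ultimately permitted still depends on access lists, which this model does not evaluate.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Fwsm:
    """Interface security levels plus the settings that govern
    same-security traffic, as set in the Configuration > Interfaces pane."""
    levels: Dict[str, int] = field(default_factory=dict)
    same_security_inter: bool = False  # traffic between interfaces at one level
    same_security_intra: bool = False  # traffic in and out of a single interface
    nat_control: bool = False

    def add_interface(self, name: str, level: int) -> bool:
        """Add an interface; returns False (and adds nothing) if the level is
        out of range or already taken while same-security traffic is off."""
        if not 0 <= level <= 100:
            return False
        if not self.same_security_inter and level in self.levels.values():
            # Without same-security traffic only one communicating interface
            # per level is possible, so 101 interfaces (levels 0..100) is the ceiling.
            return False
        self.levels[name] = level
        return True

    def direction(self, src: str, dst: str) -> str:
        """Classify a flow by the relative security levels of its interfaces."""
        if src == dst:
            return "intra-interface"
        s, d = self.levels[src], self.levels[dst]
        if s > d:
            return "outbound"   # higher level to lower level
        if s < d:
            return "inbound"    # lower level to higher level
        return "same-security"

    def evaluate(self, src: str, dst: str) -> Dict[str, object]:
        """Which of the chapter's level-dependent behaviours apply to src -> dst."""
        kind = self.direction(src, dst)
        same = kind == "same-security"
        if kind == "intra-interface":
            blocked = not self.same_security_intra
        elif same:
            blocked = not self.same_security_inter
        else:
            blocked = False  # levels alone do not block it; access lists still decide
        return {
            "direction": kind,
            "blocked_by_level_rules": blocked,
            "filtering_applies": kind == "outbound" or (same and self.same_security_inter),
            "nat_required": self.nat_control and kind == "outbound",
            "established_applies": kind == "inbound" or (same and self.same_security_inter),
        }


if __name__ == "__main__":
    # Constructed topology: classic three-interface layout with NAT control on.
    fw = Fwsm(nat_control=True)
    for name, level in (("inside", 100), ("dmz", 50), ("outside", 0)):
        fw.add_interface(name, level)
    print("dmz2 at level 50 accepted:", fw.add_interface("dmz2", 50))  # False
    for pair in (("inside", "outside"), ("outside", "inside"), ("inside", "inside")):
        print(pair, fw.evaluate(*pair))
```

Flipping same_security_inter to True is what lets a second interface share level 50, and it also changes the filtering and established answers for flows between those two interfaces, which is the behaviour the overview section describes.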