About FTD Interfaces
The FTD device includes data interfaces as well as a management/diagnostic interface. The following topics explain the limitations of configuring interfaces through Firepower Device Manager as well as other interface management concepts.
In routed firewall mode, each interface is a Layer 3 routed interface for which you need to set an IP address on a unique subnet.
You can configure both IPv6 and IPv4 addresses on an interface. Make sure you configure a default route for both IPv4 and IPv6.
You can configure two types of unicast addresses for IPv6:
Global—The global address is a public address that you can use on the public network. You cannot specify any of the following as a global address:
Internally reserved IPv6 addresses: fd00::/56 (from fd00:: to fd00:0000:0000:00ff:ffff:ffff:ffff:ffff)
An unspecified address, such as ::/128
The loopback address, ::1/128
Multicast addresses, ff00::/8
Link-local addresses, fe80::/10
Link-local—The link-local address is a private address that you can only use on the directly-connected network. Routers do not forward packets using link-local addresses; they are only for communication on a particular physical network segment. They can be used for address configuration or for the Network Discovery functions such as address resolution and neighbor discovery.
At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global address, a link-local address is automatically configured on the interface, so you do not also need to specifically configure a link-local address. If you do not configure a global address, then you need to configure the link-local address, either automatically or manually.
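The two rules above (a global IPv6 address must avoid the reserved ranges, and every routed interface needs its own unique subnet) are easy to check before a configuration is deployed. The following is an added example, not Cisco's code; the interface names and addresses in the test are constructed, and the check applies to IPv4 and IPv6 assignments alike.

```python
import ipaddress
from itertools import combinations

# Ranges that the configuration guide says may not be used as a global
# IPv6 address. fd00::/56 is the internally reserved block, i.e.
# fd00:: through fd00:0000:0000:00ff:ffff:ffff:ffff:ffff.
DISALLOWED_GLOBAL = (
    ("internally reserved", ipaddress.IPv6Network("fd00::/56")),
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
)


def check_global_ipv6(address):
    """Return None if `address` (IPv6, optional /prefix) is acceptable as a
    global address, otherwise the name of the disallowed range it falls in."""
    iface = ipaddress.IPv6Interface(address)
    for name, net in DISALLOWED_GLOBAL:
        if iface.ip in net:
            return name
    return None


def overlapping_interfaces(assignments):
    """assignments maps interface name -> 'address/prefix' (IPv4 or IPv6).
    Returns the sorted (name_a, name_b) pairs whose subnets overlap, which
    violates the unique-subnet requirement for routed interfaces (a
    Diagnostic interface with an IP address counts as a regular interface)."""
    nets = {name: ipaddress.ip_interface(a).network for name, a in assignments.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    # Constructed sample plan: the Diagnostic address collides with inside.
    plan = {"inside": "192.168.1.1/24", "outside": "203.0.113.1/24",
            "diagnostic": "192.168.1.2/24"}
    print("subnet clashes:", overlapping_interfaces(plan))
    print("fd00::1 as global:", check_global_ipv6("fd00::1"))
```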
Management/Diagnostic Interface and Network Deployment
The physical management interface is shared between the Diagnostic logical interface and the Management logical interface.
The Management logical interface is separate from the other interfaces on the device. It is used to run the configuration interface, allow access to the device command line interface (CLI), and to obtain updates for various features. Configure the address on the management interface settings page in Firepower Device Manager. You can configure additional settings at the CLI using the configure network command.
The Diagnostic logical interface can be configured along with the rest of the data interfaces. Using the Diagnostic interface is optional. For example, configure an IP address if you do not want to send system log messages to a remote syslog server through a data interface. The Diagnostic interface only allows management traffic, and does not allow through traffic.
Routed Mode Deployment
We recommend that you do not configure an IP address for the Diagnostic interface if you do not have an inside router. The benefit to leaving the IP address off of the Diagnostic interface is that you can place the Management interface on the same network as any other data interfaces. If you configure the Diagnostic interface, its IP address is typically on the same network as the Management IP address, and it counts as a regular interface that cannot be on the same network as any other data interfaces. Because the Management interface requires Internet access for updates, putting Management on the same network as an inside interface means you can deploy the FTD device with only a switch on the inside and point to the inside interface as its gateway. See the following deployment that uses an inside switch:
To cable the above scenario on the ASA 5508-X or ASA 5516-X, see the following:
If you configure the Diagnostic IP address, then you need an inside router:
Security Zones
Each interface can be assigned to a single security zone. You then apply your security policy based on zones. For example, you can assign the inside interface to the inside zone and the outside interface to the outside zone. You can then configure your access control policy to allow traffic from inside to outside, but not from outside to inside, for example.
You do not include the Diagnostic/Management interface in a zone. Zones apply to data interfaces only.
You can create security zones on the Objects page.
Auto-MDI/MDIX Feature
For RJ-45 interfaces, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it.
About the MTU
The MTU specifies the maximum frame payload size that the Firepower Threat Defense device can transmit on a given Ethernet interface. The MTU value is the frame size without Ethernet headers, VLAN tagging, or other overhead. For example, when you set the MTU to 1500, the expected frame size is 1518 bytes including the headers, or 1522 when using VLAN. Do not set the MTU value higher to accommodate these headers.
Path MTU Discovery
The Firepower Threat Defense device supports Path MTU Discovery (as defined in RFC 1191), which lets all devices in a network path between two hosts coordinate the MTU so they can standardize on the lowest MTU in the path.
MTU and Fragmentation
For IPv4, if an outgoing IP packet is larger than the specified MTU, it is fragmented into two or more frames. Fragments are reassembled at the destination (and sometimes at intermediate hops), and fragmentation can cause performance degradation. For IPv6, packets are typically not allowed to be fragmented at all. Therefore, your IP packets should fit within the MTU size to avoid fragmentation.
For UDP or ICMP, the application should take the MTU into account to avoid fragmentation.
The Firepower Threat Defense device can receive frames larger than the configured MTU as long as there is room in memory.
MTU and Jumbo Frames
A larger MTU lets you send larger packets. Larger packets might be more efficient for your network. See the following guidelines:
Matching MTUs on the traffic path—We recommend that you set the MTU on all Firepower Threat Defense device interfaces and other device interfaces along the traffic path to be the same. Matching MTUs prevents intermediate devices from fragmenting the packets.
Accommodating jumbo frames—A jumbo frame is an Ethernet packet larger than the standard maximum of 1522 bytes (including Layer 2 header and VLAN header), up to 9216 bytes. You can set the MTU up to 9198 bytes to accommodate jumbo frames.
Increasing the MTU assigns more memory for jumbo frames, which might limit the maximum usage of other features, such as access rules. If you increase the MTU above the default 1500 on ASA 5500-X series devices, you must reboot the system.
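The MTU guidance in this section (frame size versus MTU, the 9198-byte ceiling, the reboot requirement above 1500 on ASA 5500-X, matching MTUs along the path, and IPv4 versus IPv6 fragmentation) can be turned into a small pre-deployment check. This is an added example, not Cisco's code; it assumes a 14-byte Ethernet header plus 4-byte FCS, a 4-byte VLAN tag, and a 20-byte IPv4 header without options, and the sample path in the test is constructed.

```python
import math

ETH_HEADER_AND_FCS = 18   # 14-byte header + 4-byte FCS (assumption, standard Ethernet)
VLAN_TAG = 4              # 802.1Q tag (assumption, standard tagging)
IPV4_HEADER = 20          # IPv4 header without options (assumption)
DEFAULT_MTU = 1500
MAX_MTU = 9198            # highest MTU the guide allows for jumbo frames


def frame_size(mtu, vlan_tagged=False):
    """On-the-wire frame size for a payload MTU: 1500 -> 1518, or 1522 with VLAN."""
    return mtu + ETH_HEADER_AND_FCS + (VLAN_TAG if vlan_tagged else 0)


def check_mtu(mtu, asa_5500x=True):
    """Return a list of findings for a proposed interface MTU (empty = fine)."""
    findings = []
    if mtu > MAX_MTU:
        findings.append("exceeds maximum MTU of %d" % MAX_MTU)
    if asa_5500x and mtu > DEFAULT_MTU:
        findings.append("reboot required on ASA 5500-X when MTU exceeds %d" % DEFAULT_MTU)
    return findings


def path_mtu(interface_mtus):
    """interface_mtus maps interface name -> MTU for every hop on the traffic path.
    Returns (lowest MTU, names whose MTU differs from it). Path MTU Discovery
    settles on the lowest value; any name listed is a mismatch to fix."""
    lowest = min(interface_mtus.values())
    return lowest, sorted(n for n, m in interface_mtus.items() if m != lowest)


def frames_needed(packet_size, mtu, ipv6=False):
    """Frames an IP packet of packet_size bytes occupies at a given MTU.
    IPv6 packets are not fragmented, so None means the packet does not fit
    and the sender must shrink it. IPv4 is split into fragments whose data
    length is a multiple of 8 bytes, each carrying its own 20-byte header."""
    if packet_size <= mtu:
        return 1
    if ipv6:
        return None
    data_per_fragment = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil((packet_size - IPV4_HEADER) / data_per_fragment)


if __name__ == "__main__":
    # Constructed path: one hop still at the 1500 default drags the path down.
    print(path_mtu({"ftd-inside": 9000, "core-switch": 1500, "server-nic": 9000}))
    print(frames_needed(3000, 1500), frames_needed(3000, 1500, ipv6=True))
```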