Interface Management

About Firepower Interfaces

The Firepower 4100/9300 chassis supports physical interfaces and EtherChannel (port-channel) interfaces. EtherChannel interfaces can include up to 16 member interfaces of the same type.

Chassis Management Interface

The chassis management interface is used for management of the FXOS Chassis by SSH or Firepower Chassis Manager. This interface is separate from the mgmt-type interface that you assign to the logical devices for application management.

To configure parameters for this interface, you must configure them from the CLI. To view information about this interface in the FXOS CLI, connect to local management and show the management port:

Firepower # connect local-mgmt

Firepower(local-mgmt) # show mgmt-port

Note that the chassis management interface remains up even if the physical cable or SFP module are unplugged, or if the mgmt-port shut command is performed.


Note

The chassis management interface does not support jumbo frames.


Interface Types

Each interface can be one of the following types:

  • Data—Use for regular data. Data interfaces cannot be shared between logical devices, and logical devices cannot communicate over the backplane to other logical devices. For traffic on Data interfaces, all traffic must exit the chassis on one interface and return on another interface to reach another logical device.

  • Mgmt—Use to manage application instances. These interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface. You can only assign one management interface per logical device. For ASA: You can later enable management from a data interface; but you must assign a Management interface to the logical device even if you don't intend to use it after you enable data management. For information about the separate chassis management interface, see Chassis Management Interface.


    Note

    Mgmt interface change will cause reboot of the logical device, for example one change mgmt from e1/1 to e1/2 will cause the logical device to reboot to apply the new management.


  • Firepower-eventing—Use as a secondary management interface for FTD devices. To use this interface, you must configure its IP address and other parameters at the FTD CLI. For example, you can separate management traffic from events (such as web events). See the FMC configuration guide for more information. Firepower-eventing interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface.

  • Cluster—Use as the cluster control link for a clustered logical device. By default, the cluster control link is automatically created on Port-channel 48. The Cluster type is only supported on EtherChannel interfaces.

FXOS Interfaces vs. Application Interfaces

The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application.

The following sections describe the interaction between FXOS and the application for interfaces.

VLAN Subinterfaces

For all logical devices, you can create VLAN subinterfaces within the application.

Independent Interface States in the Chassis and in the Application

You can administratively enable and disable interfaces in both the chassis and in the application. For an interface to be operational, the interface must be enabled in both operating systems. Because the interface state is controlled independently, you may have a mismatch between the chassis and application.

Hardware Bypass Pairs

For the FTD, certain interface modules on the Firepower 9300 and 4100 series let you enable the Hardware Bypass feature. Hardware Bypass ensures that traffic continues to flow between an inline interface pair during a power outage. This feature can be used to maintain network connectivity in the case of software or hardware failures.

The Hardware Bypass feature is configured within the FTD application. You do not need to use these interfaces as Hardware Bypass pairs; they can be used as regular interfaces for both the ASA and the FTD applications. Note that Hardware Bypass-capable interfaces cannot be configured for breakout ports. If you want to use the Hardware Bypass feature, do not configure the ports as EtherChannels; otherwise, you can include these interfaces as EtherChannel members in regular interface mode.

When Hardware Bypass is enabled on an inline pair, switch bypass is attempted first. If the bypass configuration fails due a switch error, physical bypass is enabled.


Note

Hardware Bypass (FTW) is not supported on FTD installed in service-chaining with third-party applications, such as VDP/Radware.


The FTD supports Hardware Bypass for interface pairs on specific network modules on the following models:

  • Firepower 9300

  • Firepower 4100 series

The supported Hardware Bypass network modules for these models include:

  • Firepower 6-port 1G SX FTW Network Module single-wide (FPR-NM-6X1SX-F)

  • Firepower 6-port 10G SR FTW Network Module single-wide (FPR-NM-6X10SR-F)

  • Firepower 6-port 10G LR FTW Network Module single-wide (FPR-NM-6X10LR-F)

  • Firepower 2-port 40G SR FTW Network Module single-wide (FPR-NM-2X40G-F)

  • Firepower 8-port 1G Copper FTW Network Module single-wide (FPR-NM-8X1G-F)

Hardware Bypass can only use the following port pairs:

  • 1 & 2

  • 3 & 4

  • 5 & 6

  • 7 & 8

Jumbo Frame Support

The Firepower 4100/9300 chassis has support for jumbo frames enabled by default. To enable jumbo frame support on a specific logical device installed on the Firepower 4100/9300 chassis, you will need to configure the appropriate MTU settings for the interfaces on the logical device.

The maximum MTU that is supported for the application on the Firepower 4100/9300 chassis is 9184.


Note

The chassis management interface does not support jumbo frames.


Inline Set Link State Propagation for the Firepower Threat Defense

An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the system to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped.

When you configure an inline set in the FTD application and enable link state propagation, the FTD sends inline set membership to the FXOS chassis. Link state propagation means that the chassis automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the chassis senses the change and updates the link state of the other interface to match it. Note that the chassis requires up to 4 seconds to propagate link state changes. Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

Guidelines and Limitations for Firepower Interfaces

Inline Sets for FTD

  • Supported for physical interfaces (both regular and breakout ports) and EtherChannels.

  • Link state propagation is supported.

Hardware Bypass

  • Supported for the FTD; you can use them as regular interfaces for the ASA.

  • The FTD only supports Hardware Bypass with inline sets.

  • Hardware Bypass-capable interfaces cannot be configured for breakout ports.

  • You cannot include Hardware Bypass interfaces in an EtherChannel and use them for Hardware Bypass; you can use them as regular interfaces in an EtherChannel.

  • Hardware Bypass is not supported with High Availability.

Default MAC Addresses

Default MAC address assignments depend on the type of interface.

  • Physical interfaces—The physical interface uses the burned-in MAC address.

  • EtherChannels—For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses a unique MAC address from a pool; interface membership does not affect the MAC address.

Configure Interfaces

By default, physical interfaces are disabled. You can enable interfaces, add EtherChannels, and edit interface properties.

Configure a Physical Interface

You can physically enable and disable interfaces, as well as set the interface speed and duplex. To use an interface, it must be physically enabled in FXOS and logically enabled in the application.

Before you begin

  • Interfaces that are already a member of an EtherChannel cannot be modified individually. Be sure to configure settings before you add it to the EtherChannel.

Procedure


Step 1

Enter interface mode.

scope eth-uplink

scope fabric a

Step 2

Enable the interface.

enter interface interface_id

enable

Example:


Firepower /eth-uplink/fabric # enter interface Ethernet1/8
Firepower /eth-uplink/fabric/interface # enable

Note 

Interfaces that are already a member of a port-channel cannot be modified individually. If you use the enter interface or scope interface command on an interface that is a member of a port channel, you will receive an error stating that the object does not exist. You should edit interfaces using the enter interface command before you add them to a port-channel.

Step 3

(Optional) Set the interface type.

set port-type {data | mgmt | firepower-eventing | cluster}

Example:


Firepower /eth-uplink/fabric/interface # set port-type mgmt

The data keyword is the default type. Do not choose the cluster keyword; by default, the cluster control link is automatically created on Port-channel 48.

Step 4

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 5

Set the interface speed.

set admin-speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-speed 1gbps

Step 6

Set the interface duplex mode.

set admin-duplex {fullduplex | halfduplex}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-duplex halfduplex

Step 7

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 8

Save the configuration.

commit-buffer

Example:


Firepower /eth-uplink/fabric/interface* # commit-buffer
Firepower /eth-uplink/fabric/interface #


Add an EtherChannel (Port Channel)

An EtherChannel (also known as a port channel) can include up to 16 member interfaces of the same media type and capacity, and must be set to the same speed and duplex. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface. The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.

LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group.

When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended state until you assign it to a logical device, even if the physical link is up. The EtherChannel will be brought out of this Suspended state in the following situations:

  • The EtherChannel is added as a data or management interface for a standalone logical device

  • The EtherChannel is added as a management interface or cluster control link for a logical device that is part of a cluster

  • The EtherChannel is added as a data interface for a logical device that is part of a cluster and at least one unit has joined the cluster

Note that the EtherChannel does not come up until you assign it to a logical device. If the EtherChannel is removed from the logical device or the logical device is deleted, the EtherChannel will revert to a Suspended state.

Procedure


Step 1

Enter interface mode:

scope eth-uplink

scope fabric a

Step 2

Create the port-channel:

create port-channel id

enable

Step 3

Assign member interfaces:

create member-port interface_id

You can add up to 16 member interfaces of the same media type and capacity. The member interfaces must be set to the same speed and duplex, and must match the speed and duplex that you configured for this port channel. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface.

Example:


Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
Firepower /eth-uplink/fabric/port-channel/member-port* # exit

Step 4

(Optional) Set the interface type.

set port-type {data | mgmt | firepower-eventing | cluster}

Example:


Firepower /eth-uplink/fabric/port-channel # set port-type data

The data keyword is the default type. Do not choose the cluster keyword unless you want to use this port-channel as the cluster control link instead of the default.

Step 5

Set the required interface speed for members of the port-channel.

set speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}

If you add a member interface that is not at the specified speed, it will not successfully join the port channel. The default is 10gbps .

Example:


Firepower /eth-uplink/fabric/port-channel* # set speed 1gbps

Step 6

(Optional) Set the required duplex for members of the port-channel.

set duplex {fullduplex | halfduplex}

If you add a member interface that is configured with the specified duplex, it will not successfully join the port channel. The default is fullduplex .

Example:


Firepower /eth-uplink/fabric/port-channel* # set duplex fullduplex

Step 7

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 8

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 9

Commit the configuration:

commit-buffer

Configure Breakout Cables

The following procedure shows how to configure breakout cables for use with the Firepower 4100/9300 chassis. You can use a breakout cable to provide four 10 Gbps ports in place of a single 40 Gbps port.

Before you begin

Hardware Bypass-capable interfaces cannot be configured for breakout ports.

Procedure


Step 1

To create a new breakout, use the following commands:

  1. Enter cabling mode:

    scope cabling

    scope fabric a

  2. Create the breakout:

    create breakout network_module_slot port

    Example:

    
    Firepower /cabling/fabric/ # create breakout 2 1
    
    
  3. Commit the configuration:

    commit-buffer

    This will cause an automatic reboot. If you are configuring more than one breakout, you should create all of them before you issue the commit-buffer command.

Step 2

To enable/configure the breakout ports, use the following commands:

  1. Enter interface mode:

    scope eth-uplink

    scope fabric a

    scope aggr-interface network_module_slot port

    Note 

    Interfaces that are already a member of a port-channel cannot be modified individually. If you use the enter interface or scope interface command on an interface that is a member of a port channel, you will receive an error stating that the object does not exist. You should edit interfaces using the enter interface command before you add them to a port-channel.

  2. Use the set command to configure the interface speed and port type.

    Use the enable or disable command to set the administrative state of the interface.

  3. Commit the configuration:

    commit-buffer


Configure a Flow Control Policy

Flow control policies determine whether the Ethernet ports send and receive IEEE 802.3x pause frames when the receive buffer for a port fills. These pause frames request that the transmitting port stop sending data for a few milliseconds until the buffer clears. For flow control to work between devices, you must enable the corresponding receive and send flow control parameters for both devices.

The default policy disables send and receive control, and sets the priority to autonegotiate.

Procedure


Step 1

Enter eth-uplink and then flow-control mode.

scope eth-uplink

scope flow-control

Example:


firepower-4110# scope eth-uplink
firepower-4110 /eth-uplink # scope flow-control
firepower-4110 /eth-uplink/flow-control # 

Step 2

Edit or create a flow control policy.

enter policy name

If you want to edit the default policy, enter default for the name.

Example:


firepower-4110 /eth-uplink/flow-control # enter policy default
firepower-4110 /eth-uplink/flow-control/policy* # 

Step 3

Set the priority.

set prio {auto | on}

The priority sets whether to negotiate or enable PPP for this link.

Example:


firepower-4110 /eth-uplink/flow-control/policy* # set prio on

Step 4

Enable or disable flow control receive pauses.

set receive {on | off}

  • on—Pause requests are honored and all traffic is halted on that uplink port until the network cancels the pause request.

  • off—Pause requests from the network are ignored and traffic flow continues as normal.

Example:


firepower-4110 /eth-uplink/flow-control/policy* # set receive on

Step 5

Enable or disable flow control send pauses.

set send {on | off}

  • on—The Firepower 4100/9300 sends a pause request to the network if the incoming packet rate becomes too high. The pause remains in effect for a few milliseconds before traffic is reset to normal levels.

  • off—Traffic on the port flows normally regardless of the packet load.

Example:


firepower-4110 /eth-uplink/flow-control/policy* # set send on

Step 6

Save the configuration.

commit-buffer

Example:


firepower-4110 /eth-uplink/flow-control/policy* # commit-buffer
firepower-4110 /eth-uplink/flow-control/policy # 


Example

The following example configures a flow control policy.


firepower-4110# scope eth-uplink
firepower-4110 /eth-uplink # scope flow-control
firepower-4110 /eth-uplink/flow-control # enter policy FlowControlPolicy23
firepower-4110 /eth-uplink/flow-control/policy* # set prio auto
firepower-4110 /eth-uplink/flow-control/policy* # set receive on
firepower-4110 /eth-uplink/flow-control/policy* # set send on
firepower-4110 /eth-uplink/flow-control/policy* # commit-buffer
firepower-4110 /eth-uplink/flow-control/policy # 

Monitoring Interfaces


Note

There can be a difference between the FXOS and FTD/ASA interface utilization due to fragmentation drops in the FTD/ASA. To view fragmentation drops, see the FTD/ASA show asp drop and show fragment commands.


  • show interface

    Shows interface status.


    Note

    Interfaces that act as ports in port channels do not appear in this list.


    
    Firepower# scope eth-uplink
    Firepower /eth-uplink # scope fabric a
    Firepower /eth-uplink/fabric # show interface
    
    Interface:
        Port Name       Port Type          Admin State Oper State       State Reason
        --------------- ------------------ ----------- ---------------- ------------
        Ethernet1/1     Mgmt               Enabled     Up
        Ethernet1/2     Data               Enabled     Link Down        Link failure or not-connected
        Ethernet1/3     Data               Enabled     Up
        Ethernet1/4     Data               Enabled     Sfp Not Present  Unknown
        Ethernet1/6     Data               Enabled     Sfp Not Present  Unknown
        Ethernet1/7     Data               Enabled     Sfp Not Present  Unknown
        Ethernet1/8     Data               Disabled    Sfp Not Present  Unknown
        Ethernet2/1     Data               Enabled     Up
        Ethernet2/2     Data               Enabled     Up
        Ethernet2/4     Data               Enabled     Up
        Ethernet2/5     Data               Enabled     Up
        Ethernet2/6     Data               Enabled     Up
        Ethernet3/2     Data               Enabled     Up
        Ethernet3/4     Data               Enabled     Up
    
    
  • show port-channel

    Shows port-channel status.

    
    Firepower# scope eth-uplink
    Firepower /eth-uplink # scope fabric a
    Firepower /eth-uplink/fabric # show port-channel
    
    Port Channel:
        Port Channel Id Name             Port Type          Admin State Oper State       Port Channel Mode State Reason
        --------------- ---------------- ------------------ ----------- ---------------- ----------------- ------------
        1               Port-channel1    Data               Enabled     Up               Active    
        2               Port-channel2    Data               Enabled     Failed           Active            No operational members
        48              Port-channel48   Cluster            Enabled     Up               Active            
    
    

History for Interfaces

Feature Name

Platform Releases

Feature Information

Support for EtherChannels in FTD inline sets

2.1.1

You can now use EtherChannels in a FTD inline set.

Inline set link state propagation support for the FTD

2.0.1

When you configure an inline set in the FTD application and enable link state propagation, the FTD sends inline set membership to the FXOS chassis. Link state propagation means that the chassis automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down.

New/Modified commands: show fault |grep link-down, show interface detail

Support for Hardware bypass network modules for the FTD

2.0.1

Hardware Bypass ensures that traffic continues to flow between an inline interface pair during a power outage. This feature can be used to maintain network connectivity in the case of software or hardware failures.

New/Modified Firepower Management Center screens:

Devices > Device Management > Interfaces > Edit Physical Interface

Firepower-eventing type interface for FTD

1.1.4

You can specify an interface as firepower-eventing for use with the FTD. This interface is a secondary management interface for FTD devices. To use this interface, you must configure its IP address and other parameters at the FTD CLI. For example, you can separate management traffic from events (such as web events). See the "Management Interfaces" section in the Firepower Management Center configuration guide System Configuration chapter.

New/Modified FXOS commands: set port-type firepower-eventing, show interface