https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357277#M1026926 <P>Hi Dan,</P> <P>I never actually tried it on the firepower, but should be similar to the ASA BVI setup.</P> <H3 class="topictitle3">About Routed Firewall Mode</H3> <SECTION> <P><A name="ID-2106-0000000a__ID-2106-0000000b" target="_blank"></A>In routed mode, the<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>is considered to be a router hop in the network. Each interface that you want to route between is on a different subnet.</P> <P>With Integrated Routing and Bridging, you can use a "bridge group" where you group together multiple interfaces on a network, and the<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>routes between BVIs and regular routed interfaces. If you do not need clustering or EtherChannel or redundant member interfaces, you might consider using routed mode instead of transparent mode. In routed mode, you can have one or more isolated bridge groups like in transparent mode, but also have normal routed interfaces as well for a mixed deployment.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html</A></P> <P>&nbsp;</P> <P>HTH</P> <P>Bogdan</P> </SECTION> Thu, 29 Mar 2018 07:34:48 GMT Bogdan Nita 2018-03-29T07:34:48Z https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357205#M1026925 <P>HI All, is it possible to connect lets say a host or server directly to one of the 1GB copper or SFP interfaces and use that port as an access port?</P> <P>&nbsp;</P> <P>I know typically the firewall ports are routed ports but, you can also make these ports trunking/sub-interfaces but, I would think you would need the host NIC to have a way to interpret the frames/vlans from the 2110.</P> <P>&nbsp;</P> <P>Has anyone been able to connect to one of the 2110 interfaces and use as a switchport?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Dan</P> Fri, 21 Feb 2020 15:34:34 GMT https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357205#M1026925 dan hale 2020-02-21T15:34:34Z https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357277#M1026926 <P>Hi Dan,</P> <P>I never actually tried it on the firepower, but should be similar to the ASA BVI setup.</P> <H3 class="topictitle3">About Routed Firewall Mode</H3> <SECTION> <P><A name="ID-2106-0000000a__ID-2106-0000000b" target="_blank"></A>In routed mode, the<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>is considered to be a router hop in the network. Each interface that you want to route between is on a different subnet.</P> <P>With Integrated Routing and Bridging, you can use a "bridge group" where you group together multiple interfaces on a network, and the<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The<SPAN>&nbsp;</SPAN><SPAN>Firepower Threat Defense device</SPAN><SPAN>&nbsp;</SPAN>routes between BVIs and regular routed interfaces. If you do not need clustering or EtherChannel or redundant member interfaces, you might consider using routed mode instead of transparent mode. In routed mode, you can have one or more isolated bridge groups like in transparent mode, but also have normal routed interfaces as well for a mixed deployment.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html</A></P> <P>&nbsp;</P> <P>HTH</P> <P>Bogdan</P> </SECTION> Thu, 29 Mar 2018 07:34:48 GMT https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357277#M1026926 Bogdan Nita 2018-03-29T07:34:48Z https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357721#M1026927 <P>Thanks for pointing me in the right direction however, it looks like creating BVI's is not supported on the 2100's.</P> <P>&nbsp;</P> <P>"you cannot configure bridge groups on Firepower 2100 series or Firepower Threat Defense Virtual devices."</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622/fptd-fdm-interfaces.html#id_35464" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622/fptd-fdm-interfaces.html#id_35464</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>Dan</P> Thu, 29 Mar 2018 18:39:45 GMT https://community.cisco.com/t5/network-security/firepower-ngfw-2110-interfaces-can-you-make-them-access-ports/m-p/3357721#M1026927 dan hale 2018-03-29T18:39:45Z