topic Firepower 4110 intra-interface traffic in Network Security

Firepower 4110 intra-interface traffic

usman.works1985 — Tue, 21 Sep 2021 11:12:24 GMT

Hello Everyone,

I have a scenario, where I have to manage the east-west traffic and I have only one inside interface for LAN. So is this possible the traffic enters and exits the same interface in FTD? if yes, then how can I achieve this.

thanks.....

Re: Firepower 4110 intra-interface traffic

Mohammed al Baqari — Tue, 21 Sep 2021 12:44:10 GMT

Hi,

This is doable in FTD. By default intra-interface traffic is allowed by
default. Just make sure to avoid ICMP redirects which can bypass FTD. I
suggest creating two sub-interfaces on the same physical interface to
ensure that traffic enters and exits FTD.

***** please remember to rate useful posts

Re: Firepower 4110 intra-interface traffic

usman.works1985 — Wed, 22 Sep 2021 14:40:59 GMT

Hi Mohommed,

Thanks for your response. In my scenario the Firewall is not the Gateway, but still it is passing all the traffic... In that case I cannot have two or multiple sub-interfaces instead one physical interface... would it still be applicable?

Re: Firepower 4110 intra-interface traffic

Marvin Rhoads — Wed, 22 Sep 2021 16:26:48 GMT

If it isn't the gateway and only has a single interface how is it passing all the traffic?

If it is set as the routing next hop by the gateway it can work. Traffic can go in and come out of the same interface (physical and logical). Of course you will need policies set to inspect, log etc.

It's a bit of an odd configuration that way and normally we would recommend separate interfaces for various reasons.

Re: Firepower 4110 intra-interface traffic

usman.works1985 — Wed, 22 Sep 2021 17:20:04 GMT

Hi Marvin,

So to answer your question my FTD is connected with ACI fabric and the FABRIC is acting as a gateway for all the services... also the the fabric will redirect the traffic toward FTD with the help of PBR and FTD will inspect and send the back from the same interface...