topic Re: Cisco FTD Subinterfaces change to Physical in Network Security

Cisco FTD Subinterfaces change to Physical

agilliup — Tue, 23 Aug 2022 16:48:09 GMT

I am running into issues with a sub-interface so I need to change it to a physical. I'm nervous about making the change. Is there an easy way to change a sub-interface into a physical without renaming? I currently can't ping anything from the sub-interface but don't have any issues with physical interfaces. I'm assuming that running dhcp-relay on a sub-interface is a no no on the FTD's which is why I can't get it up and running. Any help would be appreciated.

Re: Cisco FTD Subinterfaces change to Physical

balaji.bandi — Tue, 23 Aug 2022 16:59:07 GMT

I do not see any sub interface issue, when you do port-channel. that give you high availability. if one of the Physical interface go down, or switch port go down, or switch in stack or SVL part go down.

i still prefer to do port-channel. rather single sub interface, that is best advise.

Re: Cisco FTD Subinterfaces change to Physical

agilliup — Tue, 23 Aug 2022 17:03:13 GMT

I really just want to make it a physical interface. We have high availability with two FTD's already.

Re: Cisco FTD Subinterfaces change to Physical

balaji.bandi — Tue, 23 Aug 2022 17:13:23 GMT

how many sub-interface do you have enough physical interfaces ?

if so you need to make changes on the Physical interface configuration, same config need to apply on switch to match the VLAN, you need to move 1 sub-interface at a time and test it...shutdown sub-interface and bring up physical interface.

Note : i have not done myself this practice, so test 1 interface before you move to next interfaces for good safe approach, make sure you have config backup out of the box.

Re: Cisco FTD Subinterfaces change to Physical

Marvin Rhoads — Tue, 23 Aug 2022 17:14:25 GMT

You have to remove and recretae if you want to keep the same interface name (nameif).

You can potentially use interface groups as an alternative to avoid renaming but then any NAT and ACP rules would likewise have to reference those as applicable.

Re: Cisco FTD Subinterfaces change to Physical

Kasun Bandara — Wed, 24 Aug 2022 02:59:11 GMT

if you are planing to move with same name, you need to remove sub interface first and apply those settings in to physical interface. you cannot have same name simultaneously. so plana down time and move interface to physical. also when you moving interfaces, you may need to re add routings related to that interface. so keep them in track. also make sure you have enough physical interfaces to move your sub interfaces. after moving sub interfaces, you need to configure connected switch with correct VLAN which previously configured in sub interface.

Re: Cisco FTD Subinterfaces change to Physical

Marius Gunnerud — Wed, 24 Aug 2022 06:52:27 GMT

If you are managing this via FMC you can remove the configuration from the subinterface and then configure the physical interface with that configuration from the subinterface. The good thing with FTD is that the interfaces are associated with zones and then those zones are used in the access rules. this means that ACP rules and NAT rules will be updated automatically with the new interface. Routing and VPN would need to be updated manually as these reference the physical interface.

Also, none of these changes will take effect until you deploy the configuration. That means that you can configure everything, veryify that all is changed, and then deploy.

I did this just last week, though I chose to create a new interface name as it was so quick and easy to change the configuration.