topic Re: Sub-interface configuration limit on FTD managed via FMC in Network Security

Sub-interface configuration limit on FTD managed via FMC

adebola — Wed, 11 Sep 2024 13:00:02 GMT

I need to ask a question. We've got an FTD managed by an FMC with interfaces configured as follows:

INSIDE - 1 sub-interface

OUTSIDE - 16 sub-interfaces

All sub interfaces on the OUTSIDE side were configured via the chassis manager. Sub-interface on the INSIDE was configured via FMC.

We need to configure a 17th sub-interface on the OUTSIDE interface and the OUSIDE interface is grayed out and only the INSIDE interface is available.

Creating sub interfaces on an FMC managed FTD that already has 16 sub interfaces on the OUTSIDE interface, the FMC wouldn't allow it. I could create on the INSIDE interface that's got just one sub interface, but I couldn't on the OUTSIDE interface that already has 16.

Can anyone tell me if there's a limitation to 16 sub interfaces on the FMC? If i create it on the chassis, I'm able to sync and use it on the FMC, just couldn't create it from there after 16 sub interfaces.

Re: Sub-interface configuration limit on FTD managed via FMC

Aref Alsouqi — Wed, 11 Sep 2024 15:32:10 GMT

I don't believe there is any limitation with FMC to create more than 16 subinterfaces, actually the limitation of how many subinterface you can create on an FTD is bound to the FTD hardware not to the FMC. Not sure if there is anything you should do to kinda handover the OUTSIDE interface management from the chassis manager to the FMC, I'm not so familiar with the chassis manager. Did you try to create the subinterface from the chassis manager?

Re: Sub-interface configuration limit on FTD managed via FMC

adebola — Wed, 11 Sep 2024 16:04:35 GMT

Thanks for the response. Responding to your question about chassis manager, yes, after I couldn't get the sub-interface configured, I went to the chassis manager and was able to configure the 17th interface from there and then associated it with the instance and then synced it to the FMC, but my doubt is that I couldn't create the sub-interface via FMC and I was wondering if there's was a limit to creating sub interfaces via FMC.

Re: Sub-interface configuration limit on FTD managed via FMC

Marvin Rhoads — Wed, 11 Sep 2024 16:39:14 GMT

You did not mention your platform or software version, but there are some important distinctions explained here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/2120/web-guide/b_GUI_FXOS_ConfigGuide_2120/interface_management.html#id_90184

Re: Sub-interface configuration limit on FTD managed via FMC

adebola — Wed, 11 Sep 2024 18:41:50 GMT

Thanks Marvin for sharing the link. I have looked at this information before. Here is the information about version and platform as requested.

Cisco Firepower 4115 running FXOS 2.12
FMC/FTD version: 7.2.8.

Thanks once again.

Re: Sub-interface configuration limit on FTD managed via FMC

Marius Gunnerud — Wed, 11 Sep 2024 20:12:13 GMT

Are you by chance running the FTD in multi-instance? It could be that you need to add the subinterface at the chassis level before you can configure it in the FMC.

Re: Sub-interface configuration limit on FTD managed via FMC

adebola — Thu, 12 Sep 2024 13:49:30 GMT

Yes mate! It's a multi-instance FTD. I figured out we needed to do the configuration via chassis manager which we did and it worked. What I didn't get was that I could create sub interfaces on the INSIDE interface using the FMC without having to do that through the chassis manager, but OUTSIDE interface wouldn't let me do it.

Information I forgot to add is that both INSIDE and OUTSIDE interfaces are Port channels.

Re: Sub-interface configuration limit on FTD managed via FMC

Marius Gunnerud — Thu, 12 Sep 2024 21:25:05 GMT

What I believe has happened is that when the FTD was set up, the "whole" inside interface or Port-channel was provisioned to the FTD instance, while the outside Port-channel only the sub-interface was provisioned. This might be because the different instances are sharing that interface for access outside the network. So that would mean that you have full access to the inside interface and will be able to define sub-interfaces while the outside interface you would need to create the sub-interface on the chassis and then provision it to the instance before you can make use of it.

Re: Sub-interface configuration limit on FTD managed via FMC

adebola — Fri, 13 Sep 2024 13:11:20 GMT

Hello Marius!

i went back to the chassis manager just to be verify what you pointed out. I can confirm that both port-channels were configured the same way and associated the same way to the FTD instance. I'm sharing some screenshots of the chassis configuration.

I'm grateful to everyone who has contributed to this. i would like to understand this FMC behaviour so I can avoid having this problem in future configurations as a Field Engineer.

Re: Sub-interface configuration limit on FTD managed via FMC

Marius Gunnerud — Mon, 16 Sep 2024 07:32:00 GMT

I do not believe you are sharing the "parent interface" or parent port-channel 6 with the instance. This because you are not able to select it in the FMC / application configuration. So as mentioned earlier, port-channel 5 is being shared completely with the instance you are configuring, while port-channel 6 is only sharing the sub-interfaces. The below is taken from a Cisco document also linked to below.

VLAN Subinterfaces

For all logical devices, you can create VLAN subinterfaces within the application.

For container instances in standalone mode only, you can also create VLAN subinterfaces in FXOS. Multi-instance clusters do not support subinterfaces in FXOS except on the Cluster-type interface. Application-defined subinterfaces are not subject to the FXOS limit. Choosing in which operating system to create subinterfaces depends on your network deployment and personal preference. For example, to share a subinterface, you must create the subinterface in FXOS. Another scenario that favors FXOS subinterfaces comprises allocating separate subinterface groups on a single interface to multiple instances. For example, you want to use Port-channel1 with VLAN 2–11 on instance A, VLAN 12–21 on instance B, and VLAN 22–31 on instance C. If you create these subinterfaces within the application, then you would have to share the parent interface in FXOS, which may not be desirable. See the following illustration that shows the three ways you can accomplish this scenario:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html#id_20107