Re: Cisco FMC and FTD management connectivity

varrao · ‎10-20-2021

Hi All,

I am working with a very peculiar design requirements, where we are using FMC4500 and FTD 4140 with container instances.

We have assigned a Eth1/8 interface as logical management interface to be shared by all containers. Now the requirement is to put the FMC and FTD logical management interface behind a container firewall on one of the 4140 itself.

Which potentially means if I am placing the management interface of a firewall behind a data interface on the same firewall. to explain further, lets say I want 10.10.10.0/24 for the mgmt subnet for FMC and FTD. On the firewall I have to create the data interface 10.10.10.1, which will be the gateway for FMC (lets say 10.10.10.10), and which will be the gateway for the logical mgmt interface of the same container (eth1/7, lets say 10.10.10.9). Is this possible to have same subnet interface for data and interface type mgmt interfaces? will it be a supported config? I am not sure since I could not find any cisco doc to give me this info.

Thanks,
Varun Rao

Rob Ingram · ‎10-20-2021

Hi @varrao the data and mgmt interfaces can be on the same network.

Alternatively from FTD 6.7 you can use the data interface for mgmt, instead of using a mgmt dedicated interface.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

varrao · ‎10-20-2021

Hi Rob,

Thanks for a prompt response. Is their a doc that says data and management can be same network? or is it something from your own personal experience?

Yes I did go through the 6.7 release notes, but we do not want to use the data interfaces for management and also because there is no gold starred image in 6.7.x yet.

Thanks in advance.

Thanks,
Varun Rao

Rob Ingram · ‎10-20-2021

@varrao in production no, I usually used a dedicated VLAN....but in the lab I am pretty confident I have and it works fine. I doubt it's mentioned in cisco docs.