Cisco FTD Subinterfaces change to Physical

agilliup
Level 1

I am running into issues with a sub-interface, so I need to change it to a physical. I'm nervous about making the change. Is there an easy way to change a sub-interface into a physical without renaming? I currently can't ping anything from the sub-interface but don't have any issues with physical interfaces. I'm assuming that running dhcp-relay on a sub-interface is a no-no on the FTDs, which is why I can't get it up and running. Any help would be appreciated.

6 Replies

balaji.bandi
Hall of Fame

I do not see any sub-interface issue when you do port-channel. That gives you high availability if one of the physical interfaces goes down, or a switch port goes down, or a switch in the stack or SVL pair goes down.

I still prefer to do port-channel rather than a single sub-interface; that is the best advice.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

agilliup
Level 1

I really just want to make it a physical interface. We have high availability with two FTDs already.

How many sub-interfaces do you have? Do you have enough physical interfaces?

If so, you need to make changes on the physical interface configuration, and the same config needs to be applied on the switch to match the VLAN. You need to move one sub-interface at a time and test it: shut down the sub-interface and bring up the physical interface.


Note: I have not done this practice myself, so test one interface before you move to the next interfaces for a good safe approach, and make sure you have a config backup out of the box.

BB


Marvin Rhoads
Hall of Fame

You have to remove and recreate if you want to keep the same interface name (nameif).

You can potentially use interface groups as an alternative to avoid renaming but then any NAT and ACP rules would likewise have to reference those as applicable.

If you are planning to move with the same name, you need to remove the sub-interface first and apply those settings to the physical interface. You cannot have the same name simultaneously, so plan downtime and move the interface to physical. Also, when you are moving interfaces, you may need to re-add routes related to that interface, so keep track of them. Also make sure you have enough physical interfaces to move your sub-interfaces to. After moving sub-interfaces, you need to configure the connected switch with the correct VLAN that was previously configured on the sub-interface.

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB

If you are managing this via FMC, you can remove the configuration from the subinterface and then configure the physical interface with that configuration from the subinterface. The good thing with FTD is that the interfaces are associated with zones, and those zones are used in the access rules. This means that ACP rules and NAT rules will be updated automatically with the new interface. Routing and VPN would need to be updated manually, as these reference the physical interface.

Also, none of these changes will take effect until you deploy the configuration. That means that you can configure everything, verify that all is changed, and then deploy.

I did this just last week, though I chose to create a new interface name as it was so quick and easy to change the configuration.

--
Please remember to select a correct answer and rate helpful posts
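A small planning helper, added here as an example and not part of this thread, that applies the steps the replies describe to an ASA-style running config as FTD shows it: remove the sub-interface, carry its settings (minus the VLAN tag) onto the parent physical interface under the same nameif, refuse if that nameif is still in use elsewhere, switch the upstream port from trunk to access in that VLAN, and list the route and dhcprelay lines that name the interface and must be re-added. The config fragment, interface names and addresses are constructed; on an FMC-managed FTD the change itself is made in FMC and deployed, so the output is a review checklist rather than commands to paste.

```python
import re

# Constructed ASA-style config as FTD's "show running-config" shows it (values made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
dhcprelay server 10.1.1.5 outside
dhcprelay enable inside
route inside 10.0.0.0 255.0.0.0 192.168.100.254 1
"""

def parse_interfaces(config):
    """Return {interface name: [indented lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def plan_migration(config, subif):
    """Return (FTD lines, switch-port lines, config lines that reference the nameif)."""
    blocks = parse_interfaces(config)
    sub = blocks[subif]
    phys = subif.split(".")[0]
    vlan = next(ln.split()[1] for ln in sub if ln.startswith("vlan "))
    nameif = next(ln.split()[1] for ln in sub if ln.startswith("nameif "))
    # The same nameif cannot exist on two interfaces at once; the sub-interface goes first.
    clash = [n for n, ls in blocks.items() if n != subif and f"nameif {nameif}" in ls]
    if clash:
        raise ValueError(f"nameif {nameif} is already on {clash}; remove it first")
    # Everything except the 802.1Q tag carries over to the physical interface.
    carried = [" " + ln for ln in sub if not ln.startswith("vlan ")]
    ftd = [f"no interface {subif}", f"interface {phys}"] + carried
    # The switch port stops trunking the tag and becomes an access port in that VLAN.
    switch = ["interface <switch-port>", " switchport mode access",
              f" switchport access vlan {vlan}"]
    # Routes and dhcprelay lines name the interface and must be re-added after the move.
    refs = [ln for ln in config.splitlines()
            if re.match(rf"(route|dhcprelay \w+) .*\b{nameif}\b", ln)]
    return ftd, switch, refs
```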