Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2653
Views
9
Helpful
25
Replies

Combining LAN ports on Cisco Firepower /Ethercahnnel or something else

Go to solution
amh4y0001
Level 3
Level 3

‎07-07-2023 07:57 AM

Hi,

I have Cisco Firepower 1100 series (FPR-1120) 
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"

I am in a need to configure two or more LAN interfaces to make a LAN which can communicate at LAN level (in other words, in the same VLAN or same network).
I created a Ether channel as: 

amh4y0001_0-1688734794766.png

amh4y0001_1-1688734865747.png

And let the DHCP (with all default values) to assign the IP addresses.

Now one of the member port is now connected with a network which is distributing IP addresses via DHCP. 
When I connect a PC to second member port, it didn't get any IP from DHCP.

What should be configured to achieve a LAN based communication /switching so that I connect multiple devices belonging to the same network.

Note: I fully understand that Firepower is not designed for switching, and best solution should be to connect a LAN Switch in between to attach multiple clients. But sometimes, needs to find a solution outside of the recommended zone. 
Any suggestion /step by step guide /screenshots will be appreciated.

 

1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to amh4y0001

‎07-10-2023 07:50 AM

security level must same for endpoints ports and BVI 
name must be different like BVI7_1 and BVI7_2

View solution in original post

0 Helpful
25 Replies 25

Go to solution
Flavio Miranda
VIP
VIP

‎07-07-2023 11:48 AM

Hi @amh4y0001 

 If you create a port-channel on the firewall side, it is expected that you connect on the other side of the port-channel another device which supports port-channel like a router, switch or another firewall.

 You can not use individual interface on a port-channel like that. Why dont you try with one interface only ?  And make sure the firewall supports mdix otherwise you need to use cross-over cable.

0 Helpful

Go to solution
amh4y0001
Level 3
Level 3
In response to Flavio Miranda

‎07-07-2023 01:50 PM

Then I guess I was wrong to use the Ether channel. Let me explain what is my need.
Goal: Is to have two interfaces or more in same Network /VLAN. On Cisco Firepower it is not possible to two or interface with same IP range /network.
What should I do here?

amh4y0001_0-1688762976225.pngamh4y0001_1-1688763004046.png

 

 

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to amh4y0001

‎07-07-2023 02:19 PM

Create a bridge group

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-interfaces.html#id_35464

"The group members do not have IP addresses. Instead, all member interfaces share the IP address of the Bridge Virtual Interface (BVI). "

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎07-07-2023 11:54 AM

can you share your topology
thanks 

MHM

0 Helpful

Go to solution
amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎07-07-2023 01:52 PM

Topology diagram is not available at the moment. But I can explain what I am trying to achieve here:
Goal: Is to have two interfaces or more in same Network /VLAN. On Cisco Firepower it is not possible to two or interface with same IP range /network. What should be the works around to configure multiple Ethernet ports into one LAN?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to amh4y0001

‎07-07-2023 01:55 PM

I Think what you looking for us BDI'

Fpr support bdi.

Bdi can make your FW connect to same vlan via two interfaces.

Go to solution
amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎07-07-2023 02:15 PM

@MHM Cisco World  Thanks for input, do you have a step by step guide? 

Go to solution
MHM Cisco World
VIP
VIP
In response to amh4y0001

‎07-07-2023 02:23 PM

You mgmt fpr by fmc or  fdm ?

0 Helpful

Go to solution
amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎07-07-2023 03:05 PM

Device = Cisco Firepower 1100 series (FPR-1120) 
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"

Interface 3:
Static IP Address = 10.10.10.1 255.0.0.0.

 

amh4y0001_2-1688767372018.png

Error while configuring Interface 4 with same network as interface 3.

amh4y0001_4-1688767502604.png

 

 

0 Helpful

Go to solution
amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎07-10-2023 02:21 AM

amh4y0001_0-1688980706970.png

BVI group has been created and Eth3 and Eth4 are the members. BVI1 has been assigned static IP address. 
However, when I connect end points, I get 169.x.x.x APIPA address.

amh4y0001_1-1688980810814.png

 

Go to solution
MHM Cisco World
VIP
VIP
In response to amh4y0001

‎07-10-2023 03:15 AM

this meaning that you not enable DHCP server in BVI interface you add 
enable the DHCP server for BVI interface 

Go to solution
amh4y0001
Level 3
Level 3
In response to MHM Cisco World

‎07-10-2023 04:10 AM

@MHM Cisco World So I should not assign static IP address on BVI1 interface? 
Do you have more specific steps /screenshots for follow?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to amh4y0001

‎07-10-2023 04:12 AM

NO friend you need assign IP to BVI but also you need to enable DHCP server in this interface to make endpoint get IP from ASA BVI.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card