Combining LAN ports on Cisco Firepower / EtherChannel or something else

amh4y0001
Level 3

Hi,

I have Cisco Firepower 1100 series (FPR-1120) 
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"

I need to configure two or more LAN interfaces to make a LAN which can communicate at LAN level (in other words, in the same VLAN or same network).
I created an EtherChannel as:

amh4y0001_0-1688734794766.png

amh4y0001_1-1688734865747.png

And let DHCP (with all default values) assign the IP addresses.

Now one of the member ports is connected to a network which is distributing IP addresses via DHCP.
When I connect a PC to second member port, it didn't get any IP from DHCP.

What should be configured to achieve LAN-based communication/switching so that I can connect multiple devices belonging to the same network?

Note: I fully understand that Firepower is not designed for switching, and the best solution would be to connect a LAN switch in between to attach multiple clients. But sometimes one needs to find a solution outside of the recommended zone.
Any suggestion / step-by-step guide / screenshots will be appreciated.

 

1 Accepted Solution

The security level must be the same for the endpoint ports and the BVI.
The names must be different, like BVI7_1 and BVI7_2.

25 Replies

Hi @amh4y0001 

If you create a port-channel on the firewall side, it is expected that on the other side of the port-channel you connect another device which supports port-channel, like a router, switch or another firewall.

You cannot use an individual interface on a port-channel like that. Why don't you try with one interface only? And make sure the firewall supports MDIX, otherwise you need to use a cross-over cable.

Then I guess I was wrong to use the EtherChannel. Let me explain what my need is.
Goal: To have two or more interfaces in the same network/VLAN. On Cisco Firepower it is not possible to have two or more interfaces with the same IP range/network.
What should I do here?

amh4y0001_0-1688762976225.png

amh4y0001_1-1688763004046.png

 

 

Create a bridge group

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-interfaces.html#id_35464

"The group members do not have IP addresses. Instead, all member interfaces share the IP address of the Bridge Virtual Interface (BVI). "

Can you share your topology?
Thanks

MHM

A topology diagram is not available at the moment. But I can explain what I am trying to achieve here:
Goal: To have two or more interfaces in the same network/VLAN. On Cisco Firepower it is not possible to have two or more interfaces with the same IP range/network. What should be the workaround to configure multiple Ethernet ports into one LAN?

I think what you are looking for is BDI.

FPR supports BDI.

BDI can make your FW connect to the same VLAN via two interfaces.

@MHM Cisco World Thanks for the input, do you have a step-by-step guide?

Do you manage the FPR by FMC or FDM?

Device = Cisco Firepower 1100 series (FPR-1120) 
System image file is "disk0:/installables/switch/fxos-k8-fp1k-lfbff.2.8.1.105.SPA"

Interface 3:
Static IP Address = 10.10.10.1 255.0.0.0.

 

amh4y0001_2-1688767372018.png

Error while configuring Interface 4 with the same network as Interface 3.

amh4y0001_4-1688767502604.png

 

 

amh4y0001_0-1688980706970.png

The BVI group has been created and Eth3 and Eth4 are the members. BVI1 has been assigned a static IP address.
However, when I connect endpoints, I get a 169.x.x.x APIPA address.

amh4y0001_1-1688980810814.png

 

This means that you did not enable the DHCP server on the BVI interface you added.
Enable the DHCP server for the BVI interface.

@MHM Cisco World So I should not assign a static IP address on the BVI1 interface?
Do you have more specific steps/screenshots to follow?

No, friend, you need to assign an IP to the BVI, but you also need to enable the DHCP server on this interface so that endpoints get an IP from the ASA BVI.
