Re: Firepower 4110 intra-interface traffic

usman.works1985 · ‎09-21-2021

Hello Everyone,

I have a scenario, where I have to manage the east-west traffic and I have only one inside interface for LAN. So is this possible the traffic enters and exits the same interface in FTD? if yes, then how can I achieve this.

thanks.....

Mohammed al Baqari · ‎09-21-2021

Hi,

This is doable in FTD. By default intra-interface traffic is allowed by
default. Just make sure to avoid ICMP redirects which can bypass FTD. I
suggest creating two sub-interfaces on the same physical interface to
ensure that traffic enters and exits FTD.

***** please remember to rate useful posts

usman.works1985 · ‎09-22-2021

Hi Mohommed,

Thanks for your response. In my scenario the Firewall is not the Gateway, but still it is passing all the traffic... In that case I cannot have two or multiple sub-interfaces instead one physical interface... would it still be applicable?

Marvin Rhoads · ‎09-22-2021

If it isn't the gateway and only has a single interface how is it passing all the traffic?

If it is set as the routing next hop by the gateway it can work. Traffic can go in and come out of the same interface (physical and logical). Of course you will need policies set to inspect, log etc.

It's a bit of an odd configuration that way and normally we would recommend separate interfaces for various reasons.

usman.works1985 · ‎09-22-2021

Hi Marvin,

So to answer your question my FTD is connected with ACI fabric and the FABRIC is acting as a gateway for all the services... also the the fabric will redirect the traffic toward FTD with the help of PBR and FTD will inspect and send the back from the same interface...