FMC managed FPR 4112 and adding sub-interfaces with 'Management Only'?

We have a customer with an on-premises FMC appliance running 7.0.5.  It is managing several HA pairs of FPR 4112 and 4115 FTDs.  We have a requirement to add an additional sub-interface to an FTD that is a 'Management Only' interface.

In the lab I have an FMCv with the same release code, but only managing FTDvs; we can add sub-interfaces and check the 'Management Only' box and this all works as expected.  However, on the live system, if we attempt to add a sub-interface (or edit any of the other sub-interfaces or physical interfaces) the 'Management Only' box is greyed out.

I don't think this is an HA limitation, as I have a pair of on-box FDM-managed FTDvs and this lets me do it.

The help doesn't mention anything about FTD Management Only interfaces as far as I can see, but I'm more than happy to be corrected.  I've also searched online and can't find anything helpful.


4 Replies

Marvin Rhoads
Hall of Fame

Management vs. data interface type needs to be assigned at the chassis manager in 4100 and 9300 series FTDs.

Yes, that's how it's been explained to me.  However, the OoB management interface is different as it connects to 'both' parts of the system: it's the 'eth0' of the FTD host as well as the 'Management0/0' interface of the LINA element, each having its own MAC address.  With the FTDv (and an ASA5506-X I have that's been reimaged as an FTD) I can select 'Management only' when I add sub-interfaces (or any of the physical interfaces) and this puts it in the 'Management-only' routing table.  Why has this functionality been removed/disabled with the 4100/9300 platform?  It seems odd.

I guess I could create a new VRF for management only and assign the sub-interface to it.  However we need this for syslog & NetFlow and I don't know whether it will be possible to send from a different VRF?  Anyone know?

This all stems from some HA pairs of FTDs that are between DCs with L2 between them.  Unfortunately the OoB management (the eth0) is on different networks in each DC and this isn't something that can be changed (bit of a house of cards...).  Therefore we wanted to create a new VLAN between the DCs and assign a new management-only sub-interface to each FTD pair that was dedicated to a third-party SOC service for receiving syslog & NetFlow.


The distinction I am referring to isn't between eth0 and Management0/0, it's that whatever additional interface(s) you want to use for management must be first designated as such in the chassis manager. This distinction allows Cisco to accommodate other features in those particular platforms, particularly multi-instance.  Since multi-instance is not available on the other platforms, it is not done that way on those.

Yes, I understand what's going on; however, all the physical interfaces are assigned to port-channels on the single-instance FTD. On the FTD we are defining the 802.1Q tagged sub-interfaces.  We don't have the option to add another interface at the FXOS level and set this as 'Management'.

I'm seeing if I can do this with a new VRF that is 'Management Only'.  I'm not sure if I can then send syslog & NetFlow via an interface in this VRF though.  Back to the lab...
