FTD LAN Setup

S3C (Level 1)

Hello!

I'm kinda new to the FTD, used to pure CLI and not GUI.

So I have this task to set up a VERY secure LAN network with 1 switch (5 VLANs, 1 device per VLAN) & 1 Cisco FTD.

Devices/VLANs -> Switch -> FTD

The 1/1 interface on the FTD will be connected to the switch (inbound & outbound will be on the same interface).

FYI, this stage is only testing and will be in production, if it works, by next year.

My questions are:

- What should 1/1 be configured as? (routed or switchport/trunk)

- Do I need to add the VLANs on the FTD as well in order for it to segregate, inspect packets, apply access control, rules, zones etc. for all the VLANs? Or is it enough to have the VLANs set up on the switch?

Thanks for the help.

 

6 Replies

balaji.bandi (Hall of Fame)

You need to make subinterfaces on the FTD and put them in different zones (outside and inside in your case), and the same on the switch side (you can use a trunk port) with the subinterfaces.

A good guide to understand:

https://docs.defenseorchestrator.com/Configuration_Guides/Interfaces/Switch_Port_Mode_Interfaces_for_Firepower_Threat_Defense

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello!

You mean different zones per subinterface?

Because then it would be 5 subinterfaces on 1/1 on the FTD.

But inside and outside would be the same zone, right? As the inbound & outbound would be on the same interface, aka 1/1.

Thanks for your reply, helps me out a lot.

You mean different zones per subinterface?

Because then it would be 5 subinterfaces on 1/1 on the FTD.

BB - take this as an example only - if you have 5 VLANs and all 5 VLANs belong to the inside zone, create 5 subinterfaces, one for each VLAN, belonging to inside.

BB - you can have 1 interface in the outside zone.

But inside and outside would be the same zone, right? As the inbound & outbound would be on the same interface, aka 1/1.

BB - if inside and outside are the same zone, then you do not need a firewall, right? The FW here is for you to protect from the outside network coming in, and at the same time inside going out in a controlled manner.

Hope this makes sense? If I misunderstood your requirement, please clarify.

BB


Okay, I think we understood each other.

But here, I've drawn a logical map.

Nothing on here is going to get internet access; the whole network is only going to be LAN, there won't even be a router. At least that's what I've seen on the current drawings and been told so far. There are a few more devices but you get the point.

So the idea is that everything that passes through the FW, which is going to be 6 different networks, needs to be inspected, blocked/allowed etc. Even though a FW is not needed internally, they want it anyway...

But as said, I'm stuck on the VLAN part, on how to configure the FTD interface 1/1 for the VLANs.

Do you see where I'm coming from?

 

Thx

Assuming you are using the Firepower Device Manager (FDM) GUI, you need to go under interfaces and add subinterfaces to the 1/1 parent interface. 1/1 will have to be unconfigured before doing so (no name or IP address etc.).

Each subinterface will be routed mode with the VLAN ID indicated.

On the switch side it would be one trunk port to the FTD appliance.

The alternative is to use one physical interface per VLAN. Layer 3 inter-VLAN (inter-subnet) occurs only on the FTD so the switch must not have any SVIs in the subnets or else it will see itself as connected (admin distance = 0) and automatically route the traffic.
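As an added example (not from this thread, and not Cisco's own code), here is a small Python audit of the design the accepted answer describes: one trunk from the switch to the unconfigured 1/1 parent, a routed subinterface per VLAN on the FTD, and no switch SVIs inside the firewall's subnets. It parses a constructed IOS-style switch config and a constructed FTD config in the ASA-style syntax that `show running-config` prints on FTD, then flags a parent interface that still carries a name or address, VLANs present on one side but not the other, and any switch SVI whose address falls inside an FTD subnet, which is the case where the switch would see the subnet as connected and route around the firewall. The port name, VLAN numbers and subnets are invented for the example.

```python
import ipaddress
import re

# Constructed sample switch config (IOS-style); port, VLANs and subnets are invented.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
"""

# Constructed sample FTD config, ASA-style as 'show running-config' prints it on FTD.
FTD_CONFIG = """\
interface Ethernet1/1
 no nameif
!
interface Ethernet1/1.10
 vlan 10
 nameif vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet1/1.60
 vlan 60
 nameif vlan60
 ip address 10.0.60.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Split an IOS/ASA-style config into {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command closes the block
    return blocks

def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(switch_cfg, port):
    """VLANs carried on the uplink; 'allowed vlan add' accumulates, a plain line replaces."""
    allowed = set()
    for cmd in parse_interfaces(switch_cfg).get(port, []):
        m = re.match(r"switchport trunk allowed vlan (add )?([\d,\- ]+)$", cmd)
        if m:
            allowed = (allowed if m.group(1) else set()) | expand_vlan_list(m.group(2))
    return allowed

def address_of(cmds):
    """IPv4Interface from an 'ip address A.B.C.D MASK' sub-command, else None."""
    m = next((re.match(r"ip address (\S+) (\S+)$", c) for c in cmds if c.startswith("ip address ")), None)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None

def ftd_subinterfaces(ftd_cfg):
    """{vlan id: IPv4Interface} for every addressed routed subinterface on the FTD."""
    subifs = {}
    for cmds in parse_interfaces(ftd_cfg).values():
        vlan = next((int(c.split()[1]) for c in cmds if re.match(r"vlan \d+$", c)), None)
        if vlan is not None and address_of(cmds) is not None:
            subifs[vlan] = address_of(cmds)
    return subifs

def switch_svis(switch_cfg):
    """{vlan id: IPv4Interface} for every switch SVI that carries an address."""
    svis = {}
    for name, cmds in parse_interfaces(switch_cfg).items():
        m = re.match(r"[Vv]lan(\d+)$", name)
        if m and address_of(cmds) is not None:
            svis[int(m.group(1))] = address_of(cmds)
    return svis

def audit(switch_cfg, trunk_port, ftd_cfg, parent="Ethernet1/1"):
    """Human-readable findings; an empty list means switch and FTD agree."""
    trunk, subifs = trunk_allowed_vlans(switch_cfg, trunk_port), ftd_subinterfaces(ftd_cfg)
    findings = []
    if any(c.startswith(("nameif ", "ip address ")) for c in parse_interfaces(ftd_cfg).get(parent, [])):
        findings.append(f"{parent}: parent interface must stay unnamed and unaddressed")
    findings += [f"VLAN {v}: FTD subinterface exists but trunk {trunk_port} does not carry it"
                 for v in sorted(set(subifs) - trunk)]
    findings += [f"VLAN {v}: carried on trunk {trunk_port} but the FTD has no subinterface for it"
                 for v in sorted(trunk - set(subifs))]
    for vlan, svi in sorted(switch_svis(switch_cfg).items()):
        for fvlan, fif in subifs.items():
            if svi.ip in fif.network:  # switch is directly connected, so it routes instead of the FTD
                findings.append(f"VLAN {vlan}: switch SVI {svi.ip} lies in FTD subnet {fif.network} "
                                f"(VLAN {fvlan}) and bypasses the firewall")
    return findings
```

Run `audit(SWITCH_CONFIG, "GigabitEthernet1/0/24", FTD_CONFIG)` and the sample produces four findings: VLAN 60 exists on the FTD but is not carried on the trunk, VLANs 20 and 50 arrive on the trunk with nothing on the FTD to terminate them, and the `Vlan10` SVI sits inside the FTD's 10.0.10.0/24 subnet, so that VLAN would be routed by the switch and never inspected. A management SVI in a subnet the FTD does not own is not flagged; the check is only about the subnets the firewall is supposed to be the gateway for.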

Yeah, via the GUI as I'm not used to the FXOS. That I know how to do, how to set it up; I just wasn't sure if it was the correct way.

I've set it all up and will test it on Monday with the switch.

Yeah, that was my original plan but the client wants it this way. :(

Thanks a lot Marvin!
