08-20-2020 03:02 AM - edited 08-20-2020 03:02 AM
Hello!
I'm kinda new to the FTD, used to pure CLI and not GUI.
So I have this task to set up a VERY secure LAN network with 1 switch (5 VLANs, 1 device per VLAN) & 1 Cisco FTD.
Devices/VLANS -> Switch -> FTD
1/1 interface on FTD will be connected to Switch (inbound & outbound will be on same interface).
FYI, this stage is only testing and will be in production if it works by next year.
My questions are:
- What should the 1/1 be configured as? (routed or switchport/trunk)
- Do I need to add the VLANs on the FTD as well in order for it to segregate, inspect packets, and apply access control, rules, zones etc. for all the VLANs? Or is it enough to have the VLANs set up on the switch?
Thanks for the help.
08-20-2020 04:16 AM
You need to make subinterfaces on the FTD and put them in different zones (outside and inside in your case), and the same on the switch side (you can use a trunk port) with the subinterfaces.
A good guide to understand:
08-20-2020 12:49 PM
Hello!
You mean different zones per subinterface?
Because then it would be 5 subinterfaces on 1/1 on the FTD.
But inside and outside would be the same zone right? As the inbound & outbound would be on same interface aka 1/1.
Thanks for your reply, helps me out a lot.
08-20-2020 01:28 PM
You mean different zones per subinterface?
Because then it would be 5 subinterfaces on 1/1 on FTD.
BB - take this as an example only - if you have 5 VLANs and all 5 VLANs belong to the Inside zone, create 5 subinterfaces, one for each VLAN, all belonging to inside.
BB - you can have 1 interface in the outside zone.
But inside and outside would be the same zone right? As the inbound & outbound would be on the same interface aka 1/1.
BB - if inside and outside are the same zone, then you do not need a firewall, right? The FW here is for you to protect from the outside network coming in, and at the same time to let inside go out in a controlled manner.
Hope this makes sense? If I misunderstood your requirement, please clarify.
08-20-2020 03:09 PM
Okay, I think we understood each other.
But here, I've drawn a logical map.
Nothing on here is going to get internet access, the whole network is only gonna be LAN, there won't even be a router. At least that's what I've seen on the current drawings and been told so far. There are a few more devices but you get the point.
So the idea is that everything that passes through the FW, which is gonna be 6 different networks, needs to be inspected, blocked/allowed etc. Even though a FW is not needed internally they want it anyway...
But as said I'm stuck on the VLAN part, on how to configure the FTD interface 1/1 for the VLANs.
Do you see where I'm coming from?
Thx
08-20-2020 07:52 PM
Assuming you are using the Firepower Device Manager (FDM) GUI, you need to go under interfaces and add subinterfaces to the 1/1 parent interface. 1/1 will have to be unconfigured before doing so (no name or IP address etc.).
Each subinterface will be routed mode with the VLAN ID indicated.
On the switch side it would be one trunk port to the FTD appliance.
The alternative is to use one physical interface per VLAN. Layer 3 inter-VLAN (inter-subnet) occurs only on the FTD so the switch must not have any SVIs in the subnets or else it will see itself as connected (admin distance = 0) and automatically route the traffic.
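The design in the answer above, as an added example that is not from the original thread or from Cisco documentation: the switch-side IOS configuration for the single 802.1Q trunk to FTD 1/1 and the per-device access ports, followed by the FTD subinterfaces as they appear in the FTD running-config once FDM has pushed them. VLAN IDs, port names and addresses are constructed assumptions; the switch is left purely Layer 2 so that the FTD is the only router between the VLANs.

```text
! --- Switch side (Cisco IOS, constructed example) ---
! Define the five VLANs, one device in each
vlan 10,20,30,40,50
!
! One dot1q trunk carrying all five VLANs to FTD Ethernet1/1
interface GigabitEthernet1/0/24
 description Trunk to FTD Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
!
! One access port per device; repeat for Gi1/0/2-5 with VLANs 20-50
interface GigabitEthernet1/0/1
 description Device in VLAN 10
 switchport mode access
 switchport access vlan 10
!
! No Layer 3 on the switch: no SVIs in the protected subnets, so the
! switch cannot see them as directly connected and route around the FTD
no ip routing
! Check: 'show ip interface brief' must show no Vlan10..Vlan50 SVIs
! with IP addresses; 'show interfaces trunk' must list VLANs 10-50
!
! --- FTD side, as seen in 'show running-config' after FDM config ---
! Parent interface stays unnamed and unaddressed
interface Ethernet1/1
 no nameif
 no ip address
!
! One routed subinterface per VLAN; the VLAN ID is the 802.1Q tag
! Repeat for Ethernet1/1.20 .. Ethernet1/1.50 (VLANs 20-50)
interface Ethernet1/1.10
 vlan 10
 nameif vlan10
 ip address 10.0.10.1 255.255.255.0
```

Each device's default gateway is then the FTD subinterface address for its VLAN (10.0.10.1 for VLAN 10 in this example), and every inter-VLAN flow has to pass the FTD access control policy.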
08-21-2020 08:20 AM
Yeah, via GUI as I'm not used to the FXOS. That I know how to do, how to set it up, I just wasn't sure if it was the correct way.
I've set it all up and will test it on Monday with the switch.
Yeah that was my original plan but the client wants it this way. :(
Thanks a lot Marvin!