FTD1010 MGMT1/1 to L2 ports

johnlloyd_13
Level 9

Hi,

I got an FP1010 and would like to set it up/cable it similar to the ASA5506, wherein the MGMT port can be cabled to the L2 ports eth1/2-8.

I noticed this can only be achieved in FTD 6.5 and above (correct me if I'm wrong). My FTD is currently version 6.4 and I tried the said cable setup (MGMT1/1 > port 1/2) but it didn't work.

Which FTD image do I go for: 6.5 or 6.6? I can only see that 6.4.0.9 has the gold star.

I noticed the MGMT1/1 doesn't show its IP 192.168.45.45 and it displays "diagnostic". How do I change the MGMT1/1 IP address so it's "in-band" with the 192.168.1.0/24 "inside" subnet and can go to the internet?

 

> show interface Management 1/1
Interface Management1/1 "diagnostic", is up, line protocol is up
  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 5c5a.c7b8.f781, MTU 1500
        IP address unassigned
        6771 packets input, 447504 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops, 0 demux drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        3 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (0/0)
        output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "diagnostic":
        4074 packets input, 205755 bytes
        0 packets output, 0 bytes
        1654 packets dropped
      1 minute input rate 1 pkts/sec,  78 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  55 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
        Management-only interface. Blocked 0 through-the-device packets

 

configure network ipv4 manual 192.168.1.45 255.255.255.0 192.168.1.1 management

 

I'm also unable to ping the internet. The FTD eth1/1 is already set to DHCP and can get an ISP public IP. Is there a GUI option for the CLI command to configure "ip address dhcp setroute" similar to the ASA?

 

8 Replies

Marvin Rhoads
Hall of Fame

@johnlloyd_13 I've found 6.6 to be quite stable in the lab and a few small deployments where I have used it. 6.6.1 should be out soon and that will probably get a Gold Star once it's been deployed widely.

6.5 is already EoS and I wouldn't recommend going to it for that reason (although it is stable).

So I'd try moving up to 6.6 and undertaking your configuration from there.

 

Hi Marvin,

So in FTD 6.6 I can cable the MGMT1/1 to any of the L2 ports since I don't have an L2 switch?

Is the command correct to change the MGMT IP?

configure network ipv4 manual 192.168.1.45 255.255.255.0 192.168.1.1 management

balaji.bandi
Hall of Fame

Yes, you can connect to any Layer 2 device. (As per my knowledge this should mention management0 - is the number you need to mention 0/1 or 1/1?)

 

configure network ipv4 manual 192.168.1.45 255.255.255.0 192.168.1.1 management0

BB


Hi Balaji,

There's no L2 switch and it's just a standalone setup. I will cable the MGMT port to one of the ports on eth1/2-8 and configure the IP to be on the same 192.168.1.0/24 and get to the internet.

I don't see MGMT0 per show interface ip brief. It took the said command but it didn't take effect, which is weird.

Do I need to click deploy or an apply button, or is there a CLI command?

 

> show interface ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Ethernet1/1                unassigned      YES           unset  up          up
Ethernet1/2                unassigned      YES           unset  admin down  down
Ethernet1/3                unassigned      YES           unset  admin down  down
Ethernet1/4                unassigned      YES           unset  admin down  down
Ethernet1/5                unassigned      YES           unset  admin down  down
Ethernet1/6                unassigned      YES           unset  admin down  down
Ethernet1/7                unassigned      YES           unset  admin down  down
Ethernet1/8                unassigned      YES           unset  admin down  down
Internal-Control1/1        unassigned      YES           unset  up          up
Internal-Data1/1           169.254.1.1     YES           unset  up          up
Internal-Data1/2           unassigned      YES           unset  up          up
Management1/1              unassigned      YES           unset  up          up

 
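As an added example (not from the thread, and not Cisco's own tooling), here is a small Python parser for the "show interface ip brief" output posted above. It reports the two things that output makes visible: the management interface has no address, and the Ethernet ports that would be cabled to it are administratively down. The sample text is a constructed copy of the posted output, and the function and parameter names are mine.

```python
import re

# Constructed sample: a copy of the `show interface ip brief` output posted
# in the thread (shortened to a few rows), used here only as parser input.
SAMPLE_BRIEF = """\
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Ethernet1/1                unassigned      YES           unset  up          up
Ethernet1/2                unassigned      YES           unset  admin down  down
Ethernet1/3                unassigned      YES           unset  admin down  down
Internal-Data1/1           169.254.1.1     YES           unset  up          up
Management1/1              unassigned      YES           unset  up          up
"""

# Status is the only column that may contain a space ("admin down"), so it is
# matched with an explicit alternation instead of \S+.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|admin down)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_brief(text):
    """Return one dict per interface row; the header row does not match
    the status/protocol alternation and is skipped automatically."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def audit(rows, mgmt_name="Management1/1", data_prefix="Ethernet"):
    """Flag the management interface carrying no address, and data ports that
    are administratively down (a port cabled to MGMT1/1 cannot pass traffic
    until it is enabled). Returns findings in row order."""
    findings = []
    for r in rows:
        if r["name"] == mgmt_name and r["ip"] == "unassigned":
            findings.append(f"{r['name']}: no IP address assigned")
        if r["name"].startswith(data_prefix) and r["status"] == "admin down":
            findings.append(f"{r['name']}: administratively down")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ip_brief(SAMPLE_BRIEF)):
        print(finding)
```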

Marvin Rhoads
Hall of Fame

See this guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-gsg/ftd-fdm.html#id_97497

As noted, using the management interface is optional.

When you make one of the setup type changes that's available via the CLI configure commands, they take effect immediately. No "deploy" or "write mem" or similar technique is required.

Hi Marvin,

This is interesting. How about the option of "ip address dhcp setroute" on the FTD E1/1 "outside" interface?

What's the equivalent FTD CLI, or where in the GUI can I configure this?

 

 

I know for sure the eth1/1 interface gets its address via DHCP by default.

I don't have an appliance on hand to verify but I believe that includes getting a default route (assuming the DHCP server provides one).

So basically the command you mentioned is the default behavior and it is not necessary to configure it. If you start with a manually configured address and gateway, changing to DHCP (via the FDM GUI) should revert it to the default behavior.

Ruben Cocheno
Spotlight

@johnlloyd_13 

 

Your ISP is giving you back a default route; make sure you have NAT on the egress, and policies allowing traffic going through. A very common mistake is to forget that the management 1/1 needs to have access to the Internet, so make sure your NAT/firewall policy covers that as well.

Tag me to follow up.