Solved: Management interface for logical FTD on Firepower 4100

DavideRanalli97851 · ‎03-12-2021

Hi,

I'll shortly have to deploy a physical firepower of the 4100 family "4115".

I know that the first MGMT interface showing up is for chassis FXOS purpuses. In Cisco videos I've seen that the management interface used for FTD "logical instance" is the ethernet1/1 .

1) I am right on saying that management interface for FTD can be any of the interfaces available on the fixed module?

2) On FTD can I use a subinterface as management (and FMC use that same subinterface), or management interface must be physical?

3) Management interface on FTD, can also work as data interface? (for example as mgmt interface i use the once facing as server in a DMZ)

Unfortunately on my virtual lab I couldn't test these things

Thank you in advanced

Marvin Rhoads · ‎03-14-2021

While we note that the documentation for Firepower 6.7 says that you can "manage the FTD using a data interface instead of the Management interface", I know that, at least through the latest FXOS for a 4100 or 9300 series, you cannot deploy an FTD logical device without first designating one of the network interfaces as exclusively management (not data). Note that the guide tells us explicitly:

"You can later enable management from a data interface; but you must assign a Management interface to the logical device even if you don't intend to use it after you enable data management. See the configure network management-data-interface command in the FTD command reference for more information."

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos291/web-guide/b_GUI_FXOS_ConfigGuide_291/logical_devices.html#task_4D51AFC7091E4D8F8289F08C6A071459

View solution in original post

Marvin Rhoads · ‎03-13-2021

Yes - you must use a separate dedicated physical interface for management. Firepower Chassis Manager will not allow you do deploy an FTD logical devices without having that configured and available.

DavideRanalli97851 · ‎03-13-2021

Thanks Marvin,

so i must first define a management interface, for example eth1/1, then I can create the FTD logical device and apply eth1/1 to it, but can that eth1/1 interface be used for both data and management or does it have to be used exclusively for managemet?

thanks

David

Marvin Rhoads · ‎03-14-2021

While we note that the documentation for Firepower 6.7 says that you can "manage the FTD using a data interface instead of the Management interface", I know that, at least through the latest FXOS for a 4100 or 9300 series, you cannot deploy an FTD logical device without first designating one of the network interfaces as exclusively management (not data). Note that the guide tells us explicitly:

"You can later enable management from a data interface; but you must assign a Management interface to the logical device even if you don't intend to use it after you enable data management. See the configure network management-data-interface command in the FTD command reference for more information."

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos291/web-guide/b_GUI_FXOS_ConfigGuide_291/logical_devices.html#task_4D51AFC7091E4D8F8289F08C6A071459

DavideRanalli97851 · ‎03-14-2021

Fantastic thanks Marvin, you couldn't be clearer than this