Need expert help with Firepower intervlan routing

GatLMCO (Level 1)

The Firepower 1000 (FP) has routed sub-interfaces as shown in the diagram. HostA is able to ping HostB, and vice versa. FP Vlan20 responds to ping requests from HostA. FP Vlan30 responds to ping requests from HostB. All works with the following exception: FP Vlan30 does not respond to ping requests from HostA, and FP Vlan20 does not respond to ping requests from HostB (no NAT; basic ACL allows all). So, two questions:

Is this normal for FTD?

And is it possible to configure the FP 1/3 interface as an L3 virtual bridge on a switchport or trunk, associating the 1/3 interface with the 1/2 interface, and then connecting the 1/3 interface to an access port on SwitchA VLAN 1, to allow tagged and untagged traffic to flow through the FP 1/3 interface to SwitchA?

[Diagram attached to the post: GatLMCO_0-1713802321540.png]

2 Accepted Solutions

By "design" you can't ping or reach an interface of the FTD (same behaviour on the ASA devices) that is sitting on the opposite side; the exception to this would be if you configure that interface for management over VPN, so what you are seeing is normal, expected behaviour.

Regarding grouping the interfaces to allow the tagged and untagged traffic: you don't need to do that, as you have already done it. When you configure the sub-interface you have to associate the VLAN ID, as you have already done, which means that the traffic via those sub-interfaces must be tagged; however, you can still use the physical interface for the untagged traffic, and that would work with the native VLAN configured on the trunk link on the switch. On the other hand, if you need more capacity over the existing port, then you can configure a port channel.


OMG!

Now it's clear to me.

HostA can ping HostB.

But HostA cannot ping the VLAN IP in the FW on HostB's side.

This is denied by default by ASA and Firepower.

No config is needed.

The FW is not like a router that can ping from interface to interface.

MHM

