Guidelines and Limitations for Switch Ports

High Availability and Clustering

  • No cluster support.

  • You should not use the switch port functionality when using High Availability. Because the switch ports operate in hardware, they continue to pass traffic on both the active and the standby units. High Availability is designed to prevent traffic from passing through the standby unit, but this feature does not extend to switch ports. In a normal High Availability network setup, active switch ports on both units will lead to network loops. We suggest that you use external switches for any switching capability. Note that VLAN interfaces can be monitored by failover, while switch ports cannot. Theoretically, you can put a single switch port on a VLAN and successfully use High Availability, but a simpler setup is to use physical firewall interfaces instead.

  • You can only use a firewall interface as the failover link.

Logical VLAN Interfaces

  • You can create up to 60 VLAN interfaces.

  • If you also use VLAN subinterfaces on a firewall interface, you cannot use the same VLAN ID for both a VLAN subinterface and a logical VLAN interface.

  • MAC Addresses:

    • Routed firewall mode—All VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. See Configure the MAC Address.

    • Transparent firewall mode—Each VLAN interface has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses. See Configure the MAC Address.

Bridge Groups

You cannot mix logical VLAN interfaces and physical firewall interfaces in the same bridge group.

VLAN Interface and Switch Port Unsupported Features

VLAN interfaces and switch ports do not support:

  • Dynamic routing

  • Multicast routing

  • Equal-Cost Multi-Path routing (ECMP)

  • Inline sets or Passive interfaces

  • EtherChannels

  • Failover and state link

  • Security group tagging (SGT)

Other Guidelines and Limitations

  • You can configure a maximum of 60 named interfaces on the Firepower 1010 and Secure Firewall 1210/1220.

  • You cannot configure the Management interface as a switch port.
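The guidelines above (High Availability, logical VLAN interfaces, bridge groups, and the other limits) can be applied to a planned interface inventory before it is pushed to a device. The following Python checker is an added example, not code from the documentation or from Cisco; the `Iface` model, the interface names in `SAMPLE`, and the `kind` labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
MAX_VLAN_INTERFACES = 60  # limit stated in the guidelines

@dataclass
class Iface:
    name: str
    kind: str                      # "firewall", "switchport", "vlan" or "subif"
    vlan_id: Optional[int] = None  # VLAN ID for "vlan" and "subif" entries
    bridge_group: Optional[int] = None

def check_guidelines(ifaces, ha_enabled=False, failover_link=None):
    """Return the list of guideline violations in a planned interface inventory."""
    issues = []
    switchports = [i for i in ifaces if i.kind == "switchport"]
    vlans = [i for i in ifaces if i.kind == "vlan"]
    subif_ids = {i.vlan_id for i in ifaces if i.kind == "subif"}
    # Switch ports forward in hardware on both HA units, so they can form loops.
    if ha_enabled and switchports:
        issues.append("HA with switch ports: " + ", ".join(i.name for i in switchports))
    # Only a firewall interface may carry the failover link.
    link = next((i for i in ifaces if i.name == failover_link), None)
    if failover_link is not None and (link is None or link.kind != "firewall"):
        issues.append("failover link %s is not a firewall interface" % failover_link)
    if len(vlans) > MAX_VLAN_INTERFACES:
        issues.append("%d VLAN interfaces exceed the limit of %d" % (len(vlans), MAX_VLAN_INTERFACES))
    # A logical VLAN interface may not reuse a subinterface's VLAN ID.
    for v in vlans:
        if v.vlan_id in subif_ids:
            issues.append("VLAN ID %d used by %s and a subinterface" % (v.vlan_id, v.name))
    # The Management interface cannot be a switch port.
    for s in switchports:
        if s.name.startswith("Management"):
            issues.append("%s cannot be a switch port" % s.name)
    # Logical VLAN and physical firewall interfaces cannot share a bridge group.
    groups = {}
    for i in ifaces:
        if i.bridge_group is not None:
            groups.setdefault(i.bridge_group, set()).add(i.kind)
    for bg, kinds in sorted(groups.items()):
        if {"vlan", "firewall"} <= kinds:
            issues.append("bridge group %d mixes VLAN and firewall interfaces" % bg)
    return issues

# Constructed sample inventory (not from the documentation) that breaks several rules.
SAMPLE = [
    Iface("Ethernet1/1", "firewall", bridge_group=1),
    Iface("Ethernet1/1.10", "subif", vlan_id=10),
    Iface("Ethernet1/2", "switchport", vlan_id=1),
    Iface("Management1/1", "switchport"),
    Iface("Vlan10", "vlan", vlan_id=10, bridge_group=1),
]
```

Calling `check_guidelines(SAMPLE, ha_enabled=True, failover_link="Vlan10")` reports five violations; a plan with one firewall interface, one switch port in VLAN 1 and a matching `Vlan1` interface reports none.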

Default Settings

  • Ethernet 1/1 is a firewall interface.

  • On Firepower 1010 and Secure Firewall 1210, Ethernet 1/2 through Ethernet 1/8 are switch ports assigned to VLAN 1.

  • On Secure Firewall 1220, Ethernet 1/2 through Ethernet 1/10 are switch ports assigned to VLAN 1.

  • Default Speed and Duplex—By default, the speed and duplex are set to auto-negotiate.