Configure Routed Mode Interfaces

This procedure describes how to set the name, security zone, and IPv4 address.

Note	Not all fields are supported for all interface types.

Before you begin

Firepower 4100/9300
1. Configure a Physical Interface
2. (Optional) Configure any special interfaces.
  - Add an EtherChannel (Port Channel)
  - Add a VLAN Subinterface for Container Instances in FXOS
  - Configure a Loopback Interface
  - Add a Subinterface in Firewall Management Center
  - Configure VXLAN Interfaces
(Optional) All other models:
- Configure an EtherChannel
- Configure a Loopback Interface
- Add a Subinterface
- Configure VXLAN Interfaces
- Firewall Threat Defense Virtual on AWS: Configure Geneve Interfaces
- Firepower 1010 and Secure Firewall 1210/1220: Configure a VLAN Interface

Procedure

Step 1

Select Devices > Device Management and click Edit ( edit icon ) for your Firewall Threat Defense device. The Interfaces page is selected by default.

Step 2

Click Edit ( edit icon ) for the interface you want to edit.

Step 3

In the Name field, enter a name up to 48 characters in length.

You cannot start the name with the phrase "cluster". It is reserved for internal use.

Step 4

Enable the interface by checking the Enabled check box.

Step 5

(Optional) Set this interface to Management Only to limit traffic to management traffic; through-the-box traffic is not allowed.

Step 6

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 7

In the Mode drop-down list, choose None.

Regular firewall interfaces have the mode set to None. The other modes are for IPS-only interface types.

Step 8

From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.

The routed interface is a Routed-type interface, and can only belong to Routed-type zones.

Step 9

See Configure the MTU for information about the MTU.

Step 10

In the Priority field, enter a number ranging from 0–65535.

This value is used in the policy based routing configuration. The priority is used to determine how you want to route the traffic across multiple egress interfaces. For more information, see Configure Policy-Based Routing Policy.

Step 11

Click the IPv4 tab. To set the IP address, use one of the following options from the IP Type drop-down list.

High Availability, clustering, and loopback interfaces only support static IP address configuration; DHCP and PPPoE are not supported.

Use Static IP—Enter the IP address and subnet mask. For point-to-point connections, you can specify a 31-bit subnet mask (255.255.255.254 or /31). In this case, no IP addresses are reserved for the network or broadcast addresses. You cannot set the standby IP address in this case. For High Availability, you can only use a static IP address. Set the standby IP address on the Devices > Device Management page, click High Availability in the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
Use DHCP—Configure the following optional parameters:
- Obtain default route using DHCP—Obtains the default route from the DHCP server.
- DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.
Use PPPoE—If the interface is connected to a DSL, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address, configure the following parameters:
- VPDN Group Name—Specify a group name of your choice to represent this connection.
- PPPoE User Name—Specify the username provided by your ISP.
- PPPoE Password/Confirm Password—Specify and confirm the password provided by your ISP.
- PPP Authentication—Choose PAP, CHAP, or MSCHAP.
  
  PAP passes a cleartext username and password during authentication and is not secure. With CHAP, the client returns the encrypted [challenge plus password], with a cleartext username in response to the server challenge. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE.
- PPPoE route metric—Assign an administrative distance to the learned route. Valid values are from 1 to 255. By default, the administrative distance for the learned routes is 1.
- Enable Route Settings—To manually configure the PPPoE IP address, check this box and then enter the IP Address.
  
  If you select the Enable Route Settings check box and leave the IP Address blank, the ip address pppoe setroute command is applied as shown in this example:
```
interface GigabitEthernet0/2
nameif inside2_pppoe
cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
security-level 0
pppoe client vpdn group test
pppoe client route distance 10
ip address pppoe setroute
```
- Store Username and Password in Flash—Stores the username and password in flash memory.
  
  The Firewall Threat Defense device stores the username and password in a special location of NVRAM.

Step 12

(Optional) See Configure IPv6 Addressing to configure IPv6 addressing on the IPv6 tab.

Step 13

(Optional) See Configure the MAC Address to manually configure the MAC address on the Advanced tab.

Step 14

(Optional) Set the duplex and speed by clicking Hardware Configuration > Speed.

Duplex—Choose Full or Half. SFP interfaces only support Full duplex.
Speed—Choose a speed (varies depending on the model). (Secure Firewall 3100/4200 only) Choose Detect SFP to detect the speed of the installed SFP module and use the appropriate speed. Duplex is always Full, and auto-negotiation is always enabled. This option is useful if you later change the network module to a different model, and want the speed to update automatically. For Secure Firewall 1250, you can configure a maximum interface speed of 2.5gbps.

Note
You cannot modify the speed of a HA or a Cluster Control Link interface.

Auto-negotiation—Set the interface to negotiate the speed, link status, and flow control.

Note

If a peer switch connecting to the port over a 50G cable does not support auto-negotiation, ensure to disable auto-negotiation on the switch and the Threat Defense interface as well. For example, N9K-C93400LD-H1 does not support auto-negotiation on a 50G cable. Hence, you must disable the default auto-negotiation on the platform and the switch for the port to be connected.

Forward Error Correction Mode—(Secure Firewall 3100/4200 only) For 25Gbps and higher interfaces, enable Forward Error Correction (FEC). For an EtherChannel member interface, you must configure FEC before you add it to the EtherChannel. The setting chosen when you use Auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.

Default FEC for Auto Setting
Transceiver Type	Fixed Port Default FEC (Ethernet 1/9 through 1/16)	Network Module Default FEC
25G-SR	Clause 74 FC-FEC	Clause 108 RS-FEC
25G-LR	Clause 74 FC-FEC	Clause 108 RS-FEC
10/25G-CSR	Clause 74 FC-FEC	Clause 74 FC-FEC
25G-AOCxM	Clause 74 FC-FEC	Clause 74 FC-FEC
25G-CU2.5/3M	Auto-Negotiate	Auto-Negotiate
25G-CU4/5M	Auto-Negotiate	Auto-Negotiate
25/50/100G	Clause 91 RS-FEC	Clause 91 RS-FEC

Step 15

(Optional) Enable Firewall Management Center manager access on a data interface on the Manager Access page.

You can enable manager access from a data interface when you first setup the Firewall Threat Defense. If you want to enable or disable manager access after you added the Firewall Threat Defense to the Firewall Management Center, see:

Enable manager access: Change the Manager Access Interface from Management to Data

Note	You cannot enable manager access unless you first initiate the manager interface migration from Management to a data interface. After you initiate the migration, you can enable manager access on the Manager Access page and save the configuration successfully.

Disable manager access: Change the Manager Access Interface from Data to Management

If you want to change the manager access interface from one data interface to another data interface, you must disable manager access on the original data interface, but do not disable the interface itself yet; the original data interface must be used to perform the deployment. If you want to use the same IP address on the new manager access interface, you can delete or change the IP configuration on the original interface; this change should not affect the deployment. If you use a different IP address for the new interface, then also change the device IP address shown in the Firewall Management Center; see Update the Hostname or IP Address in the Firewall Management Center. Be sure to also update related configuration to use the new interface such as static routes, DDNS, and DNS settings.

Manager access from a data interface has the following limitations:

You can only enable manager access on a physical, data interface. You cannot use a subinterface or EtherChannel, nor can you create a subinterface on the manager access interface. You can also use the Firewall Management Center to enable manager access on a single secondary interface for redundancy.
This interface cannot be management-only.
Routed firewall mode only, using a routed interface.
PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the Firewall Threat Defense and the WAN modem.
The interface must be in the global VRF only.
SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the Firewall Management Center. Because the Management interface gateway will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command. For Firewall Threat Defense Virtual on Amazon Web Services, a console port is not available, so you should maintain your SSH access to the Management interface: add a static route for Management before you continue with your configuration. Alternatively, be sure to finish all CLI configuration (including the configure manager add command) before you configure the data interface for manager access and you are disconnected.
Clustering is not supported. You must use the Management interface in this case.

Check Enable management on this interface for the manager to use this data interface for management instead of the dedicated Management interface.
(Optional) In the Allowed Management Networks box, add the networks from which you want to allow manager access. By default, any networks are allowed.

Step 16

Click OK.

Step 17

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.