Enable the Physical Interface and Configure Ethernet Settings

This section describes how to:

  • Enable the physical interface. By default, physical interfaces are disabled (with the exception of the Management interface).

  • Set a specific speed and duplex. By default, speed and duplex are set to Auto.

This procedure only covers a small subset of Interface settings. Refrain from setting other parameters at this point. For example, you cannot name an interface that you want to use as part of an EtherChannel interface.

Note

For the Firepower 4100/9300, you configure basic interface settings in FXOS. See Configure a Physical Interface for more information.

Note

For Firepower 1010 and Secure Firewall 1210/1220 switch ports, see Configure Firepower 1010 and Secure Firewall 1210/1220 Switch Ports.

Before you begin

If you changed the physical interfaces on the device after you added it to the management center, you need to refresh the interface listing by clicking Sync Interfaces from device on the top left of Interfaces. For the Secure Firewall 3100/4200, which supports hot swapping, see Manage the Network Module for the Secure Firewall 3100/4200 before you change interfaces on a device.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

Step 2

Click Edit (edit icon) for the interface you want to edit.

Step 3

Enable the interface by checking the Enabled check box.

Step 4

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 5

(Optional) Set the duplex and speed by clicking Hardware Configuration > Speed.

  • Duplex—Choose Full or Half. SFP interfaces only support Full duplex.

  • Speed—Choose a speed (varies depending on the model). (Secure Firewall 3100/4200 only) Choose Detect SFP to detect the speed of the installed SFP module and use the appropriate speed. Duplex is always Full, and auto-negotiation is always enabled. This option is useful if you later change the network module to a different model, and want the speed to update automatically.

  • Auto-negotiation—Set the interface to negotiate the speed, link status, and flow control.

  • Forward Error Correction Mode—(Secure Firewall 3100/4200 only) For 25 Gbps and higher interfaces, enable Forward Error Correction (FEC). For an EtherChannel member interface, you must configure FEC before you add it to the EtherChannel. The setting chosen when you use Auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.

    Default FEC for Auto Setting

    Transceiver Type   Fixed Port Default FEC (Ethernet 1/9 through 1/16)   Network Module Default FEC
    ----------------   --------------------------------------------------   --------------------------
    25G-SR             Clause 74 FC-FEC                                     Clause 108 RS-FEC
    25G-LR             Clause 74 FC-FEC                                     Clause 108 RS-FEC
    10/25G-CSR         Clause 74 FC-FEC                                     Clause 74 FC-FEC
    25G-AOCxM          Clause 74 FC-FEC                                     Clause 74 FC-FEC
    25G-CU2.5/3M       Auto-Negotiate                                       Auto-Negotiate
    25G-CU4/5M         Auto-Negotiate                                       Auto-Negotiate
    25/50/100G         Clause 91 RS-FEC                                     Clause 91 RS-FEC

Step 6

(Optional) (Firepower 1100/Secure Firewall 1200/3100/4200) Enable Link Layer Discovery Protocol (LLDP) by clicking Hardware Configuration > Network Connectivity.

  • Enable LLDP Receive—Enables the firewall to receive LLDP packets from its peers.

  • Enable LLDP Transmit—Enables the firewall to send LLDP packets to its peers.

Step 7

(Optional) (Secure Firewall 3100/4200) Enable pause (XOFF) frames for flow control by clicking Hardware Configuration > Network Connectivity, and checking Flow Control Send.

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If the threat defense port experiences congestion (exhaustion of queuing resources on the internal switch) and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

Note

The threat defense supports transmitting pause frames so that the remote peer can rate-control the traffic. However, receiving pause frames is not supported.

The internal switch has a global pool of 8000 buffers of 250 bytes each, and the switch allocates buffers dynamically to each port. A pause frame is sent out of every interface with flow control enabled when the buffer usage exceeds the global high-water mark (2 MB, 8000 buffers), and a pause frame is sent out of a particular interface when its buffer usage exceeds the port high-water mark (.3125 MB, 1250 buffers). After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the low-water mark (1.25 MB globally, 5000 buffers; .25 MB per port, 1000 buffers). The link partner can resume traffic after receiving an XON frame.

Only flow control frames defined in 802.3x are supported. Priority-based flow control is not supported.

Step 8

In the Mode drop-down list, choose one of the following:

  • None—Choose this setting for regular firewall interfaces and inline sets. The mode will automatically be changed to Routed, Switched, or Inline based on further configuration.

  • Passive—Choose this setting for passive IPS-only interfaces.

  • Erspan—Choose this setting for ERSPAN passive IPS-only interfaces.

Step 9

In the Priority field, enter a number ranging from 0–65535.

This value is used in the policy-based routing configuration. The priority determines how traffic is distributed across multiple egress interfaces.

Step 10

Click OK.

Step 11

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

Step 12

Continue configuring interfaces.
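
The high-water and low-water marks described in Step 7 form a hysteresis loop. The following model is an added example, not Cisco code or the device's implementation, and walks a constructed buffer-usage trace through those thresholds. Assumptions: the interface names and trace are made up, a mark counts as crossed when usage reaches it, and a port paused by the global mark is released only once the global usage is below its low-water mark and the port's own usage is below the port low-water mark.

```python
from dataclasses import dataclass, field

# Buffer counts from the text (250-byte buffers, pool of 8000).
GLOBAL_HIGH, GLOBAL_LOW = 8000, 5000   # 2 MB / 1.25 MB
PORT_HIGH, PORT_LOW = 1250, 1000       # .3125 MB / .25 MB

@dataclass
class PauseModel:
    fc_ports: set                                  # ports with Flow Control Send checked
    usage: dict = field(default_factory=dict)      # port -> buffers currently held
    paused: set = field(default_factory=set)       # ports whose peer has been sent XOFF
    global_paused: bool = False

    def update(self, port, buffers):
        """Record a port's buffer usage; return the (frame, port) pairs emitted."""
        self.usage[port] = buffers
        total = sum(self.usage.values())
        # Hysteresis: trip at the high mark, clear only below the low mark.
        # Assumption: a mark counts as crossed when usage reaches it.
        if not self.global_paused and total >= GLOBAL_HIGH:
            self.global_paused = True
        elif self.global_paused and total < GLOBAL_LOW:
            self.global_paused = False
        frames = []
        for p in sorted(self.fc_ports):
            used = self.usage.get(p, 0)
            if p not in self.paused:
                if self.global_paused or used >= PORT_HIGH:
                    self.paused.add(p)
                    frames.append(("XOFF", p))
            elif not self.global_paused and used < PORT_LOW:
                self.paused.discard(p)
                frames.append(("XON", p))
        return frames

def run_scenario():
    """Constructed trace; Ethernet1/3 has Flow Control Send unchecked."""
    model = PauseModel(fc_ports={"Ethernet1/1", "Ethernet1/2"})
    trace = [("Ethernet1/1", 1200), ("Ethernet1/1", 1300), ("Ethernet1/1", 1100),
             ("Ethernet1/1", 900), ("Ethernet1/3", 7100), ("Ethernet1/3", 5500),
             ("Ethernet1/3", 3000)]
    return [(port, n, model.update(port, n)) for port, n in trace]

if __name__ == "__main__":
    for port, n, frames in run_scenario():
        print(f"{port} holds {n:>4} buffers -> {frames or 'no frame'}")
```

In the trace, Ethernet1/3 fills the shared pool and causes pause frames on the two flow-control ports, but its own link partner is never paused because Flow Control Send is not enabled on it.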