Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 9 Setting Up Virtual Routers
Configuring Routed Interfaces
The system handles traffic that has been received with VLAN tags on switched interfaces by stripping 
the outermost VLAN tag on ingress prior to any rules evaluation or forwarding decisions. Packets 
leaving the device through a VLAN-tagged logical routed interface are encapsulated with the associated 
VLAN tag on egress. The system drops any traffic received with a VLAN tag after the stripping process 
completes.
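
The following Python sketch models the tag handling described above so the three cases (untagged, single-tagged, double-tagged) can be checked side by side. It is an added example, not code from the FireSIGHT System; the function names, the sample frames, and the choice of TPIDs treated as VLAN tags (0x8100 and 0x88A8) are assumptions.

```python
import struct

# TPIDs treated as VLAN tags in this model (assumption): 802.1Q and 802.1ad.
VLAN_TPIDS = {0x8100, 0x88A8}


def ingress(frame: bytes):
    """Model the ingress handling of one Ethernet frame.

    Returns (verdict, vlan_id, frame_after_stripping):
      verdict  -- "forward" or "drop"
      vlan_id  -- VLAN ID of the stripped outermost tag, or None if untagged
    """
    if len(frame) < 14:
        return ("drop", None, frame)          # too short for an Ethernet header
    macs, ethertype = frame[:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype not in VLAN_TPIDS:
        return ("forward", None, frame)       # untagged: nothing to strip
    if len(frame) < 18:
        return ("drop", None, frame)          # truncated tag
    tci = struct.unpack("!H", frame[14:16])[0]
    vlan_id = tci & 0x0FFF                    # low 12 bits of the TCI
    stripped = macs + frame[16:]              # remove TPID + TCI (4 bytes)
    inner_type = struct.unpack("!H", stripped[12:14])[0]
    if inner_type in VLAN_TPIDS:
        return ("drop", vlan_id, stripped)    # still tagged after stripping
    return ("forward", vlan_id, stripped)


def egress(frame: bytes, vlan_id: int) -> bytes:
    """Encapsulate a frame leaving through a VLAN-tagged logical interface."""
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)  # priority bits left at 0
    return frame[:12] + tag + frame[12:]


# Constructed sample frames: dst MAC, src MAC, then EtherType/tags and payload.
MACS = bytes.fromhex("020000000001" "020000000002")
UNTAGGED = MACS + bytes.fromhex("0800") + b"payload"
SINGLE = egress(UNTAGGED, 10)
DOUBLE = egress(SINGLE, 20)     # outer tag 20, inner tag 10

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)]:
        verdict, vid, _ = ingress(f)
        print(f"{name:9s} -> {verdict:7s} stripped VLAN: {vid}")
```
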
Note that if you change the parent physical interface to inline or passive, the system deletes all the 
associated logical interfaces.
Configuring Physical Routed Interfaces
License: Control
Supported Devices: Series 3
You can configure one or more physical ports on a managed device as routed interfaces. You must assign 
a physical routed interface to a virtual router before it can route traffic.
You can add static Address Resolution Protocol (ARP) entries to a routed interface. If an external host 
needs to know the MAC address of the destination IP address it needs to send traffic to on your local 
network, it sends an ARP request. When you configure static ARP entries, the virtual router responds 
with an IP address and associated MAC address.
Note that disabling the ICMP Enable Responses option for routed interfaces does not prevent ICMP
responses in all scenarios. You can add rules to an access control policy to drop packets where the 
destination IP is the routed interface’s IP and the protocol is ICMP. For more information about creating 
access control rules, see 
. If you have 
enabled the Inspect Local Router Traffic option on the managed device, it drops the packets before they
reach the host, thereby preventing any response. For more information about inspecting local router 
traffic, see 
.
Caution
Changing the maximum transmission unit (MTU) interrupts traffic on the device and packets are 
dropped. The range within which you can set the MTU can vary depending on the FireSIGHT System 
device model and interface type. See 
 for more 
information.
To configure a physical routed interface:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to configure the routed interface, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Next to the interface you want to configure as a routed interface, click the edit icon.