Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 8: Setting Up Virtual Switches
You can configure a managed device in a Layer 2 deployment so that it provides packet switching 
between two or more networks. In a Layer 2 deployment, you can configure virtual switches on managed 
devices to operate as standalone broadcast domains, dividing your network into logical segments. A 
virtual switch uses the media access control (MAC) address from a host to determine where to send 
packets.
When you configure a virtual switch, the switch initially broadcasts packets through every available port 
on the switch. Over time, the switch uses tagged return traffic to learn which hosts reside on the networks 
connected to each port.
Note
In a Layer 2 deployment, you cannot block egress traffic based on destination network or destination 
security zone. You must instead write access control rules that block ingress traffic based on 
source network or source security zone. For more information on adding zones and networks to access 
control rules, see 
 and 
.
A virtual switch must contain two or more switched interfaces to handle traffic. For each virtual switch, 
traffic becomes limited to the set of ports configured as switched interfaces. For example, if you 
configure a virtual switch with four switched interfaces, packets sent in through one port for broadcast 
can only be sent out of the remaining three ports on the switch.
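
The flood-then-learn behavior described above can be modeled in a few lines. This is an added example, not code from the FireSIGHT System; the interface names and MAC addresses are constructed, and the model learns from the source address of every frame it sees, which includes return traffic.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VirtualSwitch:
    """Generic MAC-learning model of one virtual switch (assumed, simplified)."""

    def __init__(self, interfaces):
        if len(interfaces) < 2:
            raise ValueError("a virtual switch needs two or more switched interfaces")
        self.interfaces = list(interfaces)
        self.mac_table = {}  # learned MAC address -> switched interface

    def forward(self, in_if, src_mac, dst_mac):
        """Return the switched interfaces the frame is sent out of."""
        if in_if not in self.interfaces:
            raise ValueError(f"{in_if} is not a switched interface on this switch")
        # Learn (or refresh) which interface the sending host sits behind.
        self.mac_table[src_mac] = in_if
        out_if = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_if is None:
            # Broadcast or unknown destination: flood, but never back out the
            # ingress port and never outside this switch's own interfaces.
            return [i for i in self.interfaces if i != in_if]
        if out_if == in_if:
            return []  # destination is on the ingress segment; nothing to send
        return [out_if]

def demo():
    # Constructed sample: four switched interfaces, two hosts (documentation MACs).
    sw = VirtualSwitch(["s1p1", "s1p2", "s1p3", "s1p4"])
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    first = sw.forward("s1p1", host_a, host_b)   # B not yet learned: flooded
    reply = sw.forward("s1p3", host_b, host_a)   # A was learned: single port
    second = sw.forward("s1p1", host_a, host_b)  # B now learned: single port
    return first, reply, second

if __name__ == "__main__":
    for step, ports in zip(("first", "reply", "second"), demo()):
        print(step, "->", ports)
```

Until a destination has been learned, its frames reach every other switched interface on the same virtual switch, so each of those segments sees that traffic.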
When you configure a physical switched interface, you must assign it to a virtual switch. You can also 
define additional logical switched interfaces on a physical port as needed.
Note that you cannot configure virtual switches, physical switched interfaces, or logical switched 
interfaces on a virtual device or Sourcefire Software for X-Series.
Caution
If a Layer 2 deployment fails for any reason, the device no longer passes traffic.
See the following sections for more information about configuring a Layer 2 deployment:
  •
  •
Configuring Switched Interfaces
License: Control
Supported Devices: Series 3