Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 8-7
Chapter 8      Setting Up Virtual Switches
Configuring Virtual Switches
Tip: Interfaces that you have disabled from the Interfaces tab are not available; disabling an interface after you add it removes it from the configuration.

Step 7  Click Add.

Step 8  Optionally, from the Hybrid Interface drop-down list, select a hybrid interface that ties the virtual switch to a virtual router. For more information, see

Step 9  Click Save.

The virtual switch is added. Note that your changes do not take effect until you apply the device configuration; see

Tip: To configure advanced settings for the switch, such as static MAC entries and spanning tree protocol, see .
Configuring Advanced Virtual Switch Settings
License: Control
Supported Devices: Series 3
When adding or editing a virtual switch, you can add static MAC entries, enable Spanning Tree Protocol (STP), drop Bridge Protocol Data Units (BPDU), and enable strict TCP enforcement.

Over time, a virtual switch learns MAC addresses by tagging return traffic from the network. Optionally, you can manually add a static MAC entry, which designates that a MAC address resides on a specific port. Regardless of whether you ever receive traffic from that port, the MAC address remains static in the table. You can specify one or more static MAC addresses for each virtual switch.

STP is a network protocol used to prevent network loops. BPDUs are exchanged through the network, carrying information about network bridges. The protocol uses BPDUs to identify and select the fastest network links, if there are redundant links in the network. If a network link fails, Spanning Tree fails over to an existing alternate link.

If your virtual switch routes traffic between VLANs, similar to a router on a stick, BPDUs enter and exit the device through different logical switched interfaces, but the same physical switched interface. As a result, STP identifies the device as a redundant network loop, which can cause issues in certain Layer 2 deployments. To prevent this, you can configure the virtual switch at the domain level to have the device drop BPDUs when monitoring traffic.
Note: Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a device cluster.
To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed. Strict enforcement also blocks:
  • non-SYN TCP packets for connections where the three-way handshake was not completed
  • non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK
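As an added illustration, not code from this guide or from the FireSIGHT product, the following Python models the strict-enforcement decisions listed above as a per-flow handshake tracker: a packet is allowed only when it fits a correctly ordered three-way handshake or an already established connection. The packet representation, the flow key and the sample endpoints are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto

class State(Enum):
    SYN_SENT = auto()     # initiator's SYN seen, waiting for SYN-ACK
    SYNACK_RCVD = auto()  # responder's SYN-ACK seen, waiting for final ACK
    ESTABLISHED = auto()  # three-way handshake completed

@dataclass(frozen=True)
class Packet:  # assumed simplified packet: endpoints as "ip:port", TCP flag names
    src: str
    dst: str
    flags: frozenset

class StrictTcpEnforcer:
    """Models strict TCP enforcement: a packet passes only if it fits a
    correctly ordered three-way handshake or an established connection."""
    def __init__(self):
        self.flows = {}  # (initiator, responder) -> State

    def process(self, pkt):
        """Return 'allow' or 'drop' for one packet and update flow state."""
        f = pkt.flags
        if (pkt.src, pkt.dst) in self.flows:
            key, from_initiator = (pkt.src, pkt.dst), True
        elif (pkt.dst, pkt.src) in self.flows:
            key, from_initiator = (pkt.dst, pkt.src), False
        else:  # untracked flow: only a fresh SYN may open one
            if f == {"SYN"}:
                self.flows[(pkt.src, pkt.dst)] = State.SYN_SENT
                return "allow"
            return "drop"  # non-SYN packet without a completed handshake
        state = self.flows[key]
        if state is State.ESTABLISHED:
            return "allow"
        if "RST" in f:  # either side may abort an incomplete handshake
            del self.flows[key]
            return "allow"
        if state is State.SYN_SENT:
            if from_initiator:  # before the SYN-ACK only a SYN retransmit (or RST) passes
                return "allow" if f == {"SYN"} else "drop"
            if f == {"SYN", "ACK"}:
                self.flows[key] = State.SYNACK_RCVD
                return "allow"
            return "drop"
        # SYNACK_RCVD: the initiator's ACK completes the handshake
        if from_initiator and "ACK" in f and "SYN" not in f:
            self.flows[key] = State.ESTABLISHED
            return "allow"
        return "allow" if (not from_initiator and f == {"SYN", "ACK"}) else "drop"
```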