Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 10
Setting Up Hybrid Interfaces
You can configure logical hybrid interfaces on managed devices that allow the FireSIGHT System to
bridge traffic between virtual routers and virtual switches. If IP traffic received on interfaces in a virtual
switch is addressed to the MAC address of an associated hybrid logical interface, the system handles it
as Layer 3 traffic and either routes or responds to the traffic depending on the destination IP address. If
the system receives any other traffic, it handles it as Layer 2 traffic and switches it appropriately. You
cannot configure logical hybrid interfaces on a virtual managed device or Sourcefire Software for
X-Series.
Note that hybrid interfaces that are not associated with both a virtual switch and a virtual router are not
available for routing, and do not generate or respond to traffic.
For more information about setting up hybrid interfaces, see
.
Adding Logical Hybrid Interfaces
License: Control
Supported Devices: Series 3
You must associate a logical hybrid interface with a virtual router and virtual switch to bridge traffic
between Layer 2 and Layer 3. You can only associate a single hybrid interface with a virtual switch.
However, you can associate multiple hybrid interfaces with a virtual router.
You can also configure SFRP on a logical hybrid interface. See
for more
information.
Note that disabling the ICMP Enable Responses option for hybrid interfaces does not prevent ICMP
responses in all scenarios. You can add rules to an access control policy to drop packets where the
destination IP is the hybrid interface’s IP and the protocol is ICMP. For more information about creating
access control rules, see . If you have enabled the Inspect Local Router Traffic option on the managed
device, it drops the packets before they reach the host, thereby preventing any response. For more
information about inspecting local router traffic, see .
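The association limits and the ICMP note above can be checked against a device inventory. The following is an added example, not part of the user guide or of any Cisco tooling: the inventory and rule schemas, all names and all addresses are constructed and hypothetical. It assumes the drop rule only takes full effect when Inspect Local Router Traffic is enabled, which is how this example reads the note.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed inventory; this schema is hypothetical, not a FireSIGHT export format.
INTERFACES = [
    {"name": "hyb-core", "ip": "10.0.10.1", "vswitch": "vs-core", "vrouter": "vr-1", "icmp_responses": False},
    {"name": "hyb-dmz", "ip": "10.0.20.1", "vswitch": "vs-dmz", "vrouter": "vr-1", "icmp_responses": False},
    {"name": "hyb-lab", "ip": "10.0.30.1", "vswitch": "vs-core", "vrouter": None, "icmp_responses": True},
]
# Constructed access control rules, reduced to the fields this check needs.
RULES = [
    {"action": "block", "protocol": "icmp", "dst_ip": "10.0.10.1"},
    {"action": "allow", "protocol": "icmp", "dst_ip": "10.0.20.1"},
]


def has_icmp_drop_rule(ip, rules):
    """True if a block rule matches ICMP destined to exactly this interface IP."""
    return any(r["action"] == "block" and r["protocol"] == "icmp"
               and ip_address(r["dst_ip"]) == ip_address(ip) for r in rules)


def audit(interfaces, rules, inspect_local_router_traffic):
    """Return (object, finding) pairs for the constraints described in the guide."""
    findings = []
    # A virtual switch can be associated with only a single hybrid interface.
    per_switch = Counter(i["vswitch"] for i in interfaces if i["vswitch"])
    findings += [(sw, "multiple-hybrid-on-switch") for sw, n in sorted(per_switch.items()) if n > 1]
    for i in interfaces:
        # Without both associations the interface neither routes nor responds.
        if not (i["vswitch"] and i["vrouter"]):
            findings.append((i["name"], "not-bridging"))
        elif not i["icmp_responses"]:
            # Disabling responses alone is not sufficient; look for the drop rule.
            if not has_icmp_drop_rule(i["ip"], rules):
                findings.append((i["name"], "no-icmp-drop-rule"))
            elif not inspect_local_router_traffic:
                findings.append((i["name"], "drop-rule-without-local-inspection"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(INTERFACES, RULES, inspect_local_router_traffic=False):
        print(f"{obj}: {finding}")
```
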
Caution
Changing the maximum transmission unit (MTU) interrupts routed or switched traffic on the device and
packets are dropped. The range within which you can set the MTU can vary depending on the FireSIGHT
System device model and interface type. See
more information.