Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 8: Setting Up Virtual Switches
You can configure a managed device in a Layer 2 deployment so that it provides packet switching
between two or more networks. In a Layer 2 deployment, you can configure virtual switches on managed
devices to operate as standalone broadcast domains, dividing your network into logical segments. A
virtual switch uses the media access control (MAC) address from a host to determine where to send
packets.
When you configure a virtual switch, the switch initially broadcasts packets through every available port
on the switch. Over time, the switch uses tagged return traffic to learn which hosts reside on the networks
connected to each port.
Note: In a Layer 2 deployment, you cannot block egress traffic based on destination network or destination security zone. You must instead write access control rules that block ingress traffic based on source network or source security zone. For more information on adding zones and networks to access control rules, see and .
A virtual switch must contain two or more switched interfaces to handle traffic. For each virtual switch,
traffic becomes limited to the set of ports configured as switched interfaces. For example, if you
configure a virtual switch with four switched interfaces, packets sent in through one port for broadcast
can only be sent out of the remaining three ports on the switch.
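The two behaviours described above (flooding until a host's port is learned from return traffic, and confining every frame to the set of ports configured as switched interfaces) can be made concrete with a small model. The following is an added example written for this page, not code from the FireSIGHT System or from Cisco; port numbers, MAC addresses and the `VirtualSwitch`/`Frame` names are constructed for illustration.

```python
"""Constructed model of a MAC-learning virtual switch (added example, not Cisco code)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """A minimal Ethernet frame: only the addresses matter for forwarding."""
    src: str
    dst: str


@dataclass
class VirtualSwitch:
    """One broadcast domain, limited to the ports configured as switched interfaces."""
    ports: frozenset
    mac_table: dict = field(default_factory=dict)  # MAC address -> port it was learned on

    def __post_init__(self):
        # The guide requires two or more switched interfaces per virtual switch.
        if len(self.ports) < 2:
            raise ValueError("a virtual switch needs two or more switched interfaces")

    def forward(self, ingress_port, frame):
        """Return the set of egress ports for a frame that arrived on ingress_port."""
        if ingress_port not in self.ports:
            raise ValueError(f"port {ingress_port} is not a switched interface of this switch")
        # Learn the source host's location from the port the frame came in on.
        self.mac_table[frame.src] = ingress_port
        learned = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or learned is None:
            # Unknown or broadcast destination: flood every other port of this switch only.
            return self.ports - {ingress_port}
        if learned == ingress_port:
            # Destination is on the same segment the frame came from; nothing to forward.
            return set()
        return {learned}


def demo():
    """Walk through the learning sequence; returns each forwarding decision for inspection."""
    sw = VirtualSwitch(ports=frozenset({1, 2, 3, 4}))  # four switched interfaces (constructed)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MAC addresses
    first = sw.forward(1, Frame(src=host_a, dst=host_b))   # B unknown: flooded to ports 2, 3, 4
    reply = sw.forward(3, Frame(src=host_b, dst=host_a))   # A already learned: only port 1
    second = sw.forward(1, Frame(src=host_a, dst=host_b))  # B learned from the reply: only port 3
    return first, reply, second, dict(sw.mac_table)


if __name__ == "__main__":
    for label, decision in zip(("first", "reply", "second", "table"), demo()):
        print(f"{label}: {decision}")
```

The first frame reaches every other port of the switch, which is the window in which any host on those segments can observe traffic not addressed to it; once the return frame has populated the table, delivery narrows to a single port. Frames arriving on a port that is not a switched interface of this switch are rejected rather than leaking into another broadcast domain.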
When you configure a physical switched interface, you must assign it to a virtual switch. You can also
define additional logical switched interfaces on a physical port as needed.
Note that you cannot configure virtual switches, physical switched interfaces, or logical switched
interfaces on a virtual device or Sourcefire Software for X-Series.
Caution: If a Layer 2 deployment fails for any reason, the device no longer passes traffic.
See the following sections for more information about configuring a Layer 2 deployment:
Configuring Switched Interfaces
License: Control
Supported Devices: Series 3