
Hybrid Interfaces - Cisco AMP8050 Hardware Installation

Firepower 8000 series


You can configure your device as a virtual router and use the remaining interfaces to connect to the network
segments you want to monitor. You can also enable strict TCP enforcement on the virtual router, which drops
TCP traffic that is not part of a properly established connection (for example, segments seen before the
three-way handshake has completed).
To use a virtual router on your device, create physical routed interfaces on your device and then follow
the instructions for Setting Up Virtual Routers in the Firepower Management Center Configuration Guide.

Hybrid Interfaces

You can configure logical hybrid interfaces on Firepower devices that allow the Firepower System to
bridge traffic between virtual routers and virtual switches. The forwarding decision is made on the
destination MAC address: if IP traffic received on interfaces in a virtual switch is addressed to the MAC
address of an associated hybrid interface, the system handles it as Layer 3 traffic and either routes it
or responds to it, depending on the destination IP address. All other traffic, including non-IP frames
addressed to the hybrid interface's MAC address, is handled as Layer 2 traffic and switched appropriately.
To create a hybrid interface, you first configure a virtual switch and virtual router, then add the virtual
switch and virtual router to the hybrid interface. A hybrid interface that is not associated with both a
virtual switch and a virtual router is not available for routing, and does not generate or respond to traffic.
You can configure hybrid interfaces with network address translation (NAT) to pass traffic between
networks. For more information, see Deploying with Policy-Based NAT.
If you want to use hybrid interfaces on your device, define a hybrid interface on the device and then
follow the instructions for Setting Up Hybrid Interfaces in the Firepower Management Center
Configuration Guide.
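The forwarding decision described above, as an added model that is not Cisco's code and not taken from the Firepower configuration: a frame is handed to the Layer 3 path only when it is IP traffic addressed to the hybrid interface's MAC address and the hybrid interface is bound to both a virtual switch and a virtual router; everything else stays on the Layer 2 path. The class names, the port names (eth1 to eth5), the MAC and IP addresses and the route table are all assumptions constructed for the example; NAT is not modelled.

```python
"""Model of the hybrid-interface forwarding decision.

Added illustration only (not Cisco code). The classes, port names, addresses
and routes below are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    in_port: str
    src_mac: str
    dst_mac: str
    dst_ip: Optional[str] = None  # None for non-IP traffic such as ARP


@dataclass
class VirtualRouter:
    routes: Dict[str, str]  # prefix -> egress routed interface (assumed representation)

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, via in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


@dataclass
class VirtualSwitch:
    ports: Set[str]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port, learned

    def switch(self, f: Frame) -> Tuple[str, List[str]]:
        """Plain learning switch: learn source, forward known unicast, flood the rest."""
        self.mac_table[f.src_mac] = f.in_port
        if f.dst_mac == BROADCAST or f.dst_mac not in self.mac_table:
            return ("flood", sorted(self.ports - {f.in_port}))
        return ("forward", [self.mac_table[f.dst_mac]])


@dataclass
class HybridInterface:
    mac: str
    ip: str
    switch: Optional[VirtualSwitch] = None
    router: Optional[VirtualRouter] = None

    def active(self) -> bool:
        # A hybrid interface must be bound to BOTH a switch and a router to route or respond.
        return self.switch is not None and self.router is not None

    def handle(self, f: Frame):
        # Layer 3 path only for IP traffic addressed to the hybrid interface's own MAC.
        is_l3 = self.active() and f.dst_ip is not None and f.dst_mac.lower() == self.mac.lower()
        if is_l3:
            if f.dst_ip == self.ip:
                return ("respond", self.ip)           # e.g. ping to the hybrid interface itself
            via = self.router.lookup(f.dst_ip)
            return ("route", via) if via else ("drop", "no route")
        if self.switch is None:
            return ("drop", "no virtual switch")
        return self.switch.switch(f)                    # everything else is Layer 2


def demo() -> Dict[str, object]:
    """Run a handful of constructed frames through a bound and an unbound hybrid interface."""
    vs = VirtualSwitch(ports={"eth1", "eth2", "eth3"})
    vr = VirtualRouter(routes={"10.1.0.0/16": "eth4", "0.0.0.0/0": "eth5"})
    hyb = HybridInterface(mac="00:11:22:33:44:55", ip="192.168.1.1", switch=vs, router=vr)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    out = {}
    out["ping_gateway"] = hyb.handle(Frame("eth1", host_a, hyb.mac, "192.168.1.1"))
    out["to_10_net"] = hyb.handle(Frame("eth1", host_a, hyb.mac, "10.1.5.9"))
    out["to_internet"] = hyb.handle(Frame("eth1", host_a, hyb.mac, "8.8.8.8"))
    out["arp_for_gateway"] = hyb.handle(Frame("eth1", host_a, BROADCAST))   # non-IP: switched
    out["unknown_unicast"] = hyb.handle(Frame("eth1", host_a, host_b, "192.168.1.20"))
    out["learned_unicast"] = hyb.handle(Frame("eth2", host_b, host_a, "192.168.1.10"))
    # Hybrid interface with no virtual router: traffic to its MAC is not routed or answered.
    unbound = HybridInterface(mac=hyb.mac, ip=hyb.ip, switch=vs, router=None)
    out["unbound_hybrid"] = unbound.handle(Frame("eth3", host_b, hyb.mac, "8.8.8.8"))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The point worth noticing for segmentation reviews: the only thing that moves a frame from the switched domain into the routed one is its destination MAC (plus the IP ethertype), so a host on the virtual switch that knows the hybrid interface's MAC can always reach the Layer 3 path, and whatever access control you rely on has to sit in the access control and NAT policy applied there, not in the switch membership.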
Connecting Devices to Your Network
You can connect the sensing interfaces on your managed devices to your network in several ways.
Configure a hub or network tap using either passive or inline interfaces, or a span port using passive
Using a Hub
An Ethernet hub is a simple way to ensure that the managed device can see all the traffic on a network
segment. A true hub is a Layer 1 repeater: every frame received on one port is repeated out every other
port, regardless of its destination address. Connect the interface set to the hub to monitor all
incoming and outgoing traffic on the segment. Using a hub does not guarantee that the detection engine
sees every packet on a higher-volume network, because a hub is a shared half-duplex medium and packets
can collide. For a simple network with low traffic, this is not likely to be a problem. In a high-traffic
network, a different option may provide better results. Note also that the hub is a single point of
failure: if it fails or loses power, the network connection is broken, and in a simple network the
network would be down.
Some devices are marketed as hubs but actually function as switches and do not repeat each frame
to every port. If you attach your managed device to a hub but do not see all the traffic, you may need to
purchase a different hub or use a switch with a SPAN port.
Firepower 8000 Series Hardware Installation Guide, Chapter 6: Deploying Firepower Managed Devices