Hybrid Interfaces; Connecting Devices To Your Network; Using A Hub - Cisco 7010 Installation Manual


To use routed interfaces in a Layer 3 deployment, you must configure virtual routers and assign routed
interfaces to them. A virtual router is a group of routed interfaces that route Layer 3 traffic.
You can configure your device as a virtual router and use the remaining interfaces to connect to the network
segments you want to monitor. You can also enable strict TCP enforcement on a virtual router for maximum
TCP security; the system then drops TCP packets that do not belong to a connection established with a
normal three-way handshake.
To use a virtual router on your device, create physical routed interfaces on the device and then follow
the instructions for Setting Up Virtual Routers in the Firepower Management Center Configuration
Guide.

Hybrid Interfaces

You can configure logical hybrid interfaces on Firepower devices that allow the Firepower System to
bridge traffic between virtual routers and virtual switches. If IP traffic received on interfaces in a virtual
switch is addressed to the MAC address of an associated hybrid logical interface, the system handles it
as Layer 3 traffic: if the destination IP address is the hybrid interface's own address, the system responds
to the traffic; otherwise it routes the traffic through the associated virtual router. Any other traffic is
handled as Layer 2 traffic and switched within the virtual switch.
To create a hybrid interface, you first configure a virtual switch and a virtual router, then add both the
virtual switch and the virtual router to the hybrid interface. A hybrid interface that is not associated with
both a virtual switch and a virtual router is not available for routing, and does not generate or respond to
traffic.
You can configure hybrid interfaces with network address translation (NAT) to pass traffic between
networks. For more information, see Deploying with Policy-Based NAT, page 3-11.
If you want to use hybrid interfaces on your device, define a hybrid interface on the device and then
follow the instructions for Setting Up Hybrid Interfaces in the Firepower Management Center
Configuration Guide.
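The forwarding rule above (frames to the hybrid interface's MAC go to the virtual router, everything else is switched, and a half-configured hybrid interface neither routes nor answers) can be modelled in a few lines. The following is an added example written for this page, not Firepower code; the classes VirtualRouter, VirtualSwitch and HybridInterface, the handle_frame function, the interface names and the sample frames are all assumptions made for the illustration.

```python
"""Model of the hybrid-interface forwarding decision (added example, not Firepower code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VirtualRouter:
    # (destination prefix, egress routed interface); the longest matching prefix wins
    routes: list

    def lookup(self, dst_ip):
        best = None
        for prefix, egress in self.routes:
            if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, egress)
        return best[1] if best else None


@dataclass
class VirtualSwitch:
    ports: set
    mac_table: dict = field(default_factory=dict)  # learned source MAC -> port


@dataclass
class HybridInterface:
    mac: str
    ip: ipaddress.IPv4Address
    switch: Optional[VirtualSwitch] = None
    router: Optional[VirtualRouter] = None

    def usable(self):
        # Per the manual: without both associations the hybrid interface is not
        # available for routing and does not generate or respond to traffic.
        return self.switch is not None and self.router is not None


def handle_frame(switch, hybrid, frame):
    """Return (action, detail) for a frame received on a port of the virtual switch."""
    in_port, src_mac, dst_mac = frame["in_port"], frame["src_mac"], frame["dst_mac"]
    switch.mac_table[src_mac] = in_port  # ordinary Layer 2 source-MAC learning

    # Layer 3 path: only frames addressed to the MAC of a fully associated
    # hybrid interface on this switch are handed to the virtual router.
    if hybrid.usable() and hybrid.switch is switch and dst_mac == hybrid.mac:
        dst_ip = ipaddress.IPv4Address(frame["dst_ip"])
        if dst_ip == hybrid.ip:
            return "respond", str(hybrid.ip)  # e.g. a ping to the hybrid address
        egress = hybrid.router.lookup(dst_ip)
        return ("route", egress) if egress else ("drop", "no route")

    # Layer 2 path: everything else is switched (or flooded if the MAC is unknown).
    out_port = switch.mac_table.get(dst_mac)
    if out_port is None:
        return "flood", sorted(switch.ports - {in_port})
    if out_port == in_port:
        return "drop", "destination is on the ingress port"
    return "switch", out_port


def demo():
    """Run constructed sample frames (not captured traffic) through the model."""
    vr = VirtualRouter(routes=[
        (ipaddress.IPv4Network("0.0.0.0/0"), "eth0"),
        (ipaddress.IPv4Network("10.0.0.0/8"), "eth1"),
        (ipaddress.IPv4Network("10.1.0.0/16"), "eth2"),
    ])
    vs = VirtualSwitch(ports={"s1", "s2", "s3"})
    hy = HybridInterface(mac="00:11:22:33:44:55",
                         ip=ipaddress.IPv4Address("192.168.1.1"), switch=vs, router=vr)
    to_hybrid = {"in_port": "s1", "src_mac": "aa", "dst_mac": hy.mac}
    results = {
        "routed": handle_frame(vs, hy, {**to_hybrid, "dst_ip": "10.1.2.3"}),
        "answered": handle_frame(vs, hy, {**to_hybrid, "dst_ip": "192.168.1.1"}),
        "unknown_l2": handle_frame(vs, hy, {"in_port": "s1", "src_mac": "aa",
                                            "dst_mac": "bb", "dst_ip": "192.168.1.9"}),
        "known_l2": handle_frame(vs, hy, {"in_port": "s2", "src_mac": "bb",
                                          "dst_mac": "aa", "dst_ip": "192.168.1.7"}),
    }
    # Same MAC and address, but no virtual router attached: the frame is just switched
    # (flooded, since nothing has learned that MAC) and no response is generated.
    half = HybridInterface(mac=hy.mac, ip=hy.ip, switch=vs, router=None)
    results["half_configured"] = handle_frame(vs, half, {**to_hybrid, "dst_ip": "10.1.2.3"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "half_configured" case is the one worth checking in a real deployment: a hybrid interface that is missing its virtual router silently falls back to Layer 2 handling, so hosts on the virtual switch will see their traffic flooded rather than routed.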
Connecting Devices to Your Network
You can connect the sensing interfaces on your managed devices to your network in several ways:
through a hub or a network tap, using either passive or inline interfaces, or through a SPAN (port
mirroring) port, using passive interfaces only, since a mirrored copy of the traffic cannot be blocked.

Using a Hub

An Ethernet hub is a simple way to ensure that the managed device can see all the traffic on a network
segment. A hub is a Layer 1 repeater: every frame that arrives on one port, IP or otherwise, is repeated
out every other port, so an interface set connected to the hub receives all incoming and outgoing traffic
on the segment. Using a hub does not guarantee that the detection engine sees every packet on a
higher-volume network, because a hub is a shared half-duplex medium and collisions corrupt or
truncate frames. For a simple network with low traffic, this is not likely to be a problem. In a
high-traffic network, a network tap or SPAN port usually gives better results (hubs are also limited to
10/100 Mbps). Note that if the hub fails or loses power, the network connection through it is broken. In
a simple network, the network would be down.
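A practitioner who deploys a sensor behind a hub (or a tap) wants to know whether collisions are actually costing packets. The script below is an added example, not a procedure from this manual or from Cisco; it assumes a Linux host whose sniffing NIC counters can be read from /proc/net/dev (the kernel's standard interface statistics file), and the embedded sample is constructed text in that file's real layout, not data from a device.

```python
"""Estimate packet loss on a receive-only sensing NIC from /proc/net/dev (added example)."""

# Column order of /proc/net/dev after the "iface:" prefix: 8 receive, then 8 transmit.
FIELDS = ("rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame",
          "rx_compressed", "rx_multicast",
          "tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo", "tx_colls",
          "tx_carrier", "tx_compressed")

# Constructed sample in the /proc/net/dev layout (not captured from a real sensor).
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth1: 987654321 1200000    0 4500    0  830          0       120   120000    1000    0    0    0   310       0          0
"""


def parse_proc_net_dev(text):
    """Return {interface: {field: int}} for every counter line in the file."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        iface, _, rest = line.partition(":")
        values = [int(v) for v in rest.split()]
        if len(values) != len(FIELDS):
            continue  # unexpected layout; skip rather than misattribute columns
        stats[iface.strip()] = dict(zip(FIELDS, values))
    return stats


def sensing_loss(stats, iface, threshold=0.001):
    """Return (loss ratio, ok) for a sniffing interface.

    On a receive-only port, collisions on the shared hub segment surface as
    frame/alignment errors and receive errors; host overload surfaces as drops.
    The 0.1% threshold is an assumption for this example, not a Cisco figure.
    """
    s = stats[iface]
    bad = s["rx_errs"] + s["rx_drop"] + s["rx_frame"]
    total = s["rx_packets"] + bad
    ratio = bad / total if total else 0.0
    return ratio, ratio <= threshold


def report(iface="eth1", path="/proc/net/dev"):
    """Read the live file if present, otherwise fall back to the constructed sample."""
    try:
        with open(path) as f:
            text = f.read()
    except OSError:
        text = SAMPLE
    stats = parse_proc_net_dev(text)
    if iface not in stats:
        return f"{iface}: not present in {path}"
    ratio, ok = sensing_loss(stats, iface)
    verdict = "ok" if ok else "WARNING: sensor is missing packets; consider a tap or SPAN port"
    return f"{iface}: {ratio:.3%} of received frames lost or damaged -> {verdict}"


if __name__ == "__main__":
    print(report())
```

Run it periodically on the sensor during peak traffic; a rising rx_frame count on a hub-fed interface is the signature of collisions described above, while rx_drop with a clean rx_frame points at the host, not the hub.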
Firepower 7000 and 8000 Series Installation Guide
3-4
Physical routed interfaces are physical interfaces with routing configured. Use physical routed
interfaces to handle untagged VLAN traffic.
Logical switched interfaces are an association between a physical interface and a VLAN tag. Use
logical interfaces to handle traffic with designated VLAN tags.
