Cisco Firepower/FTD 4100/9300: Changing the Management Interface on the Cisco FTD device

0 Comments

When configuring the Firepower eXtensible Operating System (FXOS) on the 4100 and 9300 FTD devices, one of the first duties you need to perform is to configure your management and event interfaces, and once you’ve done this a couple times you find that it’s rather easy. However, if you need to change your management channel, for various reasons, you’ll find that the FTD boxes don’t really like you to do that.

One of the reasons you’d need to change your management and/or event ports could be because you had configured the management ports as 1gig ports and you need to either go to 10gig, and/or create a port channel because of traffic issues.  See blog post about event data issues at large customer

Since your network should look like the figure below, let’s discuss the problem and how to fix it.

First, understand that if you lose your management port on your FMC or FTD box(es), Firepower just keeps on working, except a few things such as AD integration and Malware lookups. Yes, those are important but your SI and snort process are unaffected for the most part.

Problem:

If you move your management cable from one port to another on your FTD box, after 5 minutes you’ll get a warning on your FTD device displayed on the FMC devices page, and then after another 5 minutes, your FMC will show a critical health alert (assuming your monitoring your interfaces, which is on by default in your health policy). At this point you can perform no management of the FTD box(es) from your FMC such as deploying policy.

 

Solution 1:

Move the cables back to the original ports. That’s kinda a ridiculous solution, but if you need to get this back up and running asap then this is the way to go.

Solution 2:

Your possible only answer if you didn’t think ahead and perform solution 3 when designing and configuring your FXOS interfaces is to delete all your devices out of your FMC and then bring them back in again. This is very time consuming, and you have to redo all your HA pairs…yes, this happened to me which is why I wrote this blog post. Why do you have to remove them? Because the FMC builds a tunnel to your FTD devices using the Mac address of the link. Solution 3 fixes this.

Solution 3 (Winner!):

When you first build your FXOS interface configuration, create a port-channel for your management link. If you don’t have unlimited ports/money, then just make it a single interface port-channel. This will create a virtual Mac address that doesn’t switch with your physical port.

 

Now when you need to move your management ports you can just create them as a member of the same port channel and they will just keep working…nice!

 

Leave a Reply

Your email address will not be published. Required fields are marked *