About Basic Interface Configuration
This section describes interface features and special interfaces.
Auto-MDI/MDIX Feature
For RJ-45 interfaces, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it.
Management Interface
The management interface, depending on your model, is a separate interface just for management traffic.
Management Interface Overview
You can manage the ASA by connecting to:
-
Any through-traffic interface
-
A dedicated Management Slot/Port interface (if available for your model)
You may need to configure management access to the interface according to Management Access.
Management Slot/Port Interface
The following table shows the Management interfaces per model.
Model |
Management 0/0 |
Management 1/1 |
Management 1/2 |
Configurable for Through Traffic |
Subinterfaces Allowed |
---|---|---|---|---|---|
Firepower 1000 |
— |
Yes |
— |
Yes |
Yes |
Firepower 2100 |
— |
Yes |
— |
— Note: Technically, you can enable through traffic; however, the throughput of this interface is not adequate for data operations. |
Yes |
Secure Firewall 3100 |
— |
Yes |
— |
Yes |
Yes |
Secure Firewall 4200 |
— |
Yes |
Yes |
Yes |
Yes |
Firepower 4100/9300 |
N/A The interface ID depends on the physical mgmt-type interface that you assigned to the ASA logical device |
— |
— |
— |
Yes |
ISA 3000 |
— |
Yes |
— |
— |
— |
ASAv |
Yes |
— |
— |
Yes |
— |
Use Any Interface for Management-Only Traffic
You can use any interface as a dedicated management-only interface by configuring it for management traffic, including an EtherChannel interface.
Management Interface for Transparent Mode
In transparent firewall mode, in addition to the maximum allowed through-traffic interfaces, you can also use the Management interface (either the physical interface, a subinterface (if supported for your model)) as a separate management-only interface. You cannot use any other interface types as Management interfaces. For the Firepower 4100/9300 chassis, the management interface ID depends on the mgmt-type interface that you assigned to the ASA logical device.
In multiple context mode, you cannot share any interfaces, including the Management interface, across contexts. To provide management per context on Firepower device models, you can create subinterfaces of the Management interface and allocate a Management subinterface to each context. However, ASA models do not allow subinterfaces on the Management interface, so per-context management for these models requires you to connect to a data interface. For the Firepower 4100/9300 chassis, the management interface and its subinterfaces are not recognized as specially-allowed management interfaces within the contexts; you must treat a management subinterface as a data interface in this case and add it to a BVI.
The management interface is not part of a normal bridge group. Note that for operational purposes, it is part of a non-configurable bridge group.
Note |
In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the ASA updates the MAC address table to use the management interface to access the switch, instead of the data interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds for security reasons. |