|
Duplex
|
Lists the duplex options for the interface, including Auto, Full, Half, or N/A, depending on the interface type.
For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.
|
Note
|
This option is not available when Subinterface or Redundant is the chosen Interface type.
|
|
|
Speed
|
Lists the speed options (in bits per second) for a physical interface; not applicable to logical interfaces. The speeds available
depend on the interface type.
|
Note
|
This option is not available when subinterface or redundant is the selected Interface type.
|
The port PID for the management interfaces must be specified in the path C:\Program Files (x86)\CSCOpx\MDC\athena\config\csm.properties.The
supported speed options for management interfaces are as follows:
The configurable speed options for RJ 45 interfaces supported from Ethernet1/1 to Ethernet1/8 for FPR-3100 devices are as
follows:
The following combination of speed options are not supported in RJ45 interfaces:
-
1000 and duplex half
-
auto and duplex half
The configurable speed options for an SFP port (from Ethernet1/9 to Ethernet1/16) are identified based on the SFP port PID
which you can configure in CSM.properties. The port PID for the SFP ports must be specified in the path C:\Program Files (x86)\CSCOpx\MDC\athena\config\csm.properties.
|
Note
|
You cannot configure half-duplex value for SFP ports, only full duplex is allowed.
|
The supported speed options for FPR-3110 and FPR-3120 are as follows:
-
1000
-
10000
-
no-negotiate
-
sfp-detect
The supported speed options for Secure Firewall 4200 series devices, FPR-3130, and FPR-3140 are as follows:
-
1000
-
10000
-
25000
-
no-negotiate
-
sfp-detect
The configurable speed options for Secure Firewall 3100 series devices for the EPM ports (from Ethernet2/1 to Ethernet2/8)
are identified based on the module type from device show inventory. The EPM ports must be specified in the path C:\Program
Files (x86)\CSCOpx\MDC\athena\config\csm.properties. The supported speed options are as follows:
-
FPR-X-NM-8X10G module:
-
1000
-
10000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-8X25G module:
-
1000
-
10000
-
25000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-4X40G module:
-
40000
-
sfp-detect
-
no-negotiate
For Secure Firewall 4200 series devices, the configurable speed options for the EPM ports (Ethernet2/1 to Ethernet2/8 and
Ethernet3/1 to Ethernet3/8 and ) are identified based on the module type from device show inventory. The EPM ports must be
specified in the path C:\Program Files (x86)\CSCOpx\MDC\athena\config\csm.properties. The supported speed options are as follows:
-
FPR-X-NM-8X10G module:
-
1000
-
10000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-8X25G module:
-
1000
-
10000
-
25000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-4X40G module:
-
40000
-
sfp-detect
-
no-negotiate
-
FPR-X-NM-2X100G
-
100000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-4X200G
-
200000
-
no-negotiate
-
sfp-detect
-
FPR-X-NM-2X400G:
-
40000
-
100000
-
200000
-
400000
-
sfp-detect
For CSF-1220CX devices, the configurable speed options for the SFP ports (Ethernet1/9 and Ethernet1/10) are identified based
on the SFP port PID which you can configure in CSM.properties. The port PID for the SFP ports must be specified in the path
C:\Program Files (x86)\CSCOpx\MDC\athena\config\csm.properties. The supported speed options are as follows:
-
1000
-
10000
-
no-negotiate
-
sfp-detect
|
|
FEC Mode
|
If you choose Physical Interface, you can configure the FEC Mode to reduce errors in data transmission over noisy channels.
FEC Mode supports Physical Interface hardware ports from Ethernet1/9 to Ethernet1/16. The default value is auto. FEC Mode configuration is supported in the following Firepower devices:
Following are the available FEC mode values:
-
auto
-
cl108-rs
-
cl74-fc
-
disable
|
Note
|
FEC Mode configuration is applicable to ASA 9.17(1) and higher devices only. FEC Mode is not applicable to Management Interfaces.
|
|
Note
|
For Secure Firewall 4200 series devices mangement interfaces (Management1/1 and Management1/2), FEC is always configured as None.
|
|
|
Negotiate-Auto
|
If you choose Physical Interface, you can configure the Negotiate-Auto whenever there is an interop issue with the peer.
Negotiate-Auto configuration is supported in the following Secure Firewall devices:
-
FPR-3110
-
FPR-3120
-
FPR-3130
-
FPR-3140
-
FPR-4215
-
FPR-4225
-
FPR-4245
|
Note
|
Negotiate-Auto configuration is applicable to ASA 9.17(1) and higher devices only. Negotiate-Auto (AP-port) is not applicable to Management
Interfaces and not supported if the interfaces are the member of port channel interface.
|
|
|
Enable Flow Control
|
If you choose Physical Interface, you can configure the Enable Flow Control option to control the packet flow.
Enable Flow Control send configuration is supported in the following Secure Firewall devices:
-
FPR-3110
-
FPR-3120
-
FPR-3130
-
FPR-3140
-
FPR-4215
-
FPR-4225
-
FPR-4245
|
Note
|
Enable Flow Control configuration is applicable to ASA 9.18(1) and higher devices only.
|
|
|
MTU
|
Specify the maximum packet size in bytes; that is, the maximum transmission unit (MTU). The value depends on the type of
network connected to the interface. Valid values are 64 to 9198 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. In multiple-context mode, set the MTU in
the context configuration.
|
Note
|
For cluster control link, we do not recommend the MTU size between 2561 to 8362. Due to block pool handling, the MTU size
between this range is not optimal for system operation.
|
|
|
Active MAC Address
Standby MAC Address
|
Available only on PIX 7.2+ and ASA 7.2+ devices.
Use the Active MAC Address field to manually assign a private MAC address to the interface; the Standby MAC Address field
can be used to set a standby MAC address for use with device-level failover.
Refer to Device Interface: MAC Address for more information about these fields.
|
|
Roles
|
All interface roles assigned to this interface are listed in this field. Role assignments are based on pattern matching between
the Name given to this interface and all currently defined Interface Role objects in Cisco Security Manager.
Interface role objects are replaced with the actual interface IP addresses when the configuration is generated for each device.
They allow you to define generic rules—ones that can apply to multiple interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.
|
|
MAC Address
|
Site specific MAC address.
|
|
Site ID
|
Site ID to specify the site the current unit belongs to.
|
|
Beginning with Security Manager version 4.9 for ASA devices running the software version 9.5(1) or later, you can use inter-site
clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member
so that a site-specific MAC address for each interface can be shared among a site’s units.
|
|
EtherChannel Interface options; available on ASA 8.4.1+ devices only.
|
|
Load Balancing
|
When EtherChannel is the chosen interface Type (on the General panel), choose a load-balancing method for the channel links.
See About EtherChannel Load Balancing, for more information about this option.
|
|
LACP Mode
|
Select the desired LACP Mode; the default is Active, which means up to eight interfaces are active, while up to eight are in stand-by mode, as determined
by the Minimum and Maximum values under Active Physical Interfaces.
If you select On, a static port-channel is created in which all member interfaces are all “on,” meaning you can have up to
16 ports passing traffic, with no stand-by ports. When you select this option, the Mode for all interfaces assigned to this
EtherChannel group is switched to On (if the Mode for each is not already On). See Editing LACP Parameters for an Interface Assigned to an EtherChannel, for more information about this mode.
|
|
Active Physical Interfaces
|
When EtherChannel is the chosen interface Type (on the General panel), specify the minimum and maximum number of interfaces
that can be active for this EtherChannel group:
If the active interfaces in the channel group falls below this value, then the port-channel interface goes down, and could
trigger a device-level failover.
For 16 active interfaces, be sure that your switch supports the feature (for example, the Cisco Nexus 7000 with F2-Series
10 Gigabit Ethernet Module). If your switch does not support 16 active interfaces, be sure to set this command to 8 or fewer.
Interfaces available to the channel are selected on the General tab of this dialog box (Add/Edit Interface Dialog Box: General Tab (PIX 7.0+/ASA/FWSM)).
Specifying 3, 5, 6, or 7 active ports in an EtherChannel bundle provides poor load balancing, because some ports get up to
twice the load of others. We recommend specifying 2, 4, or 8 active ports per EtherChannel to achieve effective load balancing.
(A value of 1 provides no load balancing at all.)
|
|
DHCP Relay options; available on ASA-SM 9.1.2+ devices only.
|
|
DHCP Relay Servers
|
Enter the IP address or select a Networks/Hosts object representing the interface-specific DHCP server to which DHCP requests
on this interface are relayed. Use a comma to separate multiple values. You can configure a maximum of 4 interface-specific
DHCP relay servers and a maximum of 10 global and interface-specific DHCP relay servers combined.
|
Note
|
IPv6 is not supported for interface-specific servers.
|
When a DHCP request enters an interface, the DHCP servers to which the ASA relays the request depends on your configuration.
You can configure the following types of servers:
-
Interface-specific DHCP servers—When a DHCP request enters a particular interface, then the ASA relays the request only to
the interface-specific servers.
-
Global DHCP servers—When a DHCP request enters an interface that does not have interface-specific servers configured, the
ASA relays the request to all global servers. If the interface has interface-specific servers, then the global servers are
not used. For more information, see DHCP Relay Page.
|
|
DHCP Relay Trust Info (Option 82)
|
Specifies that you want to trust this DHCP client interface. You can configure interfaces as trusted interfaces to preserve
DHCP Option 82.
|
Note
|
You can also trust all DHCP client interfaces. For more information, see DHCP Relay Page.
|
DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP
relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent
address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that
packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface.
|
|
Secure Group Tagging options; available on ASA 9.3.1+ devices only.
SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on
Ethernet interfaces using Cisco proprietary Ethernet framing (EtherType 0x8909), which allows the insertion of source security
group tags into plain-text Ethernet frames. The ASA inserts security group tags on the outgoing packet and processes security
group tags on the incoming packet, based on a manual per-interface configuration. This feature allows inline hop-by-hop propagation
of endpoint identity across network devices and provides seamless Layer 2 SGT Imposition between each hop.
|
Note
|
Supported only on physical interfaces, VLAN interfaces, port channel interfaces, and redundant interfaces. Not supported on
logical interfaces or virtual interfaces, such as BVI, TVI, and VNI.Does not support failover links or cluster control links.
|
|
|
Enable secure group tagging for Cisco TrustSec
|
Enables SGT plus Ethernet Tagging (also called Layer 2 SGT Imposition).
|
|
Tag egress packets with secure group tags
|
Enables propagation of a security group tag (called sgt) on an interface.
|
|
Assign a static secure group tag to all ingress packets
|
Applies a static security group tag to incoming traffic from the peer. If enabled, you must specify the SGT number to use
in the Secure Group Tag field.
|
|
Secure Group Tag
|
Specifies the SGT number to apply to incoming traffic from the peer. Valid values are from 2-65519.
|
|
Trusted Interface
|
Indicates that ingress traffic on the interface should not have its existing SGT overwritten with the static SGT specified.
|
|
ASA Cluster (Layer 3); available on ASA 5580 and 5585 devices in cluster mode only.
Supported by all interfaces when ASA cluster is in Router mode and supported by management interface when ASA cluster is in
Transparent mode.
|
|
IPv4 Address Pool
|
Enter or select the IPv4 Pool object that represents the pool of addresses to use.
|
|
MAC Address Pool
|
Enter or select the MAC Pool object that represents the pool of MAC addresses to use.
|
|
ASA Cluster (Layer 2); available on ASA 5580 and 5585 devices in cluster mode only.
Supported on EtherChannel interfaces for ASA clusters. Not supported on Management interface when ASA cluster is in Transparent
mode.
|
|
Span EtherChannel across the ASA Cluster
|
Select to configure an EtherChannel that spans all ASAs in the cluster, and provides load balancing as part of the EtherChannel
operation.
|
|
Enable load balancing between switch pairs in VSS or vPC mode
|
(Optional) If you are connecting the ASA to two switches in a Virtual Switching System (VSS) or Virtual Port Channel (vPC),
then you should enable load balancing by checking the Enable load balancing between switch pairs in VSS or vPC mode check box. This feature ensures that the physical link connections between the ASAs to the VSS (or vPC) pair are balanced.
|
|
Member Interface Configuration
|
Identifies the LACP mode for the interface and the Virtual Switching System (VSS) or Virtual Port Channel (vPC) switch to
which a given interface is connected, 1 or 2.
|
|
Advanced tab options specific to ASA 5505 devices (routed mode only)
|
|
Block Traffic To
|
Restricts this VLAN interface from initiating contact with the VLAN chosen here.
|
|
Backup Interface
|
Choose a VLAN interface as a backup interface, for example, to an ISP. The backup interface does not pass traffic unless the
default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure
default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.
|
|
Advanced tab options specific to FWSM 3.1+ devices
|
|
Bridge Group
|
For an FWSM 3.1+ operating in transparent mode, this read-only field indicates the Bridge group to which this interface is
assigned. See Add/Edit Bridge Group Dialog Box for more information.
|
|
ASR Group
|
To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be
enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR
group range from 1 to 32. See About Asymmetric Routing Groups for more information.
|
|
Pause Frame for Flow Control options
When a network interface gets over loaded, flow control allows it to send PAUSE requests to the devices sending it data to
allow the over loaded condition to clear. If flow control is not enabled and an over loaded condition occurs, the device will
drop packets.
When the receiving part of the interface reaches the high water mark, the transmitting part of the interface starts to generate
pause frames. The remote device is expected to stop / reduce the transmission of packets for the pause time mentioned in the
pause frame. If the receiving part of the interface is able to clear its queue or reaches the low water mark within the pause
time, the transmitting part of the interface sends out a special pause frame that mentions the pause time as zero.This enables
the remote device to start to transmit packets. If the receiving part of the interface still works on the queue, once the
pause time expires, the transmitting part of the interface sends a new pause frame again with a new pause time.
|
Note
|
Pause Frame for flow control is supported only on physical interfaces on ASA 8.2 and above, in the single and multi-context
mode. It is not supported on logical interfaces or virtual interfaces, such as BVI, TVI, and VNI.
|
|
|
Enable Pause Frame
|
(Optional) Enables transmission of pause frame for flow control.
|
|
Use Default Values
|
(Optional) Uses default values for Low Watermark, High Watermark and Pause Time, based on the device.
If this is unchecked, specify the values as per the Device specific Pause Frame Flow Control values reference table.
|
|
Low Watermark (in Kilobytes)
|
Enter a value for the low-water mark. After the interface sends a pause frame, when the buffer usage is reduced below the
low-water mark, the interface sends an “transmission on’ frame. The remote device can resume transmitting data.
|
|
High Watermark (in Kilobytes)
|
Enter a value for the high-water mark.When the buffer usage exceeds the high-water mark, the interface sends a pause frame.
|
|
Pause Time
|
Enter a value for the pause refresh threshold value, between 0 and 65535 slots. Each slot is the amount of time to transmit
64 bytes, so the time per unit depends on your link speed. The remote device can resume traffic after receiving an transmission
on frame, or after the transmission off frame expires, as controlled by this timer value in the pause frame. If the buffer
usage is consistently above the high-water mark, pause frames are sent repeatedly, controlled by the pause refresh threshold
value.
|
Feedback