Firepower 7000 and 8000 Series Installation Guide
Chapter 3 Deploying Firepower Managed Devices
Deployment Options
When you place your managed device on a network segment, you can monitor traffic using an intrusion
detection system or protect your network from threats using an intrusion prevention system.
You can also deploy your managed device to function as a virtual switch, virtual router, or gateway VPN.
Additionally, you can use policies to route traffic or control access to traffic on your network.
Deploying with a Virtual Switch
You can create a virtual switch on your managed device by configuring inline interfaces as switched
interfaces. The virtual switch provides Layer 2 packet switching for your deployment. Advanced options
include setting a static MAC address, enabling spanning tree protocol, enabling strict TCP enforcement,
and dropping bridge protocol data units (BPDUs) at the domain level. For information on switched
interfaces, see
A virtual switch must contain two or more switched interfaces to handle traffic. For each virtual switch,
the system switches traffic only to the set of ports configured as switched interfaces. For example, if you
configure a virtual switch with four switched interfaces, when the system receives traffic packets through
one port it only broadcasts these packets to the remaining three ports on the switch.
To configure a virtual switch to allow traffic, you configure two or more switched interfaces on a
physical port, add and configure a virtual switch, and then assign the virtual switch to the switched
interfaces. The system drops any traffic received on an external physical interface that does not have a
switched interface waiting for it. If the system receives a packet with no VLAN tag and you have not
configured a physical switched interface for that port, it drops the packet. If the system receives a
VLAN-tagged packet and you have not configured a logical switched interface, it also drops the packet.
You can define additional logical switched interfaces on the physical port as needed, but you must assign
a logical switched interface to a virtual switch to handle traffic.
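The forwarding and drop rules above can be checked against a configuration before it is pushed. The following is an added worked example, not code from the guide or from Cisco: it models a physical port as carrying one untagged (physical) switched interface plus optional VLAN-tagged (logical) ones, accepts a frame only when a switched interface is waiting for it on that port, requires the interface to be assigned to a virtual switch with at least two members, and floods accepted frames to the other members of that virtual switch only, which is what keeps traffic on one virtual switch from reaching another. The class and interface names (`VirtualSwitchModel`, `s1p1`, `vs-users`) and the sample topology are constructed for the example.

```python
"""Added illustration of virtual-switch accept/drop/flood decisions.
Simplified model built from the guide's description; not Cisco's code.
Port and switch names below are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SwitchedInterface:
    port: str               # physical port the interface is defined on
    vlan: Optional[int]     # None = physical switched interface (untagged); int = logical (VLAN-tagged)
    vswitch: Optional[str]  # virtual switch it is assigned to; None = defined but not yet assigned


@dataclass(frozen=True)
class Frame:
    ingress_port: str
    vlan: Optional[int]     # None = frame carries no VLAN tag


@dataclass(frozen=True)
class Decision:
    action: str             # "flood" or "drop"
    reason: str
    egress: Tuple[Tuple[str, Optional[int]], ...] = ()  # (port, vlan) pairs the frame is sent out on


class VirtualSwitchModel:
    def __init__(self, interfaces: List[SwitchedInterface]):
        self.interfaces = list(interfaces)
        # Group assigned interfaces by the virtual switch they belong to.
        self.members: Dict[str, List[SwitchedInterface]] = {}
        for iface in self.interfaces:
            if iface.vswitch is not None:
                self.members.setdefault(iface.vswitch, []).append(iface)

    def ingress_interface(self, frame: Frame) -> Optional[SwitchedInterface]:
        """The switched interface 'waiting for' this frame: same port and same tag state."""
        for iface in self.interfaces:
            if iface.port == frame.ingress_port and iface.vlan == frame.vlan:
                return iface
        return None

    def forward(self, frame: Frame) -> Decision:
        iface = self.ingress_interface(frame)
        if iface is None:
            # No physical (untagged) or logical (tagged) switched interface for this port/tag: drop.
            kind = "physical (untagged)" if frame.vlan is None else f"logical (VLAN {frame.vlan})"
            return Decision("drop", f"no {kind} switched interface on {frame.ingress_port}")
        if iface.vswitch is None:
            # A switched interface only handles traffic once assigned to a virtual switch.
            return Decision("drop", f"switched interface on {iface.port} is not assigned to a virtual switch")
        peers = [m for m in self.members[iface.vswitch] if m != iface]
        if not peers:
            # A virtual switch needs two or more switched interfaces to carry traffic.
            return Decision("drop", f"virtual switch {iface.vswitch} has fewer than two switched interfaces")
        # Flood only to the remaining members of the same virtual switch, never across switches.
        return Decision("flood", f"flooded within {iface.vswitch}", tuple((m.port, m.vlan) for m in peers))


# Constructed sample topology: two working virtual switches, one unassigned interface,
# and one virtual switch with a single member.
SAMPLE = VirtualSwitchModel([
    SwitchedInterface("s1p1", None, "vs-users"),
    SwitchedInterface("s1p2", None, "vs-users"),
    SwitchedInterface("s1p3", 10, "vs-users"),
    SwitchedInterface("s1p4", 10, "vs-users"),
    SwitchedInterface("s1p5", 20, "vs-voip"),
    SwitchedInterface("s1p6", 20, "vs-voip"),
    SwitchedInterface("s1p7", 30, None),
    SwitchedInterface("s1p8", None, "vs-lonely"),
])


def demo() -> List[Decision]:
    """Run the frames a reviewer would try against the sample topology."""
    frames = [
        Frame("s1p1", None),   # untagged on a port with a physical switched interface: flood to 3 peers
        Frame("s1p1", 10),     # tagged, but no logical switched interface for VLAN 10 on s1p1: drop
        Frame("s1p5", 20),     # stays inside vs-voip, never reaches vs-users ports
        Frame("s1p5", None),   # untagged on a port with only a logical switched interface: drop
        Frame("s1p7", 30),     # interface defined but unassigned: drop
        Frame("s1p8", None),   # virtual switch with one member: drop
    ]
    return [SAMPLE.forward(f) for f in frames]


if __name__ == "__main__":
    for d in demo():
        print(d.action, "-", d.reason, d.egress)
```

Running the module prints one decision per sample frame; the useful property to check in a real configuration review is that no `flood` egress list ever contains a port belonging to a different virtual switch than the ingress interface.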
Virtual switches have the advantage of scalability. When you use a physical switch, you are limited by
the number of available ports on the switch. When you replace your physical switch with a virtual switch,
you are limited only by your bandwidth and the level of complexity you want to introduce to your
deployment.
Use a virtual switch where you would use a Layer 2 switch, such as workgroup connectivity and network
segmentation. Layer 2 switches are particularly effective where workers spend most of their time on their
local segment. Larger deployments (for example, deployments that contain broadcast traffic,
Voice-over-IP, or multiple networks) can use virtual switches on smaller network segments of the
deployment.
When you deploy multiple virtual switches on the same managed device, you can maintain separate
levels of security as dictated by the needs of each network.