Firepower 7000 and 8000 Series Installation Guide
Chapter 3 Deploying Firepower Managed Devices
Connecting Devices to Your Network
Some devices are marketed as hubs but actually function as switches and do not broadcast each packet
to every port. If you attach your managed device to a hub, but do not see all the traffic, you may need to
purchase a different hub or use a switch with a Span port.
Using a Span Port
Many network switches include a span port that mirrors traffic from one or more ports. By connecting
an interface set to the span port, you can monitor the combined traffic from all ports, generally both
incoming and outgoing. If you already have a switch that includes this feature on your network, in the
proper location, then you can deploy the detection on multiple segments with little extra equipment cost
beyond the cost of the managed device. In high-traffic networks, this solution has its limitations. If the
span port can handle 200Mbps and each of three mirrored ports can handle up to 100Mbps, then the span
port is likely to become oversubscribed and drop packets, lowering the effectiveness of the managed
device.
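The oversubscription arithmetic above is worth carrying through for the general case, because a span port that mirrors both directions of a full-duplex port can receive up to twice that port's line rate. The following is an added example, not text or code from the Cisco guide; the port names and the assumption that both directions are mirrored by default are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class MirroredPort:
    """A switch port whose traffic is copied to the span port (constructed model)."""
    name: str
    speed_mbps: int
    both_directions: bool = True  # span ports usually copy ingress and egress

    def worst_case_mirrored_mbps(self) -> int:
        # A full-duplex port can carry line rate in each direction at once,
        # so mirroring both directions can deliver up to 2x its speed.
        return self.speed_mbps * (2 if self.both_directions else 1)


def span_load_mbps(ports) -> int:
    """Worst-case aggregate rate the span port must emit."""
    return sum(p.worst_case_mirrored_mbps() for p in ports)


def oversubscription_ratio(ports, span_capacity_mbps: int) -> Fraction:
    """Ratio > 1 means the span port can be asked for more than it can carry."""
    return Fraction(span_load_mbps(ports), span_capacity_mbps)


def worst_case_drop_fraction(ports, span_capacity_mbps: int) -> Fraction:
    """Share of mirrored traffic the span port must discard under sustained peak load.

    Dropped mirror copies are traffic the managed device never inspects, so
    this is also the blind spot introduced by the span port itself.
    """
    load = span_load_mbps(ports)
    if load <= span_capacity_mbps:
        return Fraction(0)
    return Fraction(load - span_capacity_mbps, load)


if __name__ == "__main__":
    # The guide's scenario: three 100 Mbps ports mirrored to a 200 Mbps span port.
    ports = [MirroredPort(f"Gi0/{i}", 100) for i in range(1, 4)]
    print("both directions:", oversubscription_ratio(ports, 200),
          "drop up to", worst_case_drop_fraction(ports, 200))
    one_way = [MirroredPort(p.name, p.speed_mbps, both_directions=False) for p in ports]
    print("one direction:  ", oversubscription_ratio(one_way, 200),
          "drop up to", worst_case_drop_fraction(one_way, 200))
```

In the guide's three-port scenario the span port is oversubscribed even when only one direction is mirrored; mirroring both directions triples the offered load against the 200 Mbps limit.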
Using a Network Tap
Network taps allow you to passively monitor traffic without interrupting the network flow or changing
the network topology. Taps are readily available for different bandwidths and allow you to analyze both
incoming and outgoing packets on a network segment. Because you can monitor only a single network
segment with most taps, they are not a good solution if you want to monitor the traffic on two of the eight
ports on a switch. Instead, you would install the tap between the router and the switch and access the full
IP stream to the switch.
By design, network taps divide incoming and outgoing traffic into two different streams over two
different cables. Managed devices offer multiple sensing interface options that recombine the two sides
of the conversation so that the entire traffic stream is evaluated by the decoders, the preprocessors, and
the detection engine.
Cabling Inline Deployments on Copper Interfaces
If you deploy your device inline on your network and you want to use your device’s bypass capabilities
to maintain network connectivity if the device fails, you must pay special attention to how you cable the
connections.
If you deploy a device with fiber bypass capable interfaces, there are no special cabling issues beyond
ensuring that the connections are securely fastened and the cables are not kinked. However, if you are
deploying devices with copper rather than fiber network interfaces, then you must be aware of the device
model that you are using, because different device models use different network cards. Note that some
8000 Series NetMods do not allow bypass configuration.
The network interface cards (NICs) in the device support a feature called Auto-Medium Dependent
Interface Crossover (Auto-MDI-X), which allows a network interface to configure itself automatically whether
you use a straight-through or a crossover Ethernet cable to connect it to another network device. When a
Firepower device enters bypass, the bypassed interface pair behaves as a crossover connection.
Cable the link as you normally would if no device were deployed. The link should remain up with power
to the device removed. In most cases you should use two straight-through cables to connect the device
to the two endpoints.