Friday, April 16, 2021

In this post I will clear up one of the most confusing concepts about Cisco FTD, the story of two engines: how the Firepower engine and the ASA engine work together.

To learn how to do the initial configuration of FMC and FTD, please click here.


I am using the following lab topology for the configurations, but it has very little to do with this discussion.

Before we begin, let's clear up the confusion around the command line interfaces we can see on Cisco FTD.
There are 3 CLIs:

1. Converged FTD CLISH (Command Line Interface Shell)
2. Firepower Linux CLI
3. LINA (Linux on ASA)

The converged FTD CLISH is the default CLI, recognisable by the '>' prompt. It inherits the Firepower Linux management plane commands and most of the data plane related Cisco ASA commands.

The Firepower Linux CLI is just plain Linux shell access to the Firepower engine. You will need it to view the management plane routing used to reach Cisco FMC.

LINA is just the classic Cisco ASA privileged EXEC command set without config mode. This is where the data plane routing lives.

Now on to the practical part.

If you remember from the initial configuration, we have to give the IP address, mask and gateway of the management interface, and that interface is not shown in the default CLI, which is the converged FTD CLISH.

Note: in the above diagram you can see that interface as eth0/mgmnt. The IP given to it was 172.16.10.10, as per the diagram.

Let's switch to the LINA CLI and see whether it is there.
Enter the command system support diagnostic-cli, then enable (with the enable password), then show interface ip brief, just like on a Cisco ASA.

It is strange that there is a Management interface defined in the ASA engine, but it has nothing to do with the management interface IP we configured.

No route for it can be seen in the routing table either.

But if you switch to expert mode, the Firepower Linux CLI, you can see it there.
Let's exit back to CLISH, enter the Firepower Linux CLI with the expert command, and then use plain Linux commands.

br1 is the interface carrying that address. You can see the routing table too.

You can ping the FMC from here. What we can conclude is that this interface is part of the Firepower engine and is used to connect to FMC.

After adding this FTD to FMC, I configured some interfaces and a route for the data plane. As per the design, traffic should leave through the G0/1 interface. Let's see which engine that interface and those data plane routes belong to.

I am not going through the configuration in detail, but I hope the following snippets and the topology diagram above explain it all.

The interfaces are configured like the following:

The default route is configured like the following:

Deploying...

Now let's look at the converged CLISH CLI.

Then let's go to LINA and see whether they are there or not.

So all the routes are there in LINA, which means in the ASA engine. If you go to the Firepower engine, you will see no change there. As a conclusion, all the routes and interfaces related to the data plane are actually in the ASA engine itself, while the interface that connects to FMC is in the Firepower engine. This matches the idea of the ASA engine handling everything up to Layer 4, with the Firepower engine taking care of what is above Layer 4.
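As an added example (not from the original post), a small Python checker that applies this conclusion and the earlier one about the management interface: given the text of LINA's show interface ip brief and show route, and of ip -br addr and ip route from expert mode, it reports which engine owns an address and which engine carries a default route. All sample output below is constructed; the interface names, addresses and the outside nameif are assumptions.

```python
import re

# Constructed sample CLI output for this example (not captured from the lab in the post).
LINA_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status Protocol
GigabitEthernet0/0     10.1.1.1        YES manual up     up
GigabitEthernet0/1     192.168.1.1     YES manual up     up
Management1/1          unassigned      YES unset  up     up
"""
LINA_SHOW_ROUTE = """\
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
S*       0.0.0.0 0.0.0.0 [1/0] via 192.168.1.254, outside
"""
LINUX_IP_BRIEF = """\
br1              UP             172.16.10.10/24
"""
LINUX_IP_ROUTE = """\
default via 172.16.10.1 dev br1
"""

def lina_interfaces(brief):
    """Interface -> address from LINA 'show interface ip brief' (header row skipped)."""
    rows = (line.split() for line in brief.splitlines()[1:])
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def linux_interfaces(ip_br):
    """Interface -> addresses (prefix length stripped) from Linux 'ip -br addr'."""
    rows = (line.split() for line in ip_br.splitlines())
    return {r[0]: [a.split("/")[0] for a in r[2:]] for r in rows if len(r) >= 3}

def locate_address(ip, lina_brief=LINA_INT_BRIEF, linux_ip_br=LINUX_IP_BRIEF):
    """Return (engine, interface) that owns ip, checking LINA first, or None."""
    for name, addr in lina_interfaces(lina_brief).items():
        if addr == ip:
            return ("ASA engine (LINA)", name)
    for name, addrs in linux_interfaces(linux_ip_br).items():
        if ip in addrs:
            return ("Firepower engine (Linux)", name)
    return None

def default_routes(lina_route=LINA_SHOW_ROUTE, linux_route=LINUX_IP_ROUTE):
    """Engine -> (gateway, interface) for every engine holding a default route."""
    owners = {}
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 .*via (\S+), (\S+)", lina_route, re.M)
    if m:
        owners["ASA engine (LINA)"] = (m.group(1), m.group(2))
    m = re.search(r"^default via (\S+) dev (\S+)", linux_route, re.M)
    if m:
        owners["Firepower engine (Linux)"] = (m.group(1), m.group(2))
    return owners
```

Run against real output, the management IP should resolve to br1 in the Firepower engine and the data plane default route to LINA; the two engines each keep their own default route, which is why a data plane route never shows up in expert mode.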

The following figure from the Cisco Firepower Threat Defense book by Nazmul Rajib shows how these two engines work together inside an FTD when inspecting traffic.

Note that the above LINA commands can be run from CLISH too; I have not shown that for the sake of clarity. To understand more about the 3 CLIs in FTD, please go here.