Category Archives: Cisco

Cisco Firepower Threat Defense with a PPPoE Connection, no default route?

I have been working recently with Cisco Firepower Threat Defense and came across a difficult issue with a PPPoE connection: when the interface was using a dynamic IP address, the default route was not pushed from the ISP to the device, so there was no internet connectivity.

A helpful user on the Cisco community forum shared his settings, and there is a misleading tick box “Enable Route Settings” under “Devices > Device Management > Interfaces” in the Firepower Management Center which needs to be ticked for this to work. This example is for a BT Infinity (VDSL) connection using the Openreach NTE, but will likely work for other ISPs:

[Screenshot: BT PPPoE interface settings in the Firepower Management Center]

Cisco’s description of this tick box in their own documentation is not entirely accurate (source: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101011.pdf, page 18):

“Enable Route Settings—To manually configure the PPPoE IP address, check this box and then enter the IP Address.”

Whilst this is true if the IP address box is populated, they fail to mention that it’s also required for a dynamically assigned connection to receive a default route!

Hope this helps someone!


Snags with sticky MACs

I recently inherited a network which uses port-security with sticky MACs. I’d not used this configuration in a long time, and one limitation I was not aware of, which caused me some trouble, is that a MAC address can only be sticky on a single port per config. So if a device is moved from one port to another and it’s not working, you will need to check that the MAC of the device isn’t sticky on another port.

“sh log” on the switch shows the error:

[Screenshot: Switch port-security tshoot 1 (sh log output)]

Normally in this situation one would clear the sticky MAC on gi2/0/45, but in this case that will not work, as the MAC is already assigned to another port.

“sh port-security address” can be used to identify which port the MAC exists on:

[Screenshot: Switch port-security tshoot 2 (sh port-security address output)]

This shows that the offending device has been moved from port gi2/0/44 (where it exists in the port-security config) to gi2/0/45.
We then can go ahead and clear the stored MAC for both gi2/0/44 and gi2/0/45 to allow these ports to be used once more. Don’t forget to shut and un-shut the ports after this!

[Screenshot: Switch port-security tshoot 3 (clearing the sticky MAC on gi2/0/44)]
[Screenshot: Switch port-security tshoot 4 (clearing the sticky MAC on gi2/0/45)]
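The steps above can be automated when you have more than one switch to check. The following Python script is an added example and is not from the original post: it parses a constructed “sh log” violation line and a constructed “sh port-security address” table, works out which port the MAC is still sticky on, and prints the clear / shut / no shut commands described above. The log wording and table layout are assumed to be the usual IOS formats; the VLAN, MACs and port numbers are made up for the example.

```python
import re

# Constructed sample of a "sh log" line (assumption: the usual IOS
# %PORT_SECURITY-2-PSECURE_VIOLATION wording; MAC and port are made up).
SAMPLE_LOG = """\
*Mar  1 10:12:03.115: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet2/0/45.
"""

# Constructed sample of "sh port-security address" (assumption: the usual
# IOS table layout; VLAN, MACs and ports are made up for this example).
SAMPLE_TABLE = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureSticky                  Gi2/0/44       -
  10    00aa.bbcc.dde1    SecureSticky                  Gi2/0/46       -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
"""

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: .*?caused by MAC address ([0-9a-f.]+) on port ([A-Za-z]+[\d/]+)",
    re.IGNORECASE,
)
TABLE_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)",
    re.IGNORECASE,
)


def short_if(name):
    """Normalise 'GigabitEthernet2/0/45' and 'Gi2/0/45' to 'gi2/0/45' so the
    long form in the log can be compared with the short form in the table."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*([\d/]+)", name)
    if not m:
        raise ValueError("unrecognised interface name: %r" % name)
    return (m.group(1) + m.group(2)).lower()


def parse_violations(log_text):
    """Return [(mac, port)] for every PSECURE_VIOLATION line in the log."""
    out = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            out.append((m.group(1).lower(), short_if(m.group(2))))
    return out


def parse_secure_addresses(table_text):
    """Return {mac: [(port, type, vlan), ...]} from the secure address table."""
    table = {}
    for line in table_text.splitlines():
        m = TABLE_ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table.setdefault(mac.lower(), []).append((short_if(port), kind, int(vlan)))
    return table


def find_stale_sticky(log_text, table_text):
    """Match each violation against the table. The MAC is the problem case from
    the post when it is still sticky on a different port from the one it now
    appears on."""
    table = parse_secure_addresses(table_text)
    findings = []
    for mac, violating_port in parse_violations(log_text):
        for sticky_port, kind, _vlan in table.get(mac, []):
            if kind.lower() == "securesticky" and sticky_port != violating_port:
                findings.append({"mac": mac,
                                 "violating_port": violating_port,
                                 "sticky_port": sticky_port})
    return findings


def remediation_commands(finding):
    """IOS commands for the fix in the post: clear the stored sticky entry on
    both ports, then shut / no shut both. Clearing also removes the learned
    'switchport port-security mac-address sticky' line from the running
    config, so save afterwards or the stale entry returns on the next reload."""
    old, new = finding["sticky_port"], finding["violating_port"]
    cmds = ["clear port-security sticky interface %s" % old,
            "clear port-security sticky interface %s" % new,
            "configure terminal"]
    for port in (old, new):
        cmds += ["interface %s" % port, "shutdown", "no shutdown"]
    cmds += ["end", "write memory"]
    return cmds


if __name__ == "__main__":
    for f in find_stale_sticky(SAMPLE_LOG, SAMPLE_TABLE):
        print("%s seen on %s but still sticky on %s"
              % (f["mac"], f["violating_port"], f["sticky_port"]))
        print("\n".join(remediation_commands(f)))
```

Feed it the real output of the two show commands (for example via Netmiko or a pasted file) rather than the constructed samples. The script only reports MACs whose table entry is of type SecureSticky on a port other than the one in the violation, so a genuine violation by an unknown device on its own port is not touched.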