45-41
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
Add/Edit Bridge Group Dialog Box
A transparent firewall connects the same network on its inside and outside interfaces, and supports only
two interfaces per context. However, you can increase the number of interfaces available to a context
by using bridge groups. You can configure up to eight bridge groups; on an FWSM each group can
contain two interfaces; on an ASA each group can contain four interfaces.
Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge
groups; traffic is not routed to another bridge group within the security appliance—traffic must exit the
security appliance to be routed by an external router back to another bridge group in the security
appliance.
You might want to use more than one bridge group if you do not want the overhead of security contexts,
or want to maximize your use of security contexts. Although the bridging functions are separate for each
bridge group, many other functions are shared between all bridge groups. For example, all bridge groups
share a syslog server or AAA server configuration. For complete security policy separation, use security
contexts with one bridge group in each context.
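The limits and isolation rule described above can be checked against a planned configuration before it is deployed. The following is an added example, not part of the Cisco guide or Security Manager; it assumes each member interface carries a `bridge-group <number>` line under its `interface` block (ASA CLI syntax, not shown on this page), and the sample configuration and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Limits taken from the text above.
MAX_GROUPS = 8
MAX_MEMBERS = {"fwsm": 2, "asa": 4}

# Constructed ASA transparent-mode excerpt (not from a real device).
SAMPLE = """\
interface GigabitEthernet0/0
 bridge-group 1
interface GigabitEthernet0/1
 bridge-group 1
interface GigabitEthernet0/2
 bridge-group 1
interface GigabitEthernet0/3
 bridge-group 1
interface GigabitEthernet0/4
 bridge-group 1
interface GigabitEthernet0/5
 bridge-group 2
interface Management0/0
 management-only
"""

def bridge_groups(config):
    """Return {bridge-group number: [member interface names]}."""
    groups, current = defaultdict(list), None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(.+?)\s*$", line):
            current = m.group(1)
        elif (m := re.match(r"\s+bridge-group\s+(\d+)\s*$", line)) and current:
            groups[int(m.group(1))].append(current)
    return dict(groups)

def audit(config, platform):
    """List violations of the bridge-group limits for 'asa' or 'fwsm'."""
    groups, findings = bridge_groups(config), []
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} bridge groups configured, limit is {MAX_GROUPS}")
    for num, members in sorted(groups.items()):
        if len(members) > MAX_MEMBERS[platform]:
            findings.append(f"bridge-group {num}: {len(members)} interfaces, "
                            f"limit is {MAX_MEMBERS[platform]} on {platform}")
    return findings

def needs_external_router(config, if_a, if_b):
    """True when two member interfaces are in different bridge groups."""
    owner = {i: n for n, ms in bridge_groups(config).items() for i in ms}
    return owner[if_a] != owner[if_b]
```

`needs_external_router` reflects the isolation rule: traffic between interfaces in different bridge groups has no path inside the appliance and must be routed externally.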
For FWSM 3.1+ and ASA 8.4.1+ devices in transparent mode, the Interfaces page displays two tabbed
panels: Interfaces and Bridge Groups. The following information applies to the Bridge Groups panel and
the Add/Edit Bridge Group dialog box; refer to Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM),
page 45-19 for information about the Interfaces panel.
Navigation Path
You can access the Add/Edit Bridge Group dialog box from the Bridge Groups panel of the Interfaces
page.
Related Topics
Interfaces in Routed and Transparent Modes, page 45-4
Bridging Support for FWSM 3.1, page 46-3
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14
Table 45-8 Configure Hardware Ports Dialog Box (Continued)

Element: Speed

Description: Choose a speed for the port: 10, 100, or Auto. The Auto setting is
recommended, and the default.

If you set Speed to anything other than Auto for PoE ports Ethernet 0/6
or 0/7, then Cisco IP phones and Cisco wireless access points that do
not support IEEE 802.3af will not be detected and supplied with power.

The default Auto setting also includes the Auto-MDI/MDIX feature.
Auto-MDI/MDIX eliminates the need for crossover cabling by
performing an internal crossover when a straight cable is detected
during the auto-negotiation phase. Either Speed or Duplex must be set
to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly
set both Speed and Duplex to a fixed value, thus disabling
auto-negotiation for both settings, then Auto-MDI/MDIX is also
disabled.