Summary: Structured approach to diagnosing connectivity issues between a Cisco Firepower Threat Defense (FTD) firewall and a Catalyst 9300 switch, covering physical links, VLANs and trunking, ARP/MAC, routing, and FTD policy inspection.
1. Physical / interface state → is the link up on both sides?
2. VLAN and trunking → are the correct VLANs passing?
3. ARP and MAC → are layer 2 adjacencies resolving?
4. Routing → are routes present on both devices?
5. FTD policy / inspection → is the firewall dropping the traffic?
6. Captures and packet tracer → confirm exactly where traffic is lost
FTD side:
> show interface
> show interface ip brief
! Both Status and Protocol should read up/up on the interface facing the 9300
! Check interface errors and stats
> show interface <interface-name>
9300 side:
show interface GigabitEthernet1/0/X
show interface GigabitEthernet1/0/X status
show cdp neighbors detail
! FTD data interfaces do not speak CDP, so confirm the FTD-facing port from its description and cabling; CDP still shows what else is on the segment
! connected = link is up; notconnect = physical issue: check cable, SFP, or port shutdown
show interfaces status err-disabled
show log | include ERR_DISABLE
⚠️ Err-Disabled Ports
A port in err-disabled state will not pass traffic even if the physical link is up. Common causes on a port connected to an FTD are BPDU guard triggering (a transparent-mode FTD forwards BPDUs between its bridge-group members by default, so the 9300 sees BPDUs from whatever sits on the far side of the firewall) or port security violations. Fix the root cause first, then re-enable the port with shutdown followed by no shutdown; otherwise it will err-disable again.
In routed mode the FTD terminates each VLAN on an 802.1Q subinterface and routes between them, so the uplink to the 9300 must be a trunk that carries every one of those VLANs tagged.
FTD side:
> show interface
! Subinterfaces should show up/up (e.g. GigabitEthernet0/0.10, GigabitEthernet0/0.20) and each lists the VLAN identifier it tags
9300 side:
show interfaces GigabitEthernet1/0/X trunk
show interfaces GigabitEthernet1/0/X switchport
! Operational mode should be trunk, not access
! Check native VLAN
show running-config interface GigabitEthernet1/0/X | include native
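The trunk check above is easy to get wrong by eye, particularly when the VLAN an FTD subinterface tags is the 9300's native VLAN (the FTD expects it tagged, the switch sends it untagged). The following Python script is an added example, not part of the original page or of any Cisco tooling: it parses constructed samples of the 9300's show interfaces GigabitEthernet1/0/X trunk output and of the FTD's show interface output (the VLAN identifier lines), then reports every FTD subinterface VLAN the trunk cannot deliver tagged, whether because it is not allowed, not active in the VLAN database, not in forwarding state, or is the native VLAN. The port names, interface names and VLAN numbers in the samples are assumptions for illustration.

```python
import re

# Constructed sample of the 9300's "show interfaces GigabitEthernet1/0/1 trunk" output
# (illustrative values, not from a real device)
TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1,10,30-31

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,10
"""

# Constructed sample of the FTD's "show interface" output, trimmed to the lines that matter
# (interface names and VLAN identifiers are assumed for the example)
FTD_OUTPUT = """\
Interface GigabitEthernet0/0 "", is up, line protocol is up
  MAC address 0000.0000.0001, MTU 1500
Interface GigabitEthernet0/0.1 "native", is up, line protocol is up
  VLAN identifier 1
Interface GigabitEthernet0/0.10 "inside10", is up, line protocol is up
  VLAN identifier 10
Interface GigabitEthernet0/0.20 "inside20", is up, line protocol is up
  VLAN identifier 20
Interface GigabitEthernet0/0.30 "inside30", is up, line protocol is up
  VLAN identifier 30
Interface GigabitEthernet0/0.31 "inside31", is up, line protocol is up
  VLAN identifier 31
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10,30-31' into a set of ints ('none' gives an empty set)."""
    vlans = set()
    if spec.strip().lower() in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(output):
    """Parse 'show interfaces <port> trunk' into port, mode, status, native VLAN and the three VLAN sets."""
    info, header = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):          # each column header names the section that follows it
            header = line[4:].strip()
            continue
        tokens = line.split()
        if header is None:
            continue
        if header.startswith("Mode"):
            info["port"], info["mode"], info["status"] = tokens[0], tokens[1], tokens[3]
            info["native"] = int(tokens[4])
        elif header.startswith("Vlans allowed on trunk"):
            info["allowed"] = expand_vlans(tokens[1])
        elif header.startswith("Vlans allowed and active"):
            info["active"] = expand_vlans(tokens[1])
        elif header.startswith("Vlans in spanning tree forwarding"):
            info["forwarding"] = expand_vlans(tokens[1])
    return info


def parse_ftd_subinterfaces(output):
    """Map each FTD subinterface name to the 802.1Q VLAN it tags, from 'show interface' output."""
    subifs, current = {}, None
    for line in output.splitlines():
        if line.startswith("Interface "):
            m = re.match(r"Interface (\S+\.\d+) ", line)
            current = m.group(1) if m else None   # parent (physical) interfaces carry no VLAN tag
            continue
        m = re.match(r"\s+VLAN identifier (\d+)", line)
        if m and current:
            subifs[current] = int(m.group(1))
    return subifs


def check_trunk_against_ftd(trunk, subifs):
    """Return one finding per FTD VLAN the 9300 trunk cannot deliver tagged; an empty list means consistent."""
    findings = []
    if trunk.get("status") != "trunking":
        findings.append(f"{trunk.get('port')}: not trunking (status={trunk.get('status')})")
        return findings
    for name, vlan in sorted(subifs.items()):
        if vlan == trunk["native"]:
            findings.append(f"{name}: VLAN {vlan} is the 9300 native VLAN; FTD tags it but the switch sends it untagged")
        elif vlan not in trunk["allowed"]:
            findings.append(f"{name}: VLAN {vlan} not allowed on trunk (switchport trunk allowed vlan add {vlan})")
        elif vlan not in trunk["active"]:
            findings.append(f"{name}: VLAN {vlan} allowed but not active (VLAN missing from the 9300 VLAN database)")
        elif vlan not in trunk["forwarding"]:
            findings.append(f"{name}: VLAN {vlan} active but not forwarding (STP blocking or VTP pruned)")
    return findings


if __name__ == "__main__":
    for finding in check_trunk_against_ftd(parse_trunk(TRUNK_OUTPUT), parse_ftd_subinterfaces(FTD_OUTPUT)):
        print(finding)
```

On the constructed samples this reports four problems (native VLAN 1, VLAN 20 not allowed, VLAN 30 not forwarding, VLAN 31 not in the VLAN database) and stays silent on VLAN 10, which is the one a by-eye check tends to stop at. Paste real outputs into the two strings to run it against your own trunk.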
In transparent mode the FTD is a bump-in-the-wire bridge: the bridge-group member interfaces carry no IP address, the only IP belongs to the BVI, and traffic is switched between members at layer 2, so the 9300's VLAN and spanning-tree state are what matter here.
! Check BVI (Bridge Virtual Interface) is up
> show interface BVI1
9300 side:
show spanning-tree vlan <vlan-id>
FTD side:
> show arp
> show conn
9300 side:
! Confirm the FTD MAC is in the CAM table
show mac address-table | include <ftd-mac>
! Confirm the correct VLAN
show mac address-table vlan <vlan-id>
! Check ARP on the SVI
show ip arp <ftd-ip>
FTD side:
> show route
> show route <destination-network>
> show route management-only
9300 side:
show ip route <ftd-interface-ip>
show ip route <destination>
! If using SVIs, confirm the SVI is up
show interface Vlan<id>
show ip interface Vlan<id>
Traffic that passes all layer 2/3 checks may still be dropped by FTD policy.
> show conn
> show conn detail address <host-ip>
In FMC: Analysis > Connections > Events — filter by source/destination and look for Block decisions.
On FTD CLI:
> show access-list
> show access-list <acl-name> | include <host-ip>
Packet tracer simulates a flow through the FTD policy engine without sending real traffic — use it to identify exactly which policy is dropping traffic.
> packet-tracer input <ingress-interface> tcp <src-ip> <src-port> <dst-ip> <dst-port> detail
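Packet-tracer prints one block per phase, each with its own Result line, followed by a final Result block with the Action and, on a drop, the Drop-reason. The script below is an added example, not from the original page or from Cisco: it parses a constructed packet-tracer detail output (the rule-id, interface names and ACL name are assumed for illustration) and pulls out the first DROP phase together with the rule-id and drop reason, and returns None when every phase allows the flow.

```python
import re

# Constructed output of "packet-tracer input inside tcp 10.1.10.5 51234 10.1.20.5 443 detail"
# on an FTD whose access control policy denies the flow (illustrative; rule-id and names are assumed)
PT_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.20.5 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc inside any ifc outside any rule-id 268435461 event-log flow-start
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed output for a permitted flow, to show the no-drop case
PT_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268435460
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""


def parse_packet_tracer(output):
    """Split packet-tracer output into a list of phase dicts and the final verdict block as a dict."""
    phases, final, current, section = [], {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":            # a bare "Result:" introduces the final verdict block
            current = None
        elif current is not None:
            if line.startswith("Type:"):
                current["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                current["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current["result"] = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section:
                current[section].append(line)
        elif ":" in line:                  # key: value lines of the final verdict
            key, value = line.split(":", 1)
            final[key.strip()] = value.strip()
    return phases, final


def find_drop(output):
    """Return the first DROP phase (type, rule-id when an ACL, config lines) plus the final drop reason, or None."""
    phases, final = parse_packet_tracer(output)
    for phase in phases:
        if phase.get("result") != "DROP":
            continue
        rule_id = None
        for cfg in phase["config"]:
            m = re.search(r"rule-id (\d+)", cfg)
            if m:
                rule_id = int(m.group(1))
        return {
            "phase": phase["phase"],
            "type": phase.get("type"),
            "subtype": phase.get("subtype"),
            "rule_id": rule_id,
            "config": phase["config"],
            "action": final.get("Action"),
            "drop_reason": final.get("Drop-reason"),
        }
    return None


if __name__ == "__main__":
    verdict = find_drop(PT_DROP)
    print(f"dropped in phase {verdict['phase']} ({verdict['type']}), rule-id {verdict['rule_id']}: {verdict['drop_reason']}")
    print("permitted flow:", find_drop(PT_ALLOW))
```

The rule-id it extracts is the same number that show access-list prints on the FTD, which is the fastest way to get from a packet-tracer DROP back to the offending access control rule.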
! A DROP result names the phase, the rule (rule-id) and the Drop-reason
> show nat detail
> show xlate
show xlate lists the active NAT translations; unexpected or missing entries point to a misconfigured NAT rule.
Use captures as a last resort to confirm exactly where traffic is entering and leaving the FTD.
! Capture inbound traffic on FTD interface facing 9300
> capture CAP1 interface <inside-interface> match ip host <src-ip> host <dst-ip>
! View capture
> show capture CAP1
> show capture CAP1 detail
! Remove capture when done
> no capture CAP1
Cross-reference with a capture on the egress interface. If packets appear in the ingress capture but never in the egress one, the FTD itself is discarding them (policy, NAT, or route lookup). Note that the egress capture sees post-NAT addresses, so match on the translated hosts there, and show asp drop lists the running drop-reason counters to confirm which path discarded them.
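Comparing two captures line by line gets tedious once more than a handful of packets are involved. The script below is an added example, not code from the original page or from Cisco: it parses constructed show capture output from the ingress and egress interfaces (timestamps, addresses and ports are made up for the example) into per-flow packet counts and lists the flows that entered the FTD but never left it, which is exactly the cross-reference described above.

```python
import re
from collections import Counter

# Constructed "show capture CAP1" output from the FTD interface facing the 9300 (illustrative, not a real
# device): the :443 SYN is retransmitted because nothing ever comes back; the :80 SYN and the ping go through
INGRESS = """\
4 packets captured

   1: 14:02:11.512344       802.1Q vlan#10 P0 10.1.10.5.51234 > 10.1.20.5.443: S 1234567890:1234567890(0) win 64240 <mss 1460>
   2: 14:02:11.512901       802.1Q vlan#10 P0 10.1.10.5.51235 > 10.1.20.5.80: S 2345678901:2345678901(0) win 64240 <mss 1460>
   3: 14:02:11.600012       802.1Q vlan#10 P0 10.1.10.5 > 10.1.20.5: icmp: echo request
   4: 14:02:12.512388       802.1Q vlan#10 P0 10.1.10.5.51234 > 10.1.20.5.443: S 1234567890:1234567890(0) win 64240 <mss 1460>
4 packets shown
"""

# Constructed "show capture CAP2" output from the egress interface: only the :80 SYN and the ping left the FTD
EGRESS = """\
2 packets captured

   1: 14:02:11.513002       10.1.10.5.51235 > 10.1.20.5.80: S 2345678901:2345678901(0) win 64240 <mss 1460>
   2: 14:02:11.600100       10.1.10.5 > 10.1.20.5: icmp: echo request
2 packets shown
"""

# "src.port > dst.port:" for TCP/UDP, "src > dst:" for ICMP and other port-less protocols
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:"
)


def parse_capture(text):
    """Count packets per flow (src, sport, dst, dport) in 'show capture <name>' output; ports are None for ICMP."""
    flows = Counter()
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return flows


def fmt_flow(flow):
    """Render a flow tuple the way a human reads it."""
    src, sport, dst, dport = flow
    if sport is None:
        return f"{src} > {dst} (no ports, e.g. icmp)"
    return f"{src}:{sport} > {dst}:{dport}"


def missing_on_egress(ingress_text, egress_text):
    """Flows seen entering the FTD but never leaving it, mapped to the number of ingress packets."""
    seen_in = parse_capture(ingress_text)
    seen_out = parse_capture(egress_text)
    return {flow: n for flow, n in seen_in.items() if seen_out[flow] == 0}


if __name__ == "__main__":
    for flow, count in missing_on_egress(INGRESS, EGRESS).items():
        print(f"{fmt_flow(flow)}: {count} packet(s) in, 0 out; the FTD dropped this flow")
```

A SYN that shows up repeatedly on the ingress capture with nothing on the egress side, as in the constructed sample, is the signature of an in-firewall drop; run packet-tracer for that 5-tuple to get the rule. When NAT applies, the egress capture shows translated addresses, so both the egress capture's match clause and the comparison here must use the translated hosts.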
| Symptom | Likely Cause | Fix |
|---|---|---|
| Port err-disabled on 9300 | BPDU guard triggered (a transparent-mode FTD forwards BPDUs) | Remove BPDU guard from the FTD-facing port (spanning-tree bpduguard disable) and do not configure it as a portfast edge port; recover with shutdown then no shutdown |
| FTD ARP not resolving | Native VLAN mismatch or VLAN not allowed on trunk | Verify trunk config and native VLAN on 9300 |
| Traffic dropped silently | FTD access control policy blocking | Use packet-tracer to identify the rule; check FMC connection events |
| FTD subinterface down | VLAN not allowed on 9300 trunk | Add it with switchport trunk allowed vlan add <id> (keep the add keyword; without it the new list replaces the existing allowed VLANs) |
| SVI on 9300 down | No active ports in VLAN | Confirm at least one access or trunk port carrying the VLAN is up |
| Asymmetric routing drops | Return traffic arrives on a different FTD interface than the one the original flow left, so it matches no existing connection | Correct routing on the 9300 so both directions traverse the same FTD interface; ip verify reverse-path (uRPF) adds drops rather than curing this, and TCP state bypass is only a last-resort workaround for a specific flow |
FTD quick reference:
show interface ip brief ! All interface states and IPs
show interface <name> ! Interface stats and errors
show arp ! ARP table
show route ! Routing table
show conn ! Active connections
show nat detail ! NAT rules and hit counts
show access-list ! ACL hit counts
packet-tracer input <int> tcp <src-ip> <src-port> <dst-ip> <dst-port> detail
capture <name> interface <int> match ip host <src> host <dst>
show capture <name> detail
9300 quick reference:
show interface GigabitEthernet1/0/X status
show interfaces GigabitEthernet1/0/X trunk
show interfaces GigabitEthernet1/0/X switchport
show spanning-tree vlan <id>
show mac address-table vlan <id>
show ip arp <ip>
show interfaces Vlan<id>
show cdp neighbors detail
show interfaces status err-disabled