topic Re: High Availability Setup in Network Security

High Availability Setup

gcook0001 — Mon, 09 Nov 2020 19:56:35 GMT

I have been doing a lot of reading but I haven't found what I am looking for. We recently purchased two Firepower 1140's to replace our Meraki appliances. We have two Catalyst 3850 switches in a non-stacked configuration.

I would like to setup them up using the following but I can't find any documentation that I can follow.

FP1 - port 1 to ISP

FP1 - port 3 to 3850-1 carrying vlans 3,4,5,6 (port-channel 1)

FP1 - port 4 to 3850-1 carrying vlans 3,4,5,6 (port-channel 1)

FP1 - port 5 to 3850-2 carrying vlans 3,4,5,6 (port-channel 2)

FP1 - port 6 to 3850-2 carrying vlans 3,4,5,6 (port-channel 2)

FP1 - port 8 to FP2 - port 8 - failover link

FP2 - port 1 to ISP

FP2 - port 3 to 3850-1 carrying vlans 3,4,5,6 (port-channel 3)

FP2 - port 4 to 3850-1 carrying vlans 3,4,5,6 (port-channel 3)

FP2 - port 5 to 3850-2 carrying vlans 3,4,5,6 (port-channel 4)

FP2 - port 6 to 3850-2 carrying vlans 3,4,5,6 (port-channel 4)

We currently have

3850-1 to 3850-2 port-channel 20 carrying vlans 3,4,5,6

If someone could point me to some decent documentation on doing this it would be great.

Re: High Availability Setup

balaji.bandi — Mon, 09 Nov 2020 20:10:19 GMT

why not follow the below guide what is recommended for the HA environment, what is not recommended.

if you have 2 ISP is thei active failover you like to both the ISP ?

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

read the above document, make a small network diagram which gives you a clear picture and understands what you looking do.

still have questions post the high-level diagram of your network so we can look and suggest what suitable approach you can take.

Re: High Availability Setup

gcook0001 — Mon, 09 Nov 2020 20:43:47 GMT

Thanks for the quick reply.

I read both those documents previously. What is missing is how to create port-channels carrying multiple vlans/subnets.

I attached a document showing the layout.

Re: High Availability Setup

balaji.bandi — Mon, 09 Nov 2020 20:48:01 GMT

the best approach is FW on a stick with Port-channel with sub-interface.

each FW go with respected Parent switch port-channel and dedicated interface for HA sync link if they are in same location.

Terminated your ISP into Switch with a different VLAN segment.

Re: High Availability Setup

gcook0001 — Mon, 09 Nov 2020 21:11:03 GMT

OK. I have no idea what you said. I the firewalls setup as in the diagram. I just can't figure out how to handle the different vlan/subnets between the switch and the firewalls.

Re: High Availability Setup

balaji.bandi — Mon, 09 Nov 2020 21:17:45 GMT

here is a high level, if you still not sure, suggest hiring a consultant, rather make it difficult to make it, and eventually you can learn from them so you can maintain the network.

Re: High Availability Setup

gcook0001 — Mon, 09 Nov 2020 22:04:49 GMT

I would love to hire a consultant. We just can't afford it. I am making progress I think. I created sub-interfaces on one of the ports and I created a port-channel on the switch and it looks like I am getting some kind of connection.

Re: High Availability Setup

gcook0001 — Tue, 10 Nov 2020 22:07:02 GMT

So there is no documentation on how to implement this design. I have worked with two other firewall vendors previously and there was always a couple of default senarios that were well documented. I have looked everyone on the Cisco site and I don't find anything. I must not be the first person to want to use their firewalls for handling traffic between multiple VLANs. I am not asking for someone to design this for me, I am asking for clear documentation that explains how to do this.