https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243291#M1118575 <P>Can I know SW form VSS or vPC or stack wise virtual?</P> <P>MHM</P> Sat, 04 Jan 2025 11:34:20 GMT MHM Cisco World 2025-01-04T11:34:20Z https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243283#M1118572 <P>Hi All,</P><P>I'm currently implementing a pair of Cisco 3130 FTDs in active/stanby HA. The firewalls will be located within the same campus site but in different buildings. I'm trying to determine the recommendations and best practises for the failover link. My initial plan was to connect the firewalls back-to-back using a single 10G LR link (which I have done for other deployments without any issues), however in this instance I've been advised to either use a back-to-back port-channel, with each fibre link taking a seperate path for increased availability, or by connecting a single failover link via our inside or outside switch infrastrucutre, so an indirect failover link.</P><P>Is there a general recommendation or best practise for FTD failover connectivity that I should be following?</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 04 Jan 2025 10:53:36 GMT https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243283#M1118572 packet2020 2025-01-04T10:53:36Z https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243287#M1118573 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1304848">@packet2020</a> using an Etherchannel via different paths for the failover link would be sensible. The failover link can also be shared with the stateful failover link. Sharing a failover link is the best way to conserve interfaces, but consider a dedicated interface for the state link and failover link, if you have a large configuration and a high traffic network.&nbsp;</P> <P>This are the different scenarios</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobIngram_0-1735988615962.png" style="width: 651px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/236923i21FC87F867DA3340/image-dimensions/651x627?v=v2" width="651" height="627" role="button" title="RobIngram_0-1735988615962.png" alt="RobIngram_0-1735988615962.png" /></span></P> <P>The Cisco guides covers each option <A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/high-availability.html#ID-2107-00000039" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/high-availability.html#ID-2107-00000039</A></P> <P>&nbsp;</P> Sat, 04 Jan 2025 11:05:58 GMT https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243287#M1118573 Rob Ingram 2025-01-04T11:05:58Z https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243291#M1118575 <P>Can I know SW form VSS or vPC or stack wise virtual?</P> <P>MHM</P> Sat, 04 Jan 2025 11:34:20 GMT https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243291#M1118575 MHM Cisco World 2025-01-04T11:34:20Z https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243309#M1118577 <P>The switches that the FTDs connect to are independant, so we have core switch 1 and core switch 2 that are connected togther using a trunk, with FTD1 connected only to core switch 1 and FTD2 connected only to core switch 2. We generally dont use VSS/SWV in the core/critical parts of our network</P> Sat, 04 Jan 2025 13:13:24 GMT https://community.cisco.com/t5/network-security/ftd-failover-link-recommendations/m-p/5243309#M1118577 packet2020 2025-01-04T13:13:24Z