topic Re: Firepower 1120 transparent mode interface best practises? in Network Security

Firepower 1120 transparent mode interface best practises?

Network Diver — Thu, 13 Feb 2025 10:13:05 GMT

Hi,

We have a pair of Firepower 1120 running FTD in transparent mode and active/standby HA. They should do IPS and threat protection for internet links with two separate ISP connections and different IP ranges and routing.

Separate bridge groups for each ISP.

Uplink switches are 2 x Nexus C9348GC switches with vPC.

What's the best practise for interface assignments in such a setup for throughput and failover resiliency? The FTD admin guide is not very clear about this and the Youtube tutorials were all with virtual FTDs.

Combined: 4 x 1 Gb/s port-channel with VLAN subinterfaces for both ISPs inside and outside
Separated: 2 x 1 Gb/s port-channel for ISPs inside and another 2 x 1 Gb/s for outside, both with VLAN subinterfaces
No port-channel and no VLAN subinterfaces at all, hardwired 1:1 connections
It doesn't matter

Thanks in advance,

Bernd

Re: Firepower 1120 transparent mode interface best practises?

Network Diver — Wed, 26 Mar 2025 12:34:37 GMT

Will a 4 x 1 Gb/s port-channel across two Nexus C9348GC switches with vPC work as expected using VLAN trunking and separate VLANs for outside and inside? Each Nexus switch as two ISP routers (active/standby) connected. All the tutorials I have found on the internet use simple configurations like one VLAN per physical interface. Or are there some undocumented easter eggs to be expected?

Example configuration:

interface Ethernet1/17 description ftd-ips1 gi1 switchport mode trunk spanning-tree port type edge trunk spanning-tree guard root mtu 9216 channel-group 17 mode active no shutdown interface Ethernet1/18 description ftd-zh-ips1 gi2 switchport mode trunk spanning-tree port type edge trunk spanning-tree guard root mtu 9216 channel-group 17 mode active no shutdown interface port-channel17 description ftd-zh-ips1 switchport mode trunk spanning-tree port type edge trunk spanning-tree guard root mtu 9216 vpc 17

Re: Firepower 1120 transparent mode interface best practises?

Sheraz.Salim — Thu, 27 Mar 2025 12:32:47 GMT

Separated: 2 x 1 Gb/s port-channel for ISPs inside and another 2 x 1 Gb/s for outside, both with VLAN subinterfaces

This configuration provides the best balance of throughput and failover resiliencyHere's why:

Separate bridge groups for each ISP allow for isolated traffic flows and easier management of different IP ranges and routing.Using port-channels increases bandwidth and provides link redundancy.VLAN subinterfaces allow for logical separation of traffic within each port-channel, accommodating multiple ISPs and inside/outside interfaces.

regarding your specific setup with Nexus C9348GC switches using vPC.

Yes, a 4 x 1 Gb/s port-channel across two Nexus C9348GC switches with vPC will work as expected using VLAN trunking and separate VLANs for outside and inside. This configuration is supported and provides high availability and load balancing.Your example configuration for the Nexus switches is correct and follows best practice/s.

The above configuration sets up a trunk port-channel with edge port and root guard features, which is appropriate/helpful for connecting to firewalls which you can take into account.

Re: Firepower 1120 transparent mode interface best practises?

Sheraz.Salim — Thu, 27 Mar 2025 12:35:58 GMT

The best practice for interface assignments in a Firepower 1120 FTD setup with multiple ISPs is to use separated port-channels 2 x 1 Gb/s for ISPs inside and another 2 x 1 Gb/s for outside, both with VLAN subinterfaces. This configuration optimizes throughput and failover resiliency by segregating traffic, enhancing security zone management, and providing better control over routing and security policies.

Re: Firepower 1120 transparent mode interface best practises?

Network Diver — Thu, 03 Apr 2025 07:27:12 GMT

Hm. When I enable the bridge interfaces then BPDUGuard sets it to errDisable. Firepower1120 has a 4 x 1 Gb/s port-channel and four VLAN subinterfaces. Pone pair VLAN-in/VLAN-out for each bridge group and ISP network range.

Spanning-tree interface options on Nexus switch:

nexus-1(config-if)# spanning-tree ? bpdufilter Don't send or receive BPDUs on this interface bpduguard Don't accept BPDUs on this interface cost Change an interface's spanning tree port path cost guard Change an interface's spanning tree guard mode link-type Specify a link type for spanning tree tree protocol use mst Multiple spanning tree port Spanning tree port options port-priority Change an interface's spanning tree port priority vlan VLAN Switch Spanning Trees

Disable guard root ???

nexus-1(config-if)# spanning-tree guard ? loop Set guard mode to loop guard on interface none Set guard mode to none root Set guard mode to root guard on interface

Use bpdufilter ???

nexus-1(config-if)# spanning-tree bpdufilter disable enable

Disable bpduguard ???

nexus-1(config-if)# spanning-tree bpduguard ? disable Disable BPDU Guard for this interface enable Enable BPDU Guard for this interface

I'm a bit reluctant to play around with interface settings on production switch, although the transparent firewall is new and disconnected. Didn't find a best practises guide.

CheatGPT recommends to remove "spanning-tree guard root", but that's just a language model juggling words together that have thi highest probability and it has been so many times wrong in other situations and topics. 🙂

Re: Firepower 1120 transparent mode interface best practises?

Network Diver — Thu, 03 Apr 2025 07:38:29 GMT

Interface configuration on Firepower.

Cheat GPT answers: