topic Firepower 2130 IPS inline deployment with port-channel in Network Security

Firepower 2130 IPS inline deployment with port-channel

west33637 — Fri, 21 Feb 2020 15:35:23 GMT

Hello all. I'm trying to configure an IPS inline pair between an ASA and Nexus switch. The ASA is currently port-channeled down to the Nexus and I want to implement the Firepower 2130 inline in between them.

Is it possible to configure and 2 ether-channels on the IPS - 1 ether-channel for inside, 1 for outside and configure a single inline set between the ether-channel interfaces. or do I need to configure individual interfaces on the IPS and set up 2 independent inline sets?

When I configure the inline set between the 2 ether-channel interfaces, it does not automatically change the ether-channel interfaces to inline mode like it should. It works when I use physical links for the inline sets.

According to page 13 of the attached document, ether-channel with inline sets on the 4150 should work, but I am unable to get ether-channel to work with inline set on the 2130.

appreciate any help.

Re: Firepower 2130 IPS inline deployment with port-channel

Francesco Molino — Mon, 02 Apr 2018 15:25:31 GMT

As far as I recall, etherchannel in IPS mode only are supported only on FP4100 and 9300 chassis.

I had (don't remember how) an email from Cisco saying:

Answer: IPS-only interfaces support physical interfaces only, and cannot be EtherChannels, redundant interfaces, VLANs, and so on.
The exception is for EtherChannels (Port-channel) configured on the Firepower 4100/9300 chassis, which are supported.

Re: Firepower 2130 IPS inline deployment with port-channel

west33637 — Mon, 02 Apr 2018 15:51:26 GMT

Any documentation to back this? I believe your statement is accurate, but I need some documentation to point my client to. Thanks,

Re: Firepower 2130 IPS inline deployment with port-channel

Francesco Molino — Mon, 02 Apr 2018 15:53:44 GMT

Nope. I can try to found it later tonight otherwise, you can open a case to Partner Helpline and ask this question, they will reply with a doc certainly.

Re: Firepower 2130 IPS inline deployment with port-channel

maur7311 — Fri, 14 Dec 2018 19:02:26 GMT

Hello Francesco

I’m a little confused cause by the following situation and I would like have an explanation: According to your response the Firepower 4100 series can be deployed transparently for LACP with inline-pairs, but there is a colleague doing another Inline deployment with Firepower 7120s IPS-Only located among a Link-Aggregation between FW and LoadBalancer and there is VLAN Tagged Traffic through it. When he deployed the Firepower 7120s (Using a Inline interface pairs instead of LinkAggregation configuration towards FW and LoadBalancer) there were troubles with the Tagged Traffic and it doesn't works. Then he had to configure a LinkAggregation Interfaces on Firepower 4100 and Logical(Tagged) interface for resolving it. Could happen the same thing with Firepower 4100 ? Please let me know your point of view about it.

And I want to know If you can help me to confirm how must be deployed the FP4100 according to the "Best Practices":

1. First Stage: The FP4100 must be deployed in Passive Mode (SPAN or Port Mirror) for Learning stage ?
2. Second Stage: After the learning stage the FP4100 must be deployed Inline using Interface-Pairs or LACP Interface? What feature inspections can gain or loose in any of those modes? Could I inspect tagged Traffic in any f those modes? Which mode could guarantee the well function of Hardware Bypass? I've attached a generic Topology.

Thank a lot

Edgar