I'm trying to design a scalable solution using the FP9300 chassis.
I assume I can use only 2 security modules, as I've seen that in other discussions, but what is the throughput?
The data sheet only mentions 1xSM44, 3xSM44, 1xSM56 & 3xSM56.
What is the throughput for 2xSM44 or 2xSM56? Does anyone know, or can someone point me at the relevant data, as it's not in the spec sheets I've seen online thus far.
Thanks - P
A given (native) logical device uses a given security module exclusively. So a single FTD firewall for example uses one security module and we can see the specifications in the data sheet for that.
You only use multiple SMs when you have multiple logical devices - either each running standalone or as part of a cluster.
If you want to know more about clusters (or containerized) throughput please refer to Andrew Ossipov's Cisco Live presentations.
Thanks for taking the time to reply.
Yes that is interesting (YouTube) but it doesn’t answer my question.
I’m trying to scale throughput in IDS mode
1xSM-56 = 64Gbps
2xSM-56 = ?
3xSM-56 = 153Gbps
I have a load balancer in front to sort that side of things, I’m after 80Gbps so don’t want to go to the expense 3xSM-56 if I don’t need to.
Can you point me at any documentation that will help, because I’ve not been able to find the numbers myself?
Cheers - P
What do you mean by IDS mode? In the Firepower world that term is usually used to refer to running the classic Sourcefire/Cisco appliance with inline pairs. That image is not supported as a logical device on Firepower 9300 appliances. They support FTD or ASA images (and Radware Virtual Defense Pro).
For FTD, a given appliance runs as a logical device with one security module associated. So the maximum throughput for a single appliance FTD instance is that of the respective SM-44 or SM-46 it is associated with.
Multiple FTD instances on a Firepower 9300 (when designing for higher throughput) would normally be clustered. The Cisco Live presentation has lots of detail about that - much more than can be easily conveyed here.
Whether or not an FTD cluster would work with your load balancer architecture is something you'd be best suited to engage with your partner or Cisco SE on, so that the end-to-end architecture can be validated. Such a design would entail many hundreds of thousands of dollars of investment and would not be well served by making decisions based on a public forum discussion.