We have an upcoming project with the below items:-
1) FirePOWER 4100 with NGFW & threat subscriptions (Two Qty.) - DC firewalls
2) FirePOWER 5525X with TAMC subscriptions (Two Qty.) - Internet firewalls
3) FirePOWER management center virtual
DC firewalls will be connected to the Nexus core platforms in a vPC environment.
My doubt is about as to how the connectivity will be in case our plan is for active/standby FTDs (not clustering)
1) From each FirePOWER appliance there will be dual links, one each to Nexus 1 & Nexus 2 respectively (should this be part of a single PO/vPC or dual PO/vPC)
2) Management port of each FirePOWER appliance will be connected to corresponding Nexus, i.e FirePOWER 1 management will be connected to Nexus 1 & FirePOWER 2 management will be connected to Nexus
3) Do we need a separate physical link for active/standby fail over/state traffic? If yes, can we make use of the existing SFP+ slot & use GLCT since we are short on 10 Gig SFP?
4) For the FTD management, do we need a separate physical port? If yes, can we make use of the existing SFP+ slot & use GLCT since we are short on 10 Gig SFP?
Please help us here as this is our first time with the 4100.
Each FirePOWER appliance should connect to a unique vPC on the Nexus pair. See the configuration guide here:
You cannot use the built-in chassis management SFP port for either FirePOWER logical device failover/state or management. That port is for chassis management only (FirePOWER Chassis Manager and FX-OS CLI shell).
Thus you will need to allocate an interface for each of those purposes. It does burn SFP+ slots and require 10 Gbps transceivers, but that's how you have to do it on these platforms.
I usually specify the relatively inexpensive twinax cables for this (and for the connections to the switches as well). The SFP-H10GB-CU1M= (or 2M) is only US$100 list price and covers both ends of the connection. Contrast that with a SFP-10G-SR-S= fiber transceiver where you need two each plus a fiber jumper per connection.
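To make the "unique vPC per appliance" layout concrete, here is an added NX-OS configuration sketch for the two Nexus switches. It is an illustration written for this thread, not the reply author's configuration or a Cisco document. The hostnames, interface numbers, VLAN IDs, the vPC domain and peer-keepalive addresses (192.0.2.x) are all constructed placeholders; it also assumes the FXOS port-channels on each 4100 run LACP active, so the Nexus member ports use `channel-group ... mode active`. The failover/state link and the FTD management interface are, as the reply says, separate dedicated ports on the appliance and are deliberately not part of these vPCs.

```text
! ===== Nexus 1 (vPC primary) =====  constructed example, not production config
feature vpc
feature lacp
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  role priority 100
interface port-channel 1
  description vPC peer-link to Nexus 2
  switchport mode trunk
  vpc peer-link
! One vPC per appliance: vPC 11 = FTD-1, vPC 12 = FTD-2 (no shared PO across both units)
interface port-channel 11
  description FTD-1 data port-channel
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 11
interface Ethernet1/11
  description FTD-1 data port (member of vPC 11)
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  channel-group 11 mode active
interface port-channel 12
  description FTD-2 data port-channel
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 12
interface Ethernet1/12
  description FTD-2 data port (member of vPC 12)
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  channel-group 12 mode active

! ===== Nexus 2 (vPC secondary) =====  mirror of the above with the other member ports
feature vpc
feature lacp
vpc domain 10
  peer-keepalive destination 192.0.2.1 source 192.0.2.2
  role priority 200
interface port-channel 1
  description vPC peer-link to Nexus 1
  switchport mode trunk
  vpc peer-link
interface port-channel 11
  description FTD-1 data port-channel
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 11
interface Ethernet1/11
  description FTD-1 second data port (member of vPC 11)
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  channel-group 11 mode active
interface port-channel 12
  description FTD-2 data port-channel
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 12
interface Ethernet1/12
  description FTD-2 second data port (member of vPC 12)
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  channel-group 12 mode active
```

The point of two vPCs rather than one is that the active and standby FTDs are separate LACP endpoints: each appliance bundles its own two links (one to each Nexus), and the Nexus pair presents each bundle as its own vPC. After cabling, `show vpc brief` on either switch should list vPC 11 and vPC 12 both in the up/consistent state, and `show port-channel summary` should show both member ports of each bundle as (P) bundled; a port stuck in individual or suspended state usually means an LACP-mode or allowed-VLAN mismatch between the FXOS port-channel and the switch side.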
When you connect FTD 4110 in Active/Active mode, routed mode to vPC on Nexus 7K, can you configure an SVI over the port-channel in the Nexus 7K?