3100 Clustering on 7.2 (FMC & Clustered FTD's) w/ PBR, NAT and ECMP?

red2play
Level 1

We have a 3100 Cluster with two 10G diverse Internet connections from two different Internet providers and are also using NAT. We want to use both pipes with failover. I have a number of questions:

1. Should I just use NAT instead of PBR? I can just NAT the address of internal IPs and that will basically serve as a PBR, right? Or should I just use PBR w/ NAT? The documentation states that it can be unstable if both are used.

2. In the example from here:

Firepower Management Center Device Configuration Guide, 7.1 - Policy Based Routing [Cisco Secure Firewall Management Center] - Cisco

I can see that they are using PBR with ECMP. Is there a reason for that?

 

1 Reply 1

First off, are you planning on setting up a true cluster or just an active/standby HA setup?  It is just that some people use cluster interchangeably for both active/standby HA and, well, clustering.

So to answer your questions:

1. I would suggest using PBR instead of NAT to route traffic out the second ISP interface. The reason is that PBR will most likely be set up once and then forgotten, for the most part, while NAT is constantly being configured. This will reduce the risk of a possible misconfiguration affecting the traffic. You will still need a default NAT for the second interface though.

2. I suppose the document is trying to show the possibilities and provide some use cases so the reader can start to formulate an idea of how they need to implement PBR.  In this case it is trying to show how you can reduce load on the ISPs.  So for example, if you are maxing out a 1Gig link on ISP1 and you have a 500Mb link towards ISP2 then you can send some traffic to ISP2 to reduce the load on ISP1.

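As an added illustration of the approach the reply recommends (this is not from the thread or from Cisco's documentation; it is the ASA-style configuration that FMC deploys to an FTD, written by hand here): PBR steers one internal subnet out the ISP2 interface while the default route stays on ISP1, and a separate dynamic PAT rule exists for each outside interface so that whichever egress PBR or routing picks, the source is translated to that interface's address. The interface names (inside, outside1, outside2), subnets and next-hop addresses are assumed placeholders.

```cisco
! Assumed interfaces: Ethernet1/2 = inside, outside1 = ISP1, outside2 = ISP2
! PBR: traffic from 10.10.20.0/24 (placeholder subnet) is steered to ISP2
access-list PBR_TO_ISP2 extended permit ip 10.10.20.0 255.255.255.0 any
route-map PBR_ISP2 permit 10
 match ip address PBR_TO_ISP2
 set ip next-hop 198.51.100.1
interface Ethernet1/2
 nameif inside
 policy-route route-map PBR_ISP2
!
! NAT is still required on BOTH outside interfaces: PBR only chooses the
! egress, and the rule whose mapped interface matches that egress applies.
object network INSIDE_NETS
 subnet 10.10.0.0 255.255.0.0
nat (inside,outside1) source dynamic INSIDE_NETS interface
nat (inside,outside2) source dynamic INSIDE_NETS interface
!
! Everything PBR does not match follows the default route via ISP1.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
```

In FMC these pieces are created under the device's Routing > Policy Based Routing and the NAT policy rather than typed in; the CLI above is only what the deployed configuration looks like, so it can be checked with `show running-config route-map` and `show nat` after deployment.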