
Cisco FTD inline set support for VLAN pairs

Hello Everyone,

I am migrating from an ASA with SFR module to an FTD running the ASA image and another FTD running inline sets. The plan is to replace the ASA with an FTD running the ASA image and the SFR with an FTD running inline sets. In the current ASA we have around 31 sub interfaces, and our target is to connect the FTD (running the ASA image) and the FTD (IPS) to a switch, then direct the traffic to the IPS using VLAN pairs. Since there are sub interfaces in the ASA, we would need the same in the FTD inline sets to properly direct the traffic to the IPS so that the device connectivity can be done through a switch. Does the FTD support sub interfaces to be configured as inline pairs, or does it have something like the VLAN pairs of the old Cisco IPS? What would be the approach I should follow in such a scenario?

 

Kindly advise

Shabeeb

7 Replies

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html

  • Inline sets and passive interfaces support physical interfaces and EtherChannels only, and cannot use VLANs or other virtual interfaces, including multi-instance chassis-defined subinterfaces.

  • But you should be able to define a trunk on the switch connecting to the FTD, and the FTD can pass the VLANs seamlessly. This works just fine. Since it is an inline pair, it will just propagate the VLANs just fine.

**Please rate as helpful if this was useful**
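As an added example (not from the original thread or from Cisco's documentation), here is what the two ends of such an inline pair look like once the IPS FTD is placed between the switch and the ASA-image FTD. Interface names, VLAN IDs (10, 20, 30) and addresses are placeholders chosen for illustration. The inline set itself is created in the FMC GUI on the two physical FTD interfaces, so it is not shown as CLI; only the switch-side trunk and the ASA-side subinterfaces are.

```cisco
! Switch side: one 802.1Q trunk toward the IPS FTD's first inline interface.
! Interface names and VLAN IDs are placeholders (assumption).
interface GigabitEthernet1/0/1
 description To IPS-FTD Ethernet1/1 (inline pair, switch side)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! IPS FTD (no CLI shown): Ethernet1/1 <-> Ethernet1/2 form one inline set,
! configured in FMC under Devices > Device Management > Inline Sets.
! The set bridges frames between the two physical ports with the VLAN tag
! left intact; no subinterfaces exist or are needed on the IPS FTD.
!
! ASA side (FTD running the ASA image): one subinterface per VLAN,
! mirroring the "allowed vlan" list above. The tag arrives unchanged
! after traversing the inline set.
interface GigabitEthernet0/1
 description To IPS-FTD Ethernet1/2 (inline pair, ASA side)
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside-servers
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside-users
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.10.30.1 255.255.255.0
```

The check a practitioner would run after cabling: `show interfaces trunk` on the switch should list 10,20,30 as active on GigabitEthernet1/0/1, `show inline-set` on the IPS FTD should show the pair up, and `show interface GigabitEthernet0/1.10` (and the other subinterfaces) on the ASA should show packet counters increasing. The caveat is that the switch trunk's allowed-VLAN list, not the IPS, decides what reaches the ASA: a VLAN that exists as an ASA subinterface but is missing from `switchport trunk allowed vlan` is dropped silently at the switch, which is easy to mistake for an IPS drop.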

Hello,

Thanks a lot for your response. So we need to put the IPS physically between the switch and the ASA, right?

I am not so sure; you need to try 
SW(trunk)-link-FTD1 IPS-only-link-FTD2 with subinterfaces. 
The FTD IPS-only does not remove the header which includes the VLAN. 

If it removes the header, then configure 
SW(access port)-link-FTD1 IPS-only-link-FTD2. 
Here, even if the IPS removes the L2 header, the traffic is not dropped.

MHM

Correct. Put the FTD in the middle and it should work just fine.

**Please rate as helpful if this was useful**

 

Hello,

Thanks a lot for your reply. We have 3 segments, and I am planning to put the FTD inline pair in all the three segments. Please find the attached diagram.

[attached diagram: SHABEEBKUNHIPOCKER_0-1724163034221.png]

I have the below concerns

  1. If you take the traffic flow from server to internet, the traffic will be inspected first by the IPS layer placed on the inside segment of the ASA and then by the IPS layer placed on the outside interface of the ASA. Is there any way to avoid this double inspection? 
  2. Initially I was planning to build HA between the IPS FTDs, but it seems that with the above design it is not possible. If ASA-01 is made standby from the CLI, then IPS-02 should become active, which it will not, as there will not be any interface failure. So in that scenario IPS-01 and ASA-02 will be active and the traffic will be blocked. So either I need to add switches in every segment, or I will keep the IPS appliances as standalone. Kindly advise what the best practice is.

Thanks

Shabeeb

 

 

Hi friend, 

Can we review your issue here? 

Why do you use FTD IPS-only and FTD in series? Why not use FTD and run IPS on it?

Do you have a heavy traffic load?

MHM

Hello,

Thanks a lot for your reply. The customer currently has an ASA with SFR modules. They have around 30 VPN tunnels in the firewall, and they are a bank. They would like to make sure the migration is very smooth. When we checked with the local Cisco team for a design suggestion, they informed us that FTD with the ASA image + a separate FTD with IPS is the recommended design for banking customers. 
