05-25-2015 02:27 AM - edited 03-10-2019 06:23 AM
I have a design as attached where 2 firewalls are connected to two IPS in cross connects. I want to ensure Active/Standby in my design, but I am not sure whether the IPS interface can be bundled like a BVI to ensure sensing of ASA1-ASA2 failover.
Does the new FP8350 support all modes of operation that the Cisco 4200 IPS previously supported? Design modes like inline interface pair, VLAN interface pair etc.
05-25-2015 09:06 AM
If I understand your diagram correctly, none of the interfaces are Etherchannel or LAGs. So you would just setup multiple interfaces in inline sets on each FP8350. Reference.
The 8350 doesn't care whether a given ASA is Active or Standby - it just inspects the traffic presented to its interfaces and applies policies as configured.
04-24-2016 01:23 AM
Dear Marvin,
I am facing the same issue here. Could you please explain?

    ASA 5585-X ---------- ASA 5585-X   (Active / Standby)
       ||        ||                    (Port-channel, trunk VLAN A)
    FP 8350 ------------- FP 8350      (Active / Standby)
       ||        ||                    (Port-channel, trunk VLAN A)
    6807 ====== VSS ====== 6807
            |       |
           Server Farm
My basic requirement is to use the port-channel feature together with the inline feature. However, I am confused whether I need to use a virtual switch or an inline set to fulfill my requirement.
On top of the FP appliance, the ASA is configured as a Layer 3 link. If I configure the FP and use two physical interfaces in an inline set (the total interfaces on the FP are four, two for the inside zone and two for the external zone), then how will I put an IP address on the ASA, which has two physical interfaces connected from the active ASA?
Thanks in advance.
04-25-2016 07:05 AM
@farhan.bhatti1,
An inline set works fine. The caveat is that a given FirePOWER appliance must monitor all of the links in a given portchannel.
See this document for confirmation: http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117897-cinfig-sourcefire-00.html
When your ASA uses a portchannel you assign IP addresses either to the Portchannel logical interface itself (e.g., Po1) or build subinterfaces, also with IP addresses (e.g., Po1.1, Po1.2 etc.). Either way, that's distinct from the physical interfaces. They don't have IP addresses per se when they are members of a portchannel.
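The following ASA configuration illustrates the point above: it is an added example, not taken from the thread or from Cisco's documentation, and the interface names, VLAN ID and addresses are assumed values. The two physical members carry no IP address; the address (with its failover standby address, so the Active/Standby pair keeps working) lives on the Po1 subinterface that is trunked through the FP8350 inline set.

```cisco
! Physical members of the bundle: no nameif, no IP address here.
! Both links must pass through the same FP8350 inline set so that
! one appliance sees every member of the portchannel.
interface GigabitEthernet0/0
 description Po1 member A (assumed name)
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 description Po1 member B (assumed name)
 channel-group 1 mode active
 no shutdown
!
! Logical portchannel: used only as a trunk carrier for subinterfaces.
interface Port-channel1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface for VLAN A (assumed VLAN ID 10): this is where the
! Layer 3 address lives. The standby address keeps the interface
! addressed on the standby ASA after a failover.
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
```

The FP8350 side has no equivalent CLI to show: the inline set containing both member links is built in the Firepower Management Center, as the linked document describes.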