Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1805
Views
5
Helpful
3
Replies

Do FirePower NGIPS Support Interface bridging/inline interface pair mode

Go to solution
syedbadruddoja
Level 1
Level 1

‎05-25-2015 02:27 AM - edited ‎03-10-2019 06:23 AM

i have a design as attached where 2 firewalls connected to two IPS in cross connects, i want to ensure Active/standby in my design, but not sure whther IPS interface can be bundled like BVI to ensure sensing of ASA1-ASA2 failover.

 

Does the new FP8350 support all modes of operation where previously cisco 4200 IPS supported. Design mode like inline interfacce pair,vlan interface pair etc.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-25-2015 09:06 AM

If I understand your diagram correctly, none of the interfaces are Etherchannel or LAGs. So you would just setup multiple interfaces in inline sets on each FP8350. Reference.

The 8350 doesn't care whether a given ASA is Active or Standby - it just inspects the traffic presented to its interfaces and applies policies as configured.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-25-2015 09:06 AM

If I understand your diagram correctly, none of the interfaces are Etherchannel or LAGs. So you would just setup multiple interfaces in inline sets on each FP8350. Reference.

The 8350 doesn't care whether a given ASA is Active or Standby - it just inspects the traffic presented to its interfaces and applies policies as configured.

Go to solution
farhan.bhatti1
Level 1
Level 1
In response to Marvin Rhoads

‎04-24-2016 01:23 AM

Dear Marvin,

I am facing same issue here. Could you please explain

ASA 5585X--------- ASA 5585 X (Active / Standby)

     | |                             | | (Port-channel) (Trunk (VLAN A)

FP 8350--------------FP 8350 (Active / standby)

     | |                             | |  (Port-channel) (Trunk VLAN A)

  6807====VSS====6807

                   | |

            Server Farm

My basic requirement is to used port-channel features with inline feature. However, i am confused, whether i need to use virtual switch or inline set to fulfill my requirement. 

on top of FP appliance, ASA is configured as Layer III link, If i will configured FP & use two physical interfaces in inline set (total interface on FP are four, two for inside zone and two for external zone), then how i will put ip address on ASA having two physical interface connected from active ASA

Thanks in advance.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to farhan.bhatti1

‎04-25-2016 07:05 AM

[@farhan.bhatti1]  ,

An inline set works fine. The caveat is that a given FirePOWER appliance must monitor all of the links in a given portchannel.

See this document for confirmation:  http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117897-cinfig-sourcefire-00.html

When you ASA uses a portchannel you assign IP addresses either the the Portchannel logical interface itself (i.e. Po1) or build subinterfaces, also with IP addresses (i.e., Po1.1, 1.2 etc.). Either way, that's distinct from the physical interfaces. They don't have IP addresses per se when they are members of a portchannel.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card