cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4364
Views
12
Helpful
9
Replies

DUAL ISP Active\Active WAN aggregate Cisco FTD 1010 Firepower FMC 6.5

keithcclark71
Level 3
Level 3

Customer ISP not providing enough bandwidth and was told a secondary WAN connection could be added and aggregated with the original circuit. This firewall is a Cisco 1010 FTD used with FMC and has anyconnect VPN established. Is this even possible without adding additional hardware? The customer was told he could just aggregate the two separate WAN circuits into one aggregate circuit using two physical interfaces on the FTD 1010 and the bandwidth would be total for the two circuits up/down combined. I don't understand how this would be possible as an aggregate link would still need public IP assignment for the VPN etc Can anyone help here?

1 Accepted Solution

Accepted Solutions

Hi @Aref Alsouqi I might be wrong, as I've never used the feature. ECMP uses traffic zones, if the outside interfaces are assigned to the zone, then you can configure multiple default routes via multiple interfaces.

 

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/routing-ecmp.html

 

View solution in original post

9 Replies 9

Hi @keithcclark71 not used it myself, but FTD supports ECMP

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-cen

 

Pay attention to the interfaces guidelines section, for example RAVPN is not supported.

Inside Subnet divide into two new Subnet each one will use one ISP, 
this done by PBR.

I don't believe that would be possible. Although the FTD would support ECMP but that would still be using the same exit interface. Essentially with the ECMP ( @Rob Ingram please keep me honest here) on the FTD you can configure multiple default routes pointing out of the same exit interface, but using multiple next hops. The ASA/FTD won't allow using multiple default routes pointing to multiple interfaces.

One thing probably could be done in this case would be to ask the ISP to configure HSRP as an example, so you can use a single default gateway on the FTD, and then the ISP would need to configure multiple default routes on their CPEs, on CPE1 they would have the normal default route to the WAN next hop, and another default route pointing to CPE2. Similar would also be configured on the CPE2 device.

Hi @Aref Alsouqi I might be wrong, as I've never used the feature. ECMP uses traffic zones, if the outside interfaces are assigned to the zone, then you can configure multiple default routes via multiple interfaces.

 

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/routing-ecmp.html

 

Hi @Rob Ingram , very nice! Defo worth labbing this up and see how it works in action.

This sounds like security contexts from ASA now named Virtual Routers. This is good info here but unfortunately this site I am referring to is FTD 1010. This discussion has helped greatly and appreciate all of those who responded and PBR using multiple internal subnets would seem to work from an outbound standpoint but from an aggregation standpoint I don't understand how 2 physical WAN interfaces could be aggregated and one public IP assigned for internal published services. It would seem to me that there would not be aggregation here but just two separate gateways divided per outbound subnet designation. If one had a ton of outbound rules restrictions which I do I would think you would need both interfaces associated with the "Outside" zone some how to keep outbound firewall rules in place against both internal PBR subnets?

The virtual routers are just a definition to VRFs on the firewalls. I agree with you, in this case probably it shouldn't be called aggregation as much as load balancing. If you configure the ECMP as @Rob Ingram suggested (the 1010 still seems to support it using the global VR), you would have two default routes on the FTD to load balance the outbound traffic. Now regarding the internal published services NAT rules, I think you would need to edit the existing NAT rules using "any" for the mapped interface, and the outside interface for the source translation. However, I can't see how you can achieve this if you are using dedicated public IP addresses, because in that case you still would need to define multiple NAT rules, one for each public IP associated to each outside interface. Alternatively, I was thinking about creating an etherchannel connection, but not sure if that would be supported on the ISP device! and I think that would also depend on what mechanism they would use when they say aggregate the two WAN circuits.

Do you have same SP for both WAN?

ASN
Level 1
Level 1

How would it work on the NAT's?
Trying to figure this one out since to my knowledge if you have both NAT entry's the last one will be processed and only one of the links will be active or i am missing something?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: