Solved: Firepower 2100 HA vs Clustering

Jeremy Dubrulle · ‎05-15-2019

Hello,

I'm trying to understand the difference between HA and clustering.

I see in the datasheet 2 lines different https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/data_sheet-c78-736661.html#ModelOverview

But I read in a cisco doc that "FirePOWER Clustering means HA" https://learningnetwork.cisco.com/docs/DOC-30551

So for the 2110, we have HA but not clustering, but with the last citation, I have no HA because no clustering.

I'm lost ...

Marvin Rhoads · ‎05-15-2019

HA = High Availability. One device is Active and the other is Standby. For devices running ASA software and multiple contexts (think "virtual firewalls") the Active and Standby roles can be reversed across different contexts thus the concept of "Active-Active". A given context is always Active-Standby though. For devices running FTD software, HA is only Active-Standby. Firepower 4100 and 9300 models (NOT 2100 series) can run multiple instances of FTD in containers and those can in turn be each configured Active-Standby across multiple chassis.

Clustering = combining multiple hardware appliances into a logical cluster for both high availability and scalability. Firepower 4100 and 9300 series appliances running FTD support clustering, as do most devices running ASA software (exception - ASAv, low end hardware like the ASA 5506-X and 5508-X, and the Firepower 2100 series running ASA software). In a cluster, all functional members are simultaneously active and there is some advanced software taking care of distributing flows and connections among the cluster members.

View solution in original post

Marvin Rhoads · ‎05-15-2019

The Cisco Learning Network document you cited refers to classic Firepower NGIPS devices. It does not describe the capabilities of Firepower Threat Defense (FTD) on Firepower 2100 or any other hardware platform. Also, it is written by a contributor and is not an official Cisco publication.

The data sheet rightly notes that clustering (for FTD) is available on the Firepower 4100 and 9300 series appliances. The 2100 series does not currently offering clustering support but does offer Active-Standby high availability.

Jeremy Dubrulle · ‎05-15-2019

Ok thanks but I don't understand the difference between cluster and HA. I may be dumb but could you explain me the difference between HA and cluster ?

More over it's written that the active/active is supported on HA for the 2100 series

Marvin Rhoads · ‎05-15-2019

HA = High Availability. One device is Active and the other is Standby. For devices running ASA software and multiple contexts (think "virtual firewalls") the Active and Standby roles can be reversed across different contexts thus the concept of "Active-Active". A given context is always Active-Standby though. For devices running FTD software, HA is only Active-Standby. Firepower 4100 and 9300 models (NOT 2100 series) can run multiple instances of FTD in containers and those can in turn be each configured Active-Standby across multiple chassis.

Clustering = combining multiple hardware appliances into a logical cluster for both high availability and scalability. Firepower 4100 and 9300 series appliances running FTD support clustering, as do most devices running ASA software (exception - ASAv, low end hardware like the ASA 5506-X and 5508-X, and the Firepower 2100 series running ASA software). In a cluster, all functional members are simultaneously active and there is some advanced software taking care of distributing flows and connections among the cluster members.

Jeremy Dubrulle · ‎05-16-2019

Ok thanks very clear Marvin !