Firepower 2130 IPS inline deployment with port-channel

west33637
Level 1

Hello all. I'm trying to configure an IPS inline pair between an ASA and a Nexus switch. The ASA is currently port-channeled down to the Nexus, and I want to implement the Firepower 2130 inline in between them.

Is it possible to configure 2 EtherChannels on the IPS (1 EtherChannel for inside, 1 for outside) and configure a single inline set between the EtherChannel interfaces, or do I need to configure individual interfaces on the IPS and set up 2 independent inline sets?

When I configure the inline set between the 2 EtherChannel interfaces, it does not automatically change the EtherChannel interfaces to inline mode like it should. It works when I use physical links for the inline sets.

According to page 13 of the attached document, EtherChannel with inline sets on the 4150 should work, but I am unable to get EtherChannel to work with an inline set on the 2130.

I'd appreciate any help.


Francesco Molino
VIP Alumni

Hi

As far as I recall, EtherChannels in IPS-only mode are supported only on the FP4100 and 9300 chassis.

I had (I don't remember how) an email from Cisco saying:

Answer: IPS-only interfaces support physical interfaces only, and cannot be EtherChannels, redundant interfaces, VLANs, and so on.
The exception is for EtherChannels (Port-channel) configured on the Firepower 4100/9300 chassis, which are supported.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Any documentation to back this? I believe your statement is accurate, but I need some documentation to point my client to. Thanks,

Nope. I can try to find it later tonight; otherwise, you can open a case with the Partner Helpline and ask this question, and they will certainly reply with a doc.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco

I'm a little confused by the following situation and would like an explanation. According to your response, the Firepower 4100 series can be deployed transparently for LACP with inline pairs, but a colleague is doing another inline deployment with Firepower 7120s (IPS-only) placed in the middle of a link aggregation between a firewall and a load balancer, with VLAN-tagged traffic passing through it. When he deployed the Firepower 7120s (using inline interface pairs instead of a link-aggregation configuration towards the firewall and load balancer), there were problems with the tagged traffic and it didn't work. He then had to configure link-aggregation interfaces on the Firepower 4100 and a logical (tagged) interface to resolve it. Could the same thing happen with the Firepower 4100? Please let me know your point of view on it.

I would also like your help confirming how the FP4100 should be deployed according to the "Best Practices":

1. First stage: must the FP4100 be deployed in passive mode (SPAN or port mirror) for a learning stage?
2. Second stage: after the learning stage, must the FP4100 be deployed inline using interface pairs or LACP interfaces? What inspection features are gained or lost in each of those modes? Could I inspect tagged traffic in either of those modes? Which mode would guarantee the correct operation of hardware bypass? I've attached a generic topology.

Thanks a lot

Edgar
