Firepower 4115 - FTD Container Instance Questions

a12288
Level 3

I am in the process of migrating our aging data center ASA 5585 to a Firepower 4115 running FTD. Our current ASA 5585 is the L3 default gateway for a number of data center networks (50+), for both north-south and east-west firewalling, so I need to use VLAN sub-interfaces. According to the document I am reading, this requires me to run an FTD container instance, where I need to create and assign a resource profile even though I just need to run one single FTD container instance. According to the Cisco document, I can allocate all the available CPUs and then arguably all the available memory, but the disk space is set to a 40G limit.

 

I have 2 questions and hope to find some clarification from the community:

1. Any reason why a native FTD with all the resources (CPU, MEM, HD) cannot leverage VLAN sub-interfaces? Will this "feature" be offered in the future?

2. Down to earth, how should the 40G limit be interpreted? Does it mean my single FTD instance can only use 40G for everything: OS, logs, updates, tcpdumps, etc.? Here is my Firepower disk usage in the lab, which I hope someone can shed light on how to interpret; it seems I can use more than 40G. Thanks in advance!

admin@dc-ftd-annu:/ngfw/Volume/home/admin$ cd /
admin@dc-ftd-annu:/$ df -h
Filesystem Size Used Avail Use% Mounted on
overlay 339G 53G 287G 16% /
tmpfs 64M 0 64M 0% /dev
tmpfs 94G 0 94G 0% /sys/fs/cgroup
/dev/sda6 40G 4.1G 36G 11% /mnt
tmpfs 94G 248K 94G 1% /run
shm 80G 1.2G 79G 2% /dev/shm
tmpfs 94G 4.0K 94G 1% /var/config
tmpfs 94G 3.1M 94G 1% /var/volatile/tmp
/dev/sda5 28G 45M 26G 1% /var/data/cores
/dev/sda2 978M 28M 899M 3% /opt/cisco/config/host-common
/dev/sda3 2.9G 9.3M 2.8G 1% /opt/cisco/csp/applications/cisco-ftd.6.4.0.102__ftd_001_JMX2515X22N21W5BU2/app_data/disk0/log/.ntp.log
tmpfs 94G 0 94G 0% /sys/firmware
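Added example (not part of the original post): a small Python parser over the `df -h` listing quoted above that separates RAM-backed pseudo filesystems (tmpfs, shm) and the shared overlay root from the block-device partitions actually carved out for the instance, picks out the largest dedicated partition (the 40G /dev/sda6 on /mnt) and flags any disk-backed mount above a usage threshold, the way a capacity check on a firewall would. The input is constructed from the listing on this page; no FTD-specific semantics beyond what the listing shows are assumed.

```python
import re

# Constructed input: the df -h listing posted in the question above (container instance on a Firepower 4115).
DF_OUTPUT = """\
Filesystem Size Used Avail Use% Mounted on
overlay 339G 53G 287G 16% /
tmpfs 64M 0 64M 0% /dev
tmpfs 94G 0 94G 0% /sys/fs/cgroup
/dev/sda6 40G 4.1G 36G 11% /mnt
tmpfs 94G 248K 94G 1% /run
shm 80G 1.2G 79G 2% /dev/shm
tmpfs 94G 4.0K 94G 1% /var/config
tmpfs 94G 3.1M 94G 1% /var/volatile/tmp
/dev/sda5 28G 45M 26G 1% /var/data/cores
/dev/sda2 978M 28M 899M 3% /opt/cisco/config/host-common
/dev/sda3 2.9G 9.3M 2.8G 1% /opt/cisco/csp/applications/cisco-ftd.6.4.0.102__ftd_001_JMX2515X22N21W5BU2/app_data/disk0/log/.ntp.log
tmpfs 94G 0 94G 0% /sys/firmware
"""

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
_RAM_BACKED = ("tmpfs", "devtmpfs", "shm", "cgroup_root")   # live in memory, not on disk

def to_bytes(size):
    """Turn a df -h size ('4.1G', '248K', '0') into bytes."""
    m = re.fullmatch(r"([0-9.]+)([KMGT]?)", size)
    if m is None:
        raise ValueError("unrecognised df size: %r" % size)
    return int(float(m.group(1)) * _UNITS.get(m.group(2), 1))

def parse_df(text):
    """Parse df -h output (mount points without spaces) into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        fs, size, used, avail, pct, mount = line.split(None, 5)
        rows.append({"fs": fs, "mount": mount, "size": to_bytes(size),
                     "used": to_bytes(used), "use_pct": int(pct.rstrip("%")),
                     # tmpfs/shm are RAM; an overlay mount reports the free space of the
                     # filesystem backing its upper layer, so neither is a dedicated partition
                     "partition": fs.startswith("/dev/")})
    return rows

def largest_partition(rows):
    """The biggest dedicated block-device partition: on the listing above, /dev/sda6 (40G) on /mnt."""
    return max((r for r in rows if r["partition"]), key=lambda r: r["size"])

def near_full(rows, threshold_pct=80):
    """Mount points a capacity check would alert on; RAM-backed mounts are excluded."""
    return [r["mount"] for r in rows if r["fs"] not in _RAM_BACKED and r["use_pct"] >= threshold_pct]
```

Call `parse_df(DF_OUTPUT)` and feed the rows to `largest_partition` or `near_full`; the same parser works on a listing captured from your own instance as long as mount paths contain no spaces.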

 

Accepted Solution

Octavian Szolga
Level 4

Hi,

 

Regarding the 1st question... have you tried it out?

I think (I'm not 100% sure) that you got it wrong...

 

From the FMC 6.6 Config Guide (page 577):

 

FXOS Interfaces vs. Application Interfaces

The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces, VLAN subinterfaces for container instances, and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application.

The following sections describe the interaction between FXOS and the application for interfaces.

VLAN Subinterfaces

For all logical devices, you can create VLAN subinterfaces within the application.

For container instances in standalone mode only, you can also create VLAN subinterfaces in FXOS (on interfaces without FXOS subinterfaces).

 

 

My understanding is that you can't create subinterfaces from within FXOS for a 'native' instance in order to allocate that to your FTD.

Still, you should be able to allocate an entire physical interface to your 'native' instance, then use FMC to divide it into multiple dot1q subinterfaces.

 

Long story short, it should be like this:

- native instance - gets all resources - assign physical interfaces (does not have any resource profile to attach in terms of CPU)

- container instance - has to have a resource profile attached (based on CPU which in turn dictates RAM assigned) + can be assigned an entire physical interface or subinterfaces

 

Regarding your 2nd question, I'm not sure there either. My understanding is that only when you use container instances do you get a fixed HDD allocation of 48GB disk space (check this whitepaper: https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html)

 

I don't have access right now to an FPR4k with a native instance on it, but I think all space is allocated.

Nevertheless, I wouldn't be concerned about logs and so on, because this is where FMC comes into play. After all, FMC has all the data regarding IPS events, connections, etc.

 

On my FTDv lab this is the disk space allocation:

 

> expert
**************************************************************
NOTICE - Shell access will be deprecated in future releases
and will be replaced with a separate expert mode CLI.
**************************************************************
admin@ftdv-A:~$ df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 3.9G 378M 3.5G 10% /
devtmpfs 3.9G 6.1M 3.9G 1% /dev
tmpfs 3.9G 2.4M 3.9G 1% /run
tmpfs 3.9G 748K 3.9G 1% /var/volatile
/dev/sda1 510M 230M 281M 46% /mnt/boot
/dev/sda2 8.0G 2.0M 8.0G 1% /mnt/disk0
/dev/sda6 3.8G 572M 3.1G 16% /ngfw
/dev/sda8 28G 5.9G 21G 23% /home
tmpfs 3.9G 0 3.9G 0% /dev/cgroups
admin@ftdv-A:~$

 

 

And this is for an FPR2k:

 

admin@fpr2k:/$ df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 7.6G 547M 7.0G 8% /
devtmpfs 7.7G 704M 7.0G 10% /dev
tmpfs 7.7G 492K 7.7G 1% /run
tmpfs 7.7G 82M 7.7G 2% /var/volatile
/dev/sda1 923M 172M 705M 20% /opt/cisco/config
/dev/sda2 922M 38M 838M 5% /opt/cisco/platform/logs
/dev/sda3 11G 29M 11G 1% /var/data/cores
/dev/sda4 81G 17G 64G 22% /opt/cisco/csp
/dev/sdb1 7.4G 2.2G 5.2G 30% /mnt/boot
cgroup_root 7.7G 0 7.7G 0% /dev/cgroups
tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup
tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup/pm
tmpfs 93M 1.2M 92M 2% /ngfw/var/common/lmdb_db
tmpfs 1.0M 0 1.0M 0% /var/data/cores/sysdebug/tftpd_logs
admin@fpr2k:/$

 

 

BR,

Octavian

 

 

 

Marvin Rhoads
Hall of Fame

@Octavian Szolga is correct. No need to use containers here. Just assign the physical interfaces to a single logical device (FTD instance) in FCM and then create the subinterfaces in FMC for that logical device.

It will have all the eligible/available memory, disk and CPU resources assigned to it. (Note that some are always carved out for FXOS itself, which manages the physical chassis.)

a12288
Level 3

Thanks, Octavian.

 

You are right. I re-deployed FTD in native mode and can indeed provision VLAN sub-interfaces with all the available resources. Much appreciated! It really helps.

 

Leo
