Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1793
Views
0
Helpful
2
Replies

Firepower 4150, 4100, FPR-4150 CCL Options for 2 or more Data Centers

Akin Utku
Level 1
Level 1

‎03-10-2020 06:22 PM

I would like to create a cluster of 4 4150's over 2 Data Centers.  Each Data Center has one member of a VSS pair and there is not enough physical links between the two to connect each FPR Chassis redundantly to each VSS member. 

I'm attempting to explore the currently supported options for CCL (Cluster Control Link) in this scenario.  

 

1) Is a single CCL link on each FPR supported?  What are the implications if the Master loses connectivity only to the CCL for instance?  I can't find any documentation around this. 

 

Let me explain further what I'd like to achieve: 

The FPR uses a port-channel for CCL, and I'm limited to only a single link on each FPR to the single VSS switch in each DC.   

So DC1 and DC2 would be identical and would be as follows: 

[FPR1 Int1 Po48] -CCL- [VSS-SW Int1/1 Po100 - VLAN 400]

[FPR2 Int1 Po48] -CCL- [VSS-SW Int1/2 Po101 - VLAN 400]

And VSS would be used to extend the CCL VLAN, 400 for example to extend to the second DC.

 

There is a presentation I found by Andrew Ossipov that speaks to clustering ASA's running on the FPR but I can't assume this is supported over the FTD as well. If he's still around and could assist that would be very awesome ;) 

The link is https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-3032.pdf

The scenario that most closely resembles what I have in mind is "Extended Spanned Etherchannel Cluster in Inter DC"

There are no constraints as to bandwidth between DC1 and DC2, only qty of physical connections are constrained. 

 

Thank you all so much for any assistance or wisdom you could part on me. 

 

 

 

 

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎03-11-2020 03:37 AM

have you looked at the configuration guide and limitation :

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept_137A7038B1054555B0D17EE5D45DF351

 

Are you looking Active / Active DC ? design need to be controlled traffic flow.  Symmetric routing may have other issue.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Akin Utku
Level 1
Level 1
In response to balaji.bandi

‎03-12-2020 03:46 AM

Thanks Balaji, 

Yea the configuration guide was the first thing I had looked at.  It's a bit unclear about whether or not I can use spanned ether-channels as the CCL or if it has to be a unique ether-channel per FPR chassis but then aggregating to a single ether-channel on the VSS switch.  

Anyhow the issue/uncertainty I have is that the VSS pair is split across the DC and I won't be able redundantly connect the FPR chassis to each VSS member.  Just wondering if this would be an issue or not.  I'm attaching a diagram of what I'm thinking it will look like. 

Thank you again for helping. 

 

Annotation 2020-03-12 214143.jpg

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card