We are currently working on a project to integrate a pair of 4150 FTD appliances into an existing physical topology. We need to overcome a few challenges/hurdles with the design. I've attached the topology to better explain the issues.
We have two 10Gbps connections, one between each pair of 3850-Z1 and 3850-Z2 switches. To make best use of the bandwidth we would like to use both 10Gbps circuits.
We have a requirement to maintain state to support seamless failover if the primary (top) Firepower fails. So the plan is to deploy the Firepower in Active/Standby configuration. However, this would then potentially bring traffic from Vlan20, to Vlan3 to Eth1/1 (please excuse interface names of drawing) of primary (top) Firepower meaning we could have an aggregate bandwidth of 20Gbps going through a single 10Gbps interface. I appreciate I could create an EtherChannel for this, but we have plans for the other interfaces of the firewall. So the preference would be to go from Vlan 20 to Eth1/1 on the secondary (bottom) Firepower but I don't think this is possible?
In addition to this, we do not support dynamic routing on our firewalls. So in the Active/Standby deployment mode I need to deploy an NHRP protocol for the Firepowers to route either side of them. We prefer not to span Vlans between sites, but I can't think of another option given the mode the Firepowers are deployed in. We are also using a Vlan either side of the firewall (Layer 2 only) for the HA/state-failover.
It's all far from ideal, and we really shouldn't be trying to deploy the Firepower into a retrospective topology, but it is what it is unfortunately. I just want to be sure, with my limited experience and knowledge of Firepower, that our initial thoughts are optimal for the topology we are trying to incorporate the Firepowers into.
(Please excuse the topology, I've had to rip out lots of sensitive information)
It's not clear to me what you mean. Can you redraw the topology and include arrows for the current traffic flow and the traffic flow in a failover scenario? Maybe that would help.
It's not clear to me. Could you answer some questions: are your firewalls completely in Layer 2, or are you using inline interface mode?
Some tips: I did some implementations using Firepower with bridge groups, and this kind of implementation provides greater flexibility in positioning the Firepower physically, since it only needs a Layer 2 connection into the environment.
Please look at my topology. In this example I'm using two VLANs to create the bridge group (VLAN 100 <-> VLAN 110) in the Firepower. The Layer 3 configuration is on VLAN 110 on the switch, and the stations or servers stay on VLAN 100. Whenever there is communication to other networks, the traffic begins in VLAN 100, goes to the Firepower, and returns on VLAN 110 to be routed. Maybe that could help.
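As an added illustration of the bridge-group layout described in the reply above (this is not configuration from the original post or from either poster), here is the switch-side and firewall-side configuration that layout implies. Interface names, the 10.1.1.0/24 subnet, the SVI address 10.1.1.1 and the BVI address 10.1.1.2 are all assumptions. On FTD the bridge group is built through FMC; the firewall block below is written in the ASA-style syntax that FTD shows in its running configuration, so treat it as the intended end state rather than commands typed on the FTD itself.

```text
! ---- Switch side (Cisco IOS, assumed interface names) ----
! VLAN 100 is Layer 2 only: hosts live here and have no SVI,
! so the only way out of VLAN 100 is through the firewall.
vlan 100
 name SERVERS-L2
vlan 110
 name SERVERS-L3
!
! The hosts' default gateway is the SVI on VLAN 110, which sits
! on the far side of the firewall bridge.
interface Vlan110
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/0/1
 description server (assumed host, e.g. 10.1.1.10/24 gw 10.1.1.1)
 switchport mode access
 switchport access vlan 100
!
interface TenGigabitEthernet1/1/1
 description to FTD bridge member - VLAN 100 side
 switchport mode access
 switchport access vlan 100
!
interface TenGigabitEthernet1/1/2
 description to FTD bridge member - VLAN 110 side
 switchport mode access
 switchport access vlan 110

! ---- Firewall side (FTD running-config view, ASA syntax) ----
! Both physical interfaces are members of bridge group 1, so a frame
! entering on Ethernet1/1 (VLAN 100) is inspected by the access
! control policy and bridged out Ethernet1/2 (VLAN 110), and back.
interface Ethernet1/1
 bridge-group 1
 nameif inside
 security-level 100
!
interface Ethernet1/2
 bridge-group 1
 nameif outside
 security-level 0
!
! The BVI carries the firewall's own address in the bridged subnet
! (needed for ARP and management); it is NOT the hosts' gateway,
! which remains the switch SVI 10.1.1.1.
interface BVI1
 nameif servers
 ip address 10.1.1.2 255.255.255.0
```

Resulting flow for a host on VLAN 100 talking to another network: the host ARPs for 10.1.1.1, the ARP and the subsequent traffic are bridged through the FTD from the VLAN 100 member to the VLAN 110 member, the VLAN 110 SVI routes the packet onward, and return traffic comes back across the same bridge. Because the firewall is bridging rather than routing, no routing protocol or first-hop redundancy protocol has to run on the FTD itself; the switch SVI remains the routed hop.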