FirePower Cluster Question

red2play · ‎09-22-2023

I'm in the process of adding more switches to support the FTD 3140 Cluster. Here's the question, won't the Firepower devices go down if the switches that it's connected to also goes down? Wouldn't that make the Switches (even more importantly, the connections as well, if they go down) that it's connected to as a single point of failure? Why won't Cisco support direct connect Clustering or even better Direct connect clustering as well as connected through a switch? That way if one of the Clustered devices go down, you'll still have the Switches to uphold the line protocol and if the connections to the switches or the switches themselves go down, the Cluster will survive.

For instance,

Cluster Mem A port1 -->C9500-->Cluster Mem B port1

Cluster Mem A port2 -->C9500-->Cluster Mem B port2

Cluster Mem A port3 -->Cluster Mem B port3

Cluster Mem A port4 -->Cluster Mem B port4

To me, that makes 10x more sense than the current setup.

balaji.bandi · ‎09-23-2023

Most of the use case have Dual Switches they are part of VSS or SVL or Stack or vPC

So if you looking more failure scenario adding more Links to Dual switch is appropriate rather a singe device.

If all the devices in same place next each other (that is another drawback if the single comm room power failure) - so cluster streched in different place (if one can invest dark fiber between cluster that is good idea - depends on use case and cost )

more guide lines can be find here :

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-4100-9300-cluster.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎09-23-2023

You meaning interconnect both cluster FW.