FirePOWER Threat Defense for Integrated Services Routers
I'm running into one issue with an inline deployment, that is, figuring out a way to fail open. We are doing router-on-a-stick essentially at the remote site where FirePOWER for ISR is deployed. It was only deployed for a week and we had an issue where Snort deadlocked during production hours.
The expert webcast that Ms. Sankar did was excellent, but it left out some information about doing fail-open with spanning-tree port cost.
Our service instances are tied to the UCS interface, so if the sensor failed, how would we route traffic around it? Even if we had a second interface coming from our layer 2 switch that didn't plug into the UCS front panel port, the routed interfaces would be unavailable if traffic stopped flowing through the sensor.
Here is a snippet of our router configuration: VLAN 51, for instance, always routes around the sensor. The layer 2 VLANs for our clients exist on a layer 2 switch trunked to the router on the UCS front panel port. Any layer 3 traffic enters the UCS front panel port and is routed at the BDI interface. If the sensor fails we still need these interfaces to route.
Or do I need to look at another design option to fail open?

```text
!
ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address 10.10.250.10 255.255.255.0 default-gateway 10.10.250.5
!
interface GigabitEthernet0/0/0.51
 description internal remote site
 encapsulation dot1Q 51
 ip address 10.10.51.1 255.255.255.0
 ip helper-address 10.0.0.213
 ip helper-address 10.0.0.214
!
interface GigabitEthernet0/0/2
 description corporate side
 ip address 10.254.2.250 255.255.255.248
 negotiation auto
 service-policy input Inbound
!
interface ucse1/0/0
 ip address 10.10.250.5 255.255.255.0
 no negotiation auto
 switchport mode trunk
!
interface ucse1/0/1
 no ip address
 no negotiation auto
 switchport mode trunk
 service instance 3 ethernet
  encapsulation dot1q 3
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3
 !
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
interface BDI3
 ip address 10.10.10.1 255.255.255.0
!
interface BDI10
 ip address 10.10.2.1 255.255.248.0
!
ip route 0.0.0.0 0.0.0.0 10.254.2.249
ip route 10.10.250.10 255.255.255.255 ucse1/0/0
ip route 10.10.250.15 255.255.255.255 ucse1/0/0
ip route 10.10.250.20 255.255.255.255 ucse1/0/0
```
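To make the dependency the post describes explicit, here is an added example (not from the original post or from Cisco) that parses an IOS-XE config excerpt and reports which routed interfaces are BDIs fed by service instances on the UCS-E port, and therefore lose reachability when the sensor stalls, versus those that route around it. The config text is a constructed excerpt of the one quoted above, and `ucse1/0/1` as the sensor-facing port is an assumption taken from that excerpt.

```python
import re
# Constructed excerpt of the config quoted in the post, with the flattened indentation restored.
CONFIG = """\
interface GigabitEthernet0/0/0.51
 encapsulation dot1Q 51
 ip address 10.10.51.1 255.255.255.0
!
interface ucse1/0/1
 switchport mode trunk
 service instance 3 ethernet
  encapsulation dot1q 3
  bridge-domain 3
 !
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 10
!
interface BDI3
 ip address 10.10.10.1 255.255.255.0
!
interface BDI10
 ip address 10.10.2.1 255.255.248.0
"""

def parse_interfaces(text):
    """Return {interface name: [stripped child lines]} for every 'interface' stanza."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:   # child line of the open stanza
            blocks[current].append(line.strip())
        elif line.startswith("interface "):                # a new stanza opens
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif not line.startswith(" "):                     # '!' or another top-level command closes it
            current = None
    return blocks

def sensor_dependencies(text, sensor_port="ucse1/0/1"):
    """Split routed interfaces into BDIs bridged through the sensor port's service instances and the rest."""
    blocks = parse_interfaces(text)
    fed = set(re.findall(r"bridge-domain (\d+)", "\n".join(blocks.get(sensor_port, []))))
    dependent, bypass = {}, []
    for name, lines in blocks.items():
        if name.startswith("ucse") or not any(l.startswith("ip address ") for l in lines):
            continue                     # UCS-E ports themselves and L2-only interfaces are not routed paths
        m = re.fullmatch(r"BDI(\d+)", name)
        if m and m.group(1) in fed:
            dependent[name] = sensor_port    # loses reachability when the sensor stalls
        else:
            bypass.append(name)              # routes around the sensor
    return dependent, bypass
```

Running `sensor_dependencies(CONFIG)` on the excerpt reports BDI3 and BDI10 as dependent on `ucse1/0/1` and only `GigabitEthernet0/0/0.51` as bypassing it, which is the exposure the post is asking how to close.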