estadlercisco
Beginner

FirePOWER Threat Defense for Integrated Services Routers

I'm running into one issue with an inline deployment, that is figuring out a way to fail-open. We are doing router-on-a-stick essentially at the remote site where FirePOWER for ISR is deployed. It was only deployed for a week and we had an issue where snort deadlocked during production hours.

The expert webcast that Ms. Sankar did was excellent, but it left out some information about doing fail-open with spanning-tree port cost.

Our service instances are tied to the UCS interface, so if the sensor failed how would we route traffic around it? Even if we had a second interface coming from our layer 2 switch that didn't plug into the UCS front panel port, the routed interfaces would be unavailable if traffic stopped flowing through the sensor.

Here is a snippet of our router configuration: VLAN 51 for instance always routes around the sensor. The layer 2 VLANs for our clients exist on a layer 2 switch trunked to the router on the UCS front panel port. Any layer 3 traffic enters the UCS front panel port and is routed at the BDI interface. If the sensor fails we still need these interfaces to route.

Or do I need to look at another design option to fail-open?
!
ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address 10.10.250.10 255.255.255.0 default-gateway 10.10.250.5
!
interface GigabitEthernet0/0/0.51
 description internal remote site
 encapsulation dot1Q 51
 ip address 10.10.51.1 255.255.255.0
 ip helper-address 10.0.0.213
 ip helper-address 10.0.0.214
!
interface GigabitEthernet0/0/2
 description corporate side
 ip address 10.254.2.250 255.255.255.248
 negotiation auto
 service-policy input Inbound
!
interface ucse1/0/0
 ip address 10.10.250.5 255.255.255.0
 no negotiation auto
 switchport mode trunk
!
interface ucse1/0/1
 no ip address
 no negotiation auto
 switchport mode trunk
 service instance 3 ethernet
  encapsulation dot1q 3
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3
 !
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
 !
!
interface BDI3
 ip address 10.10.10.1 255.255.255.0
!
interface BDI10
 ip address 10.10.2.1 255.255.248.0
!
ip route 0.0.0.0 0.0.0.0 10.254.2.249
ip route 10.10.250.10 255.255.255.255 ucse1/0/0
ip route 10.10.250.15 255.255.255.255 ucse1/0/0
ip route 10.10.250.20 255.255.255.255 ucse1/0/0

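An added example, not part of the post above and not Cisco code: it parses an IOS-XE configuration like the one shown and lists the BDI interfaces whose bridge-domain is fed only by service instances on the UCS-E ports (assumed here to be ucse1/0/0 and ucse1/0/1), which are exactly the routed interfaces that lose all ingress traffic when the sensor stops forwarding. The sample configuration is a trimmed copy of the one in the post.

```python
import re

# Constructed sample: a trimmed copy of the router configuration in the post.
SAMPLE_CONFIG = """
interface ucse1/0/1
 no ip address
 service instance 3 ethernet
  encapsulation dot1q 3
  bridge-domain 3
 !
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 10
!
interface BDI3
 ip address 10.10.10.1 255.255.255.0
!
interface BDI10
 ip address 10.10.2.1 255.255.248.0
!
"""
# Assumption: the router ports that terminate on the UCS-E module (the sensor path).
SENSOR_PORTS = {"ucse1/0/0", "ucse1/0/1"}

def parse_config(config):
    """One pass over IOS-XE text: (ip address per interface, feeder ports per bridge-domain)."""
    ips, feeders, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is cosmetic in IOS output
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) \S+$", line)):
            ips[current] = m.group(1)
        elif current and (m := re.match(r"bridge-domain (\d+)$", line)):
            # a service instance under this port carries the bridge-domain's traffic
            feeders.setdefault(int(m.group(1)), set()).add(current)
    return ips, feeders

def sensor_dependent_bdis(config, sensor_ports=SENSOR_PORTS):
    """Routed BDIs fed only by UCS-E ports: they lose all ingress if the sensor stops forwarding."""
    ips, feeders = parse_config(config)
    dependent = []
    for name, ip in ips.items():
        if m := re.match(r"BDI(\d+)$", name):
            ports = feeders.get(int(m.group(1)), set())
            if ports and ports <= sensor_ports:  # no feeder outside the sensor path
                dependent.append((name, ip))
    return sorted(dependent)
```

Run against the full configuration, it reports BDI3 and BDI10 as sensor-dependent while GigabitEthernet0/0/0.51 (VLAN 51) is untouched, matching the poster's description.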