04-23-2023 08:22 PM
Hi, do we need to have the same type of interface for FPR-2110 HA Active/Standby configuration to core switches? For example, from FW 1, we have a fibre connection to core switch A and from FW 2, we have a copper connection to core switch B. Will HA work on this design?
I wanted to use FPR-2110 for internal routing or as a router-on-a-stick option. Please suggest which firewall software I should purchase to fulfill this requirement to work with C9300x switches: Firepower Threat Defense software or ASA software?
04-24-2023 02:05 AM - edited 04-24-2023 02:09 AM
No, you cannot; it must be the same interface number.
If you use SFP in FW1 then you must use SFP in FW2,
and ALSO the same INTERFACE NUMBER.
04-24-2023 03:22 AM
@inhamit maximum connections.
04-24-2023 01:43 AM
@inhamit the Cisco documentation states you must have the same number and type of interfaces in an HA. On your diagram you've got different interfaces for the inside interfaces (ports 3 and 4); that would not work.
Ideally you'll have the FMC management software, then deploy the FTD software image on the firewalls; managing the FTD locally using FDM is not very good.
04-24-2023 01:51 AM
Thanks.
OK. We will use the same port on the inside network, that is port 3. If we use a fibre interface on port 3 at FW 1 and a copper SFP on port 3 at FW 2, will it be OK for HA, or should we have fibre interfaces on port 3 at FW 1 and FW 2 to achieve the HA?
04-24-2023 01:56 AM
@inhamit documentation states it should have the same interface type. I would use fibre for both interfaces when building the failover pair.
04-24-2023 02:02 AM
Thanks. Can we use FPR-1120 in place of FPR-2110? What will be the limitation on the network if we go for FPR-1120? We wanted to use the firewall as a router (via trunk or sub-interfaces on the firewall side) for the inside network on the same link it is connected to the core switch. Meaning, the firewall will be a gateway for the inside network via the core switch.
04-24-2023 02:07 AM
@inhamit possibly; looking at the datasheets, the 2100 has better performance.
How many users and how much Firewall throughput are you expecting?
04-24-2023 02:11 AM
We are looking for 1GBPS throughput with 150 users.
04-24-2023 02:15 AM
@inhamit the FPR1120 supports up to 4.5Gbps stateful inspection, so may suffice. What other features will be used on the Firewall?
04-24-2023 02:26 AM
We are looking for IPS throughput.
Stateful inspection is indicated with ASA features. I think we can deploy either FTD or ASA on the firewall. Which software version should I purchase to have IPS and routing function on the firewall? Does the firewall come with a default routing option, or do we need to ask our supplier to include it in the software version?
04-24-2023 02:30 AM
@inhamit if you wish to use IPS then you will need the FTD image, you should also purchase the FMC to manage the FTD HA pair.
Routing comes with the Base license, you will need to purchase the Threat IPS license.
04-24-2023 02:36 AM
OK. So we can go for FPR-1120 in place of FPR 2120. We shall achieve the same functionality with FPR-1120 with less throughput or users.
04-24-2023 02:39 AM
@inhamit yes you have the same functionality, just less performance on the FPR1120 compared to the FPR2110.
04-24-2023 02:42 AM
Last question: in place of using the firewall as a router-on-a-stick option or via sub-interfaces to use the firewall as a router for the inside network, what are the other possible options for routing in the firewall?
04-24-2023 02:47 AM
@inhamit sub-interfaces and routing between VLANs via the firewall seems to be the most straightforward option.
04-24-2023 02:50 AM
FW as router on a stick and subinterface in FW is the same, friend.
I think you mean using subinterface or VLAN SVI in FW.