Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1269
Views
13
Helpful
23
Replies

FPR-2110 HA configuration for Interface monitoring and Software

Go to solution
inhamit
Level 1
Level 1

‎04-23-2023 08:22 PM

Hi, Do we need to have the same type of interface for FPR-2110 HA Active/Standby configuration to core switches? For example, From FW 1, we have fibre connection to core switch A and from FW 2, we have copper connection to core switch B. will HA work on this design? 

inhamit_0-1682306210037.png

I wanted to use FPR-2110 for Internal routing or as a router on stick option. Please suggest which Firewall software I should purchase to full fill this requirement to work with C9300x switches? Firepower threat defense software or ASA software? 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to inhamit

‎04-24-2023 02:05 AM - edited ‎04-24-2023 02:09 AM

NO you can not must same interface Number
if you use SFP in FW1 then you must use SFP in FW2
and ALSO same INTERFACE NUMBER 

View solution in original post

23 Replies 23

Go to solution
Rob Ingram
VIP
VIP

‎04-24-2023 01:43 AM

@inhamit the cisco documentation states you must have the same number and type of interfaces in an HA. On your diagram you've got different interfaces for the inside interfaces (port 3 an 4), that would not work.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html

Ideally you'll have the FMC management software then deploy the FTD software image on the Firewalls, managing the FTD locally using FDM is not very good.

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 01:51 AM

Thanks. 

Ok. we will use the same port on the inside network that is port 3. IF we use fibre interface on port 3 at FW 1 and Copper SFP on port 3 at FW 2, will it be ok for HA or we should have fibre interfaces on port 3 at FW 1 and FW 2 to achieve the HA.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to inhamit

‎04-24-2023 01:56 AM

@inhamit dcoumentation states it should have the same interface type. I would use fibre for both interfaces when building the failover pair.

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 02:02 AM

Thanks. can we use FPR-1120 in place of FPR-2110? what will be the limitation on the network if we go for FPR-1120. We wanted to use firewall as router (via trunk or sub-interfaces on the firewall side) for the inside network on the same link it is connect to core switch. Means, Firewall will be a gateway for Inside network via core switch.

0 Helpful

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 02:11 AM

We are looking for 1GBPS throughput with 150 users.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to inhamit

‎04-24-2023 02:15 AM

@inhamit the FPR1120 supports up to 4.5Gbps stateful inspection, so may suffice. What other features will be used on the Firewall?

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 02:26 AM

We are looking for IPS throughput. 

Stateful inspection is indicated with ASA features. I think we can deploy either FTD or ASA on the firewall. Which Software version I should purchase to have IPS and routing function on the firewall. Is firewall comes with default routing option or do we need to ask our supplier to include in software version. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to inhamit

‎04-24-2023 02:30 AM

@inhamit if you wish to use IPS then you will need the FTD image, you should also purchase the FMC to manage the FTD HA pair.

Routing comes with the Base license, you will need to purchase the Threat IPS license.

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 02:36 AM

Ok. So we can go for FPR-1120 in place of FPR 2120. We shall achieve the same functionality with FPR-1120 with less throughout or users. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to inhamit

‎04-24-2023 02:39 AM

@inhamit yes you have the same functionality, just less performance on the FPR1120 compared to the FPR2110.

Go to solution
inhamit
Level 1
Level 1
In response to Rob Ingram

‎04-24-2023 02:42 AM

Last question, In place of using firewall as router on stick option or via sub-interfaces to use firewall as router for the inside network, what are the other possible option for routing in firewall?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to inhamit

‎04-24-2023 02:47 AM

@inhamit sub-interfaces and routing between VLANs via the firewall seems to be the most straight forward option.

Go to solution
MHM Cisco World
VIP
VIP
In response to inhamit

‎04-24-2023 02:50 AM

FW as Router in stick and subinterface in FW is same freind.

I think you meaning using subinterface or vlan SVI in FW.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card