FPR1010 with 9200/9300 Etherchannel

kaghytayu2
Level 1

Hi all, 

We are using FPR1010s on remote sites with 9300 or 9200 series switches. Firepower runs ASA code 9.18.3.56.

Today the 9300 hiccupped and kept thinking the interface eth1/2 was up on the standby firepower, however on the firepower side it's admin disabled. 

This caused certain traffic to go the wrong way. 

My question, is it even possible to use port-channels with 9000 catalyst and FPR1010? 

Because both sides are the same config, channel group 1 mode active, interface Eth1/1 and eth1/2 in separate port channel of both firewalls. Firewalls are active/standby. 

If this is not possible, disregard my question, because basically we wanted a backup link to each firewall.

Thanks in advance, 

Kaghy2

6 Replies

You cannot cross a port channel between two FWs to one SW.

You must configure a PO with two ports or more in one FW (active and passive) to the SW.

MHM

Ruben Cocheno
Spotlight

@kaghytayu2 

You can't mix the Firewall interfaces across the Port-channels, because the Standby Firewall would not do anything with the traffic and would drop it instead.

The same Pair of Firewall Interfaces must connect to the same switch or across switches (if using MLAG).

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

@MHM Cisco World @Ruben Cocheno 

As you've both replied the same answer, I tagged you both.

This is the live config:

interface GigabitEthernet1/0/21
description FW2-Eth1/1
switchport trunk allowed vlan 1-3
switchport mode trunk
channel-group 2 mode active

!

interface GigabitEthernet1/0/22
description FW2-Eth1/2
switchport trunk allowed vlan 1-3
switchport mode trunk
channel-group 2 mode active

!

interface GigabitEthernet1/0/23
description FW1-Eth1/1
switchport trunk allowed vlan 1-3
switchport mode trunk
channel-group 1 mode active

!

interface GigabitEthernet1/0/24
description FW1-Eth1/2
switchport trunk allowed vlan 1-3
switchport mode trunk
channel-group 1 mode active


FW1/2:

interface Ethernet1/1
description Uplink_CORE_GI1/0/21<>23
no switchport
channel-group 1 mode active
no nameif
no security-level
no ip address


!

interface Ethernet1/2
description Uplink_CORE_1/0/22<>24
no switchport
channel-group 1 mode active
shutdown
no nameif
no security-level
no ip address

Firewalls are also in Active/Standby configuration with the state link and HA link connected.

As per above, is it possible to even configure Channel-group 2 on the standby without breaking the config sync?

If I'm thinking overly complicated or I'm just not getting it, please enlighten me, as we've already tried to solve it on multiple occasions, yet keep failing.
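The two config snippets above are small enough to check by eye, but the failure described in the opening post (a switch port still treated as an active bundle member while the firewall side is admin-down) is exactly the kind of mismatch that is easy to miss across two devices. The following script is an added example, not code from the thread or from Cisco: it parses the switch-side and firewall-side interface blocks quoted above (embedded here as constructed sample input), maps each switch port to its firewall peer using the `FWn-Ethx/y` description convention the poster used, and reports (a) switch ports bundled into a channel-group whose firewall peer is `shutdown`, and (b) any switch port-channel whose members point at different firewalls. The description-parsing regex and the finding wording are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the switch-side snippet from the thread, trimmed to the
# lines the check needs. Descriptions follow the poster's "FWn-Ethx/y" convention.
SWITCH_CONFIG = """
interface GigabitEthernet1/0/21
 description FW2-Eth1/1
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/22
 description FW2-Eth1/2
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/23
 description FW1-Eth1/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/24
 description FW1-Eth1/2
 switchport mode trunk
 channel-group 1 mode active
!
"""

# Constructed sample input: the firewall-side snippet. The ASA config is synchronised
# across the HA pair, so the same text applies to both FW1 and FW2.
FIREWALL_CONFIG = """
interface Ethernet1/1
 description Uplink_CORE_GI1/0/21<>23
 no switchport
 channel-group 1 mode active
 no nameif
!
interface Ethernet1/2
 description Uplink_CORE_1/0/22<>24
 no switchport
 channel-group 1 mode active
 shutdown
 no nameif
!
"""

# Assumed description convention: "FW<number>-Eth<slot>/<port>".
DESC_RE = re.compile(r"^FW(\d+)-Eth(\S+)$")


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Parse IOS/ASA style 'interface' blocks into a dict keyed by interface name.

    Each entry records the description, the channel-group number (if any) and
    whether the interface is administratively shut down. Sub-commands are read
    until the next 'interface' line; '!' separators and blank lines are skipped.
    """
    interfaces: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"description": "", "channel_group": None, "shutdown": False}
            continue
        if current is None:
            continue
        if line.startswith("description "):
            interfaces[current]["description"] = line.split(None, 1)[1]
        elif line.startswith("channel-group "):
            interfaces[current]["channel_group"] = line.split()[1]
        elif line == "shutdown":
            interfaces[current]["shutdown"] = True
    return interfaces


def peer_from_description(description: str) -> Optional[Tuple[str, str]]:
    """Map 'FW2-Eth1/2' to ('FW2', 'Ethernet1/2'); None if the convention is not followed."""
    match = DESC_RE.match(description)
    if not match:
        return None
    return f"FW{match.group(1)}", "Ethernet" + match.group(2)


def check_port_channels(switch_cfg: str, firewall_cfg: str) -> List[str]:
    """Return a list of human-readable findings about switch/firewall bundle mismatches."""
    findings: List[str] = []
    switch = parse_interfaces(switch_cfg)
    firewall = parse_interfaces(firewall_cfg)
    members: Dict[str, set] = {}  # channel-group -> set of firewalls its members point at

    for name, attrs in switch.items():
        peer = peer_from_description(str(attrs["description"]))
        if peer is None or attrs["channel_group"] is None:
            continue
        fw_name, fw_if = peer
        members.setdefault(str(attrs["channel_group"]), set()).add(fw_name)
        fw_attrs = firewall.get(fw_if)
        # Finding (a): switch side actively bundles a port whose firewall peer is admin-down.
        if fw_attrs and fw_attrs["shutdown"] and not attrs["shutdown"]:
            findings.append(
                f"{name} is an active member of channel-group {attrs['channel_group']} "
                f"but its peer {fw_name} {fw_if} is admin-down; shut it on the switch too "
                f"or bring the firewall side up"
            )

    # Finding (b): a single switch port-channel must terminate on one firewall only.
    for group, firewalls in sorted(members.items()):
        if len(firewalls) > 1:
            findings.append(
                f"channel-group {group} bundles ports toward different firewalls "
                f"({', '.join(sorted(firewalls))}); a port-channel must terminate on one firewall"
            )
    return findings


if __name__ == "__main__":
    for finding in check_port_channels(SWITCH_CONFIG, FIREWALL_CONFIG):
        print(finding)
```

Run against the thread's own snippets the script reports two findings, one per firewall: Gi1/0/22 and Gi1/0/24 are active channel members on the switch while their peer Ethernet1/2 is `shutdown` on the (shared) firewall config, which is the inconsistency behind the "switch thinks the link is up" symptom. No cross-firewall bundling is reported, since Po1 only contains FW1 ports and Po2 only FW2 ports; the same check would flag a port-channel that mixed both firewalls, which is the case the two replies above rule out.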

Connecting a second port channel to the standby:

We need to check

if the config syncs to the active FW, and

if that affects the stability of HA when the active role changes to the standby FW.

But why do you need to do that, can I ask?

MHM

I will check this tomorrow in a test environment if I have time.

Design wise and for backup reasons cable wise, we wanted to have separate portchannels for both nodes.

If you add a new NSK SW and connect it to both FW HA via a backup port channel and allow the same VLANs in the trunk as the primary port channel, it works as I see it.

In the end you use VLANs, not subinterfaces, so the FW accepts connecting multiple L2 ports to the SW.

In this design you need to connect the new NSK standalone SW to the NSK vPC pair, I think.

MHM
