FTD ECMP with multiple interfaces

Patrick Moubarak (Enthusiast)

ASA 9.3(2) introduced the concept of zones with ECMP support across different interfaces (in the same zone):

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.


Any idea when FTD will support this? The interface zone in FMC seems to be for Snort, not for ASA Lina; only nameif is present in the Lina CLI:


firepower# show nameif
Interface    Name     Security
Ethernet1/5  inside1  0
Ethernet1/6  inside2  0

firepower# show zone
firepower#

 

EIGRP neighbors come up on both interfaces but routes are only present on inside1.

Is there a recommended design for FTD using L3 routing to 2 Nexus switches? I can't have EIGRP neighbors on vPC VLANs... so I opted for L3 routed interfaces between the 2 Nexus and between each Nexus and FTD.


Thanks

Patrick


1 Accepted Solution

Accepted Solutions

Bogdan Nita (VIP Alumni)

You could use FlexConfig.

If you want to configure Equal-Cost-Multi-Path (ECMP) routing using traffic zones, the zone command differs for Firepower Threat Defense devices compared to the one used on ASA. Although you can still follow the instructions in the ASA general configuration guide, use zone name ecmp instead of the ASA version of the command.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/flexconfig_policies.html


HTH

Bogdan

Thanks Bogdan, I just tried it and it works like a charm!


The FMC doc under ECMP routing says it is not supported across different interfaces.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/routing_overview_for_firepower_threat_defense.html#ID-2101-0000004d


It is the same text as the ASA doc before the zone feature was introduced; they just forgot to correct it. They should have a reference to the FlexConfig zone name ecmp.


Patrick

Hello Patrick


Do you still have the script to configure the FlexConfig policy?

Can you share it, please?


Thanks

This worked for me:

zone <zone-name> ecmp
!
interface EthernetX/X
  zone-member <zone-name>
interface EthernetY/Y
  zone-member <zone-name>

Hi all, an FYI warning. I just did the FMC upgrade to 7.2 and pushed policy as per the process. My FTDs all lost their zone config and everything went to S41t. Devices were still running 7.0. FMC 7.2 has added Zones under Device -> Routing -> ECMP. Recreate the zones and assign the interfaces there, then remove the FlexConfig from the device.
