FTD Failover Link Recommendations

packet2020 · ‎01-04-2025

Hi All,

I'm currently implementing a pair of Cisco 3130 FTDs in active/stanby HA. The firewalls will be located within the same campus site but in different buildings. I'm trying to determine the recommendations and best practises for the failover link. My initial plan was to connect the firewalls back-to-back using a single 10G LR link (which I have done for other deployments without any issues), however in this instance I've been advised to either use a back-to-back port-channel, with each fibre link taking a seperate path for increased availability, or by connecting a single failover link via our inside or outside switch infrastrucutre, so an indirect failover link.

Is there a general recommendation or best practise for FTD failover connectivity that I should be following?

Rob Ingram · ‎01-04-2025

@packet2020 using an Etherchannel via different paths for the failover link would be sensible. The failover link can also be shared with the stateful failover link. Sharing a failover link is the best way to conserve interfaces, but consider a dedicated interface for the state link and failover link, if you have a large configuration and a high traffic network.

This are the different scenarios

The Cisco guides covers each option https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/high-availability.html#ID-2107-00000039

MHM Cisco World · ‎01-04-2025

Can I know SW form VSS or vPC or stack wise virtual?

MHM

packet2020 · ‎01-04-2025

The switches that the FTDs connect to are independant, so we have core switch 1 and core switch 2 that are connected togther using a trunk, with FTD1 connected only to core switch 1 and FTD2 connected only to core switch 2. We generally dont use VSS/SWV in the core/critical parts of our network