Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2546
Views
5
Helpful
5
Replies

FTD Failover

dijeshkeloth
Level 1
Level 1

‎10-20-2020 10:02 PM

Hi,

 

We have the following setup:

 

MPLS switch--Cisco FTD--Switch

 

Cisco FTD is configured in high availability mode. The primary FTD is connected to the primary MPLS switch and the standby FTD to the standby MPLS switch. Recently, the ftd failover happened and the standby ftd became active, however the MPLS switch did not failover as the link connecting the switch to the ftd was still up. Is there anyway to make the link down when the ftd is in standby mode?

0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎10-20-2020 10:42 PM

Hi,

The best option for full HA is to connect your switches using a trunk cable
and get full mesh. This means that primary FTD can communicate to
primary/secondary MPLS and same for secondary FTD. You can also use
stackwise if supported by the switches. This is the best design.

I don't recommend you to start using custom solutions to failover. Things
like EEM and tracking can be used as workaround but do it right to live
forever.

**** please remember to rate useful posts

balaji.bandi
Hall of Fame
Hall of Fame

‎10-21-2020 12:26 AM

we do see that kind of environment, some places they want to extend Layer 2 using the different path in the network layer2 switch

to meet the best do you have an alternative layer 2 paths for that? if not you need to use some kind of tracking, but Layer2 will be always up once side, others go down also. this is a bit tricky, as suggested you can use EEM script to keep monitor each side and shutdown or failover.

 

but it will have a small interruption of traffic.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

dijeshkeloth
Level 1
Level 1
In response to balaji.bandi

‎10-22-2020 11:51 PM

Thanks All,

 

can you please share a sample EEM script that i can use?

 

Thanks,

0 Helpful

AKK
Level 1
Level 1

‎10-21-2020 01:25 AM

Hi,

 

I would suggest to use the switch in stack for MPLS and in LAN side you can use both the switches connected via Trunk.

In this condition if case active firewall failover also you do not need to do switch side failover.

IN HA at a time only one firewall will be processing traffic and other will be in standby mode hence even it secondary firewall port is up also it does not create any issue.

 

Regards,

AKK

0 Helpful

Aref Alsouqi
VIP
VIP

‎10-23-2020 01:25 AM

I don't think using EEM would be recommended tbh, I think best practice would be as already mentioned to connect MPLS and FTD devices to the same switch or switch stack. That way, when failover happens, the traffic will still flowing out of the active MPLS, regardless which one is going to be.

Or maybe if you are pointing to a floating IP address for MPLS routes with HSRP or VRRP, you can ask your ISP to condition HSRP or VRRP to failover the MPLS circuit if they can't reach a specific IP behind your primary FTD.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card