Re: FTD Redundancy

deypuchka · ‎08-12-2022

Hello guys,

I have a a question regarding network security using firewalls like FTD and FMC.
Can I have like this kind of topology and if I do can then how many outside zone and Inside zone should I have.
My purpose is just to have a redundant links for each device. Can someone please help me out?

MHM Cisco World · ‎08-12-2022

for FTD HA you need L2 SW in OUT of FTD, that mandatory for HA in FTD

Karsten Iwen · ‎08-12-2022

For inside, you are likely good with one logical inside interface that consists of two Etherchannel members. Your internal switch has to be one logical system for that (stack, VSS, VCP, ...).

For outside, you have to make sure that both devices outside1 goest to ISP1 and both outside2 go to ISP2. That is different in your drawing. And the interfaces on both devices (like outside1 on device one and device 2) need to be L2 adjacent Which means the two links on the Routers have to end up in a single VLAN.

feld4125 · ‎02-10-2023

I'm in the process of designing this now. Can you connect a FTD HA pair's outside interfaces to two disparate L2 switches? I don't want to use StackWise on my WAN switches because any software upgrades will require the entire stack to reboot. But with FTD not supporting redundant interfaces, I don't see how else I can connect them.

Karsten Iwen · ‎02-10-2023

Yes, I typically use two 10-Port Catalyst 1000 or CBS350 for the WAN-Switches:

VLAN X for ISP1
VLAN Y for ISP2
VLAN Z for Management
Port 1-4 are VLAN X, Port 5-8 are VLAN Y, Port 9 Access VLAN Z, Port 10 Trunk
ISP1-Router on SW1-1
ISP2-Router on SW2-5
FW1-Outside1 on SW1-2
FW1-Outside2 on SW2-6
FW2-Outside1 on SW1-3
FW2-Outside2 on SW2-7
SW1-10 to SW2-10 as a trunk
SW1 and SW2 Port 9 connect to a DMZ interface on both Firewalls