Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2193
Views
0
Helpful
4
Replies

FTD Redundancy

deypuchka
Frequent Visitor
Frequent Visitor

‎08-12-2022 02:21 AM

1.jpg

 

Hello guys,

I have a a question regarding network security using firewalls like FTD and FMC.
Can I have like this kind of topology and if I do can then how many outside zone and Inside zone should I have.
My purpose is just to have a redundant links for each device. Can someone please help me out?

 

Labels:
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

‎08-12-2022 03:20 AM

for FTD HA you need L2 SW in OUT of FTD, that mandatory for HA in FTD

0 Helpful

Karsten Iwen
VIP
VIP

‎08-12-2022 03:33 AM

For inside, you are likely good with one logical inside interface that consists of two Etherchannel members. Your internal switch has to be one logical system for that (stack, VSS, VCP, ...).

For outside, you have to make sure that both devices outside1 goest to ISP1 and both outside2 go to ISP2. That is different in your drawing. And the interfaces on both devices (like outside1 on device one and device 2) need to be L2 adjacent Which means the two links on the Routers have to end up in a single VLAN. 

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Helpful

feld4125
Frequent Visitor
Frequent Visitor

‎02-10-2023 06:12 AM

I'm in the process of designing this now.  Can you connect a FTD HA pair's outside interfaces to two disparate L2 switches?  I don't want to use StackWise on my WAN switches because any software upgrades will require the entire stack to reboot.  But with FTD not supporting redundant interfaces, I don't see how else I can connect them.

0 Helpful

Karsten Iwen
VIP
VIP
In response to feld4125

‎02-10-2023 06:20 AM

Yes, I typically use two 10-Port Catalyst 1000 or CBS350 for the WAN-Switches:

  • VLAN X for ISP1
  • VLAN Y for ISP2
  • VLAN Z for Management
  • Port 1-4 are VLAN X, Port 5-8 are VLAN Y, Port 9 Access VLAN Z, Port 10 Trunk
  • ISP1-Router on SW1-1
  • ISP2-Router on SW2-5
  • FW1-Outside1 on SW1-2
  • FW1-Outside2 on SW2-6
  • FW2-Outside1 on SW1-3
  • FW2-Outside2 on SW2-7
  • SW1-10 to SW2-10 as a trunk
  • SW1 and SW2 Port 9 connect to a DMZ interface on both Firewalls
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card