High Availability Setup

gcook0001
Level 1

I have been doing a lot of reading but I haven't found what I am looking for. We recently purchased two Firepower 1140s to replace our Meraki appliances. We have two Catalyst 3850 switches in a non-stacked configuration.

I would like to set them up using the following, but I can't find any documentation that I can follow.

FP1 - port 1 to ISP

FP1 - port 3 to 3850-1 carrying vlans 3,4,5,6 (port-channel 1)

FP1 - port 4 to 3850-1 carrying vlans 3,4,5,6 (port-channel 1)

FP1 - port 5 to 3850-2 carrying vlans 3,4,5,6 (port-channel 2)

FP1 - port 6 to 3850-2 carrying vlans 3,4,5,6 (port-channel 2)

FP1 - port 8 to FP2 - port 8 - failover link

FP2 - port 1 to ISP

FP2 - port 3 to 3850-1 carrying vlans 3,4,5,6 (port-channel 3)

FP2 - port 4 to 3850-1 carrying vlans 3,4,5,6 (port-channel 3)

FP2 - port 5 to 3850-2 carrying vlans 3,4,5,6 (port-channel 4)

FP2 - port 6 to 3850-2 carrying vlans 3,4,5,6 (port-channel 4)

We currently have:

3850-1 to 3850-2 port-channel 20 carrying vlans 3,4,5,6

If someone could point me to some decent documentation on doing this, it would be great.

7 Replies

balaji.bandi
Hall of Fame

Why not follow the guides below, which cover what is recommended for the HA environment and what is not recommended?

If you have 2 ISPs, is it active failover you would like to both ISPs?

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

Read the above documents and make a small network diagram, which gives you a clear picture and helps you understand what you are looking to do.

If you still have questions, post the high-level diagram of your network so we can look and suggest what approach would be suitable for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the quick reply.

I read both those documents previously. What is missing is how to create port-channels carrying multiple vlans/subnets.

I attached a document showing the layout.

The best approach is FW on a stick with a Port-channel with sub-interfaces.

Each FW goes with its respective parent switch port-channel, with a dedicated interface for the HA sync link if they are in the same location.

Terminate your ISP into the switch with a different VLAN segment.

BB

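Added example of the switch side of the "FW on a stick" layout described above; it is not from the thread or from Cisco's documentation. It assumes balaji.bandi's recommendation of one port-channel per firewall to its parent switch (FP1 ports 3-4 to 3850-1, FP2 ports 5-6 to 3850-2) and assumes the 3850-1 member ports are Gi1/0/3-4, which the thread does not name.

```ios
! Catalyst 3850-1: trunk port-channel toward FP1 (Ethernet1/3 and 1/4).
! Member port numbers Gi1/0/3-4 are an assumption; substitute your own.
vlan 3,4,5,6
!
interface Port-channel1
 description FP1 Ethernet1/3-1/4 (FW on a stick)
 switchport mode trunk
 switchport trunk allowed vlan 3,4,5,6
 switchport nonegotiate
!
interface range GigabitEthernet1/0/3 - 4
 description FP1 Ethernet1/3-1/4 member
 switchport mode trunk
 switchport trunk allowed vlan 3,4,5,6
 switchport nonegotiate
 channel-group 1 mode active
!
! 3850-2 gets the identical trunk settings for FP2 (ports 5-6); only the
! channel-group number differs. Port-channel 20 between the two switches
! already carries VLANs 3-6, so both firewalls see every VLAN.
!
! Leave inter-VLAN routing to the firewall: do not give the 3850 SVIs an
! IP address in VLANs 3-6, otherwise hosts could be routed around the FTD.
!
! FTD side (configured in FDM, not on this CLI; names are assumptions):
! build an EtherChannel from Ethernet1/3 and Ethernet1/4 in LACP active
! mode, then add subinterfaces Port-channel1.3 through Port-channel1.6
! with VLAN IDs 3-6, each holding the gateway IP for that subnet. With HA
! configured, the secondary unit mirrors this interface layout.
```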

OK. I have no idea what you said. I have the firewalls set up as in the diagram. I just can't figure out how to handle the different vlan/subnets between the switch and the firewalls.

balaji.bandi
Hall of Fame

Here is a high level diagram. If you are still not sure, I suggest hiring a consultant rather than making it difficult for yourself, and eventually you can learn from them so you can maintain the network.

highlevel.JPG

BB


I would love to hire a consultant. We just can't afford it. I am making progress, I think. I created sub-interfaces on one of the ports and I created a port-channel on the switch, and it looks like I am getting some kind of connection.

So there is no documentation on how to implement this design. I have worked with two other firewall vendors previously and there were always a couple of default scenarios that were well documented. I have looked everywhere on the Cisco site and I don't find anything. I must not be the first person to want to use their firewalls for handling traffic between multiple VLANs. I am not asking for someone to design this for me, I am asking for clear documentation that explains how to do this.
