Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
2
Helpful
7
Replies

Interface breakout and PO on 2 FP9300 runnin logical device ASA in HA

Go to solution
mbshankr
Level 1
Level 1

‎04-19-2023 01:06 AM - edited ‎04-19-2023 01:30 AM

Hi,

My network has 2 FPs 9300 running an ASA logical device on each chassis. The 2 ASAs are deployed in HA pair. 

My requirement is to:

1. Create 2 breakout interfaces (using 40G interfaces) on each Firepower chassis.

2. Bundle these breakout interfaces into a Port-channel on each chassis.

3. Add the Port-channel interface to the logical ASA device on each chassis (ASA running in HA pair)

Then on I will configure these Port-channel interfaces from Active ASA as per my requirement. I need to do all this without any network downtime (except for the failover time).

Now my questions are:

1. On which Firepower should I initiate the activity? The chassis running active ASA or the chassis running standby ASA?

2. After I finish the config/reboot on one Firepower and it comes up after reboot, would the ASA running on that Chassis have the port-channel present already (blank PO though)? Would this affect the config sync between the ASA pair?

3. What is the best way to carry out the activity with best practices?

Many thanks

1 Accepted Solution

Accepted Solutions

Go to solution
mbshankr
Level 1
Level 1
In response to MHM Cisco World

‎04-19-2023 06:38 AM

Yes, that is the same plan of action I was planning as well. Just a minor change to gracefully failover the firewall before proceeding with the other Firepower.

we start with standby <<- this will not effect the traffic there is no downtime 
then reboot, there is NO failover in this case.

After the standby is up and config fully synced, we gracefully failover the firewall.

then we config breakout in now Standby 
after that the OLD active will not become active again, the standby will continues to be active FW

Then create new PO with port members on the FP chassis running the current Active ASA and add it to the logical device.

Then create new PO with port members on the FP chassis running the current Standby ASA and add it to the logical device.

Then configure the new PO from the active ASA which would sync to the standby.

Last Question:

1. Are there any challenges/restrictions/limitations/special points to consider while adding Breakout interface/s in Port-channel?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
MHM Cisco World
VIP
VIP

‎04-19-2023 01:28 AM - edited ‎04-19-2023 03:06 AM

let me check

0 Helpful

Go to solution
mbshankr
Level 1
Level 1
In response to MHM Cisco World

‎04-19-2023 01:41 AM

As per my understanding, the FP will require a reboot after configuring breakout interface/s. So when I do this on the FP running active ASA, the reboot would trigger failover and the ASA running on the other chassis will become new active. Hence I am confused how to go about this.

I was considering downtime assuming if I needed to apply config and reboot on both the FPs parallelly (but I don't think that would be the case).

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to mbshankr

‎04-19-2023 02:41 AM - edited ‎04-19-2023 02:45 AM

I will make deep dive and update you, but are the two FW run HA or cluster ?

0 Helpful

Go to solution
mbshankr
Level 1
Level 1
In response to MHM Cisco World

‎04-19-2023 02:49 AM

The 2 ASA are in HA pair. Each ASA is running on different Firepower 9300 chassis.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to mbshankr

‎04-19-2023 03:07 AM

Cisco Firepower 4100/9300 FXOS CLI Configuration Guide, 2.7(1) - Interface Management [Cisco Firepower 9300 Series] - Cisco

commit-buffer

This will cause an automatic reboot. If you are configuring more than one breakout, you should create all of them before you issue the commit-buffer command.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-19-2023 04:09 AM

Now let build strategy here 
FW HA.png

we see from my previous post that the breakout 40G will automatic reboot the FPR 
and using the table above 
so we start with standby <<- this will not effect the traffic there is no downtime 
then reboot, there is NO failover in this case. 
then we config breakout in Active <<- here the standby will become the new Active, here you can see some downtime because other network device must notice this change via ARP 
after that the OLD active will not become active again, the standby will continues to be active FW. 

Go to solution
mbshankr
Level 1
Level 1
In response to MHM Cisco World

‎04-19-2023 06:38 AM

Yes, that is the same plan of action I was planning as well. Just a minor change to gracefully failover the firewall before proceeding with the other Firepower.

we start with standby <<- this will not effect the traffic there is no downtime 
then reboot, there is NO failover in this case.

After the standby is up and config fully synced, we gracefully failover the firewall.

then we config breakout in now Standby 
after that the OLD active will not become active again, the standby will continues to be active FW

Then create new PO with port members on the FP chassis running the current Active ASA and add it to the logical device.

Then create new PO with port members on the FP chassis running the current Standby ASA and add it to the logical device.

Then configure the new PO from the active ASA which would sync to the standby.

Last Question:

1. Are there any challenges/restrictions/limitations/special points to consider while adding Breakout interface/s in Port-channel?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card