Re: Managing Firepower Management Centre 2000 (FMC) appliance using two IP addresses on different su...

dam0c0nr0y · ‎11-08-2018

Hi All

We have a Firepower Management Centre 2000 appliance (i.e. FS2000-K9) running 6.1.0.3 (build 57) software.

Currently we have the FMC appliance managed via it's eth0 interface i.e. physical NIC "1".

We have a request for the FMC appliance to be also manageable from a second subnet.

The question is, can the FMC appliance be managed by two interfaces? i.e. if we configure eth1 (physical NIC "2") with an IP address which is on a different subnet to the IP address which eth0 is allocated, will that work? is it a supported configuration?

Note: The FMC appliance currently manages Firepower SFR software modules which are installed in ASA 5500-Xs and we want those Firepower SFR modules to remain unaffected and managed by the FMC via it's existing IP address on eth1. The proposed use of eth1 (physical NIC "2") is purely to enable GUI and CLI access to the FMC appliance for operational management purposes from another subnet.

I have research this online and looked through documentation on the Cisco Support Portal but cannot find it clearly stated anywhere that this will proposed configuration will work, or is a Cisco supported configuration, or if there are any banana skins lurking around to slip up on here.

If any of you have already done this and proven it to work, would appreciate your feedback.

Thanks

Damian

Abheesh Kumar · ‎11-08-2018

Hi Damian,

As per document you can do this, but i didn't do this kind of configuration anywhere.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/system_configuration.html#concept_szp_wx2_dfb

Management and Event Traffic Channel Examples

The following example shows the Firepower Management Center and managed devices using only the default management interfaces.

Figure 1. Single Management Interface on the Firepower Management Center

The following example shows the Firepower Management Center using separate management interfaces for devices; and each managed device using 1 management interface.

Figure 2. Mutliple Management Interfaces on the Firepower Management Center

The following example shows the Firepower Management Center and managed devices using a separate event interface.

Figure 3. Separate Event Interface on the Firepower Management Center and Managed Devices

The following example shows a mix of multiple management interfaces and a separate event interface on the Firepower Management Center and a mix of managed devices using a separate event interface, or using a single management interface.

Figure 4. Mixed Management and Event Interface Usage

I think you can enable eth1 interface and assign IP then add the static route to your desired network.

HTH

Abheesh

dam0c0nr0y · ‎03-07-2019

For the record, have proven this work in our lab, with an FMC 4000 appliance (rather than an FMC 2000) under the following setup:

- Physical NIC “1” (logical interface “eth0”) – ORIGINAL interface connected to subnet/VLAN X

- Physical NIC “M” (CIMC/LOM) – ORIGINAL interface connected to subnet/VLAN X

- Physical NIC “2” (logical interface “eth1”) – NEW interface connected to subnet/VLAN Y

Note: Additional static route is required to be configured on the FMC appliance (under "Management Interfaces") in order to route traffic to certain subnets via eth1 i.e. any traffic which you do not want routed via the Default Gateway.

Managing Firepower Management Centre 2000 (FMC) appliance using two IP addresses on different subnets

Management and Event Traffic Channel Examples