
Monitoring interfaces on active/standby FTD HA pair

atsukane
Level 3

Hi all,


I've been tasked with building active/standby HA pairs of FTDs.

Eventually I'll have to complete 1120, 2130 and 2140s, but I'm currently working on the first pair of 1120s.

This is our first FTD and my first for configuring HA pair, and I'm following the design by my senior colleague.

Onboarding FTDs to FMC and configuring HA was relatively simple task.

Since then, I've bought Todd Lammle's 'CCIE/CCNP Security Exam 300-710 Securing Networks with Cisco Firepower' book for reference, and in it he says 'You need to add all your hardware interfaces in here if they aren't enabled to be monitored by default. Just remember not to monitor your subinterfaces or other logical interfaces.' Although I kinda understand why, it doesn't state any reason for not monitoring sub/logical interfaces. - Can someone explain why we shouldn't monitor sub/logical interfaces, for my better understanding?

The design I'm using uses a port-channel (LACP) consisting of 4 interfaces, and the inside interface and other VLAN interfaces are all subinterfaces of this Po (except the outside interface, which is a dedicated hardware interface), which makes me think that it's not the best design, as we can't monitor any of the interfaces like this?

And I'm wondering if I should ask my colleague to consider redesigning so that at least the inside interface uses a physical interface, so we can enable monitoring and allocate a standby IP etc.

Any thoughts?


Many thanks,

Accepted Solution

Sheraz.Salim
VIP Alumni

Since then, I've bought Todd Lammle's 'CCIE/CCNP Security Exam 300-710 Securing Networks with Cisco Firepower' book for reference, and in it he says 'You need to add all your hardware interfaces in here if they aren't enabled to be monitored by default. Just remember not to monitor your subinterfaces or other logical interfaces.' Although I kinda understand why, it doesn't state any reason for not monitoring sub/logical interfaces. - Can someone explain why we shouldn't monitor sub/logical interfaces, for my better understanding?


- I think it completely depends on what you want to achieve. Each network requirement/setup is different according to the company's/design's needs. By default, monitoring of physical interfaces is enabled, and monitoring of subinterfaces is disabled. If you monitor the logical/sub-interface and there is a blip in that sub-interface, it will cause a failover, which makes sense as a reason not to monitor the sub-interface. But the question arises when the network setup demands that we monitor the sub-interface; in that case it leaves you no choice but to monitor the sub-interface.


The design I'm using uses a port-channel (LACP) consisting of 4 interfaces, and inside interface and other vlan interfaces are all subinterfaces of this Po (except the outside interface is a dedicated hardware interface), which makes me think that it's not the best design as we can't monitor any of the interfaces like this?


- It would be good if you create a port-channel for each dedicated interface, let's say a 2x interface port-channel for Inside and a 2x interface port-channel for Outside (then do the subinterfaces, or load-balance the subinterfaces on the port-channels). This will give you more stability in case things go wrong.


And wondering if I should ask my colleague to consider redesigning so at least the inside interface uses a physical interface so we can enable monitoring and allocate a standby IP etc.

- Agree.

Please do not forget to rate.
