Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1278
Views
0
Helpful
2
Replies

Setting up FTD on 4110: Management and failover interfaces setup

Go to solution
ABaker94985
Spotlight
Spotlight

‎06-22-2021 01:31 PM

We are in the process of deploying an FTD on a 4110. We have access to the web interface of the firewall chassis manager and the fxos via ssh. I uploaded FTD-6.6.4 onto the appliance, and I'm trying to create a logical FTD device. There is the one management interface and four 10Gbps interfaces. I've selected Native instance type and Standalone usage. Here is what I can't figure out as I read through the Cisco documentation:

1) The management interfaces for FCM doesn't appear to be usable by the FTD, but there is no way I want to use a 10 Gbps interface. Is there a way to use the management interface for the chassis? There isn't an option to select this when creating a logical device.

2) We're wanting to use HA, but again I don't want to use a dedicated 10 Gbps module for failover and stateful. Is it possible to use a subinterface of one of the data interfaces?

Thank you.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee

‎06-22-2021 11:55 PM

1) You will need to use an interface from the network module as a mgmt interface for communication with FMC/using it for mgmt as FDM. 6.7 does have a feature to use data interface for mgmt, but it can be used only for standalone units and not for HA.

 

2) You can use an unused, but enabled, data interface (physical) as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link). You cannot use a management interface or a subinterface for failover.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ha.html#concept_ud1_j2b_d3b

 

HTH

Regards,

Chakshu

 

Do rate helpful posts !

 

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-23-2021 01:28 AM

Like @Chakshu Piplani noted, you always have to allocate at least two of the physical data interfaces on a 4100 series (or 9300 series) HA pair:

(1) FTD management and

(2) failover

The "GE Mgmt" interface is only for chassis management. While you can get to the ftd cli through it, it requires some commands post-login and thus is not generally usable for system operations - only for manual troubleshooting in a pinch.

That's true up through the (current) latest 7.0 release.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee

‎06-22-2021 11:55 PM

1) You will need to use an interface from the network module as a mgmt interface for communication with FMC/using it for mgmt as FDM. 6.7 does have a feature to use data interface for mgmt, but it can be used only for standalone units and not for HA.

 

2) You can use an unused, but enabled, data interface (physical) as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link). You cannot use a management interface or a subinterface for failover.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ha.html#concept_ud1_j2b_d3b

 

HTH

Regards,

Chakshu

 

Do rate helpful posts !

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-23-2021 01:28 AM

Like @Chakshu Piplani noted, you always have to allocate at least two of the physical data interfaces on a 4100 series (or 9300 series) HA pair:

(1) FTD management and

(2) failover

The "GE Mgmt" interface is only for chassis management. While you can get to the ftd cli through it, it requires some commands post-login and thus is not generally usable for system operations - only for manual troubleshooting in a pinch.

That's true up through the (current) latest 7.0 release.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card