Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
187
Views
2
Helpful
3
Replies

SVIs on FTD or not?

Go to solution
Jeff Horton
Level 1
Level 1

‎03-20-2025 09:47 AM

I am implementing new Cisco FTD firewalls in HA mode. I have one question I need advice on:

Should I have all my SVI interfaces on the firewalls or leave them on my Nexus switch?

My thought was to move them to the firewall.

I have two separate locations where the firewalls will be housed. I do have a Nexus switch in each location that I was going to configure VRRP on for the SVIs.

 

Jeff

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-20-2025 09:56 AM

@Jeff Horton the benefit of having the SVIs on the FTD is traffic routed between VLANs can be filtered by the firewall. This would have an administrative overhead to configure manage the rules and the FTD hardware must be correctly sized to cope with the additional throughput.

If you leave the SVIs on the nexus switch then only traffic destined outside the network would be routed to the FTD, the FTD itself may not have to be as powerful as if it were inspecting all the intervlan traffic.

View solution in original post

3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-20-2025 09:55 AM

Depends on the deployment and where the Gateway need to be.

if this is DC environment, then Firewall should be gateway for the host inside and outside. kind of setup.

FTD to nexus to have port-channel and use sub-interface on FTD standard setup in my views.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP

‎03-20-2025 09:56 AM

@Jeff Horton the benefit of having the SVIs on the FTD is traffic routed between VLANs can be filtered by the firewall. This would have an administrative overhead to configure manage the rules and the FTD hardware must be correctly sized to cope with the additional throughput.

If you leave the SVIs on the nexus switch then only traffic destined outside the network would be routed to the FTD, the FTD itself may not have to be as powerful as if it were inspecting all the intervlan traffic.

Go to solution
Jeff Horton
Level 1
Level 1

‎03-20-2025 12:31 PM

Thank you for the input. I think I am going to try the VRRP on my Nexus switches. I had tried to do this years ago with some Nexus 5548s but could not get it to work correctly. Even Cisco TACACS could not fix it as they tried it in their lab. I have yet to see what the new Nexus 9000 will do. These will be put in place with the new FTDs.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card