Solved: Re: What does the Eventing interface do in FTD 4k?

SIMMN · ‎11-21-2022

I am reading the guide regarding the interface types on 4K FXOS in chassis manager. I am not sure I understand the "Eventing" interface. Is it supposed to be used as the dedicated link to FMC for sharing events, so the management interface on the FTD instance would only be used for pushing configuration by FMC? If so, I am not aware of an option in FMC to differentiate or sepearte the two...

Also within the guide linked below, what does this statement mean actually ? "If you later configure a data interface for management, you cannot use a separate eventing interface." You would need a management interface configured for the FTD instance to start with, right? I am a little bit lost here...

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/firepower-4100-gsg/chassis_setup.html

Marvin Rhoads · ‎11-21-2022

"Is it supposed to be used as the dedicated link to FMC for sharing events, so the management interface on the FTD instance would only be used for pushing configuration by FMC? " - correct.

"If so, I am not aware of an option in FMC to differentiate or sepearte the two..." When you register a device that has a separate eventing interface configured, it will take care of sending events to FMC on its own, without having to configure that aspect on FMC.

"If you later configure a data interface for management, you cannot use a separate eventing interface." There is an option to NOT use a dedicated management interface but instead manage the device using an interface that's also used for data. If you choose that option, you also forgo the option of having a separate eventing interface.

View solution in original post

Marvin Rhoads · ‎11-21-2022

"Is it supposed to be used as the dedicated link to FMC for sharing events, so the management interface on the FTD instance would only be used for pushing configuration by FMC? " - correct.

"If so, I am not aware of an option in FMC to differentiate or sepearte the two..." When you register a device that has a separate eventing interface configured, it will take care of sending events to FMC on its own, without having to configure that aspect on FMC.

"If you later configure a data interface for management, you cannot use a separate eventing interface." There is an option to NOT use a dedicated management interface but instead manage the device using an interface that's also used for data. If you choose that option, you also forgo the option of having a separate eventing interface.

SIMMN · ‎11-21-2022

Got you! Thanks!

So if I wanted to have eventing interface, I would have to set the device up day 1 with dedicated management and eventing interfaces, right?

Marvin Rhoads · ‎11-21-2022

You're welcome.

If you started with dedicated management and then later added eventing that should also work.

I've only ever used dedicated eventing once in a production deployment. It has 9300 6-device clusters and 100 Gbps interfaces where we expected significant event traffic.

SIMMN · ‎11-21-2022

Good to know that there are really customers using large 9k deployments...Curious did you use multi-instance on the 9K or just native instance?

Marvin Rhoads · ‎11-21-2022

Since the 9k deployment needed all the horsepower from each SM to reach the desired throughput for the cluster as a whole, those were native logical devices.

I've used multi-instance for a deployment that had just a pair of 4115s but wanted complete separation between separate user bases. It's a university with students (including their on-campus residences) in one instance and the faculty and staff systems in another.

For another university with similar requirements I used native instances with multiple VRFs. The VRFs are a bit harder to wrap your head around but they work fine.

SIMMN · ‎11-21-2022

Good information for me! Will reference a little bit in the future design.