02-05-2020 11:26 PM - edited 02-05-2020 11:38 PM
Hi guys,
I would like to ask how we can manage multiple ISP connections and partner connections on a Cisco 2100 Firepower firewall:
1- Multiple context
2- Zone-based firewall
3- Policy-based routing / flex-config
Thanks for your response
02-06-2020 02:09 PM - edited 02-06-2020 02:11 PM
Hi,
If you are using FTD code on the FPR2100, then you don't have the option for multi-context/multi-instance.
For failover, you can do IP SLA. For load balancing, you can achieve only equal-cost multi-path load balancing if you define multiple static routes across a single interface.
Alternatively, you also have the option to do PBR. For partner traffic segregation, you can rely on zone-based interfaces and policies.
So in summary, the options you have with FTD code are:
PBR, IP SLA (if failover is required), equal-cost multi-path and zone-based policies
02-07-2020 11:20 PM
Thanks Awais for your reply.
Could you confirm the following for the IPsec VPN license requirement for the FIREPOWER 2140?
If we have this license, Threat, Malware and URL license with a 3-year subscription, does this license include the flex VPN license for IPsec VPN, or should we purchase the flex-vpn license separately? Thanks
02-08-2020 12:23 AM
Hi,
There is no separate license required for IPsec site-to-site VPN; a separate license is only required for AnyConnect Remote Access VPN.
Regarding FlexVPN, it is supported on Cisco IOS routers, not on ASA/FTD firewalls.