
Communication between 2 instance in a Multi Instance setup

NeWGuy1109
Level 1

Hello,

 

I am planning to configure a multi-instance setup where one instance will be prod and the other instance will be for non-prod. I understand that I have to configure port channel sub-interfaces in the Firepower chassis and then allocate them to each of the instances as per the requirement. My question is: how do I enable communication between one subnet of prod and one subnet of non-prod, i.e. from one instance to another? Do I create a data sharing interface and allocate it to both instances? If this is correct, then how will routing work in this case? For example, if I need to go from prod to non-prod, will I have to define a route in prod with the next-hop IP of the shared interface?

1 Reply

Hello,

 

Exactly, you assign both instances to the same shared interface. As I understand it, you don't need to explicitly configure routes:

 

--> Inter-instance communications
If instances use shared interfaces, then communication between those instances happens through the
hardware switch on the supervisor module, reducing the need for traffic to leave the appliance and be
forwarded back into it externally. However, it does contribute to the traffic that flows over the backplane.

 

--> ... inter-instance traffic flows through the shared interfaces via the hardware
switch on the supervisor. For this, the supervisor needs to program a path between every pair of instances
using every pair of shared interfaces between them. This exponentially increases the consumption of switch
forwarding path entries and thereby limits the number of possible instances.

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/firepower-ngfw-multi-instance-whitepaper.pdf
