cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2270
Views
0
Helpful
4
Replies

Firepower 1120 redundant ports

dvidurban
Level 1
Level 1

Hi all,

 

I would like to ask, if I can set-up redundant ports on Cisco Firepower 1120 ? 

 

My scenario is : I would need to connect this device to 2 ISPs . And when one ISP (connected to 1 port) goes down, all traffic should be redirected to go through second ISP (connect to another port). I found out , that this functionality can be achieved by seeting ports as "redundant". (if I am wrong, please correct me).

 

Can you please help, if Firepower 1120 support such functionality ? And if yes, how could I set it up ?

 

Thanks in advance

4 Replies 4

That is not what redundant ports are for.

Redundant ports give you two links to your two external switches where the two ISPs are connected. For the two ISPs you have two subinterfaces on these redundant ports.

With two ISPs there are a couple of options available:

1) One physical interface for ISP1, one physical interface for ISP2

2) One interface or a channel with subinterfaces going to an external switch, On the switch you have one VLAN for ISP1 and one VLAN for ISP2.

3) Fully redundant solution: Same as 2), but Firewall1 and ISP1 connects to Switch1, Firewall2 and ISP2 connects to Switch2.

@Karsten Iwen thank you for your explanation.

 

I would like to set up option 1 )  One physical interface for ISP1, one physical interface for ISP2,

so one ISP as passive and one as active. We do not need any subinterfaces.

 

When one ISP "goes down", all traffic should be directed to another ISP.

 

Can you please tell me, how to set it up ?

You configure both interfaces individually with all needed information like IPs and NAT. The default-route for your primary ISP is configured as usual, but the default-route pointing to your secondary ISP is configured with a larger Metric.

It should be added that your default route to ISP1 with a lower metric will remain in the routing table unless the physical interface or ip connectivity to ISP1's next hop goes down. This is not always the desired behavior.

 

Usually you'd want some sort of IP SLA setup so that if connectivity to external resources go down it will failover to ISP2 even if the next hop is still available. Cisco has an article with an ASA on version 9.1(5) here that you could check out: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

The important bits are really:

 

Primary ISP Route

route outside 0.0.0.0 0.0.0.0 203.0.113.2 1 track 1

 Secondary ISP Route

route backup 0.0.0.0 0.0.0.0 198.51.100.2 254

SLA Probe setup

sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

 

Review Cisco Networking for a $25 gift card