FTD Multi-instance Capability on Firepower 4100 and 9300 Series Appliances


Beginning with the 6.3 release, the Firepower software supports FTD multi-instance capability. With this support, administrators can create and run multiple independent instances of the FTD software on the same hardware appliance. For now, this multi-instance feature is supported only on 4100 and 9300 devices.

Each FTD instance has dedicated hardware resources allocated to it, which guarantees the performance of an instance. In addition to meeting the traffic processing isolation requirements, multi-instance ensures that the management plane for each instance is fully independent of the other instances. In the first phase, it is preferable to manage all the instances on the same hardware from the same FMC.

The Multi-instance Internals
With FXOS, you can create two types of FTD instances:

  • Native instances consume all the existing hardware.
  • Container Instances use only the hardware and resources allocated by the administrator. Each container has its own dedicated CPU, RAM, and HDD, which are not shared between other instances. Hardware-specific features like flow offload, crypto hardware, and so on do not work in the container instance. 

With 6.4, you can designate one instance to use the TLS hardware for TLS-specific operations, and you can share physical network interfaces among multiple logical FTDs. The number of instances depends on the available hardware.

The Factors that Limit the Creation of Instances

Supervisor module resources limit the maximum number of container instances. All traffic to the security modules passes through the hardware switch on the supervisor. The following hardware resources on the supervisor limit the number of instances that can be created:

  • Switch forwarding path entries available on the hardware switch
    • A nonshared logical interface assigned to an instance requires a path between its physical interface and that instance
    • Switch forwarding path entries matter much more when interfaces are shared between instances. With shared interfaces, inter-instance traffic flows through the shared interfaces via the hardware switch on the supervisor, so the supervisor must program a path between every pair of instances for every pair of shared interfaces between them. This consumes switch forwarding path entries exponentially faster and thus limits the number of instances that can be created.
  • Ingress VLAN group entry counts

The ingress VLAN group entry count also restricts the maximum number of VLAN subinterfaces that can be created on the supervisor, which in turn may restrict the number of instances that can be created. The VLAN group entry table tracks the ingress VLAN IDs of the subinterfaces configured on a physical interface on the supervisor. The table holds a maximum of 500 entries, and every VLAN subinterface created consumes at least one entry.
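As an added illustration that is not part of the original post or of any Cisco tool, the small Python planner below applies the two supervisor limits described above to a proposed layout: the growth of switch forwarding paths with every pair of instances and every pair of interfaces they share, and the 500-entry ingress VLAN group table. The path count is a simplified model of the description in this post, not Cisco's published sizing formula, and the instance and interface names are constructed.

```python
from itertools import combinations, combinations_with_replacement

# Stated above: the supervisor's ingress VLAN group table holds 500 entries and
# every VLAN subinterface consumes at least one of them.
VLAN_GROUP_ENTRY_LIMIT = 500


def shared_path_count(instances):
    """Simplified model (assumption, not Cisco's formula): for each pair of
    instances, one switch forwarding path per pair of interfaces they share,
    counting the case where both ends use the same shared interface."""
    paths = 0
    for a, b in combinations(sorted(instances), 2):
        common = instances[a] & instances[b]
        paths += sum(1 for _ in combinations_with_replacement(sorted(common), 2))
    return paths


def plan(instances, vlan_subinterfaces):
    """instances: {instance_name: set of interface names}.
    vlan_subinterfaces: number of VLAN subinterfaces on the supervisor.
    Returns a summary of the resources the layout consumes."""
    owners = {}
    for inst, ifaces in instances.items():
        for iface in ifaces:
            owners.setdefault(iface, set()).add(inst)
    nonshared = [i for i, o in owners.items() if len(o) == 1]
    shared = [i for i, o in owners.items() if len(o) > 1]
    return {
        "instances": len(instances),
        "shared_interfaces": sorted(shared),
        "nonshared_paths": len(nonshared),  # one physical path each
        "shared_paths": shared_path_count(instances),
        "vlan_entries_used": vlan_subinterfaces,
        "vlan_fits": vlan_subinterfaces <= VLAN_GROUP_ENTRY_LIMIT,
    }


def growth_table(max_instances, shared_ifaces):
    """Shared-path count as instances are added, all sharing the same interfaces.
    Shows why sharing interfaces caps the instance count quickly."""
    return [
        shared_path_count({f"ftd{n}": set(shared_ifaces) for n in range(1, k + 1)})
        for k in range(1, max_instances + 1)
    ]


if __name__ == "__main__":
    # Constructed layout: e1/2 shared by all three, e1/3 shared by two.
    layout = {"ftd1": {"e1/1", "e1/2"}, "ftd2": {"e1/2", "e1/3"}, "ftd3": {"e1/2", "e1/3"}}
    print(plan(layout, vlan_subinterfaces=40))
    print(growth_table(4, {"e1/1", "e1/2", "e1/3"}))
```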

The other factors that limit the creation of instances are:

  • Distribution of hardware resources available on the security module
  • Disk space
  • Size of an instance (resource profile)

Benefits of Multi-instance Solutions

  • Hardware-level traffic processing isolation
  • Hardware-level fault isolation
  • Independent software version management
  • Independent upgrades and restarts
  • Full management isolation
  • Full feature parity between the container and native instances

For more information on multi-instance, see Cisco Firepower Threat Defense Multi-Instance Capability on Cisco Firepower 4100 and 9300 Series Appliances White Paper.

- Abhishek 

1 Comment

Do you know if there are any plans to allow multiple instances of the ASA on the Firepower 4100 platform specifically? I currently have ASA on a set of 4110s in multi-context mode, but there are some ASA features that are only supported in single mode. My hope would be to run multiple ASA logical devices in single mode to get around these limitations.