Beginning with the 6.3 release, the Firepower software supports FTD multi-instance capability. With this support, administrators can create and run multiple independent instances of the FTD software on the same hardware appliance. Currently, the multi-instance feature is supported only on Firepower 4100 and 9300 devices.
Each FTD instance has dedicated hardware resources allocated to it, which guarantees the performance of that instance. In addition to meeting the traffic processing isolation requirements, multi-instance ensures that the management plane of each instance is fully independent of the other instances. In the first phase, it is preferable to manage all the instances on the same hardware from the same FMC.
The Multi-instance Internals
With FXOS, you can create two types of FTD multi-instances:
Native instances consume all the hardware resources available on the security module.
Container instances use only the hardware and resources allocated to them by the administrator. Each container has its own dedicated CPU, RAM, and HDD, which are not shared with other instances. Hardware-specific features such as flow offload and crypto hardware do not work in a container instance.
With 6.4, you can create one instance that can be used for TLS hardware-specific operations, and physical network interfaces can be shared among multiple logical FTDs. The number of instances depends on the available hardware.
The Factors that Limit the Creation of Instances
Supervisor module resources limit the maximum number of container instances. All traffic to the security modules passes through the hardware switch on the supervisor. The following hardware resources on the supervisor limit the maximum number of instances that can be created:
Switch forwarding path entries available on the hardware switch
Each nonshared logical interface assigned to an instance requires its own physical interface, and the supervisor must program a path between that physical interface and the instance.
The number of switch forwarding path entries becomes more important when interfaces are shared between instances. In that case, inter-instance traffic flows through the shared interfaces via the hardware switch on the supervisor, so the supervisor needs to program a path between every pair of instances for every pair of shared interfaces between them. This exponentially increases the consumption of switch forwarding path entries and thus limits the number of instances that can be created.
Ingress VLAN group entry counts
In addition, the ingress VLAN group entry count restricts the maximum number of VLAN subinterfaces that can be created on the supervisor, which in turn may restrict the number of instances that can be created. The VLAN group entry table tracks the ingress VLAN IDs of the subinterfaces configured on a physical interface on the supervisor. The table holds a maximum of 500 entries, and every VLAN subinterface created consumes at least one entry.
The other factors that limit the creation of instances are:
Distribution of hardware resources available on the security module
Size of an instance (resource profile)
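The supervisor-side limits above (one physical interface per nonshared logical interface, at least one of the 500 VLAN group entries per VLAN subinterface, and one programmed path per instance pair per pair of shared interfaces) can be checked before a deployment is built. The following planner is an added example, not Cisco code or an FXOS formula: the deployment layout is constructed, and the inter-instance path count is a literal model of the description in this text, not the exact entry accounting of the FXOS supervisor.

```python
from itertools import combinations

# Constructed sample layout (not from the page): instance -> logical interfaces it uses.
# Interfaces with a "." are VLAN subinterfaces; interfaces listed under several
# instances are shared through the supervisor's hardware switch.
DEPLOYMENT = {
    "ftd1": {"Eth1/1.100", "Eth1/2.200", "Eth1/5"},
    "ftd2": {"Eth1/1.100", "Eth1/2.200", "Eth1/6"},
    "ftd3": {"Eth1/1.100", "Eth1/2.200", "Eth1/3.300"},
}
VLAN_GROUP_ENTRY_LIMIT = 500  # maximum ingress VLAN group entries, per the text

def shared_interfaces(deployment):
    """Interfaces assigned to more than one instance."""
    users = {}
    for inst, ifaces in deployment.items():
        for iface in ifaces:
            users.setdefault(iface, set()).add(inst)
    return {iface for iface, insts in users.items() if len(insts) > 1}

def vlan_subinterfaces(deployment):
    return {i for ifaces in deployment.values() for i in ifaces if "." in i}

def nonshared_interfaces(deployment):
    """Each of these needs a dedicated physical interface on the supervisor."""
    shared = shared_interfaces(deployment)
    return {i for ifaces in deployment.values() for i in ifaces if i not in shared}

def inter_instance_paths(deployment):
    """Model of the text: one path per instance pair per pair of shared
    interfaces common to both. Grows with C(instances, 2) * C(shared, 2)."""
    shared = shared_interfaces(deployment)
    total = 0
    for a, b in combinations(deployment, 2):
        common = deployment[a] & deployment[b] & shared
        total += sum(1 for _ in combinations(sorted(common), 2))
    return total

def plan(deployment):
    subifs = vlan_subinterfaces(deployment)
    return {
        "vlan_group_entries_min": len(subifs),          # at least one per subinterface
        "vlan_group_headroom": VLAN_GROUP_ENTRY_LIMIT - len(subifs),
        "physical_ifaces_for_nonshared": len(nonshared_interfaces(deployment)),
        "inter_instance_paths": inter_instance_paths(deployment),
    }

if __name__ == "__main__":
    for key, value in plan(DEPLOYMENT).items():
        print(f"{key}: {value}")
```

Running `plan` on a layout where every instance shares the same set of interfaces shows the pair-wise growth the text describes: four instances sharing three interfaces need 6 * 3 = 18 modelled paths, against 3 for the sample above.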
Benefits of Multi-instance Solutions
Hardware-level traffic processing isolation
Hardware-level fault isolation
Independent software version management
Independent upgrades and restarts
Full management isolation
Full feature parity between the container and native instances