11-12-2017 08:48 PM - edited 03-08-2019 07:02 PM
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
UCS E-Series Configuration Guide:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html
Cisco UCS E-Series Getting Started Guide:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/3-1-1/gs/guide/b_Getting_Started_Guide.html#task_B4052C8757D74555A073C0BD759B211D
UCS E-Series Troubleshooting Guide:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/ts/guide/e_series_ts.html
Firepower Virtual Appliance and Defense Center Data Sheet:
https://na8.salesforce.com/sfc/p/#80000000dRH9KXPLJqkSwWBoW3e_vtLbnXOyiNg=
Firepower 3D System Virtual Installation Guide:
http://www.cisco.com/c/en/us/support/security/ngips-virtual-appliance/tsd-products-support-series-home.html
Firepower Management Center User Guide:
https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html
Firepower Management Center VM Download:
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=5.4.1.6&relind=AVAILABLE&rellifecycle=&reltype=latest
Firepower Sensor VM Download:
https://software.cisco.com/download/release.html?mdfid=286259690&softwareid=286271056&release=5.3.0.8&relind=AVAILABLE&rellifecycle=&reltype=latest
ESXi 5.0 or above is required. The Cisco-customized VMware ESXi image can be downloaded here:
https://my.vmware.com/web/vmware/details?downloadGroup=CISCO-ESXI-5.1.0-GA-25SEP2012&productId=284
UCS E-Series Images:
https://software.cisco.com/download/navigator.html?mdfid=284467266
Download the latest CIMC HUU and upgrade the BIOS, CIMC and other firmware components per this link: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide/b_2_0_Getting_Started_Guide_chapter_01010.html#task_B4052C8757D74555A073C0BD759B211D
To implement Firepower (NGFWv) in transparent high availability mode using two UCS-E blades on an ISR 4K:
The NGFWv VM requirement is 8x4x40 (8 GB RAM, 4 vCPUs and 40 GB of disk space). ESXi itself takes up 11 GB, so a 50 GB drive is clearly not sufficient.
UCS-E module support per ISR G2 platform (number of modules supported; No = not supported):
ISR Platform | Cisco UCS EN140N | Cisco UCS EN120S and E140S | Cisco UCS E140D and E160D-M2 | Cisco UCS E160D-M1 and E180D
1921 | No | No | No | No
1941 | No | No | No | No
2901 | No | No | No | No
2911 | No | 1 | No | No
2921 | No | 1 | 1 | No
2951 | No | 2 | 1 | No
3925 | No | 2 | 1 | 1
3945 | No | 4 | 1 | 1
3925E | No | 2 | 1 | 1
3945E | No | 4 | 1 | 1
UCS-E module support per ISR 4K platform (number of modules supported; No = not supported):
ISR Platform | Cisco UCS EN120E | Cisco UCS EN140N | Cisco UCS EN120S and E140S | Cisco UCS E140D and E160D-M2 | Cisco UCS E160D-M1 and E180D
4321 | No | 2 | No | No | No
4331 | No | 2* | 1 | No | No
4351 | No | 3* | 2 | 1 | 1
4431 | No | 3 | No | No | No
4451 | No | 3* | 2 | 1 | 1
CIMC management access on the ISR 4K (configure one of the three options):
1. Dedicated management access
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port dedicated
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1
2. Shared management access through the external port (GE2)
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port shared-lom GE2
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1
3. Shared management access through the internal port (console)
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port shared-lom console
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1
Router configuration for the management bridge domains (VRF mgmt): VLAN 10 on GigabitEthernet0/0/2 is the CIMC management network (BDI10 is the 10.20.20.1 default gateway given in the imc ip address command above); VLAN 40 is carried on GigabitEthernet0/0/2 and on both internal ucse x/0/0 ports (BDI40, 10.20.40.1).
! vrf mgmt is referenced by BDI10/BDI40 below but its definition is not shown on the original page;
! it is added here so that the configuration applies.
vrf definition mgmt
 address-family ipv4
 exit-address-family
!
bridge-domain 10
bridge-domain 40
!
interface GigabitEthernet0/0/2
 no ip address
 media-type rj45
 negotiation auto
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
 !
 service instance 40 ethernet
  encapsulation dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
!
interface BDI10
 vrf forwarding mgmt
 ip address 10.20.20.1 255.255.255.0
!
! Apply the same block to both internal ports, ucse 1/0/0 and ucse 2/0/0
interface ucse1/0/0
 no ip address
 no negotiation auto
 service instance 40 ethernet
  encapsulation dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
!
interface BDI40
 vrf forwarding mgmt
 ip address 10.20.40.1 255.255.255.0
Deployment steps:
1. Get the latest XE, IOS and CIMC images. Download the latest CIMC HUU and upgrade the BIOS, CIMC and other firmware components (see the Getting Started Guide link above).
2. Make sure the ESXi port groups used by the NGFWv accept Promiscuous Mode, MAC Address Changes and Forged Transmits; in transparent mode the NGFWv must receive and send frames for MAC addresses other than its own.
3. Use sudo /usr/local/sf/bin/configure-network to configure the management settings: management IP, subnet and default gateway.
4. Open an HTTPS GUI connection to add the NGFWv to the FMC. You are prompted for the EULA and post-boot configuration.
5. Register the sensor with the FMC: configure manager add <manager ip> <user chosen id>
6. Repeat the steps above on the second UCS-E blade if configuring HA.
EVC configuration in the ISR 4451 for ucse 1/0/1 and ucse 2/0/1 (static configuration). Both internal ports get the identical block:
interface ucse1/0/1
 no ip address
 no negotiation auto
 switchport mode trunk
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 20
 !
 service instance 30 ethernet
  encapsulation dot1q 30
  rewrite ingress tag pop 1 symmetric
  bridge-domain 30
 !
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41
 !
!
! Repeat the same interface block for ucse2/0/1
!
ip route 0.0.0.0 0.0.0.0 128.107.213.129
! NAT-ACL (the access list naming the inside subnets) must be defined separately; it is not shown on the page
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/3 overload
!
BDI interfaces for VLAN 20 and VLAN 30 (the NAT inside side):
interface BDI20
 mac-address 0002.0002.0002
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
!
interface BDI30
 mac-address 0003.0003.0003
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
!
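A small consistency check for EVC stanzas like the ones above, added here as an example (not part of the original post or of any Cisco tool). It parses the service-instance blocks of the two HA members, assumed to be ucse1/0/1 and ucse2/0/1, and flags a missing tag pop, one bridge-domain fed by two different VLANs (which would bridge the VLANs together), and service instances present on only one member; the input is a constructed sample, not a real device dump.

```python
# Constructed sample modelled on the page's EVC stanzas; ucse2/0/1 lacks the tag pop on si 20 and has no si 41.
SAMPLE = """interface ucse1/0/1
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 20
 !
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41
 !
interface ucse2/0/1
 service instance 20 ethernet
  encapsulation dot1q 20
  bridge-domain 20
 !
"""

def parse_evc(text):
    """Return {interface: {si_id: {'vlan': int, 'bd': int, 'pop': bool}}}."""
    cfg, iface, cur = {}, None, None      # cur: the service instance being read
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "interface":
            iface, cur = w[1], None
        elif w[:2] == ["service", "instance"] and iface:
            cur = cfg.setdefault(iface, {})[int(w[2])] = {"vlan": None, "bd": None, "pop": False}
        elif w[0] == "!":
            cur = None                        # '!' closes the service instance
        elif cur is not None and w[0] == "encapsulation":
            cur["vlan"] = int(w[2])           # encapsulation dot1q <vlan>
        elif cur is not None and w[0] == "bridge-domain":
            cur["bd"] = int(w[1])
        elif cur is not None and w[:4] == ["rewrite", "ingress", "tag", "pop"]:
            cur["pop"] = True
    return cfg

def audit(cfg, a, b):
    """Flag missing tag pops, one bridge-domain joining two VLANs, and HA asymmetry between a and b."""
    findings, bd_vlan = [], {}
    for iface, sis in cfg.items():
        for sid, s in sis.items():
            if not s["pop"]:
                findings.append(f"{iface} si {sid}: no 'rewrite ingress tag pop 1 symmetric'")
            seen = bd_vlan.setdefault(s["bd"], s["vlan"])
            if seen != s["vlan"]:             # two VLANs bridged together: VLAN leak
                findings.append(f"bridge-domain {s['bd']} joins VLAN {seen} and VLAN {s['vlan']}")
    for sid in sorted(set(cfg.get(a, {})) ^ set(cfg.get(b, {}))):
        findings.append(f"service instance {sid} is only on one of {a} / {b}")
    return findings
```

Run audit(parse_evc(SAMPLE), "ucse1/0/1", "ucse2/0/1") against a pasted show running-config section to compare both members before enabling HA.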
UCS-E External Ports (G2) for VLAN 21 and VLAN 31
No configuration is required in the router for the UCS-E external ports, which connect directly to the switch.
The switch port connected to the UCS-E external ports must be configured as a trunk carrying those VLANs (in this use case VLAN 21 and VLAN 31).
NGFWv Interface to Port-Group Mapping
Note: NGFWv HA failover is not triggered by an internal interface failure.
When does NGFWv failover trigger?
Failure | Physical status failure | IP connectivity failure | Triggers failover
UCS-E module failure | Yes | Yes | Yes
FTDv software failure | Yes | Yes | Yes
External interface failure | No | Yes | Yes
Internal interface failure | No | No | No