Buy or Renew
Buy or Renew
Register Here! - Join us 11/13 for the "Navigating DHCP Processes in SD-Access Network" Community Live event
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1051
Views
0
Helpful
3
Replies

FTD as fusion device

e-chuah
Level 1
Level 1

‎08-15-2022 08:37 AM

Hi,

I have some questions related to FTD as fusion device.

(1) Ciscolive 2022 Las Vagas BRKSEC-2845 (see attached) shows two possible topology.
- Direct FTD attachement
DNAC can only provision L3 handoff using /30, not /29 or /28. Hence, if i do this, does it mean that it has to be done manually instead of using DNAC to provision the IP transit?

(2) Anything i need to take note if i configure L3 handoff manually vs using DNAC?
I believe the recommendation is to let DNAC to the IP transit provisioning.

(3) another method is to use Direct FTD attachement with ECMP.
With this, i should be able to use L3 handoff using /30 and use DNAC to do provision the L3 handoff.

Any comments/suggestions greatly appreciated.

THanks
Eng Wee

 

Labels:
Preview file
299 KB
0 Helpful
3 Replies 3

jedolphi
Cisco Employee
Cisco Employee

‎08-16-2022 10:22 PM

Hi Eng,

  1. At this stage you’ll need to configure the handoff manually if you need anything other than /30. We are working on DNAC automation to deliver custom handoff subnets (e.g. /29, /28, etc.) and your Account Manager or sales rep should be able to share details of how it will work and ETA on availability.
  2. You can configure by template or on the CLI. Some details covered in following presentation, see slide 27: https://www.ciscolive.com/on-demand/on-demand-library.html?search=dolphin#/session/163606009813000177hb
  3. BRKSEC-2845 shows these links are /29s. As far as I know /30 is not possible where FTD is in a HA pair. This is an SD-Access forum but let me check with Christopher to see if he can comment as an FTD SME.

Best regards, Jerome

0 Helpful

e-chuah
Level 1
Level 1

‎08-17-2022 08:46 AM

Hi Jerome,

Thanks for the reply.

We tested using DNAC to provision /30 using the attached topology. FTD failover is working fine as long as it is physical interface failure. No monitoring of individual sub-interfaces though as we cannot define standby ip in the standby FTD due to DNAC /30 restriction.

Rgds

Eng Wee

 

Preview file
58 KB
0 Helpful

Krzysztof Grabowski
Cisco Employee
Cisco Employee
In response to e-chuah

‎08-29-2022 02:19 AM

Hi Eng,

The Direct FTD Attachment option is not anticipated to work with /30 as it requires both borders to have an IP address in the extended subnet. Note that interface VLAN3001 in the example in BRKSEC-2845 is configured on both borders. 

The setup you depicted on diagram.JPG seems closer to the ECMP design as, logically, you have two /30 L3 connections towards each border (the equivalent of V3001 and V3002 in BRKSEC-2845 on the ECMP design slide). 

In the case of ECMP attachment, you could theoretically use /30, but it is not recommended. As you observed during your tests, without the standby IP address, the active unit cannot perform network tests towards standby, hence detecting only line state issues. Please have a look at the Failover Health Monitoring section in the configuration guide for more details: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html#ID-2107-00000174

From the DNAC perspective, as per Jerome, you need to configure the handoff manually. 

Cheers,

Chris

 

0 Helpful
Customers Also Viewed These Support Documents