Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
816
Views
0
Helpful
6
Replies

Cisco Switch Stack

Go to solution
mark.stewart1
Level 1
Level 1

ā€Ž08-03-2022 06:16 AM

Hi,

We have an issue where we have two fpr2100's in HA mode connected to a stack of switches which are then on a fibre ring.

Currently the HA cables are connected to the primary switch in each of the stacks, which work until one of the primary switches fails.

in this situation the firewalls both become master and all hell breaks lose on the network.

what I am hoping for is that if a member of the switch stack dies, then the whole switch stack stop processing data. Now i understand the idea of the switch stack is to keep going, but does anybody know of a setting or something that can be done?

 

many thanks,

 

Mark.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mark.stewart1

ā€Ž08-03-2022 07:05 AM

In order for the firewall clustering to work correctly, you need a direct link between the 2 firewalls. I also, think if you connect all the HA links to only one stack, it would be a simpler design, but that would mean you need fiber between the stacks.

HTH

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

ā€Ž08-03-2022 06:41 AM

Hi,

Can you post a simple diagram showing how the stacks are connected to the FWs for both data traffic and HA?

Are the firewalls in active/passive mode?

HTH

0 Helpful

Go to solution
mark.stewart1
Level 1
Level 1

ā€Ž08-03-2022 06:50 AM

here layout of network.

my other options are create a dedicated link between the firewalls, but they are not local to each other.

or remove second trunk link to secondary switch, so firewall can still go master master, but no comms to network.

Preview file
65 KB
0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mark.stewart1

ā€Ž08-03-2022 07:05 AM

In order for the firewall clustering to work correctly, you need a direct link between the 2 firewalls. I also, think if you connect all the HA links to only one stack, it would be a simpler design, but that would mean you need fiber between the stacks.

HTH

0 Helpful

Go to solution
mark.stewart1
Level 1
Level 1

ā€Ž08-03-2022 07:07 AM

Thankyou for your reply, but we are  having to look at all failure modes, and if that fibre failed between the firewalls for the HA, we would be in the same situation so we are trying to work something out 'outside of the box' as they say.

As when the fault happens the whole network basically is knackered...

0 Helpful

Go to solution
IP_Cartel
Level 1
Level 1

ā€Ž08-03-2022 07:14 AM

Go through this document.  It will help you get the two 2100s connected in HA.  You are missing some connection.  One is the heartbeat.  You can use a simple switch or cross the connection between the 2100s.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html 

0 Helpful

Go to solution
mark.stewart1
Level 1
Level 1

ā€Ž08-05-2022 01:36 AM

Thankyou for the replies everyone, still no further as this is just what is listed on Cisco site.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card