Eterchannel on CAT 4500 in VSS for cisco FTD Firewall

O.Zang · ‎03-06-2019

Hello Expert,

I am trying to interconnect two CAT 4500 in VSS to cisco Firewall FTD.

I have Configure Eterchannel on FTD Firewall. Below is the architecture that I am trying to do.

My ip adresses are on the Etherchanel ports.

I am thinking that port-channel 3 and port-channel 2 on the vss can't us the same IP adress.

so how can this work ?

Please Help me.

Regards,

Zanga

balaji.bandi · ‎03-06-2019

Lets Look at Failure Scenarios here.

FTD is Active / Standby, Means if the Active Fails, Standby kick on and process all request by Becoming Active.

In this Case all the IP address will move from Active to Standby (depends on how you configure)

in this above scenario if you looking, then you need to introduce SVI with HSRP on both the SWITCHES.

Look at some reference document :

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ngkin2010 · ‎03-07-2019

Hi,

1. Configure the port channel on VSS switch as trunk to allow only the dedicated transitional VLAN (E.g. vlan99).
2. Configure SVI of VLAN99, assign IP address to it.
3. Configure subinterface with dot1q encapsulation (vlan 99) on firewall, assign IP address to it.

It should now able to communicate between the primary unit and to the VSS.

I think HSRP is not needed if VSS is formed on both C4500 unit..

paul driver · ‎03-07-2019

Hello

The FW PC's will be in the same subnet anyway so unless I am missing something here whats wrong with having one PC on the VSS (same subnet as the FW active/standby pc interfaces) with all 4 ports assigned to it?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul