Firepower 4110 with FTD HA/Cluster deployment between two DCs

DeX
Level 1

Hi,

Is there any limitation in deploying HA or clustering between two FPRs that are located in two datacenters 10 km (optical cable distance) apart? Is there something that is not considered good practice in such a deployment?

The services running behind the FPRs are on a VMware stretched cluster, so all network and hardware resources are available and are the same on both sites (storage virtualization with mirroring is in place as well, so the storage is shared via iSCSI between the sites and can sustain total storage failure at one of the DCs). The connection between the sites (DCI) is 2x10Gb dark fibers (DF) at the core level, encrypted, with FabricPath (run by two 7702s, one at each site). Behind the 7702s are two N5Ks at each site. Upstream from the FPRs are two ASR 1001X (one at each site), and a stack of 3x3850s at each site. There is also another DCI connection (2x10Gb DF) between the stacks of 3850s. Both sites have the same external connections (WAN/Internet). All four DFs used are on alternative routes, with the longest being ~10 km.

My goal is to have redundancy in case one of the sites fails (power, or some other type of disaster). I am considering implementing anycast at some point, but don't have time at the moment. My main concern at this point is the FPRs and whether I can deploy them in a clustered or HA configuration, so we can maintain one configuration on both, and in case one fails the other will take over. I know that I will have to accept the drawback of running external traffic via the DCI (Service A is living on site B, but the FPR at site A is the active one), but that is something that is not a concern at the moment (here DFs are cheap enough, so if the core DCI becomes a bottleneck at some point, we can get another 2 or 4 DFs).

Thanks in advance.

2 Replies

Oliver Kaiser
Level 7

You must have < 20ms RTT between your DCs. If that is the case you may go ahead and stretch your cluster across sites. It is a supported setup, but I would not recommend it to anybody. Stretching a cluster across sites is a bad idea. In case your DCI fails you will have a lot of fun with split brain. If that is of no concern, go ahead. :)

EDIT: For more information you can check out the FTD Clustering Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html
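The reply above gives one hard number to verify before committing to a stretched cluster: the round-trip time between the two DCs must stay under 20 ms. The following is an added example (not part of this thread and not Cisco's tooling) that parses the output of a long-running `ping` across the DCI and reports whether the worst-case RTT and packet loss are acceptable. The ping output embedded below is constructed for illustration; the 20 ms ceiling comes from the reply, and the zero-loss requirement is an assumption chosen here because any loss on the cluster control link is a precursor to the split-brain scenario the reply warns about.

```python
import re
import statistics

# Constructed sample `ping` output between the two sites (illustrative, not real data).
# Note icmp_seq=4 is missing: one lost probe, which the check below must catch.
SAMPLE_PING = """\
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=62 time=0.412 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=62 time=0.398 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=62 time=0.455 ms
64 bytes from 10.0.2.1: icmp_seq=5 ttl=62 time=0.401 ms
64 bytes from 10.0.2.1: icmp_seq=6 ttl=62 time=1.932 ms

--- 10.0.2.1 ping statistics ---
6 packets transmitted, 5 received, 16.6667% packet loss, time 5007ms
"""

MAX_RTT_MS = 20.0      # ceiling for inter-site clustering, as stated in the reply
MAX_LOSS_PCT = 0.0     # assumption: the DCI carrying the cluster control link should be lossless

RTT_RE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


def parse_ping(text):
    """Return ([(seq, rtt_ms), ...], transmitted, received) from Linux ping output."""
    samples = [(int(m.group(1)), float(m.group(2))) for m in RTT_RE.finditer(text)]
    summary = SUMMARY_RE.search(text)
    if summary:
        tx, rx = int(summary.group(1)), int(summary.group(2))
    else:
        # No summary line (ping interrupted): fall back to what we saw.
        tx = rx = len(samples)
    return samples, tx, rx


def assess_link(text, max_rtt_ms=MAX_RTT_MS, max_loss_pct=MAX_LOSS_PCT):
    """Judge a DCI against the RTT and loss limits; worst case (max RTT) is what matters."""
    samples, tx, rx = parse_ping(text)
    rtts = [rtt for _, rtt in samples]
    if not rtts:
        return {"samples": 0, "ok": False, "rtt_ok": False, "loss_ok": False,
                "loss_pct": 100.0}
    loss_pct = 100.0 * (tx - rx) / tx if tx else 100.0
    result = {
        "samples": len(rtts),
        "min_ms": min(rtts),
        "avg_ms": statistics.fmean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": statistics.pstdev(rtts),   # spread of RTT; high jitter precedes timeouts
        "loss_pct": loss_pct,
        "rtt_ok": max(rtts) < max_rtt_ms,
        "loss_ok": loss_pct <= max_loss_pct,
    }
    result["ok"] = result["rtt_ok"] and result["loss_ok"]
    return result


if __name__ == "__main__":
    # Usage: ping -c 3600 <peer-site-address> > dci.log ; python this_script.py
    r = assess_link(SAMPLE_PING)
    verdict = "OK for stretched cluster" if r["ok"] else "NOT OK for stretched cluster"
    print(f"{r['samples']} samples, max RTT {r['max_ms']:.3f} ms, "
          f"jitter {r['jitter_ms']:.3f} ms, loss {r['loss_pct']:.2f}% -> {verdict}")
```

On a 10 km fibre path the propagation delay alone is well under 1 ms, so the RTT limit is easily met; the check that actually matters over a long capture is the loss and jitter, which is why the constructed sample passes the RTT test and still fails overall.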

blong
Level 1

DeX, we are looking to deploy the same type of design. Did you ever get this deployment working? And did you run into any issues?
