Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2323
Views
0
Helpful
2
Replies

FP 4100 & Nexus 7000 vPC Design

Sonugnair_2
Level 1
Level 1

‎05-14-2017 07:19 AM - edited ‎03-12-2019 02:21 AM

Hello There.

We have an upcoming project with the below items:-

1) FirePOWER 4100 with NGFW & threat subscriptions (Two Qty.) - DC firewalls

2) FirePOWER 5525X with TAMC subscriptions (Two Qty.) - Internet firewalls

3) FirePOWER management center virtual

DC firewalls will be connected to the Nexus core platforms in a vPC environment.

My doubt is about as to how the connectivity will be in case our plan is for active/standby FTDs (not clustering)

1) From each FirePOWER appliance there will be dual links, one each to Nexus 1 & Nexus 2 respectively (should this be part of a singe PO/vPC or dual PO/vPC)

2) Management port of each FirePOWER appliance will be connected to corresponding Nexus, i.e FirePOWER 1 management will be connected to Nexus 1 & FirePOWER 2 management will be connected to Nexus 

3) Do we need a separate physical link for active/standby fail over/state traffic? If yes, can we make use of the existing SFP+ slot & use GLCT since we are short on 10 Gig SFP?

2) For the FTD management, do we need a separate physical port? If yes, can we make use of the existing SFP+ slot & use GLCT since we are short on 10 Gig SFP?

Please help us here as this is our first time with 411.

Regards

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-14-2017 08:54 AM

Each FirePOWER appliance should connect to a unique vPC on the Nexus pair. See the configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/interfaces_for_firepower_threat_defense.html#ID-2077-00000026

You cannot use the built-in chassis management SFP port for either FirePOWER logical deivce failover/state or management. That port is for chassis management only (FirePOWER Chassis manager and FX-OS cli shell).

Thus you will need to allocate an interface for each of those purposes. If does burn SFP+ slots and require 10 Gbps transceivers but that's how you have to do it on these platforms.

I usually specify the relatively inexpensive twinax cables for this (and for the connecitons to the switches as well). The SFP-H10GB-CU1M= (or 2M) is only US$100 list price and covers both ends of the connection. Contrast that with a SFP-10G-SR-S= fiber transceiver where you need two each plus a fiber jumper per connection.

0 Helpful

DBDC_BCB_2011
Level 1
Level 1
In response to Marvin Rhoads

‎10-18-2017 08:38 AM

When you connect FTD 4110 in Active/Active mode, routed mode to VPC on Nexus 7K, you can configure SVI over the port-channel in the Nexus 7K???

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card