Kureli Sankar
Cisco Employee

Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA

Documentation

UCS E-Series Configuration Guide:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide.html

Cisco UCS E-Series Getting Started Guide:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/3-1-1/gs/guide/b_Getting_Started_Guide.html#task_B4052C8757D74555A073C0BD759B211D

UCS E-Series Troubleshooting Guide:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/ts/guide/e_series_ts.html

Firepower Virtual Appliance and Defense Center Data Sheet:
https://na8.salesforce.com/sfc/p/#80000000dRH9KXPLJqkSwWBoW3e_vtLbnXOyiNg=

Firepower 3D System Virtual Installation Guide:
http://www.cisco.com/c/en/us/support/security/ngips-virtual-appliance/tsd-products-support-series-home.html

Firepower Management Center User Guide:
https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html

Code download links

Firepower Management Center VM Download:
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=5.4.1.6&relind=AVAILABLE&rellifecycle=&reltype=latest

Firepower Sensor VM Download:
https://software.cisco.com/download/release.html?mdfid=286259690&softwareid=286271056&release=5.3.0.8&relind=AVAILABLE&rellifecycle=&reltype=latest

ESXi 5.0 or above is required. The VMware ESXi image customized for Cisco can be downloaded here:
https://my.vmware.com/web/vmware/details?downloadGroup=CISCO-ESXI-5.1.0-GA-25SEP2012&productId=284

UCS E-Series Images:
https://software.cisco.com/download/navigator.html?mdfid=284467266

Download the latest CIMC HUU and upgrade the BIOS, CIMC and other firmware components per this link: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/2-0/gs/guide/b_2_0_Getting_Started_Guide/b_2_0_Getting_Started_Guide_chapter_01010.html#task_B4052C8757D74555A073C0BD759B211D

Goal

To implement Firepower Threat Defense (NGFWv) in transparent mode with high availability, using two UCS-E blades in an ISR 4K.

Requirement

The NGFWv VM requires 8x4x40 (8 GB RAM, 4 vCPUs and 40 GB of disk space). ESXi itself takes up 11 GB, so a 50 GB drive is not sufficient.

Limitations

  • Restrictions for bridge domain interfaces (BDI):
    • Only 4096 bridge domain interfaces are supported per system.
    • Bridge domain interfaces do not support the following features:
      • Bidirectional Forwarding Detection (BFD) protocol
      • NetFlow
      • QoS
      • Network-Based Application Recognition (NBAR) or Advanced Video Coding (AVC)
      • Zone-Based Firewall (ZBF); refer to CSCui86271
      • Cryptographic VPNs in combination with a BDI
      • MPLS on bridge domain interfaces
      • PPP over Ethernet (PPPoE)
    • For a BDI, the maximum transmission unit (MTU) size can be configured between 1500 and 9216 bytes.

Supported ISR and UCS-E Model

Supported ISR G2 and UCS-E blades:

| ISR Platform | Cisco UCS EN140N | Cisco UCS EN120S and E140S | Cisco UCS E140D and E160D-M2 | Cisco UCS E160D-M1 and E180D |
|--------------|------------------|----------------------------|------------------------------|------------------------------|
| 1921         | No               | No                         | No                           | No                           |
| 1941         | No               | No                         | No                           | No                           |
| 2901         | No               | No                         | No                           | No                           |
| 2911         | No               | 1                          | No                           | No                           |
| 2921         | No               | 1                          | 1                            | No                           |
| 2951         | No               | 2                          | 1                            | No                           |
| 3925         | No               | 2                          | 1                            | 1                            |
| 3945         | No               | 4                          | 1                            | 1                            |
| 3925E        | No               | 2                          | 1                            | 1                            |
| 3945E        | No               | 4                          | 1                            | 1                            |

Supported ISR 4K and UCS-E blades:

| ISR Platform | Cisco UCS EN120E | Cisco UCS EN140N | Cisco UCS EN120S and E140S | Cisco UCS E140D and E160D-M2 | Cisco UCS E160D-M1 and E180D |
|--------------|------------------|------------------|----------------------------|------------------------------|------------------------------|
| 4321         | No               | 2                | No                         | No                           | No                           |
| 4331         | No               | 2*               | 1                          | No                           | No                           |
| 4351         | No               | 3*               | 2                          | 1                            | 1                            |
| 4431         | No               | 3                | No                         | No                           | No                           |
| 4451         | No               | 3*               | 2                          | 1                            | 1                            |

Topology

[Figure: Transparent Mode HA Topology]

Step by Step Configuration

Configure one of the following connectivity options to access the Cisco IMC from the network:

1. Dedicated management access
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port dedicated
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1

2. Shared management access with external ports
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port shared-lom GE2
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1

3. Shared management access with internal ports
ISR4k(config)# ucse subslot 1/0
ISR4k(config-ucse)# imc access-port shared-lom console
ISR4k(config-ucse)# imc ip address 10.20.20.100 255.255.255.0 default-gateway 10.20.20.1

[Figure: TFW-Management]

Router Configuration for management

! The VRF "mgmt" must already be defined (vrf definition mgmt / address-family ipv4)
bridge-domain 10
bridge-domain 40
!
interface GigabitEthernet0/0/2
 no ip address
 media-type rj45
 negotiation auto
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
 !
 service instance 40 ethernet
  encapsulation dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
!
interface BDI10
 vrf forwarding mgmt
 ip address 10.20.20.1 255.255.255.0
!
! Apply the same configuration on both ucse 1/0/0 and ucse 2/0/0
interface ucse1/0/0
 no ip address
 no negotiation auto
 service instance 40 ethernet
  encapsulation dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40
 !
!
interface BDI40
 vrf forwarding mgmt
 ip address 10.20.40.1 255.255.255.0
!

Upgrade CIMC to the latest firmware

Get the latest IOS XE and CIMC images.

Download the latest CIMC HUU and upgrade the BIOS, CIMC and other firmware components per the UCS E-Series Getting Started Guide link in the Documentation section above.

Install ESXi 5.5 or ESXi 6.0 on the UCS-E via CIMC

From the admin PC, connect to the CIMC.

[Figure: VMWare-Install]

Map the ESXi image.

[Figure: Install-VMWare-1]

Change the boot order to boot into the mapped image.

[Figure: Install-VMWare-2]

Continue installing ESXi.

[Figure: Install-VMWare-3]

Configure the ESXi management settings to access it from the network.

[Figure: Install-VMWare-4]

Configure the vSwitch and port groups with the appropriate vNIC.

[Figure: NGFW-Port-Group-Mapping]

Make sure the vSwitch or port-group security policy accepts the following: Promiscuous Mode, MAC Address Changes and Forged Transmits. A transparent-mode FTDv receives and forwards frames carrying MAC addresses other than its own vNIC's, which ESXi drops by default; enable these settings only on the port groups that carry the FTDv data interfaces, since promiscuous mode also lets every other VM on that port group see its traffic.

[Figure: promiscuous]

FMC

Use sudo /usr/local/sf/bin/configure-network to configure the management settings.
Configure the management IP, subnet and default gateway.
Open an HTTPS GUI connection to the FMC to add the NGFWv.

FTD

The user is prompted for the EULA and the post-boot configuration, then registers the device to the manager:
configure manager add <manager ip> <user chosen registration key>
The registration key is a string you choose; enter the same key when adding the device in FMC.

Install the NGFWv (FTDv) on ESXi running on two different UCS-E modules

Repeat the steps above on the second UCS-E blade if configuring HA.

Router Configuration for FTD in HA in Transparent Mode

EVC configuration on the ISR 4451 for ucse 1/0/1 and ucse 2/0/1, plus the static routing and NAT configuration

! Apply the same configuration on both ucse1/0/1 and ucse2/0/1
interface ucse1/0/1
 no ip address
 no negotiation auto
 switchport mode trunk
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 20
 !
 service instance 30 ethernet
  encapsulation dot1q 30
  rewrite ingress tag pop 1 symmetric
  bridge-domain 30
 !
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41
 !
!
! Default route and PAT out of GigabitEthernet0/0/3 (NAT-ACL must define the inside sources)
ip route 0.0.0.0 0.0.0.0 128.107.213.129
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/3 overload
!
! BDI interfaces for VLAN 20 and VLAN 30
interface BDI20
 mac-address 0002.0002.0002
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
!
interface BDI30
 mac-address 0003.0003.0003
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
!
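As an added example (not part of the original post or any Cisco tooling), the following Python script checks an IOS-XE EVC/BDI fragment in the shape of the management and HA snippets above for the mistakes that silently break a transparent-mode bridge: a service instance whose dot1q tag and bridge-domain disagree, a missing `rewrite ingress tag pop 1 symmetric`, and a BDI whose bridge domain is not attached on both UCS-E ports, so the HA peer never sees that segment. The config text is constructed; the bridge-domain under ucse2/0/1 is deliberately wrong.

```python
import re
from collections import defaultdict

# Constructed config in the shape of the page's EVC snippet: ucse2/0/1 si 30
# lacks the rewrite and points at bridge-domain 31 instead of 30.
CONFIG = """interface ucse1/0/1
 service instance 30 ethernet
  encapsulation dot1q 30
  rewrite ingress tag pop 1 symmetric
  bridge-domain 30
interface ucse2/0/1
 service instance 30 ethernet
  encapsulation dot1q 30
  bridge-domain 31
interface BDI30
"""

def parse(config):
    # Map (interface, service-instance) -> {tag, bd, rewrite}; collect BDI numbers.
    efps, bdis, iface, si = {}, set(), None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface BDI(\d+)$", s):
            bdis.add(int(m.group(1))); si = None
        elif m := re.match(r"interface (\S+)", s):
            iface, si = m.group(1), None
        elif m := re.match(r"service instance (\d+) ethernet", s):
            si = (iface, int(m.group(1))); efps[si] = {"rewrite": False}
        elif si and (m := re.match(r"encapsulation dot1q (\d+)", s)):
            efps[si]["tag"] = int(m.group(1))
        elif si and (m := re.match(r"bridge-domain (\d+)", s)):
            efps[si]["bd"] = int(m.group(1))
        elif si and s == "rewrite ingress tag pop 1 symmetric":
            efps[si]["rewrite"] = True
    return efps, bdis

def check(config, ucse_ports=("ucse1/0/1", "ucse2/0/1")):
    # Returns findings; an empty list means the bridge domains are consistent.
    efps, bdis = parse(config)
    members, findings = defaultdict(set), []   # bridge-domain -> UCS-E ports attached
    for (iface, n), e in sorted(efps.items()):
        if e.get("tag") != e.get("bd"):        # this design keeps VLAN tag == bridge-domain
            findings.append(f"{iface} si {n}: dot1q {e.get('tag')} vs bridge-domain {e.get('bd')}")
        if not e["rewrite"]:                   # without the pop, tagged frames enter the bridge
            findings.append(f"{iface} si {n}: missing rewrite ingress tag pop 1 symmetric")
        if iface in ucse_ports and "bd" in e:
            members[e["bd"]].add(iface)
    for bd in sorted(bdis):                    # every BDI needs an EFP on both FTDv hosts
        missing = sorted(set(ucse_ports) - members[bd])
        if missing:
            findings.append(f"BDI{bd}: no EFP on {', '.join(missing)}")
    return findings
```

Run it against `show running-config | section interface` output from the router to catch a VLAN or bridge-domain typo before the HA pair is brought up.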

UCS-E external ports (GE2) for VLAN 21 and VLAN 31

No configuration is required on the router for the external interfaces, which connect directly to the switch.

The switch port connected to the UCS-E external ports should be configured as a trunk carrying the VLANs used (in this use case VLAN 21 and VLAN 31).

VMware ESXi Host Network Configuration

[Figure: ESXi Host Network Configuration]

NGFWv Interface to Port-Group Mapping

[Figure: NGFW-Port-Group-Mapping]

Note:

With the E1000 adapter, FTDv uses only one network adapter for management; with VMXNET3, it consumes two adapters for management.
With E1000, the FTDv interface to network adapter mapping is in order, but with VMXNET3 it is random. When you change from E1000 to VMXNET3, verify the mapping and correct it.

Configure the NGFWv High Availability between them through Firepower Management Center (FMC)

[Figure: FMC-HA-Config]

NGFWv Interface Configuration and Status

[Figure: FMC-HA-1-Config]

NGFWv HA Failover Function (External Link Failure Testing)

[Figure: FMC-HA-Testing-External-Int]

NGFWv HA Failover Function (Internal Link Failure Testing)

NGFWv HA failover is not triggered by an internal interface failure.

[Figure: FMC-HA-Testing-Internal-Int]

NGFWv HA Failover Function

When does NGFWv failover trigger?

[Figure: FMC-HA-Testing-Result]

| Failure                    | Physical status failure | IP connectivity failure | Triggers failover |
|----------------------------|-------------------------|-------------------------|-------------------|
| UCS-E module failure       | Yes                     | Yes                     | Yes               |
| FTDv software failure      | Yes                     | Yes                     | Yes               |
| External interface failure | No                      | Yes                     | Yes               |
| Internal interface failure | No                      | No                      | No                |
