Cisco Secure Firewall 3100 Manual

Multi-Instance Mode for the Secure Firewall 3100

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). This chapter describes how to deploy the device in multi-instance mode.

• About Multi-Instance Mode, on page 1
• Licenses for Instances, on page 14
• Requirements and Prerequisites for Instances, on page 14
• Guidelines and Limitations for Instances, on page 16
• Configure Instances, on page 18
• Monitoring Multi-Instance Mode, on page 61
• History for Multi-Instance Mode, on page 64

About Multi-Instance Mode

In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices.

Multi-Instance Mode vs. Appliance Mode

You can run the device in either multi-instance mode or appliance mode.

Appliance Mode

Appliance mode is the default. The device runs the native threat defense image and acts as a single device. The only chassis-level configuration available (on the Chassis Manager page) is for network module management (breakout ports or enabling/disabling a network module).

Multi-Instance Mode

If you change to multi-instance mode, the device runs the Secure Firewall eXtensible Operating System (FXOS) on the chassis, while each instance runs a separate threat defense image. You can configure the mode using the FXOS CLI.

Because multiple instances run on the same chassis, you need to perform chassis-level management of:
• CPU and memory resources using resource profiles.
• Interface configuration and assignment.
• Deployment and monitoring of instances.

Summary of Contents for Cisco Secure Firewall 3100

  • Page 1: Multi-Instance Mode for the Secure Firewall 3100. You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). This chapter describes how to deploy the device in multi-instance mode. • About Multi-Instance Mode, on page 1 •...
  • Page 2 (Chassis Management Interface): • Interface configuration and assignment. • Deployment and monitoring of instances. For a multi-instance device, you add the chassis to the management center and configure chassis-level settings on the Chassis Manager page. Chassis Management Interface. Chassis Management: The chassis uses the dedicated Management interface on the device.
  • Page 3 (Chassis Interfaces vs. Instance Interfaces): traffic must exit the chassis on one interface and return on another interface to reach another instance. You can add VLAN subinterfaces to a data interface to provide separate failover links per High Availability pair.
  • Page 4 (Chassis Interfaces vs. Instance Interfaces): Figure 1: VLANs in the Chassis vs. the Instance. Independent Interface States in the Chassis and in the Instance: You can administratively enable and disable interfaces in both the chassis and in the instance. For an interface to be operational, the interface must be enabled in both locations.
  • Page 5 (Shared Interface Scalability): Instances can share data-sharing type interfaces. This capability lets you conserve physical interface usage as well as support flexible networking deployments. When you share an interface, the chassis uses unique MAC addresses to forward traffic to the correct instance.
  • Page 6 (Shared Interface Best Practices): Port-Channel3, and Port-Channel4. When you share subinterfaces from a single parent, the VLAN group table provides better scaling of the forwarding table than when sharing physical/EtherChannel interfaces or subinterfaces across parents. Figure 2: Best: Shared Subinterface Group on One Parent. If you do not share the same set of subinterfaces with a group of instances, your configuration can cause more resource usage (more VLAN groups).
  • Page 7 (How the Chassis Classifies Packets): Figure 4: Fair: Shared Subinterfaces on Separate Parents. 3. Worst: Share individual parent interfaces (physical or EtherChannel). This method uses the most forwarding table entries. Figure 5: Worst: Shared Parent Interfaces. How the Chassis Classifies Packets: Each packet that enters the chassis must be classified, so that the chassis can determine to which instance to send a packet.
  • Page 8 (Classification Examples): Packet Classification with a Shared Interface Using MAC Addresses: The following figure shows multiple instances sharing an outside interface. The classifier assigns the packet to Instance C because Instance C includes the MAC address to which the router sends the packet. Figure 6: Packet Classification with a Shared Interface Using MAC Addresses. Incoming Traffic from Inside Networks: Note that all new incoming traffic must be classified, even from inside networks.
  • Page 9 (Classification Examples): Figure 7: Incoming Traffic from Inside Networks. Transparent Firewall Instances: For transparent firewalls, you must use unique interfaces. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/2.3, which is assigned to Instance C.
  • Page 10 (Classification Examples): Figure 8: Transparent Firewall Instances. Inline Sets: For inline sets, you must use unique interfaces and they must be physical interfaces or EtherChannels. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/5, which is assigned to Instance C.
  • Page 11 (Cascading Instances): Figure 9: Inline Sets. Cascading Instances: Placing an instance directly in front of another instance is called cascading instances; the outside interface of one instance is the same interface as the inside interface of another instance. You might want to cascade instances if you want to simplify the configuration of some instances by configuring shared parameters in the top instance.
  • Page 12 (Typical Multi-Instance Deployment): Figure 10: Cascading Instances. Note: Do not use cascading instances (using a shared interface) with High Availability. After a failover occurs and the standby unit rejoins, MAC addresses can overlap temporarily and cause an outage. You should instead use unique interfaces for the gateway instance and inside instance, using an external switch to pass traffic between the instances.
  • Page 13 (Automatic MAC Addresses for Instance Interfaces): • Outside: All instances use the Port-Channel2 interface (data-sharing type). This EtherChannel includes two 10 Gigabit Ethernet interfaces. Within each application, the interface uses a unique IP address on the same outside network.
  • Page 14: 50% of the throughput. Moreover, the throughput available to an instance may be less than that available to an appliance. For detailed instructions on calculating the throughput for instances, see https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html. Instances and High Availability: You can use High Availability using an instance on 2 separate chassis; for example, if you have 2 chassis, each with 10 instances, you can create 10 High Availability pairs.
  • Page 15 (Requirements and Prerequisites for Instances): • Secure Firewall 3120 • Secure Firewall 3130 • Secure Firewall 3140. Note: The Secure Firewall 3105 is not supported. Maximum Container Instances and Resources per Model: For each container instance, you can specify the number of CPU cores (or more specifically, threads) to assign to the instance.
  • Page 16 (Guidelines and Limitations for Instances): General Guidelines • A single management center must manage all instances on a chassis, as well as manage the chassis itself. • For instances, the following features are not supported: •...
  • Page 17: • The chassis does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the chassis will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch.
  • Page 18 (Configure Instances): • You cannot use a data-sharing interface for the failover link. Default MAC Addresses • MAC addresses for all interfaces are taken from a MAC address pool. For subinterfaces, if you decide to manually configure MAC addresses, make sure you use unique MAC addresses for all subinterfaces on the same parent interface to ensure proper classification.
  • Page 19 (Onboard the Multi-Instance Chassis):
    Hello admin. You must change your password.
    Enter new password: ********
    Confirm new password: ********
    Your password was updated successfully.
    [...]
    firepower#
    Step 3: Check your current mode, Native or Container. If the mode is Native, you can continue with this procedure to convert to multi-instance (Container) mode.
  • Page 20 (Onboard the Multi-Instance Chassis):
    scope fabric-interconnect
    scope ipv6-config
    set out-of-band static ipv6 ipv6_address ipv6-prefix prefix_length ipv6-gw gateway_address
    Example:
    IPv4:
    firepower-3110# scope fabric-interconnect
    firepower-3110 /fabric-interconnect # set out-of-band static ip 10.5.23.8 netmask 255.255.255.0 gw 10.5.23.1
    IPv6:
    firepower-3110# scope fabric-interconnect
    firepower-3110 /fabric-interconnect # scope ipv6-config...
  • Page 21 (Configure Chassis Interfaces): Step 9: When prompted for the Registration Key at the FXOS CLI, click Copy on the Add Chassis dialog box for the generated registration key and paste it at the FXOS CLI. You can disconnect from the FXOS CLI at this point.
  • Page 22 (Configure a Physical Interface): Note: To configure breakout ports and perform other network module operations, see Manage the Network Module for the Secure Firewall 3100/4200. Note: For information about the Sync Device button, see Sync Interface Changes with the Management Center.
  • Page 23 (Configure a Physical Interface): Figure 16: Interfaces. Step 3: Click Edit for the interface you want to edit.
  • Page 24 (Configure a Physical Interface): Figure 17: Edit Physical Interface. Step 4: Enable the interface by checking the Enabled check box. Step 5: For the Port Type, choose Data or Data Sharing. Figure 18: Port Type. Step 6: Set the Admin Duplex.
  • Page 25 (Configure an EtherChannel): sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period. Note: The threat defense supports transmitting pause frames so that the remote peer can rate-control the traffic.
  • Page 26 (Configure an EtherChannel): Procedure. Step 1: From Devices > Device Management, click Manage in the Chassis column or click Edit. Figure 19: Manage Chassis. The Chassis Manager page opens for the chassis to the Summary page. Step 2: Click Interfaces.
  • Page 27 (Configure an EtherChannel): Figure 21: Add EtherChannel. Step 4: Set the following Interfaces parameters. Figure 22: Interfaces Settings. a) For the EtherChannel ID, specify an ID between 1 and 48. b) Check Enabled. c) For the Port Type, choose Data or Data Shared.
  • Page 28 (Configure an EtherChannel): Many of these settings (excluding the LACP settings) set the requirements for interfaces to be included in the EtherChannel; they do not override the settings of member interfaces. So if you check LLDP Transmit, for example, you should only add interfaces that have that setting.
  • Page 29 (Configure a Subinterface): The default is Fast. e) Choose the required Link Layer Discovery Protocol (LLDP) settings for member interfaces by checking LLDP Transmit and/or LLDP Receive. f) Check the required Flow Control Send setting for member interfaces. Step 6: Click Save and then Save in the top right of the Interfaces page.
  • Page 30 (Configure a Subinterface): Figure 25: Interfaces. Step 3: Click Add > Subinterface. Figure 26: Add Subinterface. Step 4: Set the following parameters.
  • Page 31 (Add an Instance): Figure 27: Subinterface Settings. Step 5: Click Save and then Save in the top right of the Interfaces page. You can now Deploy the policy to the chassis. The changes are not active until you deploy them. Add an Instance: You can add one or more instances to a chassis in multi-instance mode.
  • Page 32 (Add an Instance): Figure 29: Instances. Step 3: On Agreement, check I understand and accept the agreement, then click Next. Figure 30: Agreement.
  • Page 33 (Add an Instance): Step 4: On Instance Configuration, set the instance parameters, then click Next. Figure 31: Instance Configuration. • Display Name • Device Version: Versions listed are packages currently downloaded to the chassis. To upgrade to a new package, see Devices >...
  • Page 34: Expert Mode. We recommend disabling this option to increase isolation between instances. Use Expert Mode only if a documented procedure tells you it is required, or if the Cisco Technical Assistance Center asks you to use it. To enter this mode, use the expert command in the threat defense CLI.
  • Page 35 (Add an Instance): • You can assign cores as an even number (6, 8, 10, 12, 14, etc.) up to the maximum. • The maximum number of cores available depends on the model; see Requirements and Prerequisites for Instances, on page If you later assign a different resource profile, then the instance will reload, which can take approximately...
  • Page 36 (Add an Instance): Figure 34: Device Management. • Device Group • Access Control Policy: Choose an existing access control policy, or create a new policy. • Platform Settings: Choose an existing platform setting policy, or create a new policy. •...
  • Page 37 (Add an Instance): Figure 35: Summary. You can edit any settings on this screen before saving the instance. After you save, the instance is added to the Instances screen. Step 8: On the Instances screen, click Save. Step 9: Deploy the chassis configuration.
  • Page 38 (Customize the System Configuration): You can configure chassis-level settings such as SNMP. You can also import or export the chassis FXOS configuration. Configure SNMP: You can access chassis-level MIBs through the data interface of one of the instances, which you specify in the chassis system configuration.
  • Page 39 (Import or Export the Chassis Configuration): You can use the configuration export feature to export an XML file containing chassis configuration settings to your local computer. You can later import that configuration file to quickly apply the configuration settings to your chassis to return to a known good configuration or to recover from a system failure.
  • Page 40 (Import or Export the Chassis Configuration): Figure 39: Create Export File. b) Monitor the notifications for the "Export file created successfully" message. Figure 40: Export File Created Successfully. c) Download the export file by clicking the notification message (Download Export Package) or by clicking Download.
  • Page 41 (Configure Chassis Platform Settings): The file is saved with the .sfo extension. Step 5: To import a configuration, drag the .sfo file on the Import > Drop File here area. Figure 42: Import. Configure Chassis Platform Settings: Chassis platform settings configure a range of features for managing the chassis.
  • Page 42 (Configure DNS): The system creates the policy and opens it for editing. Step 4: To change the target chassis for a policy, click Edit next to the platform settings policy that you want to edit.
  • Page 43 (Configure SSH and SSH Access List): Figure 44: Add DNS Server Group. Step 5: Either select an existing DNS server group (see Creating DNS Server Group Objects), or click New Group. If you add a new group, you see the following dialog box. Provide a name and up to four DNS server IP addresses as comma-separated values, and click Add.
  • Page 44 (Configure SSH and SSH Access List): Procedure. Step 1: Choose Devices > Platform Settings and create or edit the chassis policy. Step 2: Choose SSH. Step 3: To enable SSH access to the chassis, enable the Enable SSH Server slider. Figure 46: SSH. Step 4: To set the allowed Algorithms, click Edit.
  • Page 45 (Configure SSH and SSH Access List): Figure 47: Add Algorithms. a) Select the Encryption algorithms. b) Select the Key Exchange algorithms. The key exchange provides a shared secret that cannot be determined by either party alone. The key exchange is combined with a signature and the host key to provide host authentication.
  • Page 46 (Configure SSH and SSH Access List): Figure 48: SSH. • Strict Host Keycheck: Choose enable, disable, or prompt to control SSH host key checking. • enable: The connection is rejected if the host key is not already in the FXOS known hosts file. You must manually add hosts at the FXOS CLI using the enter ssh-host command in the system/services scope.
  • Page 47 (Configure SSH and SSH Access List): Figure 49: SSH Access List. Step 10: Click Edit to add network objects and click Save. You can also manually enter IP addresses.
  • Page 48 (Configure Syslog): Figure 50: Network Objects. Step 11: Click Save to save all policy changes. Configure Syslog: You can enable syslogs from the chassis. These syslogs come from the chassis' FXOS operating system. Procedure. Step 1: Choose Devices >...
  • Page 49 (Configure Syslog): Figure 51: Syslog Local Destinations. Name / Description table. Console Section: Whether the chassis displays syslog messages on the console. Admin State field: Check the Enable check box if you want to have syslog messages displayed on the console as well as added to the log.
  • Page 50 (Configure Syslog): Name / Description table (continued). Admin State field: Whether the chassis displays syslog messages on the monitor. Check the Enable check box if you want to have syslog messages displayed on the monitor as well as added to the log. If the Enable check box is unchecked, syslog messages are added to the log but are not displayed on the monitor.
  • Page 51 (Configure Syslog): Figure 52: Syslog Remote Destinations. By sending syslog messages to a remote destination, you can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
  • Page 52 (Configure Syslog): Name / Description table. Level drop-down list: Select the lowest message level that you want the system to store. The system stores that level and above in the remote file. This can be one of the following: •...
  • Page 53 (Configure Time Synchronization): Figure 53: Syslog Local Sources. Name / Description table. Faults > Enable Admin State: Enable system fault logging. Audits > Enable Admin State: Enable audit logging. Events > Enable Admin State: Enable system event logging. Step 6: Click Save to save all policy changes.
  • Page 54 (Configure Time Synchronization): Procedure. Step 1: Choose Devices > Platform Settings and create or edit the chassis policy. Step 2: Choose Time Synchronization. Figure 54: Time Synchronization. Step 3: If you want to obtain the time from the management center, click Via NTP from Management Center. This option ensures both the chassis and the management center have the same time.
  • Page 55 (Configure Time Zones): Figure 56: Add New NTP Server. c) For a new server, enter the following fields, and click Add. • NTP Server Name: A name to identify this server. • IP/FQDN: The IP address or hostname of the server. •...
  • Page 56 (Manage Multi-Instance Mode): Figure 57: Time Zones. Step 3: Choose your Time Zone from the drop-down menu. Step 4: Click Save to save all policy changes. Manage Multi-Instance Mode: This section describes less common tasks, including changing settings at the FXOS CLI or changing interfaces assigned to the chassis.
  • Page 57 (Change Interfaces Assigned to an Instance): Before you begin • Configure your interfaces according to Configure Instances, on page • If you want to add an already-allocated interface to an EtherChannel, you need to unallocate the interface from the instance first, then add the interface to the EtherChannel.
  • Page 58 (Change Chassis Management Settings at the FXOS CLI): Figure 60: Interface Assignment. Shared interfaces show the sharing icon. Step 4: Make your interface changes, and then click Next. Step 5: Click Save on the Summary screen. Step 6: For high availability, you need to make the same interface changes for the other unit.
  • Page 59 (Change Chassis Management Settings at the FXOS CLI): The console port connects to the FXOS CLI. We recommend using the console port. You can also connect using SSH to the management interface, if configured in the chassis platform settings in the management center;...
  • Page 60 (Change Chassis Management Settings at the FXOS CLI): set the NAT ID even when you specify a hostname or IP address. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center.
  • Page 61 (Monitoring Multi-Instance Mode): This section helps you troubleshoot and diagnose your multi-instance mode chassis and instances. Monitoring Multi-Instance Setup: show system detail. This FXOS command shows the current mode, Native or Container. If the mode is Native (also known as appliance mode), you can convert to multi-instance (Container) mode.
  • Page 62 (Monitoring Instance Interfaces): show portmanager switch forward-rules hardware mac-filter. This command shows the internal switch-forwarding rule for two instances with a dedicated physical interface assigned to each instance. Ethernet 1/2 is assigned to ftd1 and Ethernet 1/1 is assigned to ftd2. ECMP group 1540 is assigned to ftd1 and ECMP group 1541 is assigned to ftd2.
  • Page 63 (Monitoring Instance Interfaces): Note: Physical-Port 18 is the backplane uplink interface between the internal switch and the instance.
    firepower-3140(local-mgmt)# show portmanager switch ecmp-groups detail
    ECMP-GROUP VPORT PHYSICAL-PORT
    1536 1537 1538 1539 1540 1541 1542 1543 1544...
  • Page 64 (History for Multi-Instance Mode):
    New/modified FXOS CLI commands: create device-manager, set deploymode
    Platform restrictions: Not supported on the Secure Firewall 3105.
    See: Use Multi-Instance Mode for the Secure Firewall; Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center