Cisco 4100 Clustering. Part 2: FTD Setup

Now that the network side is configured we can move on to the FTD setup. For a deeper dive, see the Cisco Live presentation on clustering setup linked here.

Start with the CCL (cluster control link) configuration. By default, the CCL uses Port-Channel 48, so start by adding physical interfaces to it under Firepower Chassis Manager (FCM) > Interfaces.

Add the physical interfaces and hit OK.

Add the Data interfaces. Best practice is to use Port-Channel (PO) interfaces with redundant uplink switches. Create a PO interface under the Interfaces tab for Data traffic.

Assign a PO ID, set Type to Data and add the Available Interfaces.

Next, add a new logical device. Select Cluster and then Create New Cluster.

The interfaces will be added automatically to the new logical device. Click it to edit.

Assign the Chassis ID and Site ID. For intra-site clustering, Site ID 0 can be used. I used 1 in this example to replicate the error you will see later in the post. The rest of the configuration is self-explanatory.

Click Save to provision the device. When provisioning is done, copy the cluster configuration to be imported on the Slave device. I tried to build the slave device without importing the Master configuration file and the cluster did not form, so I'd suggest sticking with copy/paste. Save the output in a text file.

Now we are done with the Master unit and can move on to the Slave. On the second FCM, repeat the Interface and Logical Device configuration steps. Under the device configuration select Join Existing Cluster and Copy config.

Paste the cluster config in the pop-up dialog and hit OK. The logical device will be provisioned. Continue the configuration by clicking on the device.

On the Cluster Information tab, you will find most of the fields populated. You will need to change the Chassis ID to a unique number, and logically the Site ID should be the same number as on the Master for intra-site clustering. However, if you attempt to keep it the same you will get this error message.

The only way to fix it is to change it to a different number. That seems to work, but it is unknown to me whether this will create issues in production going forward.

So my final configuration had the Site ID set to 0 (zero) on both units, as suggested by TAC.

Under Settings, nothing needs to change other than the Hostname, because by default it will be the same as on the Master. A few times I neglected to change it and had weird issues with clustering, so change it to be on the safe side.

The same goes for the Interface Information tab. Make sure to change it to the proper IP address. Click OK to finish device provisioning.

If the logical device is not installing the new configuration, try a soft reboot of the chassis.

When the Slave device restarts it should join the cluster. You can check the status in the FCM GUI or from the CLI.

4110-1-A# conn mod 1 console
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI
>
> show cluster info
Cluster CLUSTER1: On
Interface mode: spanned
This is "unit-1-1" in state SLAVE
ID        : 0
Version   : 9.7(1)
<snip>
Other members in the cluster:
Unit "unit-2-1" in state MASTER
ID        : 1
Version   : 9.7(1)
<snip>
>

At this point, the Master and Slave units are properly provisioned and it is time to add this cluster to the Firepower Management Center.
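Eyeballing `show cluster info` on two chassis is fine for a lab, but in production you want a repeatable check that the cluster actually formed correctly before handing it to FMC. The script below is an added example, not code from this post or from Cisco: it parses the `show cluster info` output shown above (a constructed sample modelled on that output is embedded) and flags the conditions that commonly indicate a half-formed cluster: clustering not On, a missing member, no or multiple MASTER units, duplicate unit IDs, a version mismatch between members, or a unit stuck in a transitional state. The expected unit count is a parameter you supply; the parser only recognizes the fields visible in the output above.

```python
import re

# Constructed sample, modelled on the `show cluster info` output in the post.
SAMPLE_OUTPUT = """\
Cluster CLUSTER1: On
Interface mode: spanned
This is "unit-1-1" in state SLAVE
ID        : 0
Version   : 9.7(1)
<snip>
Other members in the cluster:
Unit "unit-2-1" in state MASTER
ID        : 1
Version   : 9.7(1)
<snip>
"""

# Accept straight or curly quotes, since copied console output often has either.
UNIT_RE = re.compile(r'^(?:This is|Unit) ["\u201c](?P<name>[^"\u201d]+)["\u201d] in state (?P<state>\w+)')
ID_RE = re.compile(r'^ID\s*:\s*(?P<id>\d+)')
VER_RE = re.compile(r'^Version\s*:\s*(?P<ver>\S+)')
HEADER_RE = re.compile(r'^Cluster (?P<name>\S+): (?P<status>On|Off)')
MODE_RE = re.compile(r'^Interface mode: (?P<mode>\S+)')


def parse_cluster_info(text):
    """Parse `show cluster info` output into a dict with cluster-level
    fields and a list of per-unit dicts (name, state, id, version)."""
    info = {"cluster": None, "enabled": False, "mode": None, "units": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info["cluster"] = m.group("name")
            info["enabled"] = m.group("status") == "On"
            continue
        m = MODE_RE.match(line)
        if m:
            info["mode"] = m.group("mode")
            continue
        m = UNIT_RE.match(line)
        if m:
            # A new unit block starts; following ID/Version lines belong to it.
            current = {"name": m.group("name"), "state": m.group("state"),
                       "id": None, "version": None}
            info["units"].append(current)
            continue
        if current is None:
            continue
        m = ID_RE.match(line)
        if m:
            current["id"] = int(m.group("id"))
            continue
        m = VER_RE.match(line)
        if m:
            current["version"] = m.group("ver")
    return info


def check_cluster(info, expected_units=2):
    """Return a list of human-readable problems; an empty list means the
    cluster looks healthy for the given expected member count."""
    problems = []
    if not info["enabled"]:
        problems.append("clustering is not On")
    units = info["units"]
    if len(units) != expected_units:
        problems.append(f"expected {expected_units} units, found {len(units)}")
    masters = [u["name"] for u in units if u["state"] == "MASTER"]
    if len(masters) != 1:
        problems.append(f"expected exactly one MASTER, found {masters}")
    versions = {u["version"] for u in units}
    if len(versions) > 1:
        problems.append(f"version mismatch across units: {sorted(versions)}")
    ids = [u["id"] for u in units]
    if len(set(ids)) != len(ids):
        problems.append(f"duplicate unit IDs: {ids}")
    for u in units:
        # Anything other than MASTER/SLAVE (e.g. ELECTION, DISABLED) means
        # the unit has not settled into the cluster yet.
        if u["state"] not in ("MASTER", "SLAVE"):
            problems.append(f"{u['name']} is in transitional state {u['state']}")
    return problems


if __name__ == "__main__":
    parsed = parse_cluster_info(SAMPLE_OUTPUT)
    print(f"Cluster {parsed['cluster']}, mode {parsed['mode']}, "
          f"{len(parsed['units'])} units")
    for problem in check_cluster(parsed) or ["no problems found"]:
        print(" -", problem)
```

To use it against a live chassis, paste the output of `show cluster info` from the FTD console into a file and feed its contents to `parse_cluster_info`; run the check on both chassis, since each unit reports its own view of membership and a discrepancy between the two views is itself a sign that the CCL is not passing traffic.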
