0%

FTD Multi-Instance Mode

Posted on by Anas
Category: Firepower

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/ha-scale-multi-instance.html#khoklhkl-chassis-management-interface

Secure Firewall 3100/4200 can be deployed in multi-instance mode

Data interface and Data-sharing interface are two types of interfaces that can be assigned to instances

Data interface and Data-sharing interface difference is whether multiple instances can use the same interface and talk to each other internally.

Data interface (exclusive to one instance)

  • A normal traffic interface used by only one instance.
  • Cannot be shared with other instances.
  • If Instance A wants to reach Instance B, traffic must leave the chassis and come back in via another interface
  • You want strong separation between tenants. Each instance has its own dedicated physical/VLAN interface
  • Like giving each firewall its own private cable.

Data-sharing interface (shared across instances)

  • A traffic interface that multiple instances can use simultaneously.
  • Instances can communicate internally over the chassis backplane if they share it.
  • Saves interfaces but slightly reduces isolation.
  • Not allowed for failover links, inline sets, or some transparent-mode configs
  • Like multiple firewalls plugged into the same internal switch port.
  • If not multi-tenant environment then it is used to share Internet link between multiple instances

Continue from “Chassis Interfaces vs. Instance Interfaces”



Leave a Reply

Your email address will not be published. Required fields are marked *

*
*