FireSIGHT System User Guide, Chapter 6: Managing Devices, Clustering Devices (page 6-25)
Caution
Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an 
unsupported hard drive may damage the device. Malware storage pack kits are available for purchase 
only from Cisco, and are for use only with 8000 Series devices running Version 5.3 or later of the 
FireSIGHT System. Contact Support if you require assistance with the malware storage pack. See the 
FireSIGHT System Malware Storage Pack Guide for more information.
Clustering Failover and Maintenance Mode
With a device cluster, the system fails over either manually or automatically. You manually trigger 
failover by placing one of the clustered devices or stacks in maintenance mode. For more information 
about maintenance mode, see .
Automatic failover occurs when the health of the active device or stack becomes compromised or during 
a system update. If the health of the backup device or stack becomes similarly compromised, the system 
does not fail over and enters a degraded state. The system also does not fail over when one of the devices 
or device stacks is in maintenance mode. Note that disconnecting the stacking cable from an active stack 
sends that stack into maintenance mode. Shutting down the secondary device in an active stack also 
sends that stack into maintenance mode.
Applying Policies and Updates
When you apply policies, you apply them to the device cluster instead of the individual devices or stacks. 
If the policy fails, the system does not apply it to either device or stack. The policy first applies to the 
active device or stack and then the backup, so that the cluster always has one peer handling network 
traffic.
Clustered devices receive updates as a single entity rather than individual devices or stacks. When the 
update is started, the system first applies it to the backup device or stack, which goes into maintenance 
mode until any necessary processes restart and the device begins processing traffic again. The system 
then applies the update to the active device or stack, which follows the same process.
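The failover, policy and update rules stated in the two sections above, as an added illustration written for this page (it is not Cisco code, and the `Peer`, `Cluster` and `Health` names are my own): a small Python model that decides, for a given pair of peers, whether the cluster fails over, goes degraded, or stays put, and that walks through the policy and update ordering. Where the guide is silent the model takes one reading and says so in a comment: a stack that loses its stacking cable or its secondary device is treated exactly like a peer placed in maintenance mode, and updating the active peer leaves the roles swapped.

```python
"""Model of FireSIGHT device-cluster failover and update ordering.

Added illustration, not Cisco code; class and method names are my own.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Health(Enum):
    OK = "ok"
    COMPROMISED = "compromised"


@dataclass
class Peer:
    """One cluster member: a single device or a device stack."""
    name: str
    health: Health = Health.OK
    maintenance: bool = False               # operator placed it in maintenance mode
    is_stack: bool = False
    stacking_cable_connected: bool = True   # stacks only
    secondary_powered: bool = True          # stacks only

    def in_maintenance(self) -> bool:
        # Per the guide, unplugging the stacking cable or shutting down the
        # secondary device sends a stack into maintenance mode.
        stack_fault = self.is_stack and (
            not self.stacking_cable_connected or not self.secondary_powered)
        return self.maintenance or stack_fault


@dataclass
class Cluster:
    active: Peer
    backup: Peer
    degraded: bool = False
    log: List[str] = field(default_factory=list)

    def _swap(self, reason: str) -> None:
        self.active, self.backup = self.backup, self.active
        self.log.append(f"failover ({reason}): {self.active.name} is now active")

    def evaluate(self) -> str:
        """Apply the failover rules once and return 'stable', 'failover',
        'degraded' or 'no-failover'."""
        if self.backup.in_maintenance():
            return "no-failover"            # a peer in maintenance mode blocks failover
        needs_failover = (self.active.in_maintenance()
                          or self.active.health is Health.COMPROMISED)
        if not needs_failover:
            return "stable"
        if self.backup.health is Health.COMPROMISED:
            self.degraded = True            # backup similarly compromised: no failover
            return "degraded"
        reason = "maintenance mode" if self.active.in_maintenance() else "health"
        self._swap(reason)
        return "failover"

    def enter_maintenance(self, peer: Peer) -> str:
        """Operator action; on the active peer this is the manual failover."""
        peer.maintenance = True
        return self.evaluate()

    def apply_policy(self, policy_ok: bool) -> List[str]:
        """Policy goes to the active peer first, then the backup; a failing
        policy reaches neither. Returns the peers it was applied to."""
        if not policy_ok:
            return []
        return [self.active.name, self.backup.name]

    def apply_update(self) -> List[str]:
        """Update the backup first, then the active peer; each sits in
        maintenance mode until its processes restart. Taking the active peer
        down triggers the failover the guide mentions for updates, so the
        roles end up swapped (assumption: my reading of the guide)."""
        steps = []
        first, second = self.backup, self.active
        steps.append(f"{first.name}: maintenance mode, update, restart")
        steps.append(f"{first.name}: processing traffic again")
        self._swap("update")
        steps.append(f"{second.name}: maintenance mode, update, restart")
        steps.append(f"{second.name}: processing traffic again")
        return steps


if __name__ == "__main__":
    a, b = Peer("device-A"), Peer("device-B")          # constructed sample peers
    cluster = Cluster(a, b)
    a.health = Health.COMPROMISED
    print(cluster.evaluate(), cluster.active.name)     # failover device-B
    print(cluster.apply_update())
    print(*cluster.log, sep="\n")
```

Calling `evaluate()` after each state change is enough to exercise every rule in the section: the backup going compromised after the active has already failed over is what produces the degraded state, and a second `evaluate()` after a maintenance-mode failover returns `no-failover` because the peer now acting as backup is the one in maintenance mode.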
Achieving Redundancy Without Clustering Devices
In most cases, you can achieve Layer 3 redundancy without clustering devices by using the Cisco 
Redundancy Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP 
addresses. With network redundancy, you configure two devices or stacks to provide identical network 
connections, ensuring connectivity for other hosts on the network. For more information about SFRP, 
see 
You determine how to configure device high availability depending on your FireSIGHT System 
deployment: passive, inline, routed, or switched. You can also deploy your system in multiple roles at 
once. Of the four deployment types, only passive deployments require that you cluster devices or stacks 
to provide redundancy. You can establish network redundancy for the other deployment types with or 
without device clusters. The following sections provide a brief overview of high availability in each 
deployment type.
Passive Deployment Redundancy
Passive interfaces are generally connected to tap ports on central switches, which allows them to analyze 
all of the traffic flowing across the switch. If multiple devices are connected to the same tap feed, the 
system generates events from each of the devices. When clustered, devices act as either active or backup, 
which allows the system to analyze traffic even in the event of a system failure while also preventing 
duplicate events.