Introduction
You can increase the amount of traffic inspected on a network segment by stacking 8000 Series appliances and using their combined resources in a single, shared configuration. This document describes how to configure a stack on the Firepower 8000 Series appliances.
In a stack deployment, one of the devices connected to the network segments is designated as the primary device. All other devices are designated as secondary devices and are deployed to provide additional resources to the primary device.
Prerequisites
Requirements
You must make sure all of the devices on the stack...
- Have the stacking cables physically connected to their stacking modules
Tip: If you do not have stacking cables, use the PID FP-NMSB-CABLE= to order them. Similarly, if you need to order stacking modules, use the PID FP8000-STACK-MOD.
- Have the same hardware
- Have the same software versions
- Have the same Access Control Policy and NAT policy (if any)
- Have the same licenses
Note: In the case of higher-end device models such as the 8360, you may have only one license to apply after the stack is formed. The individual devices to be stacked may be unlicensed. After the devices are stacked, the license page appears under the stack section rather than the device section.
Supported Devices
The following chart summarizes the supported models of Firepower devices that you can use to build a stack. To learn the detailed specifications and throughput of each model, read the related data sheet.
| Product Family | Supported Model | Primary Device | Secondary Device | Total Rack Unit |
|---|---|---|---|---|
| 81xx Family | 8140 | A single 8140 does not constitute a stack | | 1U |
| | 8140* | One 8140 as Primary, and | One 8140 as Secondary | 2U |
| 82xx Family | 8250 | A single 8250 does not constitute a stack | | 2U |
| | 8260 | One 8250 as Primary, and | One 8250 as Secondary | 4U |
| | 8270 | One 8250 as Primary, and | Two 8250s as Secondary | 6U |
| | 8290 | One 8250 as Primary, and | Three 8250s as Secondary | 8U |
| 83xx Family | 8350 | A single 8350 does not constitute a stack | | 2U |
| | 8360 | One 8350 as Primary, and | One 8350 as Secondary | 4U |
| | 8370 | One 8350 as Primary, and | Two 8350s as Secondary | 6U |
| | 8390 | One 8350 as Primary, and | Three 8350s as Secondary | 8U |
* The chassis of an 8140 model device is identical to the chassis of the 8120 and 8130 models. However, the stacking capability is available only in the 8140 model. Unlike the 82xx and 83xx families, the model number remains the same for a stack of two 8140 devices.
Registration Checklists
- In order to stack the devices, all of them must be registered to the FireSIGHT Management Center. If this requirement is not fulfilled, the Management Center does not allow you to add devices to the stack and displays an error message stating that there are not enough devices to stack.
For example, if you want to stack three 8370 devices, you need to register the primary device as well as the other two secondary devices to the Management Center.
- All of the stack members need to be configured with separate management IP addresses.
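The requirements, supported-model limits and registration checklist above can be checked before the stack is attempted. The following is an added example, not Cisco code: the record fields, device names, policy name, license names and addresses are constructed sample data, not Management Center output.

```python
from collections import Counter

# Largest supported stack per base model, from the Supported Devices table.
MAX_STACK = {"8140": 2, "8250": 4, "8350": 4}
# Settings that must be identical on every stack member.
MUST_MATCH = {"model": "hardware model", "version": "software version",
              "acp": "Access Control Policy", "nat": "NAT policy",
              "licenses": "licenses"}

def check_stack(devices):
    """Return a list of prerequisite violations (empty means ready to stack)."""
    problems = []
    if len(devices) < 2:
        problems.append("need a primary and at least one secondary device")
    for key, label in MUST_MATCH.items():
        seen = {}
        for d in devices:
            value = d[key]
            if isinstance(value, (list, set)):
                value = tuple(sorted(value))  # license order is irrelevant
            seen.setdefault(value, []).append(d["name"])
        if len(seen) > 1:
            problems.append(f"{label} differs: {seen}")
    models = {d["model"] for d in devices}
    if len(models) == 1:
        model = next(iter(models))
        limit = MAX_STACK.get(model)
        if limit is None:
            problems.append(f"model {model} is not in the supported stacking table")
        elif len(devices) > limit:
            problems.append(f"{len(devices)} devices exceed the {limit}-device limit for {model}")
    for d in devices:
        if not d["registered"]:
            problems.append(f"{d['name']} is not registered to the Management Center")
    dup = [ip for ip, n in Counter(d["mgmt_ip"] for d in devices).items() if n > 1]
    if dup:
        problems.append(f"management IP addresses shared by members: {dup}")
    return problems

def device(name, mgmt_ip, **overrides):
    # Constructed record; field names are assumptions made for this example.
    base = {"name": name, "mgmt_ip": mgmt_ip, "model": "8140",
            "version": "5.4.0.3", "acp": "Perimeter-ACP", "nat": None,
            "licenses": ["Protection", "Control"], "registered": True}
    return {**base, **overrides}

GOOD = [device("fp-a", "192.0.2.11"), device("fp-b", "192.0.2.12")]
BAD = [device("fp-a", "192.0.2.11"),
       device("fp-b", "192.0.2.11", acp="Lab-ACP", registered=False)]
```

`check_stack(GOOD)` returns an empty list, while `check_stack(BAD)` reports the Access Control Policy mismatch, the unregistered member and the shared management address.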
Components Used
The information in this document utilizes the following products:
- FireSIGHT Management Center Virtual Appliance (Software Version 5.4.1.2)
- Two Firepower 8140 devices (Both are running Version 5.4.0.3)
- Stacking cables
- Stacking network modules (NetMod)
Once a stacking network module is available, it is displayed in the user interface of the Management Center as below:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configuration Steps
Once the requirements are fulfilled, use the FireSIGHT Management Center to establish the stack. Follow the steps below to configure the stack:
Step 1. Log in to the FireSIGHT Management Center. Navigate to Devices > Device Management. On this page, you can verify whether the devices that you want to stack have the same licenses, OS version and Access Control Policy.
Note: It is not mandatory to keep the system policy and health policy the same on both devices, but it is advisable to make sure all the applied policies are identical. All of the devices in a stack should have the same Access Control Policy applied.
Step 2. At the top right corner, select Add and, from the drop-down list, select Add Stack > Primary Device.
Step 3. Add a name for the stack. At least one secondary stack member is necessary to successfully configure a stack. To add a secondary stack member, select Add.
Step 4. Once you click on Add, the following page appears. Select one of the available secondary devices.
Step 5. Select the stack cables appropriately as they are physically cabled.
Step 6. After completing the above steps, the following page should appear. Click the Stack button.
If there is any mismatch in the Access Control Policies on the devices in stack, the following error message is displayed:
If all of the prerequisites are met, and the above steps are followed, a progress bar is displayed.
Once the process is complete, the stack is established. After the stack is established successfully, the Stack Status message confirms the status.
Verification
1. Navigate to Devices > Device Management. The list of managed devices appears.
2. Verify the newly formed stack. Click on the Stack tab. The Stack page shows various information about the stack.
3. In the Stack page, you can view the licenses of the Stack.
Note: The licenses for a stack are enabled under the Stack tab. However, in order to enable licenses on any individual device, use the Devices page.
Optionally, if you want to make changes on any individual stack member, select the device from the top right of the page, using the Select Device drop-down menu.