Requirements and Prerequisites for Threat Defense Virtual Clustering
Model Requirements
-
FTDv5, FTDv10, FTDv20, FTDv30, FTDv50, FTDv100
NoteFTDv5 and FTDv10 do not support Amazon Web Services (AWS) Gateway Load Balancer (GWLB) and Azure GWLB.
-
The following public cloud services:
-
Amazon Web Services (AWS)
-
Microsoft Azure
-
Google Cloud Platform (GCP)
-
-
Maximum 16 nodes
See also the general requirements for the Threat Defense Virtual in the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.
User Roles
-
Admin
-
Access Admin
-
Network Admin
Hardware and Software Requirements
All units in a cluster:
-
Must be in the same performance tier. We recommend using the same number of CPUs and memory for all nodes, or else performance will be limited on all nodes to match the least capable node.
-
The Management Center access must be from the Management interface; data interface management is not supported.
-
Must run the identical software except at the time of an image upgrade. Hitless upgrade is supported.
-
All units in a cluster must be deployed in the same availability zone.
-
Cluster control link interfaces of all units must be in the same subnet.
MTU
Make sure the ports connected to the cluster control link have the correct (higher) MTU configured. If there is an MTU mismatch, the cluster formation will fail. The cluster control link MTU should be 154 bytes higher than the data interfaces. Because the cluster control link traffic includes data packet forwarding, the cluster control link needs to accommodate the entire size of a data packet plus cluster traffic overhead (100 bytes) plus VXLAN overhead (54 bytes).
For AWS with GWLB, the data interface uses Geneve encapsulation. In this case, the entire Ethernet datagram is being encapsulated, so the new packet is larger and requires a larger MTU. You should set the source interface MTU to be the network MTU + 306 bytes. So for the standard 1500 MTU network path, the source interface MTU should be 1806, and the cluster control link MTU should be +154, 1960.
For Azure with GWLB, the data interface uses VXLAN encapsulation. In this case, the entire Ethernet datagram is being encapsulated, so the new packet is larger and requires a larger MTU. You should set the cluster control link MTU to be the source interface MTU + 80 bytes.
The following table shows the default values for the cluster control link MTU and the data interface MTU.
Note | We do not recommend setting the cluster control link MTU between 2561 and 8362; due to block pool handling, this MTU size is not optimal for system operation. |
Public Cloud |
Cluster Control Link MTU |
Data Interface MTU |
---|---|---|
AWS with GWLB |
1980 |
1826 |
AWS |
1654 |
1500 |
Azure with GWLB |
1454 |
1374 |
Azure |
1454 |
1300 |
GCP |
1554 |
1400 |