8000 Series Device Stacking

The following topics describe how to work with Firepower 8000 Series device stacks in the Firepower System:

About Device Stacks

You can increase the amount of traffic inspected on a network segment by using devices in a stacked configuration. For each stacked configuration, all devices in the stack must have the same hardware. However, none, some, or all devices might have an installed malware storage pack. The devices must also be from the same device family based on the following stacked configurations:

The stacked configuration is supported for Firepower 8140, Firepower 8200 family, and Firepower 8300 family devices.

For the 81xx Family:

  • two Firepower 8140s

For the 82xx Family:

  • up to four Firepower 8250s

  • a Firepower 8260 (a primary device and a secondary device)

  • a Firepower 8270 (a primary device with 40G capacity and two secondary devices)

  • a Firepower 8290 (a primary device with 40G capacity and three secondary devices)

For the 83xx Family:

  • up to four Firepower 8350s

  • up to four AMP8350s

  • a Firepower 8360 (a primary device with 40G capacity and a secondary device)

  • an AMP8360 (a primary device with 40G capacity and a secondary device)

  • a Firepower 8370 (a primary device with 40G capacity and two secondary devices)

  • an AMP8370 (a primary device with 40G capacity and two secondary devices)

  • a Firepower 8390 (a primary device with 40G capacity and three secondary devices)

  • an AMP8390 (a primary device with 40G capacity and three secondary devices)

For more information about stacked configurations, see the Cisco Firepower 8000 Series Getting Started Guide. For more information about the malware storage pack, see the Firepower System Malware Storage Pack Guide.


Caution


Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the Firepower System Malware Storage Pack Guide for more information.


When you establish a stacked configuration, you combine the resources of each stacked device into a single, shared configuration.

You designate one device as the primary device, where you configure the interfaces for the entire stack. You designate the other devices as secondary. Secondary devices must not be currently sensing any traffic and must not have link on any interface.

Connect the primary device to the network segment you want to analyze in the same way you would configure a single device. Connect the secondary devices to the primary device using the stacked device cabling instructions found in the Cisco Firepower 8000 Series Getting Started Guide.

All devices in the stacked configuration must have the same hardware, run the same software version, and have the same licenses. If the devices are targeted by NAT policies, both the primary and secondary device must have the same NAT policy. You must deploy updates to the entire stack from the Firepower Management Center. If an update fails on one or more devices in the stack, the stack enters a mixed-version state. You cannot deploy policies to or update a stack in a mixed-version state. To correct this state, you can break the stack or remove individual devices with different versions, update the individual devices, then reestablish the stacked configuration. After you stack the devices, you can change the licenses only for the entire stack at once.

After you establish the stacked configuration, the devices act like a single, shared configuration. If the primary device fails, no traffic is passed to the secondary devices. Health alerts are generated indicating that the stacking heartbeat has failed on the secondary devices.

If the secondary device in a stack fails, inline sets with configurable bypass enabled go into bypass mode on the primary device. For all other configurations, the system continues to load balance traffic to the failed secondary device. In either case, a health alert is generated to indicate loss of link.

You can use a device stack as you would a single device in your deployment, with a few exceptions. If you have 7000 or 8000 Series devices in a high-availability pair, you cannot stack a device high-availability pair or a device in a high-availability pair. You also cannot configure NAT on a device stack.


Note


If you use eStreamer to stream event data from stacked devices to an external client application, collect the data from each device and ensure that you configure each device identically. The eStreamer settings are not automatically synchronized between stacked devices.


In a multidomain deployment, you can only stack devices that belong to the same domain.
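
The composition rules above (matching hardware, software version, licenses and domain; no high-availability members; idle secondaries; the per-family device limit) can be checked against an inventory before a stack is established or re-established after a mixed-version state. The following Python check is an added example, not Cisco code; the inventory record fields and the sample names, versions and licenses are assumptions.

```python
# Added example: pre-flight check of a proposed stack against the rules stated above.
# The inventory record fields (name, model, version, ...) are assumed, not an FMC format.

def stack_limit(model):
    """Maximum devices per stack for a model, or None if no stack is listed for it."""
    base = model[3:] if model.startswith("AMP") else model
    if base == "8140":
        return 2
    if base[:2] in ("82", "83"):
        return 4
    return None

def _norm(value):
    # Licenses are a collection; compare them independent of order.
    return value if isinstance(value, str) else ",".join(sorted(value))

def validate_stack(primary, secondaries):
    """Return a list of rule violations; an empty list means the stack is eligible."""
    members = [primary, *secondaries]
    problems = []
    limit = stack_limit(primary["model"])
    if limit is None:
        problems.append(f"model {primary['model']} is not stackable")
    elif len(members) > limit:
        problems.append(f"{len(members)} devices exceeds the limit of {limit}")
    if not secondaries:
        problems.append("no secondary device selected")
    # Hardware, software version, licenses and domain must match on every member.
    for field in ("model", "version", "licenses", "domain"):
        values = sorted({_norm(d[field]) for d in members})
        if len(values) > 1:
            problems.append(f"mismatched {field}: {values}")
    for d in members:
        if d.get("in_ha_pair"):
            problems.append(f"{d['name']} is in a high-availability pair")
    # Secondaries must not be sensing traffic or have link on any interface.
    for d in secondaries:
        if d.get("sensing") or d.get("links_up", 0):
            problems.append(f"{d['name']} is sensing traffic or has link")
    return problems

# Constructed sample inventory (names, versions and licenses are made up).
BASE = {"model": "8250", "version": "6.2.3", "licenses": ["Protection", "Control"],
        "domain": "Global/Leaf-A", "in_ha_pair": False, "sensing": False, "links_up": 0}
PRIMARY = {**BASE, "name": "fp-a", "sensing": True, "links_up": 2}
GOOD = {**BASE, "name": "fp-b", "licenses": ["Control", "Protection"]}
STALE = {**BASE, "name": "fp-c", "version": "6.2.2", "links_up": 1}

if __name__ == "__main__":
    print(validate_stack(PRIMARY, [GOOD]))   # eligible
    print(validate_stack(PRIMARY, [STALE]))  # version mismatch, secondary has link
```
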

Device Stack Configuration

You can increase the amount of traffic inspected on a network segment by stacking two Firepower 8140 devices, up to four Firepower 8250s, a Firepower 8260, a Firepower 8270, a Firepower 8290, up to four Firepower 8350s, a Firepower 8360, a Firepower 8370, or a Firepower 8390 and using their combined resources in a single, shared configuration. If you have 7000 or 8000 Series devices in a high-availability pair, you cannot stack a device high-availability pair or a device in a high-availability pair. However, you can configure two device stacks into a high-availability pair.

After you establish a device stack, the system treats the devices as a single device on the Device Management page. Device stacks display the stack icon in the appliance list.

Removing registration of a device stack from a Firepower Management Center also removes registration from both devices. You delete stacked devices from the Firepower Management Center as you would a single managed device; you can then register the stack on another Firepower Management Center. You only need to register one of the stacked devices on the new Firepower Management Center for the entire stack to appear.

After you establish the device stack, you cannot change which devices are primary or secondary unless you break and reestablish the stack. However, you can:

  • add secondary devices to an existing stack of two or three Firepower 8250s, a Firepower 8260, or a Firepower 8270 up to the limit of four Firepower 8250s in a stack

  • add secondary devices to an existing stack of two or three Firepower 8350s, a Firepower 8360, or a Firepower 8370 up to the limit of four Firepower 8350s in a stack

For additional devices, the primary device in the stack must have the necessary stacking NetMods for additional cabled devices. For example, if you have a Firepower 8260 where the primary only has a single stacking NetMod, you cannot add another secondary device to this stack. You add secondary devices to an existing stack in the same manner that you initially establish a stacked device configuration.

Establishing Device Stacks

Smart License: N/A
Classic License: Any
Supported Devices: Firepower 8140, 8200 family, 8300 family
Supported Domains: Any
Access: Admin/Network Admin

All devices in a stack must be of the same hardware model (for example, a Firepower 8140 with another 8140). You can stack a total of four devices (one primary device and up to three secondary devices) in the 8200 family and in the 8300 family.

In a multidomain deployment, all devices in the stack must belong to the same domain.

Before you begin

Procedure


Step 1

Choose Devices > Device Management.

Step 2

From the Add drop-down menu, choose Add Stack.

Step 3

From the Primary drop-down list, choose the device that you cabled for primary operation.

Note

 

If you choose a device that is not cabled as the primary device, you cannot perform the next series of steps.

Step 4

Enter a Name.

Step 5

Click Add to choose the devices you want to include in the stack.

Step 6

From the Slot on Primary Device drop-down list, choose the stacking network module that connects the primary device to the secondary device.

Step 7

From the Secondary Device drop-down list, choose the device you cabled for secondary operation.

Step 8

From the Slot on Secondary Device drop-down list, choose the stacking network module that connects the secondary device to the primary device.

Step 9

Click Add.

Step 10

Repeat steps 5 through 9 if you are adding secondary devices to an existing stack of Firepower 8250s, a Firepower 8260, a Firepower 8270, an existing stack of Firepower 8350s, a Firepower 8360, or a Firepower 8370.

Step 11

Click Stack to establish the device stack or to add secondary devices. Note that this process takes a few minutes as the process synchronizes system data.


Editing Device Stacks

Smart License: N/A
Classic License: Any
Supported Devices: Firepower 8140, Firepower 8200 family, Firepower 8300 family
Supported Domains: Leaf only
Access: Admin/Network Admin

After you establish a device stack, most changes you make to the device configuration also change the configuration of the entire stack. On the Stack page of the appliance editor, you can make changes to the stack configuration as on the Device page of a single device.

You can change the display name of the stack, enable and disable licenses, view system and health policies, and configure advanced settings.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the stacked device where you want to edit the configuration, click the edit icon.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Use the sections on the Stack page to make changes to the stacked configuration as you would a single device configuration.


Replacing a Device in a Stack

Smart License: N/A
Classic License: Any
Supported Devices: FirePOWER 8140, 8200 family, 8300 family
Supported Domains: Any
Access: Admin/Network Admin

If the Firepower Management Center cannot communicate with the device, you must connect to the device and use CLI commands to separate the stack and unregister the device. For more information, see the stacking disable and delete CLI commands in the relevant chapter: Classic Device CLI Configuration Commands.

To replace a device within a stack:

Procedure


Step 1

Select the stack with the device to replace and break that stack. For more information, see Separating Stacked Devices.

Step 2

Unregister the device from the Firepower Management Center. For more information, see Delete a Device from the FMC.

Step 3

Register the replacement device to the Firepower Management Center. For more information, see Add a Device to the FMC.

Step 4

Create a device stack that includes the replacement device. For more information, see Establishing Device Stacks.


Replacing a Device in a Stack in a High-Availability Pair

Smart License: N/A
Classic License: Control
Supported Devices: Firepower 8140, 8200 family, 8300 family
Supported Domains: Any
Access: Admin/Network Admin

After you place a stack that is a member of a high-availability pair into maintenance mode, you can replace a secondary device in the stack with another device. You can only select devices that are not currently stacked or paired. The new device must follow the same guidelines for establishing a device stack.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon.

Step 3

Click Yes to confirm maintenance mode.

Step 4

Click the replace device icon.

Step 5

Choose the Replacement Device from the drop-down list.

Step 6

Click Replace to replace the device.

Step 7

Click the toggle maintenance mode icon again to bring the stack immediately out of maintenance mode.

Note

 

You do not need to re-deploy the device configuration.


Configuring Individual Devices in a Stack

Smart License: N/A
Classic License: Any
Supported Devices: Firepower 8140, Firepower 8200 family, Firepower 8300 family
Supported Domains: Leaf only
Access: Admin/Network Admin

After you establish a device stack, you can still configure some attributes for an individual device within the stack. You can make changes to a device configured in a stack as you would for a single device. You can change the display name of a device, view system settings, shut down or restart a device, view health information, and edit device management settings.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the stacked device where you want to edit the configuration, click the edit icon.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click the Device tab.

Step 4

From the Selected Device drop-down list, choose the device you want to modify.

Step 5

Use the sections on the Devices page to make changes to the individual stacked device as you would a single device.


Configuring Interfaces on a Stacked Device

Smart License: N/A
Classic License: Any
Supported Devices: Firepower 8140, Firepower 8200 family, Firepower 8300 family
Supported Domains: Leaf only
Access: Admin/Network Admin

With the exception of the management interface, you configure stacked device interfaces on the Interfaces page of the primary device in the stack. You can choose any device in the stack to configure the management interface.

The Interfaces page of a Firepower stacked device includes the hardware and interfaces views that you find on an individual device.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the primary stacked device, click the edit icon.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click the Interfaces tab.

Step 4

From the Selected Device drop-down list, choose the device you want to modify.

Step 5

Configure interfaces as you would on an individual device; see Configuring Sensing Interfaces.


Separating Stacked Devices

Smart License: N/A
Classic License: Any
Supported Devices: FirePOWER 8140, 8200 family, 8300 family
Supported Domains: Any
Access: Admin/Network Admin

If you no longer need to use a stacked configuration for your devices, you can break the stack and separate the devices.


Note


If a stacked device fails, or if communication fails between member devices of a stack, you cannot separate the stacked devices using the Firepower Management Center web interface. In this case, use the auxiliary CLI command configure stacking disable to remove the stack configuration from each device individually.


Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device stack you want to break, click the break stack icon.

Tip

 

To remove a secondary device from a stack of three or more Firepower 8250 devices without breaking the stack, click the remove from stack icon. Removing the secondary device causes a brief disruption of traffic inspection, traffic flow, or link state as the system reconfigures the stack for operation without the extra device.

Step 3

Click Yes to separate the device stack.

