Configuring Multi-Instances

After you have MI (Multi-Instances) enabled in the RI (Root Instance), then we can configure and launch the multiple instances. Each instance is an independent virtual firewall with its own routing table, policy configuration, licenses and security services. Licenses of Multi-instances are inherited from the Root Instance. Say you are using Deep Packet Inspection (DPI) and the root instance had acquired a DPI license before adding the Multi-Instance, then the Multi-Instance does not need further operations, it already has this license. When adding the Multi-Instance first, the root instance acquires the DPI license, and then the Multi-Instance must be manually synchronized with the DPI license to the Root Instance by clicking Sync on the License screen. Each instance can be configured with the required number of cores based on the use case. Currently, we support up to eight Data Path (DP) cores maximum for each virtual firewall and two (Control Path) CP cores per virtual firewall. Each instance virtual firewall is accessed through its DHCP-enabled X1 WAN interface. The instance user interface is accessed by way of X0 as well, when an instance’s X0 mapping is setup with an accessible static IP, gateway, subnet, is accessible to the RI front panel port, and VLAN mapping is properly set.

Each instance virtual firewall can be accessed through its DHCP-enabled X1 WAN interface or Static X1 WAN interface.

The following figure shows the multi-instance screen with five instances added.

The Root Instance (RI) serves as the console through which all the instances are deployed. RI allows the user to add instances, start the service, stop the service and delete the instance. Each instance added through the Add Instance dialog is stored in the RI. This allows the user to add as many instances as possible, however, there is a limit on the number of instances that are launched because of CPU core and license availability.

Adding an Instance

In order to add an instance, click Multi-Instance | Instances, and then click +Add. A dialog box pops-up.

There is a limit on the number of instances that can be launched because of CPU core availability and total Instance Licenses available in the system.

Before completing this step, upload the Instance Firmware from the Multi-Instance > Firmware page. A typical Multi-Instance setup work flow is:

Enable Multi-Instances

1. Reserve Logical Blades.
2. Reserve port(s) and reboot chassis.
3. Register the box, if not registered, to obtain instance instances.
4. Verify that instance licenses are available on the Multi-Instance > Instance Licenses page.
5. Upload the Instance Firmware from the Multi-Instance > Firmware page.
6. Add instance, or start/stop/reboot/edit/deactivate/delete instances(s).

Add Instance Dialog Box

In the +Add dialog, all the fields must be populated:

• Organization Name — identifies operating enterprise, a name that is a string.
• Instance Name — field requires a name that is a string. The Instance Name length can be equal to or greater than eight characters and less than or equal to 63 characters.
• ACI Version — a drop-down menu and you must pick one of the ACI versions that need to be running on the instance. In order to upload an ACI, follow the instructions mentioned under Uploading Instance Firmware.
• Management Cores — only two Control Plane cores can be dedicated to a particular instance. Select the number from the right drop-down menu.
• Data Processing Cores — allows the user to select the number of DP Cores. Limit this allocation to eight for this release. Ideal maximum would be four.
• High Availability Instance — Sets up redundant instance: Primary (active) and Secondary (standby).

When completed, click Next, the dialog moves to the interface mapping stage:

Setup interfaces for the instance by mapping each X0, X1, X2...X7 to a physical interface from the drop-down menu. The drop-down menu shows only those front panel ports that were reserved for instances. For each interface, provide a unique VLAN. In setting VLAN IDs:

• VLAN should be in the range of 65 .. 4094
• For a given instance, the VLAN configured on X0 .. X7 should be unique, two or more instances of Xn cannot have the same VLAN.

Each instance can be configured with a default X0 IP address and default X1 IP (static/DHCP).

After configuration is complete, click Next.

In order to launch the instance, click Start on the Actions drop-down menu. The instance can be stopped using Stop and restarted using Reboot.

Editing an Instance

To change the configuration of an instance

1. Click the Action icon at the far right of the instance row on the Instances page.
2. When the menu appears, choose Stop.
3. Wait until the status of the instance changes to "Stopped." This could take up to five minutes.
4. Click Action again and then click Edit.

Stop and Edit buttons under Action on Instance Display

Uploading Instance Firmware

The firmware for launching the instances has to be pre-loaded using the RI. On the DEVICE | Multi-Instance > Firmware page upload the ACI file as shown.

Uploading Instance Firmware

After the file is uploaded, the firmware appears as a choice in the Add/Edit Instance dialog.

The instance firmware is not the same as the root firewall firmware. This instance firmware is exclusive to instances only.

After the upload is successful, the installation takes about two ~ five minutes. You should wait until the Status column appears Inactive in the Instance firmware page.

The steps for upgrading firmware for an instance are:

To Upgrade Instance Firmware

1. Upload the firmware as described previously.
2. Stop the instance.
3. Use the edit process to select new firmware.
4. Restart the instant.