topic Re: ASA 5545X in Network Security

ASA 5545X

TW80CJ5 — Wed, 19 Feb 2020 18:47:53 GMT

We are thinking about clustering the ASA 5545X with another exact build of the 5545X. We currently have the Cisco Catalyst 9300 Switch in our topo and would want to use that for the port-channeling / load balancing. We have some 2960's available too. Will these switches support the ASA cluster?

Re: ASA 5545X

Sheraz.Salim — Wed, 19 Feb 2020 18:58:37 GMT

I am using 2x5525 cluster with 3850 as port-channel and its working fine. so to answer your question yes you can create a cluster.

yes 9300 and 2960 can do cluster. switches only need to be a port-channel rest all the magic on cluster is happening on firewalls.

Re: ASA 5545X

TW80CJ5 — Wed, 19 Feb 2020 19:33:24 GMT

Sheraz,

Thanks for the fast reply. This is the link that I am using that is making me second guess using our existing 9300 and or 2960's.

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_65978

Look at the "ASA Services Module, IOS, and Switch Compatibility" Section...

Re: ASA 5545X

Sheraz.Salim — Wed, 19 Feb 2020 20:13:08 GMT

Cisco 9300 is a good choice instead of 2960. here is the link you need to look. in the document cisco specifically mentioned n Catalyst 3750-X Cisco IOS software versions earlier than 15.1(1)S2, the cluster unit did not support connecting an EtherChannel to a switch stack.

9300 is good chose. do you need to know the process how to create a cluster?

Re: ASA 5545X

TW80CJ5 — Wed, 19 Feb 2020 21:14:15 GMT

I am always open to a config!!!

Thanks again for the help and clarification!!!

Re: ASA 5545X

Sheraz.Salim — Wed, 19 Feb 2020 22:27:20 GMT

STEP1 CREATE ETHERCHANNEL ON SWITCH FIRST

SWITCH_CONFIG
interface range gig1/0/1-2,gig1/0/4-4
switchport mode trunk
swtichport trunk all vlan add 10-12
channel-group 1 mode active
no shut
!
interface port-channel1
switchport mode trunk
swtichport trunk all vlan add 10-12
!

STEP2
ASA1
mode multi
!
interface gig1/3
no shut
!
cluster interface-mode spanned force
!
cluster group CLUSTER-ASA
local-unit ASA1
cluster-interface gig1/3 ip 192.168.100.1 255.255.255.0
priority 1
!
mtu cluster 9000
!

STEP3
ASA2
mode multi
!
interface gig1/3
no shut
!
cluster interface-mode spanned force
!
cluster group CLUSTER-ASA
local-unit ASA2
cluster-interface gig1/3 ip 192.168.100.2 255.255.255.0
priority 2
!
mtu cluster 9000
!

STEP4
ASA1
cluster group CLUSTER-ASA
enable!

STEP5
ASA2
cluster group CLUSTER-ASA
enable as-slave

Give it some time asa will form the cluster.

once the cluster is up and running. "show cluster info"

STEP6
!
interface man1/1
no shut
!
interface gig1/1
no shut
channel-group 1 mode active
!
interface gig1/2
no shut
channel-group 1 mode active
!
interface port-channel1
port-channel span-cluster
!
interface port-channel1.10
vlan 10
!
interface port-channel1.11
vlan 11
!
interface port-channel1.12
vlan 12
!
admin-context admin
!
context admin
!
allocate-interface man1/1
allocate-interface port-channel1.10
allocate-interface port-channel1.11
allocate-interface port-channel1.12
config-url disk0:admin.cfg
!
context admin
!
ip local-pool asa-pool 192.168.20.70-192.168.20.71
!
interface man0/0
management-only
nameif mgmt
security-level 100
ip address 192.168.20.69 255.255.255.0 cluster-pool asa-pool

and so on......