Beginner

ASA 9.0 Clustering

Can we use a 3750 stack as the switch layer vs needing Nexus or something that supports VSS?            

14 Replies
Advisor

Re: ASA 9.0 Clustering

You sure can


Sent from Cisco Technical Support Android App

Hall of Fame Guru

ASA 9.0 Clustering

Anything that can terminate a portchannel will work - a single switch, a couple of switches in a logical stack, switches in a VSS, or Nexuses with vPC.

Beginner

Re: ASA 9.0 Clustering

Thanks for answers.

Does anyone have sample configs from their switch side on how the cluster control link is configured?  I'm confused in the Cisco example where they take two interfaces from each firewall (I'm guessing this is for redundancy to plug one interface to each switch) and it becomes its own etherchannel, and on another appliance the same deal.  Shouldn't all 4 of these interfaces be under one portchannel on the switch end?  Or is it simply one port channel per appliance but each is on the same vlan?  Can anyone provide sample switch configs with this clustering setup?

Thanks!

Hall of Fame Guru

Re: ASA 9.0 Clustering

The cluster control link (CCL) is (at least) one interface from each appliance. If you determine you need it to be a port-channel due to cluster sizing, it's a non-spanned Po interface and would go into unique Po interfaces on the switches.

The production interfaces are on portchannels that span the appliances. On the ASA side, when you set up the Po interface, the relevant subcommand is "port-channel span-cluster". On the switch(es) they are regular portchannel interfaces, distinct from the CCL and unique per ASA cluster spanned portchannel.

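A sample of the layout described in that answer, added here as an illustration (it is not a config posted by anyone in this thread, nor Cisco's own example): each ASA gets its own non-spanned CCL port-channel that lands in its own Po on the switch, all CCL Pos sit in one dedicated VLAN, and the data links from every unit join a single switch port-channel that matches the ASA's spanned Po. Interface names, VLAN 999, the 10.255.255.0/24 CCL subnet, and the 192.0.2.0/24 inside subnet are hypothetical; the switch side assumes a single switch or VSS/vPC pair, since a later reply in this thread notes that an ASA EtherChannel across a switch stack is not supported.

```text
! --- ASA unit 1 (unit 2 is identical except local-unit, cluster-interface ip and priority) ---
cluster interface-mode spanned force
!
! CCL: its own (non-spanned) port-channel, members in mode on
interface TenGigabitEthernet0/8
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description CCL - lands on a port-channel of its own on the switch
!
! Data: spanned port-channel, the same Po number on every unit
interface GigabitEthernet0/0
 channel-group 10 mode active
 no shutdown
interface Port-channel10
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
! CCL MTU about 100 bytes above the data MTU (reservation needs a reload); the switch CCL VLAN must carry it too
jumbo-frame reservation
mtu cluster 1600
cluster group CLUSTER1
 local-unit asa1
 cluster-interface Port-channel1 ip 10.255.255.1 255.255.255.0
 priority 1
 enable
!
! --- Switch (single switch or VSS/vPC pair; cross-stack EtherChannel to the ASA is called out as unsupported in this thread) ---
port-channel load-balance src-dst-ip
vlan 999
 name ASA-CCL
! One CCL port-channel per ASA, all in the CCL VLAN, mode on to match the ASA side
interface range TenGigabitEthernet1/1/1 - 2
 switchport mode access
 switchport access vlan 999
 channel-group 1 mode on
interface range TenGigabitEthernet1/1/3 - 4
 switchport mode access
 switchport access vlan 999
 channel-group 2 mode on
! ONE data port-channel holding the data link from every unit (matches the spanned Po10 on the ASAs)
interface range GigabitEthernet1/0/5 - 6
 switchport mode trunk
 channel-group 10 mode active
```

The switch-side load-balance setting is the "LB algorithm" a Cisco employee mentions further down: a hash that does not spread flows across the members forces the ASAs to forward more traffic to each other over the CCL, which is why the CCL is sized to match the data interfaces.
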
Beginner

Re: ASA 9.0 Clustering

Thanks. So if I took two interfaces from each appliance (let's say I have two appliances) that becomes a unique PO on the switch side, so in essence I am creating two unique POs for the two appliances in the cluster?  i.e.

ASA1  Eth0 and Eth1   both for CCL >   Gi1/0/1, Gi2/0/1 Po1 Switch stack

ASA2  Eth0 and Eth1   both for CCL >   Gi1/0/2, Gi2/0/2 Po2 same Switch stack

As a separate question, the CCL and interfaces being used for Inside and Outside ideally need to be equal in speed/bandwidth, so let's say I have a 5585X-S10 which supports 2x 10GE slots and a bunch of 1x 1GE.  I'm screwed as far as 10GE connectivity unless I take one of the two and turn that into my inside and outside together (creating subinterfaces) and then use the other 10GE interface for CCL?

Cisco Employee

ASA 9.0 Clustering

Danny,

You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on the switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend that customers have equal bandwidth sharing between CCL and data interfaces.

Cisco Employee

Re: ASA 9.0 Clustering

Collin, Marvin,

ASA clustering *might* not work with stack switches. Please refer to the bug.

CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks

Also refer to the documentation guide

"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up."

Enthusiast

Re: ASA 9.0 Clustering

subriyer wrote:

CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks

Has anyone tested this in 9.x?

There is a similar one, CSCtw63011, that says it's now fixed.

Cisco Employee

Re: ASA 9.0 Clustering

CSCtw63011 does not offer a software fix. The bug is set to resolved state by adding documentation guidelines.

Cisco would prefer not to declare supportability until we have resolved the issue and qualified the solution.

Enthusiast

Re: ASA 9.0 Clustering

OK, thanks for the clarification.

Re: ASA 9.0 Clustering

subriyer wrote:

Danny,

You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on the switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend that customers have equal bandwidth sharing between CCL and data interfaces.

So having a NX vPC environment looking at clustering with the SSP10 on 10GE, there is no good design for it if you don't have the SSP40 with 4 x 10GE ports? Any good designs with using the gig ports for CCL with the SSP10 (without additional network modules it seems) ?

You say "where we have poorly configured load balancing". What if this is not the case?

Thanks!

Cisco Employee

Re: ASA 9.0 Clustering

Aleksander,

On the lower end models like the 5585-10, the guideline of having equal bandwidth ports for data and CCL can be relaxed to some extent, since maximum throughput << available bandwidth. E.g., on the ASA5585-SSP10 there are 2 10GE ports and 8 GE ports. If the customer uses both the 10GE ports as data interfaces, the 8 GE interfaces can be bundled together into an ether-channel and used as the CCL. The throughput of the SSP10 is much less than the available bandwidth.

Re: ASA 9.0 Clustering

subriyer,

Thanks for that insight. Since the max throughput for the SSP10 is set to 4Gb/s it kind of sounds logical, yes. Would it make sense to only bundle 4 between each cluster member to each Nexus for CCL since it would hit the cap there on throughput or would the CCL need to be double? Just trying to figure out how many ports on the NX it would eat up if not 8 on each.

Thanks again :-)

Regards

Cisco Employee

Re: ASA 9.0 Clustering

Aleksander,

4Gig could be well on the lower side. You could tie 6x1G i.e. 3x1G to SW-1 and 3x1G to SW-2 on N7k vPC.

Apart from data-path traffic between the cluster nodes, CCL also carries control traffic (health-check, interface health-check, config replication etc.).

Thanks

Iyer
