Anything that can terminate a portchannel will work - single switch, couple of switches in a logical stack, switches in a VSS or Nexus's with VPC.

The cluster control link (CCL) is (at least) one interface from each appliance. If you determine you need it to be a port-channel due to cluster sizing, it's a non-spanned Po interface and would go into unique Po interfaces on the swtches.

The production interfaces are on portchannels that span the appliances. On the ASA side when you setup to Po interface, the relevant subcommand is "port-channel span-cluster". On the switch(es) they are regular portchannel interfaces, distinct from the CCL and unique per ASA cluster spanned portchannel.

Thanks. So if I took two interfaces from each appliance (lets say I have two appliances) that becomes a unique PO on the switch side so in essence I am creating two unique POs for the two appliances in the cluster?  IE

ASA1  Eth0 and Eth1   both for CCL >   Gi1/0/1, Gi2/0/1 Po1 Switch stack

ASA2  Eth0 and Eth1   both for CCL >   Gi1/0/2, Gi2/0/2 Po2 same Switch stack

As a separate question, the CCL and interfaces being used for Inside and Outside ideally need to be equal in speed/bandwidth so lets say I have a 5585X-S10 which support 2x 10GE slots and a bunch of 1x 1GE.  I'm screwed as far as 10GE connectivity unless I take one of the two and turn that into my inside and outside together (creating subinterfaces) and then use the other 10GE interface for CCL?

Danny,

You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend customers to have an equal bandwidth sharing between CCL and data-interfaces.

Collin, Marvin,

ASA clustering *might* not work with stack switches. Please refer to the bug.

CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks

Also refer to the documentation guide

"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up."

subriyer wrote:
CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks

Has anyone tested this in 9.x?

There is a similar one, CSCtw63011, that says it's now fixed.

CSCtw63011, does not offer software fix. The bug is set to resolved state by adding documentation guidelines.

CISCO will not prefer to declare supportability until we have resolved the issue and qualified the solution.

OK, thanks for the clarification.

subriyer wrote:
Danny,
You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend customers to have an equal bandwidth sharing between CCL and data-interfaces.

So having a NX vPC environment looking at clustering with the SSP10 on 10GE, there is no good design for it if you don't have the SSP40 with 4 x 10GE ports? Any good designs with using the gig ports for CCL with the SSP10 (without additional network modules it seems) ?

You say "where we have poorly configured load balancing". What if this is not the case?

Thanks!

Aleksander,

On the lower end models like 5585-10 the guideline of having equal bandwidth ports for data and CCL can be relaxed to some extent, since maximum throughput << available bandwidth. Eg. ASA5585-SSP10, there are 2 10GE ports and 8 GE ports. If the customer uses both the 10GE ports as data interfaces, the 8GE interfaces can be bundled together into an ether-channel and used as the CCL. The throughput of SSP10 is much less than the available bandwidth.

subriyer,

Thanks for that insight. Since the max throughput for the SSP10 is set to 4Gb/s it kind of sounds logical, yes. Would it make sense to only bundle 4 between each cluster member to each Nexus for CCL since it would hit the cap there on throughput or would the CCL need to be double? Just trying to figure out how many ports on the NX it would eat up if not 8 on each.

Thanks again :-)

Regards

Aleksander,

4Gig could be well on the lower side. You could tie 6x1G i.e. 3x1G to SW-1 and 3x1G to SW-2 on N7k vPC.

Apart from data-path traffic between the cluster nodes, CCL also carries control traffic (health-check, interface health-check, config replication etc.).

Thanks

Iyer