05-30-2013 02:54 PM - edited 03-11-2019 06:51 PM
Can we use a 3750 stack as the switch layer vs needing Nexus or something that supports VSS?
05-30-2013 06:30 PM
You sure can
Sent from Cisco Technical Support Android App
05-30-2013 07:10 PM
Anything that can terminate a port-channel will work - a single switch, a couple of switches in a logical stack, switches in a VSS, or Nexus switches with vPC.
05-31-2013 03:29 PM
Thanks for answers.
Does anyone have sample configs from their switch side on how the cluster control link is configured? I'm confused by the Cisco example where they take two interfaces from each firewall (I'm guessing this is for redundancy, to plug one interface into each switch) and it becomes its own EtherChannel, and on another appliance the same deal. Shouldn't all 4 of these interfaces be under one port-channel on the switch end? Or is it simply one port-channel per appliance, but each on the same VLAN? Can anyone provide sample switch configs for this clustering setup?
Thanks!
05-31-2013 04:43 PM
The cluster control link (CCL) is (at least) one interface from each appliance. If you determine you need it to be a port-channel due to cluster sizing, it's a non-spanned Po interface and would go into unique Po interfaces on the switches.
The production interfaces are on port-channels that span the appliances. On the ASA side, when you set up the Po interface, the relevant subcommand is "port-channel span-cluster". On the switch(es) they are regular port-channel interfaces, distinct from the CCL and unique per ASA cluster spanned port-channel.
06-05-2013 03:01 PM
Thanks. So if I took two interfaces from each appliance (let's say I have two appliances), that becomes a unique Po on the switch side, so in essence I am creating two unique Pos for the two appliances in the cluster? I.e.
ASA1 Eth0 and Eth1 both for CCL > Gi1/0/1, Gi2/0/1 Po1 Switch stack
ASA2 Eth0 and Eth1 both for CCL > Gi1/0/2, Gi2/0/2 Po2 same Switch stack
As a separate question, the CCL and the interfaces being used for Inside and Outside ideally need to be equal in speed/bandwidth, so let's say I have a 5585X-S10, which supports 2x 10GE slots and a bunch of 1x 1GE. I'm screwed as far as 10GE connectivity unless I take one of the two and turn that into my inside and outside together (creating subinterfaces) and then use the other 10GE interface for the CCL?
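As an added example, not from the thread and not Cisco's own sample config: one way to lay out the design described in the reply above (per-unit, non-spanned CCL port-channels; one spanned data port-channel using "port-channel span-cluster") with the port mapping sketched in the post just above (ASA1 CCL on Gi1/0/1 + Gi2/0/1 in Po1, ASA2 CCL on Gi1/0/2 + Gi2/0/2 in Po2). ASA interface names, VLAN numbers, IP addresses, the cluster name, the MTU value and the switch port numbers are all assumptions; the switch side is written for an IOS stack as asked, so the stack-support caveat raised later in this thread applies to it.

```cisco
! ===== ASA1 (cluster unit "unit-1"). ASA2 is identical except local-unit,
! ===== its CCL IP (.2) and priority. Constructed example; all values assumed.
!
! --- Cluster control link: a per-unit EtherChannel, NOT spanned, no nameif/IP
interface GigabitEthernet0/0
 channel-group 1 mode on
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description CCL (one Po per unit; lands in its own Po on the switch)
!
! --- Data: spanned EtherChannel, same channel-group number on every unit
interface GigabitEthernet0/2
 channel-group 10 mode active
 no shutdown
interface GigabitEthernet0/3
 channel-group 10 mode active
 no shutdown
interface Port-channel10
 description data Po shared by all cluster units
 port-channel span-cluster
interface Port-channel10.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
interface Port-channel10.200
 vlan 200
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248
!
! --- CCL MTU should exceed the largest data-interface MTU by >= 100 bytes
! --- (1500 + 100 here); command form is an assumption, check your release
mtu cluster 1600
!
cluster group asa-cluster
 local-unit unit-1
 cluster-interface Port-channel1 ip 192.168.255.1 255.255.255.0
 priority 1
 key <shared-cluster-secret>
 enable

! ===== Switch stack (IOS). One Po per ASA for its CCL, all in one isolated
! ===== VLAN; ONE Po holding every unit's data ports. Constructed example.
!
! jumbo MTU so CCL frames of 1600 bytes are not dropped on the switch
system mtu jumbo 1600
! hash on both IP addresses so both sides of a flow land on the same unit
port-channel load-balance src-dst-ip
!
vlan 999
 name ASA-CCL-isolated
!
interface Port-channel1
 description ASA1 CCL (ASA Gi0/0 + Gi0/1)
 switchport mode access
 switchport access vlan 999
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 999
 channel-group 1 mode on
!
interface Port-channel2
 description ASA2 CCL - same VLAN, separate Po
 switchport mode access
 switchport access vlan 999
interface range GigabitEthernet1/0/2 , GigabitEthernet2/0/2
 switchport mode access
 switchport access vlan 999
 channel-group 2 mode on
!
interface Port-channel10
 description ASA cluster data - ASA1 and ASA2 data ports together
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
interface range GigabitEthernet1/0/3 , GigabitEthernet2/0/3 , GigabitEthernet1/0/4 , GigabitEthernet2/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
 channel-group 10 mode active
```

Two points a practitioner should check on such a layout. The CCL carries configuration replication and flows forwarded between units, and that traffic is not encrypted by the cluster, so VLAN 999 should exist only on the ASA-facing ports: no SVI on it, and prune it from every trunk and uplink. And "port-channel span-cluster" belongs only on the data Po; applying it to the CCL Po, or putting the two units' CCL ports into a single switch Po, breaks the design described above.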
07-27-2013 09:23 AM
Danny,
You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend customers to have an equal bandwidth sharing between CCL and data-interfaces.
07-30-2013 09:49 PM
Collin, Marvin,
ASA clustering *might* not work with stack switches. Please refer to the bug.
CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks
Also refer to the documentation guide
"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up."
07-31-2013 01:06 AM
subriyer wrote:
CSCtw63096 - ENH: ASA Etherchannel does not work with switch stacks
Has anyone tested this in 9.x?
There is a similar one, CSCtw63011, that says it's now fixed.
07-31-2013 01:35 AM
CSCtw63011 does not offer a software fix. The bug is set to resolved state by adding documentation guidelines.
Cisco would prefer not to declare supportability until we have resolved the issue and qualified the solution.
07-31-2013 01:46 AM
OK, thanks for the clarification.
07-31-2013 05:01 AM
subriyer wrote:
Danny,
You are right about having similar bandwidth interfaces for CCL and data. Let us assume a worst case scenario where we have a poorly configured LB algorithm on switch. In such a case, there might be a need to send more data over the CCL link between ASAs. Hence we recommend customers to have an equal bandwidth sharing between CCL and data-interfaces.
So having a NX vPC environment looking at clustering with the SSP10 on 10GE, there is no good design for it if you don't have the SSP40 with 4 x 10GE ports? Any good designs with using the gig ports for CCL with the SSP10 (without additional network modules it seems) ?
You say "where we have poorly configured load balancing". What if this is not the case?
Thanks!
07-31-2013 05:22 AM
Aleksander,
On the lower-end models like the 5585-10, the guideline of having equal-bandwidth ports for data and CCL can be relaxed to some extent, since maximum throughput << available bandwidth. E.g. on the ASA5585-SSP10 there are 2 10GE ports and 8 GE ports. If the customer uses both the 10GE ports as data interfaces, the 8 GE interfaces can be bundled together into an EtherChannel and used as the CCL. The throughput of the SSP10 is much less than the available bandwidth.
07-31-2013 05:58 AM
subriyer,
Thanks for that insight. Since the max throughput for the SSP10 is set to 4Gb/s it kind of sounds logical, yes. Would it make sense to only bundle 4 between each cluster member to each Nexus for CCL since it would hit the cap there on throughput or would the CCL need to be double? Just trying to figure out how many ports on the NX it would eat up if not 8 on each.
Thanks again :-)
Regards
07-31-2013 08:52 AM
Aleksander,
4 Gig could well be on the lower side. You could tie 6x1G, i.e. 3x1G to SW-1 and 3x1G to SW-2, on an N7k vPC.
Apart from data-path traffic between the cluster nodes, CCL also carries control traffic (health-check, interface health-check, config replication etc.).
Thanks
Iyer