Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
789
Views
0
Helpful
5
Replies

ASA Clustering - Module Interfaces

MARTIN HUERTER
Level 1
Level 1

‎08-18-2015 08:53 AM - edited ‎03-11-2019 11:27 PM

I am in the process of replacing our old ASA firewall platforms with ASA5585X chassis'. We have two chassis' we want to configure into a cluster, each chassis has a ASA 5585-X SSP-20 module and a ASA 5585-X SFR SSP-20 module in them (identical pairs). I have attached a diagram indicating how I would like to connect the ASA chassis on our network. The cluster of two ASA chassis' would be between a pair of Catalyst 6506 VSS switches and a pair of Catalyst 4500X VSS switches. The ASA 5585-X SSP-20 modules and the ASA 5585-X SFR SSP-20 modules have two 10 Gigabit Ethernet ports each. My question is, can I use the two 10G ports on the ASA 5585-X SFR SSP-20 as my outside interfaces and the two 10G ports on the ASA 5585-X SSP-20 module as my inside interfaces? Or vice versa? And can I port-channel all the inside interfaces into one LAG group, and port-channel all the outside interfaces into one LAG group as well? My other question is, can I use a 1 Gigabit Ethernet interface for my cluster control link, or does it need more bandwidth than a 1 GigE interface?

 

Thanks!!

 

 

 

 

 

Labels:
Preview file
931 KB
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-18-2015 05:09 PM

See Cisco Live presentations BRKSEC-3021 and -3032.

Spanned Etherchannel of all interfaces in a given security zone/ level is the recommended practice.

For the CCL, "Bandwidth should match maximum forwarding capacity of each member". So using a 1 Gbps interface when cluster members have 20 Gbps each (even if their forwarding capacity is somewhat  less than that logical interface sped) is NOT recommended.

Note the 4500-X is VSS mode is not a validated switch for connected to an ASA cluster. It may work but has not been validated and regression tested by Cisco. (This is mentioned in the BRKSEC-3032 presentation.)

0 Helpful

Ndubisi Ekoh
Cisco Employee
Cisco Employee

‎09-18-2015 09:31 AM

Were you able to setup the ASA CCL using 4500-X in VSS mode?

Can you share the configs that worked for you?

 

Thanks,

0 Helpful

MARTIN HUERTER
Level 1
Level 1
In response to Ndubisi Ekoh

‎09-18-2015 11:09 AM

Ndubisi Ekoh,

 

I have to completed this deployment yet, but once I have I can send you configuration examples.

 

Thanks!

0 Helpful

Ndubisi Ekoh
Cisco Employee
Cisco Employee
In response to MARTIN HUERTER

‎09-18-2015 11:16 AM

Okay, i was curious to know if you were able to configure CCL via the 4500-X VSS?, if so what code you used on the ASA?

i was able to assist my customer in setting this up on another project using vPC on N5k but on this other new project they want to use 4500-X in VSS mode.

 

0 Helpful

MARTIN HUERTER
Level 1
Level 1
In response to Ndubisi Ekoh

‎09-30-2015 12:32 PM

I did not find an answer and I have abandoned the idea of deploying them in a cluster.

 

Sorry I wasn't much help.

 

Martn

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card