ASA clustering

Andrej Zverev
Level 1

Hello!

Can anyone explain whether this list of switches is complete? For example, the 4500x or Nexus 3064 can do the same (VSS/vPC), I think, but they are not listed.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/ha-cluster.html

See: Table 7-2 External Hardware and Software Support for ASA Clustering

1 Accepted Solution

Marvin Rhoads
Hall of Fame

The ones listed are the ones Cisco has tested and verified compatible. Other models may work fine but haven't necessarily been tested.

The EtherChannel / LACP mechanisms are pretty sensitive though for interoperability with an ASA cluster, so proceed carefully when going outside the recommended switch types. I'd say especially so when working with a VSS- or VPC-enabled downstream set of switches.

You can always open a proactive TAC case to ask them to validate your configuration and check their internal knowledge base for possible concerns.

5 Replies

Thank you! Will try asking TAC for details.

OK, I'm sharing some information after talking with the Cisco guys.

You can use any switch, but the switches on the list are confirmed to do proper traffic distribution. For example, if you have a pair of ASAs in a cluster, a good switch can do almost 50/50 traffic distribution and a bad switch can do 70/30, and in that case some of your ASAs can be overloaded.

That's all :-)

Hi Marvin,

Can I configure a cluster on the ASAs if I have two 4948s on separate ASAs?

The 4948s will be on the inside interfaces.

The topology is in the picture.

Is there any link where I can see the difference between ASA cluster and ASA Active/Active mode, regarding data flow, capacity, etc.?

I assume that Active/Active is capable only with two ASAs, and ASA Cluster is capable of up to 8 ASAs.

KR

You could use separate 4948 switches on the one side if you set up the cluster in individual interface mode. However, the Cisco recommendation is to use spanned EtherChannel, which is only possible when the switches are in a stack, VSS or VPC configuration - all things the 4948 cannot do.

The term Active/Active is generally used to refer to an HA mode that is only available in multiple context ASA configurations. The overall pair is active/active but a given context is always active/standby.

You might find the Cisco Live presentation BRKSEC-3032 useful. Also listen to the TAC Security podcasts on ASA clustering.
