Cisco ASA: How to Configure Clustering

Overview

  • Clustering lets you group multiple ASAs together as a single logical device.
  • A cluster provides all the convenience of a single device (management, integration into the network) while achieving the increased throughput and redundancy of multiple devices.
  • When we combine multiple devices, the measured increase in throughput and performance is roughly:
    • 70% of the combined throughput.
    • 60% of the combined connections.
    • 50% of the combined connections per second.
  • One member becomes the master and the others are slaves.
  • Master election:
    • based on priority 1-100; the lowest value is preferred.
    • if the priorities are left at the default, the first device to boot becomes the master.

Cluster Requirements

  1. An isolated, high-speed backplane for intra-cluster communication, known as the cluster control link.
  2. Management access to each ASA for configuration and monitoring.

Clustering Modes

  1. Individual Mode
    1. each device has a unique IP address
  2. Spanned Mode
    1. only the master has an IP address

Spanned mode is the recommended mode for production.

Clustering Roles

  1. Owner: owns the client's session and forwards it to the destination.
  2. Director: receives a replicated copy of the session from the owner; if the owner goes down, the director copies the session to the new owner.
  3. Forwarder: forwards the session's packets to the owner, not to the client.

Cluster Topology

  1. Usually one dedicated switch is connected to each ASA, acting as the high-speed bridge for the cluster control link.
  2. Each member ASA forms a port aggregation (EtherChannel) to the switches.

Topology

Topology Description

  1. The cluster control link is on eth4 of each Cisco ASA.
  2. Cisco ASAx1 and ASAx2 ports eth0 and eth3 will become EtherChannel 2.
  3. Cisco ASAx1 and ASAx2 ports eth1 and eth2 will become EtherChannel 1.
  4. The cluster name is "myclustercisco".

Testing Scenarios

  • Configure spanned-mode clustering with ASAx1 as Master and ASAx2 as Slave.
  • The cluster control link IP addresses are 192.168.20.100 and 192.168.20.101 for ASAx1 and ASAx2 respectively.
  • Bundle the eth1 and eth2 interfaces of ASAx1 and ASAx2 using Port-Channel 1.
  • Bundle the eth0 and eth3 interfaces of ASAx1 and ASAx2 using Port-Channel 2.

Configurations

Switch Inside Zone

  1. Configure an EtherChannel on each interface facing a Cisco ASA.
vlan 20
interface Ethernet0/1
 switchport access vlan 20
 switchport mode access
 channel-group 1 mode active
!
interface Ethernet0/3
 switchport access vlan 20
 switchport mode access
 channel-group 1 mode active
!
interface Ethernet1/1
 switchport access vlan 20
 switchport mode access
 channel-group 1 mode active
!
interface Ethernet0/1
 switchport access vlan 20
 switchport mode access
 channel-group 1 mode active
!
interface Port-channel1
 switchport access vlan 20
 switchport mode access
!

Switch Outside Zone

interface Ethernet0/1
 switchport mode access
 channel-group 2 mode active
!
interface Ethernet0/2
 switchport mode access
 channel-group 2 mode active
!
interface Ethernet0/3
 switchport mode access
 channel-group 2 mode active
!
interface Ethernet1/0
 switchport mode access
 channel-group 2 mode active
!
interface Port-channel2
 switchport mode access
!

Cisco ASA Master

  1. Configure each ASA in the same mode; in this scenario it is single context.
conf t
mode single
! verify
show mode
! after that the device will reboot

  2. Bring up (no shutdown) all interfaces on the Cisco ASA.

int eth0
no sh
int eth1
no sh
int eth2
no sh
int eth3
no sh
int eth4
no sh

  3. Configure the EtherChannel membership for each interface.

interface Ethernet0
 channel-group 2 mode active
!
interface Ethernet1
 channel-group 1 mode active
!
interface Ethernet2
 channel-group 1 mode active
!
interface Ethernet3
 channel-group 2 mode active
!

  4. Cluster configuration

! set the clustering interface mode
conf t
cluster interface-mode spanned
cluster group myclustercisco
 local-unit ASAx1
 cluster-interface Ethernet4 ip 172.16.0.1 255.255.255.0
 ! the lowest priority is preferred in the master election
 priority 1
 console-replicate
 enable

  5. Set the IP address for each EtherChannel in the inside and outside zones.

interface Port-channel1
 port-channel span-cluster
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
interface Port-channel2
 port-channel span-cluster
 nameif OUTSIDE
 security-level 0
 ip address 200.0.0.1 255.255.255.0 

Cisco ASA Slave

  1. Set the same mode as the master.
conf t
mode single

  2. Configure clustering.

conf t
cluster interface-mode spanned
cluster group myclustercisco
 local-unit ASAx2
 cluster-interface Ethernet4 ip 172.16.0.2 255.255.255.0
 priority 2
 console-replicate
 enable

Verification

  1. Check on each switch (and ASA) that the EtherChannel interface is up.
show etherchannel summary

  2. Check the EtherChannel on the ASA.

show port-channel 2

  3. Check the cluster status.

show cluster info

  4. You can also check that the slave's hostname is the same as the master's, while the cluster unit name (local-unit) is different.

show cluster info
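The checks in steps 3 and 4 are usually done by eye. The script below is an added example, not part of the original article, that automates them: it parses the text of `show cluster info` and confirms that the cluster is on, that the interface mode is spanned, that exactly one unit is MASTER, that the MASTER is the unit with the lowest configured priority, and that every configured unit has joined. The sample output is constructed for this example (its layout follows the command's real format, but the names, IPs, serial numbers and timestamps are made up), and the priority table mirrors the values configured above.

```python
"""Verify ASA cluster state from the text of 'show cluster info'."""
import re

# Constructed sample of 'show cluster info' as it might look on ASAx1 after
# both units from this tutorial have joined. Not captured from a real device.
SAMPLE_SHOW_CLUSTER_INFO = """\
Cluster myclustercisco: On
    Interface mode: spanned
    This is "ASAx1" in state MASTER
        ID        : 0
        Version   : 9.1(2)
        Serial No.: EXAMPLE-SERIAL-1
        CCL IP    : 172.16.0.1
        CCL MAC   : 0000.0000.0001
        Last join : 10:02:33 UTC Jan 1 2024
        Last leave: N/A
Other members in the cluster:
    Unit "ASAx2" in state SLAVE
        ID        : 1
        Version   : 9.1(2)
        Serial No.: EXAMPLE-SERIAL-2
        CCL IP    : 172.16.0.2
        CCL MAC   : 0000.0000.0002
        Last join : 10:04:10 UTC Jan 1 2024
        Last leave: N/A
"""

# Priorities as configured in this tutorial: the lowest value wins the election.
CONFIGURED_PRIORITY = {"ASAx1": 1, "ASAx2": 2}

CLUSTER_RE = re.compile(r'Cluster (\S+): (On|Off)')
MODE_RE = re.compile(r'Interface mode: (\S+)')
UNIT_RE = re.compile(r'(?:This is|Unit) "(?P<name>[^"]+)" in state (?P<state>\S+)')
CCL_RE = re.compile(r'CCL IP\s*:\s*(?P<ip>\S+)')


def parse_cluster_info(text):
    """Return the cluster name, enabled flag, interface mode and member list."""
    info = {"name": None, "enabled": False, "mode": None, "units": []}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = CLUSTER_RE.match(s)
        if m:
            info["name"], info["enabled"] = m.group(1), m.group(2) == "On"
            continue
        m = MODE_RE.match(s)
        if m:
            info["mode"] = m.group(1)
            continue
        m = UNIT_RE.match(s)
        if m:
            # Each unit header starts a new member record; the CCL IP follows it.
            current = {"name": m.group("name"), "state": m.group("state"), "ccl_ip": None}
            info["units"].append(current)
            continue
        m = CCL_RE.match(s)
        if m and current is not None:
            current["ccl_ip"] = m.group("ip")
    return info


def check_cluster(info, priorities):
    """Return a list of problems; an empty list means the cluster looks healthy."""
    problems = []
    if not info["enabled"]:
        problems.append("cluster is not enabled")
    if info["mode"] != "spanned":
        problems.append(f"interface mode is {info['mode']}, expected spanned")
    masters = [u["name"] for u in info["units"] if u["state"] == "MASTER"]
    if len(masters) != 1:
        problems.append(f"expected exactly one MASTER, found {masters}")
    # Lowest priority value should hold MASTER. Ties are decided by boot order
    # on the real devices, which this check cannot see, so ties are not modelled.
    expected_master = min(priorities, key=priorities.get)
    if masters and masters[0] != expected_master:
        problems.append(f"MASTER is {masters[0]}, expected {expected_master} (lowest priority)")
    joined = {u["name"] for u in info["units"]}
    for name in priorities:
        if name not in joined:
            problems.append(f"unit {name} has not joined the cluster")
    for u in info["units"]:
        if u["state"] not in ("MASTER", "SLAVE"):
            problems.append(f"unit {u['name']} is in transitional state {u['state']}")
    return problems


if __name__ == "__main__":
    parsed = parse_cluster_info(SAMPLE_SHOW_CLUSTER_INFO)
    for unit in parsed["units"]:
        print(f"{unit['name']:8} {unit['state']:7} CCL {unit['ccl_ip']}")
    print("problems:", check_cluster(parsed, CONFIGURED_PRIORITY) or "none")
```

Feed the script real output captured from `show cluster info` in place of the constructed sample; a non-empty problem list after a reboot or failover is the quickest signal that a unit did not rejoin or that the election did not end up where the priorities say it should.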

Conclusions

  1. With clustering we can use multiple ASAs to get better performance and high availability.
  2. Clustering makes the ASAs easier to monitor and configure as a single unit.
  3. The port-channels on the slave do not need to be configured; they are replicated from the master ASA.
