Cisco ASA Clustering: Changing the Shape of Network Security
Clustering? ASA Clustering? Cisco has released software version 9.0(1) for its popular and ubiquitous ASA firewall. One of the new features Cisco is touting is firewall clustering (ASA Clustering), and it differs radically from traditional active/active firewall designs.
Why cluster ASA firewalls?
a. Clustering lets you group multiple ASAs together as a single logical device.
b. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
With today’s data center architectures built on multi-chassis EtherChannel technologies, the traditional high-availability firewall designs still force all traffic through a single firewall, while the standby unit sits idle until a failure occurs.
Clustering also allows equal-cost multipath routing/switching between a router/switch pair and a cluster of firewalls while keeping connection state available across the cluster: every flow has an owner unit, and a second unit (the director) holds a backup copy of its state, so a unit failure does not drop established connections. It also lets a firewall stack scale out to as many as eight firewalls in a cluster to aggregate bandwidth as needs increase, without forklifting the existing firewalls. Scaling is not linear, though: Cisco’s own sizing guidance puts a cluster’s expected throughput at roughly 70% of the sum of its members’ throughput, because some traffic is forwarded between units on its way to the flow owner.
The following sections highlight the differences between ASA operational modes and firewall stack designs.
ASA Operational Modes
Layer 2 Mode
Spanned EtherChannel interface mode is the Cisco-recommended method for connecting ASA cluster interfaces to the adjacent switches in the aggregation layer. Every unit contributes member links to one EtherChannel, so the switch side sees a single LACP port channel and its port-channel hash spreads flows across the units; strictly this is layer 2 load balancing rather than ECMP routing, but it fills the same role. It is by far the easiest method to configure. One consequence to size for: the switch hash, not the cluster, decides which unit a packet hits first, so a flow’s return traffic frequently arrives at a unit that does not own the flow and is forwarded to the owner over the cluster control link. That link therefore carries data, not just keepalives and state, and needs bandwidth and an MTU to match.
Layer 3 Mode
Individual interface mode gives each ASA’s interface its own unique layer 3 IP address, drawn from a per-interface pool, alongside a Main cluster IP address that always lives on the master unit. On the adjacent switches/routers, PBR or a dynamic routing protocol is required to provide the ECMP solution in this mode. I don’t recommend this mode for two reasons:
- The ECMP solution in layer 3 mode is typically slower to converge during a failure: the routers have to notice that a next hop has gone away, whereas an LACP port channel drops a failed member link almost immediately.
- Avoid it if the ASA cluster is going to support multiple contexts. Transparent mode is only supported with Spanned EtherChannel, so contexts operating in a mix of transparent and routed mode force the interface type to Spanned EtherChannel anyway.
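Individual interface mode, as an added configuration example that is not from the original post or from Cisco’s documentation: the per-unit address pools on the ASA, and the plain static ECMP an upstream router would need to spread traffic across the unit addresses. The cluster group bootstrap is the same as for Spanned EtherChannel mode and is omitted here; interface names, addresses and pool names are placeholders.

```text
! ---- ASA (master unit): Individual interface mode (placeholder names/addresses) ----
cluster interface-mode individual force
!
! One pool per data interface, one address per unit (room for eight units).
! The interface's own address is the Main cluster IP and follows the master.
ip local pool outside-pool 192.0.2.11-192.0.2.18 mask 255.255.255.0
ip local pool inside-pool 10.1.1.11-10.1.1.18 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 cluster-pool outside-pool
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 cluster-pool inside-pool
 no shutdown
!
route outside 0.0.0.0 0.0.0.0 192.0.2.254
!
! ---- Upstream router (IOS-style), 192.0.2.254: static ECMP toward the inside net ----
! One equal-cost route per unit address, four units shown. Nothing here tracks
! whether a unit is alive: a failed unit's share of flows is black-holed until the
! route is withdrawn, which is the slow-convergence problem described above.
! A dynamic routing protocol or IP SLA tracking is what fixes that.
ip route 10.1.1.0 255.255.255.0 192.0.2.11
ip route 10.1.1.0 255.255.255.0 192.0.2.12
ip route 10.1.1.0 255.255.255.0 192.0.2.13
ip route 10.1.1.0 255.255.255.0 192.0.2.14
```

Each unit answers ARP for its own pool address, so the router’s per-flow hash across the four next hops is what spreads load; the 192.0.2.1 address only ever answers from the master.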
Firewall Stack Design
Single Data Center
In most data center architectures, the Cisco ASA appliances are deployed in a Firewall Services Layer (FSL) attached to the aggregation-layer switches (or a virtual device context). Clustering makes this traditional model more efficient by letting two to eight ASAs perform firewall inspection within a single data center. All links between the aggregation layer and the ASA cluster are bundled into one large virtual port channel (vPC): each ASA lands one link on each vPC peer, and the peer pair treats the whole cluster as a single LACP neighbor. Keep the cluster control link on a separate EtherChannel and VLAN that carries nothing else: it is not encrypted by the ASA, it carries connection state and forwarded data traffic, and a unit that loses it is removed from the cluster.
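The Spanned EtherChannel setup from the Layer 2 Mode section and the vPC attachment described above, as one added configuration example that is not from the original post or from Cisco’s documentation: the first unit’s bootstrap and data-interface configuration, the minimal bootstrap of a second unit, and the matching port channel on one Nexus vPC peer. Interface names, VLANs, addresses, the cluster name, the MAC address and the shared key are placeholders.

```text
! ---- ASA unit 1: bootstrap (placeholders throughout) ----
cluster interface-mode spanned force
!
! Cluster control link (CCL): its own EtherChannel in its own VLAN, mode on.
! It carries state and forwarded traffic in the clear; share it with nothing.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
!
! Forwarded packets gain a cluster header, so the CCL MTU must exceed the
! data-interface MTU (1500 + 100 here).
mtu cluster 1600
!
cluster group DC1-FW
 local-unit asa1
 cluster-interface Port-channel1 ip 192.168.254.1 255.255.255.0
 priority 1
 key CHANGE-THIS-SHARED-SECRET
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
!
! Spanned data EtherChannel: one port-channel that spans every unit.
! vss-id pins each member link to one vPC peer, so every unit keeps a
! link to each peer.
interface TenGigabitEthernet0/8
 channel-group 10 mode active vss-id 1
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 10 mode active vss-id 2
 no shutdown
interface Port-channel10
 port-channel span-cluster vss-load-balance
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 mac-address 0200.0a01.0001
!
! ---- ASA unit 2: only the bootstrap differs; data config replicates from the master ----
cluster interface-mode spanned force
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
mtu cluster 1600
cluster group DC1-FW
 local-unit asa2
 cluster-interface Port-channel1 ip 192.168.254.2 255.255.255.0
 priority 2
 key CHANGE-THIS-SHARED-SECRET
 health-check holdtime 3
 enable
!
! ---- Nexus vPC peer A (repeat on peer B with its own member ports) ----
interface port-channel10
 description ASA cluster DC1-FW, spanned data EtherChannel
 switchport mode access
 switchport access vlan 10
 vpc 10
interface Ethernet1/1
 description asa1 Te0/8
 switchport mode access
 switchport access vlan 10
 channel-group 10 mode active
 no shutdown
interface Ethernet1/2
 description asa2 Te0/8
 switchport mode access
 switchport access vlan 10
 channel-group 10 mode active
 no shutdown
```

The `mac-address` line on the spanned port channel is deliberate: without a fixed virtual MAC, the EtherChannel takes the master unit’s MAC and changes whenever a new master is elected, which forces the switches to relearn it. The `key` authenticates cluster control messages between units; it does not encrypt the state or data carried on the CCL, which is why that link gets its own isolated VLAN. After bringing the units up, `show cluster info` on the master should list every unit as a member, and `show port-channel summary` on the ASA and the vPC peers should show all member links bundled.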
Active/Active Data Centers
In active/active architectures, ASA clustering lets network architects stretch a firewall cluster between two data centers as long as the latency between the DCs is low enough to support it; Cisco’s figure for the cluster control link is a round-trip time below 20 ms. All ASAs at each data center are configured in a vPC local to that DC, while the cluster control link rides over the data center interconnect. With ASA clustering configured between two data centers, the architecture supports seamless vMotion of virtual machines between data centers without duplicating configuration work on a dedicated firewall stack per data center, which reduces the likelihood of errors caused by manual replication of the configuration. The trade-off is that the interconnect becomes part of the firewall: if it partitions, the units on each side carry on as separate clusters until it returns, so give the DCI the same redundancy you would give the aggregation layer.
Wrapping things up
With ASA clustering, Cisco has recognized the technical challenges associated with active/active data center designs and addressed them. The feature was originally developed for the ASA 5585-X only, but Cisco announced in version 9.1(4) that clustering is now supported on the 5512-X, 5515-X, 5525-X, 5545-X and 5555-X models. However, the non-5585-X models are limited to two units per cluster; in an active/active dual data center model that would leave each DC with a single firewall. At the moment that limit usually confines the smaller models to single data center clusters, but I’m keeping my fingers crossed that Cisco will raise it in the future. With that said, Layer 2 (Spanned EtherChannel) mode should be your interface mode, and if you’re looking to build an active/active dual data center, the Cisco ASA 5585-X should be your model of choice.
Reference from: http://blog.thinkahead.com/cisco-asa-clustering-changing-shape-network-security
More Related Cisco ASA Topics
NGFW-Cisco ASA with FirePOWER Services
How to Start a Cisco ASA 5506-X?
What are the Considerations While Buying a Cisco Next-Generation Firewall?
ASA 5506-X/SecurityPlus, 5506W-X & 5506H-X, Cisco ASA with FirePOWER Services, What’s New Here?