ASA clustering has two interface modes: Individual Interface Mode and Spanned Mode. This post covers the more widely used Spanned Mode.
The CCL is the Cluster Control Link, which governs configuration sharing among the ASAs.
SW1's VLAN 1 interface IP is 192.168.10.1 and SW2's VLAN 1 interface IP is 203.115.50.1. The INSIDE and OUTSIDE interfaces of each ASA are as shown in the diagram, and port channels are to be configured on them.
Within the cluster, one ASA must act as the Master and all others are Slaves. Here I am configuring ASA1 as the master (the unit with the lower priority value wins the master election):
cluster interface-mode spanned
cluster group PERIMETER
local-unit ASA1
cluster-interface e0 ip 10.10.10.1 255.255.255.0
priority 5
enable
On ASA2:
cluster interface-mode spanned
cluster group PERIMETER
local-unit ASA2
cluster-interface e0 ip 10.10.10.2 255.255.255.0
priority 10
enable
show cluster info and show cluster history are the verification commands.
The cluster configuration is done, but for traffic to flow with load balancing, port-channels must be configured.
The switch port-channels are the real load balancers here. Let's configure them with LACP.
On SW1:
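Before enabling the cluster it is worth checking that the two bootstrap configs agree with each other. The following script is an added example, not part of this post; it embeds the ASA1 and ASA2 bootstrap lines above as constructed sample text and checks the invariants a misconfigured cluster would violate (same group name and interface mode, unique unit names, unique CCL addresses in one subnet, and distinct priorities, with the lowest priority value expected to become master).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the two bootstrap configs from this post, one string per unit.
ASA_BOOTSTRAP = {
    "ASA1": "cluster interface-mode spanned\ncluster group PERIMETER\n"
            " local-unit ASA1\n cluster-interface e0 ip 10.10.10.1 255.255.255.0\n"
            " priority 5\n enable\n",
    "ASA2": "cluster interface-mode spanned\ncluster group PERIMETER\n"
            " local-unit ASA2\n cluster-interface e0 ip 10.10.10.2 255.255.255.0\n"
            " priority 10\n enable\n",
}

FIELDS = {  # one regex per bootstrap setting we care about
    "mode": r"^cluster interface-mode (\S+)",
    "group": r"^cluster group (\S+)",
    "unit": r"^\s*local-unit (\S+)",
    "ccl": r"^\s*cluster-interface \S+ ip (\S+) (\S+)",
    "priority": r"^\s*priority (\d+)",
}

def parse_bootstrap(text: str) -> Dict[str, str]:
    """Extract the cluster bootstrap fields from one unit's config text."""
    found = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.MULTILINE)
        if m:
            found[key] = "/".join(m.groups())   # CCL becomes "addr/mask"
    return found

def check_cluster(configs: Dict[str, str]) -> Tuple[List[str], str]:
    """Return (problems, expected master). The lowest priority value wins the election."""
    units = [parse_bootstrap(cfg) for cfg in configs.values()]
    problems = [f"missing {k} on a unit" for u in units for k in FIELDS if k not in u]
    if problems:
        return problems, ""
    if len({u["group"] for u in units}) != 1:
        problems.append("cluster group name differs between units")
    if {u["mode"] for u in units} != {"spanned"}:
        problems.append("all units must be in spanned interface mode")
    if len({u["unit"] for u in units}) != len(units):
        problems.append("duplicate local-unit name")
    ccl = [ipaddress.ip_interface(u["ccl"]) for u in units]
    if len({i.ip for i in ccl}) != len(ccl):
        problems.append("duplicate CCL IP address")
    if len({i.network for i in ccl}) != 1:
        problems.append("CCL addresses are not in one subnet")
    prios = [int(u["priority"]) for u in units]
    if len(set(prios)) != len(prios):
        problems.append("priority tie: master is not decided by configured priority")
    master = min(units, key=lambda u: int(u["priority"]))["unit"]
    return problems, master
```

Run it against the real `show running-config` output of each unit by replacing the constructed strings in ASA_BOOTSTRAP.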
interface range e0/0-1
channel-group 1 mode active
On SW2:
interface range e0/0-1
channel-group 2 mode active
On ASA1 (the configuration is now entered on the Master only; the Slaves replicate it):
interface e1
channel-group 1 mode active
no shut
interface e2
channel-group 2 mode active
no shut
int po1
port-channel span-cluster
mac-address aaaa.bbbb.1111
nameif INSIDE
security-level 100
ip address 192.168.10.1 255.255.255.0
int po2
port-channel span-cluster
mac-address aaaa.bbbb.2222
nameif OUTSIDE
security-level 0
ip address 203.115.50.1 255.255.255.0
Additional note:
If a session enters through ASA1 and its return traffic arrives at ASA2, ASA2 forwards the returning traffic to ASA1 over the CCL. So, unlike other ASA redundancy methods such as Active/Standby or Active/Active, the CCL link is used for data-traffic forwarding as well.