88045-Consulturia Y capacitacion en Redes - ASA Cluster on Nexus v1.6.2


Slide 1/36
2013 Cisco and/or its affiliates. All rights reserved.

Quick Start Guide
ASA Cluster on Nexus
Architecture & Solutions Group, US Public Sector Advanced Services
Mark Stinnette, CCIE Data Center #39151
Date: 28 August 2013, Version 1.6.2

Slide 2/36

This presentation provides end to end configurations mapped directly to commonly deployed data center architecture topologies. In this cookbook style quick start guide, configurations are broken down in an animated step by step process into a complete, clean end to end configuration based on Cisco best practices and strong recommendations. Each QSG contains set-the-stage content, technology component definitions, recommended best practices and, more importantly, different scenario data center topologies mapped directly to complete end to end configurations. This QSG is geared for network engineers, network operators and data center architects, to allow them to quickly and effectively deploy these technologies in their data center infrastructure based on proven, commonly deployed designs.

This Quick Start Guide (QSG) is a cookbook style guide to deploying data center technologies, with end to end configurations for several commonly deployed architectures.

Slide 3/36
ASA Cluster Configuration :: Commonly Deployed Firewall Designs :: Standalone with Failover

• Cisco recommended, commonly deployed and typical firewall attachment model
• ASA configured for port channels connected via vPC or vPC+
• External and internal traffic traverse the same port channel to the firewall
• Insertion point at the Aggregation layer (Nexus 7000)
• 10GE interfaces

• Altered ASA design topology
• ASA configured for port channels connected via vPC or vPC+
• Physical interface isolation for external and internal traffic
• External traffic traverses a dedicated port channel to the firewall
• Internal traffic traverses a dedicated port channel to the firewall
• Insertion point at the Aggregation layer (Nexus 7000)
• 10GE interfaces

• Altered ASA design topology
• ASA VDC (Virtual Device Context) sandwich
• ASA physically inline
• ASA configured for port channels connected via vPC or vPC+
• Physical interface isolation for external and internal traffic
• External traffic traverses a dedicated port channel to the firewall
• Internal traffic traverses a dedicated port channel to the firewall
• Insertion point at the Aggregation layer (Nexus 7000)
• External firewall port channel connected to the Aggregation VDC
• Internal firewall port channel connected to the Sub-Aggregation VDC
• Uses more 10GE interfaces, less effective firewall bandwidth usage

Slide 4/36
ASA Cluster Configuration :: Commonly Deployed Firewall Designs :: Cluster Mode

• Cisco recommended -- ASA Cluster design
• Scaling ASA appliances into one logical firewall within the DC architecture
• Typical firewall cluster attachment model
• ASA configured for port channels connected via vPC or vPC+
• External and internal traffic traverse the same cluster data port channel to the firewall
• Insertion point at the Aggregation layer (Nexus 7000)
• 10GE interfaces
• Cluster two or more (up to 8) ASA firewalls
• Greatly increases the throughput of traffic (up to 100 Gbps)
• True active-active model: in multi-context mode every member interface for all contexts is capable of forwarding every traffic flow

Same firewall illustrated (alternative view): cluster up to 8 ASA firewalls (ASA 5580, ASA 5585-X)

Slide 5/36
ASA Cluster Configuration :: Firewall Logical Deployment Modes

Slide 6/36
ASA Cluster Configuration :: Firewall Logical Deployment Modes

Static Routing
Dynamic Routing
No dynamic routing supported over vPC or vPC+

Slide 7/36
ASA Cluster Configuration :: Firewall Logical Security Models :: Multi Tenancy Infrastructure

Simple Tenant Container: Single Tier model, FW Context to VRF to VLAN mapping

High Security Use Cases: N-Tier Application Segmentation, single FW Context instance, multiple VRF to VLAN mappings

Enterprise-Class Data Center, Service Provider / Cloud: Zone Based, Shared Multi-Tenant Context, single FW Context and VRF instance, multiple VLANs per Zone

Slide 8/36

Tenant Containers: Private, Public, Shared Services (DMZ), N-Tier Application Segmentation

Rigorous Separation, High Security Use Cases (DoD / Federal Government): Dedicated VRF per Tier, tenants mapped to a unique firewall context

Service Provider / Cloud, Enterprise-Class Data Center: Zone Containers, Organi...

Slide 9/36
ASA Cluster Configuration :: Benefits Overview

The adoption of an enterprise wide security framework is a crucial part of the overall enterprise network architecture.

Within the data center, new application rollouts, virtualization, the adoption of various cloud services and an increasingly transparent perimeter are creating radical shifts in the data center security requirements. The need for stackable, scalable, high capacity firewalls at the data center perimeter is becoming essential. The Adaptive Security Appliance (ASA) clustering feature on the ASA family of firewalls satisfies such a requirement. The clustering feature allows for an efficient way to scale up the throughput of a group of ASAs, by having them all work in concert to pass connections as one logical ASA device.

Using up to 8 ASA appliances, the clustering feature allows the scaling of up to 100Gbps of aggregate throughput within the data center perimeter.

ASA Clustering provides the following benefits:
• The ability to aggregate traffic to achieve higher throughput
• Scaling the number of ASA appliances into one logical firewall within the Data Center architecture
• True Active / Active model: when in multi context mode, every member, for all contexts of the cluster, is capable of forwarding every traffic flow
• Can force stateful flows to take a more symmetrical path, which improves predictability and session consistency
• Can operate in either Layer 2 or Layer 3 mode
• Supports single and multiple contexts (firewall virtualization)
• (In Theory) Clustering can be implemented across different data centers over dark fibre as the means of transport. This use case should be validated and supported in future releases
• Cluster wide statistics are provided to track resource usage
• A single configuration is maintained across all units in the cluster using automatic configuration sync

Slide 10/36

Slide 11/36
ASA Cluster Configuration :: Additional Features, Terminology, Components

Feature Overview

Cluster Control Link (CCL)
The CCL carries control plane information between the different cluster members. Flows are also redirected over the CCL. To configure the CCL, one configures local port channels with the same channel identifier on each firewall and connects them to separate vPCs on the corresponding Nexus 7000s. All CCL links are part of the same access VLAN.

Cluster Data Link
The most important difference in implementing the cluster data plane is the configuration of a "spanned port channel (cLACP)" on the firewall. This is necessary because only one port channel / vPC pair is used in the data plane. To provide channel consistency and seamless operation between both sides, it is necessary to configure a logical port channel construct across all the members of the ASA cluster. The Data Link is a trunk port for all the inside and outside VLANs.

Spanned port channel (cLACP)
The ASA uses a logical link aggregation construct called the Cluster Link Aggregation Control Protocol (cLACP). It is designed to extend standard LACP to multiple devices so that it can support a spanned cluster. EtherChannels need to be spanned across the cluster. cLACP allows link aggregation between one switch, or a pair of switches, and multiple (more than two) ASAs in a cluster.

Local port channel (LACP)
Each ASA uses only two interfaces in a local port channel, meaning it is not spanned or shared across the cluster. The local port channel (a vPC on the Nexus side) gives us local redundancy should we lose a single cluster control link.

LACP
LACP (Link Aggregation Control Protocol) :: This is the protocol that the ASA runs to negotiate the EtherChannel with the adjacent switch. For clustering, the ASAs all share one instance of LACP, such that the adjacent switch considers the cluster of ASAs as one logical device.

Master
The ASA Cluster elects a master unit, which designates which unit responds to the cluster management address and which unit is used for configuration replication. All configuration is performed on the master unit. Hard set the master via the priority command.

Slave
All other members in the cluster are slave units. Hard set the slaves accordingly via the priority command.

Slide 12/36

Slide 13/36
ASA Cluster Configuration :: Additional Features, Terminology, Components

Feature Overview

Cluster Connection (Owner Flow)
The actual connection flow that is passing the traffic. We can't know for sure which unit in the cluster will "own" the flow, since whichever ASA receives the first packet in the flow becomes the owner. Only TCP and UDP flows send logical flow updates to the stub flow (and possibly the director stub flow).

Cluster Connection (Forwarding Stub Flow)
If a unit receives a packet for a flow that it does not own, it contacts the director of that flow to learn which unit owns the flow. Once it knows this, it creates and maintains a forwarder flow, which it then uses to forward any packets it receives on that connection directly to the owner, bypassing the director. Forwarder flows do not receive Link Updates (LUs), since they are just forwarding the packets and don't care about state. Short lived flows such as DNS and ICMP do not get forwarder flows: the unit receiving the packets for those connections simply forwards them to the director, which forwards them to the owner, and the director does not reply back to the forwarding unit asking it to create a forwarder flow.

Cluster Connection (Backup Stub Flow)
Based on the flow's characteristics, all units can derive the director unit for the flow. The director unit typically maintains the stub (or backup) flow, which can become the full flow in case the flow's owner unit fails, and is also used to redirect units towards the flow's owner unit if they receive packets for the flow. Backup flows receive connection updates to keep them up to date in case the owner fails and the stub flow needs to become the full flow.

Cluster Connection (Stub or Backup Director Flow)
If the director chosen for the flow is also the owner (meaning the director received the first packet in the flow), then it can't be its own backup. Therefore a 'director backup' flow is created, and a second hash table is used to track this. Obviously this director backup flow receives LUs, since it needs to be ready to take over if the director/owner fails.
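The owner / director / forwarder / backup roles described on this slide are easiest to reason about by stepping through them. The following simulation is an added example written for this page, not Cisco's implementation: the director hash (SHA-256 over a direction-independent 5-tuple), the unit names and the flow keys are constructed, and the short-lived protocol set is taken from the slide's DNS/ICMP remark.

```python
"""Illustrative simulation of ASA cluster flow roles (added example, not Cisco code)."""
import hashlib
from dataclasses import dataclass

SHORT_LIVED = {"icmp", "dns"}   # per the slide: no forwarder stubs for these flows


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def canonical(self):
        # Both directions of a connection must hash to the same director.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return f"{self.proto}|{ends[0]}|{ends[1]}"


class ClusterSim:
    def __init__(self, units):
        self.units = list(units)
        self.owner = {}        # FlowKey -> unit holding the full flow
        self.backup = {}       # FlowKey -> unit holding the backup stub
        self.forwarders = {}   # (unit, FlowKey) -> owner learned from the director

    def director(self, key):
        # Every unit derives the director from the flow alone (constructed hash, not ASA's).
        digest = hashlib.sha256(key.canonical().encode()).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def _pick_backup(self, key, owner):
        d = self.director(key)
        if d != owner:
            return d                       # the director keeps the backup stub
        # director == owner: a 'director backup' stub lives on another unit
        return next(u for u in self.units if u != owner)

    def receive(self, unit, key):
        """Handle a packet for `key` arriving at `unit`; return the role taken."""
        if key not in self.owner:
            self.owner[key] = unit         # first packet seen -> this unit owns the flow
            self.backup[key] = self._pick_backup(key, unit)
            return "owner-created"
        if self.owner[key] == unit:
            return "owner"
        if key.proto in SHORT_LIVED:
            return "via-director"          # relayed director -> owner, no stub kept
        if (unit, key) in self.forwarders:
            return "forwarder"             # cached owner, director bypassed
        self.forwarders[(unit, key)] = self.owner[key]   # ask the director once, then cache
        return "forwarder-created"

    def fail(self, unit):
        """Unit loss: backup stubs become full flows, stale forwarders are dropped."""
        self.units.remove(unit)
        for key, owner in list(self.owner.items()):
            if owner == unit:
                new_owner = self.backup[key]
                self.owner[key] = new_owner
                self.backup[key] = self._pick_backup(key, new_owner)
        self.forwarders = {(u, k): o for (u, k), o in self.forwarders.items()
                           if u != unit and o != unit}


if __name__ == "__main__":
    sim = ClusterSim(["ASA-1", "ASA-2", "ASA-3"])
    tcp = FlowKey("tcp", "10.1.1.5", 40000, "200.1.5.10", 443)
    print(sim.receive("ASA-2", tcp), sim.receive("ASA-3", tcp), sim.receive("ASA-3", tcp))
    sim.fail("ASA-2")
    print("owner after failure:", sim.owner[tcp])
```

The `fail` method shows why backup stubs must receive connection updates: the promoted unit takes over the flow with no further exchange, while forwarder entries that pointed at the failed owner are discarded and rebuilt on the next packet.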

Slide 14/36
ASA Cluster Configuration :: Additional Features, Terminology, Components

Feature Overview

Cluster Group
Names the cluster and enters cluster configuration mode. The name must be an ASCII string from 1 to 38 characters. You can only configure one cluster group per unit. All members of the cluster must use the same name.

Local Unit
Names this member of the cluster with a unique ASCII string from 1 to 38 characters. Each unit must have a unique name. A unit with a duplicated name will not be allowed in the cluster.

Cluster Interface
Specifies the cluster control link interface, preferably an EtherChannel, and its IP address. This interface cannot have a nameif configured. For each unit, specify a different IP address on the same network.

Console Replicate
Enables console replication from slave units to the master unit. This feature is disabled by default. The ASA prints some messages directly to the console for certain critical events. If you enable console replication, slave units send the console messages to the master unit so you only need to monitor one console port for the cluster.

Health Check
ASA unit health monitoring and interface health monitoring. When you are adding new units to the cluster, and making topology changes on the ASA or the switch, you should disable this feature temporarily until the cluster is complete. You can re-enable this feature after cluster and topology changes are complete.

cLACP System Mac
When using spanned EtherChannels, the ASA uses cLACP to negotiate the EtherChannel with the neighbor switch. ASAs in a cluster collaborate in cLACP negotiation so that they appear as a single (virtual) device to the switch. By default, the ASA uses priority 1, which is the highest priority.

Authentication Key
Sets an authentication key for control traffic on the cluster control link. The shared secret is an ASCII string from 1 to 63 characters. The shared secret is used to generate the key. This command does not affect datapath traffic, including connection state updates and forwarded packets, which are always sent in the clear.

Cluster Priority
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority.
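The limits on this slide (name and key lengths, unique unit names, priority range, one CCL network) are exactly the things worth checking before the `cluster group` stanza is typed on a console port. The following pre-flight validator is an added example written for this page, not a Cisco tool: the limits come from the slide, while the unit records, the management pool size and the rendered stanza layout are constructed to match the two-unit deployment shown later in the guide.

```python
"""Added example: pre-flight validation of ASA cluster group parameters (not Cisco code)."""
import ipaddress


def _ascii_len_ok(s, low, high):
    return isinstance(s, str) and s.isascii() and low <= len(s) <= high


def validate_cluster(group, key, units, mgmt_pool_size=None):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    if not _ascii_len_ok(group, 1, 38):
        problems.append("cluster group name must be ASCII, 1-38 characters")
    if not _ascii_len_ok(key, 1, 63):
        problems.append("authentication key must be ASCII, 1-63 characters")
    if not 2 <= len(units) <= 8:
        problems.append(f"cluster needs 2-8 units, got {len(units)}")
    names = [u["name"] for u in units]
    for n in set(names):
        if names.count(n) > 1:
            problems.append(f"duplicate local-unit name {n!r} (unit would be rejected)")
        if not _ascii_len_ok(n, 1, 38):
            problems.append(f"local-unit name {n!r} must be ASCII, 1-38 characters")
    nets, ips = set(), []
    for u in units:
        if not (isinstance(u["priority"], int) and 1 <= u["priority"] <= 100):
            problems.append(f"{u['name']}: priority must be 1-100 (1 is highest)")
        try:
            iface = ipaddress.ip_interface(f"{u['ccl_ip']}/{u['ccl_mask']}")
        except ValueError:
            problems.append(f"{u['name']}: invalid cluster-interface address")
            continue
        nets.add(iface.network)
        ips.append(iface.ip)
    if len(nets) > 1:
        problems.append("cluster-interface addresses are not all on the same network")
    if len(set(ips)) != len(ips):
        problems.append("cluster-interface addresses must be unique per unit")
    if mgmt_pool_size is not None and mgmt_pool_size < len(units):
        problems.append(f"cluster-pool has {mgmt_pool_size} addresses for {len(units)} units")
    return problems


def render_unit(group, key, unit, ccl_channel=40, system_priority=1):
    """Render the per-unit system-context stanza in the form the slides use."""
    return "\n".join([
        f"cluster group {group}",
        f"  key {key}",
        f"  local-unit {unit['name']}",
        f"  cluster-interface Port-channel{ccl_channel} ip {unit['ccl_ip']} {unit['ccl_mask']}",
        f"  priority {unit['priority']}",
        "  console-replicate",
        "  health-check",
        f"  clacp system-mac auto system-priority {system_priority}",
        "  enable",
    ])


# Constructed sample input matching the two-unit deployment on the slides
UNITS = [
    {"name": "ASA-1", "priority": 1, "ccl_ip": "192.168.1.1", "ccl_mask": "255.255.255.0"},
    {"name": "ASA-2", "priority": 2, "ccl_ip": "192.168.1.2", "ccl_mask": "255.255.255.0"},
]

if __name__ == "__main__":
    print(validate_cluster("ASA-CLUSTER", "example-secret", UNITS, mgmt_pool_size=5))
    for u in UNITS:
        print(render_unit("ASA-CLUSTER", "example-secret", u), end="\n\n")
```

The pool-size check reflects the management slide later in the guide: every unit, master included, consumes one address from the cluster pool, so a pool smaller than the cluster leaves units unreachable individually.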

Slide 15/36
ASA Cluster Configuration :: Quick Start Guide Assumptions

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

Nexus Characteristics: 2-wide N7K Aggregation, FabricPath vPC+, Static Routing & VRFs

Physical View Connectivity Map

Each ASA has two 10GE interfaces connected to each respective Nexus 7K, representing the data plane for the cluster. This is a spanned port-channel (recommended) across the ASA cluster in a single vPC. This is called the Cluster Data Link.

Each ASA has two 10GE interfaces in a local port channel (not spanned or shared across the cluster) called the Cluster Control Link (CCL). The CCL is the same on each ASA and connects to the Nexus 7K via a unique vPC, since these are individual port channels specific to each ASA.

Slide 16/36
ASA Cluster Configuration :: Prep for ASA Attachment :: vPC (Option)

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

[N7K-1]
feature lacp
feature vpc
vlan 10-20, 2000-2999
spanning-tree pathcost method long
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
no spanning-tree loopguard default
spanning-tree vlan 10-20,2000-2999 priority 0
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 4096
  vlan 10-15,2000-2499 designated priority 8192
  vlan 16-20,2500-2999 designated priority 16384
vpc domain 1
  role priority 1
  system-priority 4096
  peer-keepalive destination <peer-mgmt-ip> source <local-mgmt-ip> vrf management
  peer-switch
  peer-gateway
  auto-recovery
  auto-recovery reload-delay <seconds>
  delay restore 30
  ip arp synchronize
interface port-channel 2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-20,2000-2999
  spanning-tree port type network
  vpc peer-link

[N7K-2]
feature lacp
feature vpc
vlan 10-20, 2000-2999
spanning-tree pathcost method long
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
no spanning-tree loopguard default
spanning-tree vlan 10-20,2000-2999 priority 0
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 4096
  vlan 10-15,2000-2499 designated priority 16384
  vlan 16-20,2500-2999 designated priority 8192
vpc domain 1
  role priority 2
  system-priority 4096
  peer-keepalive destination <peer-mgmt-ip> source <local-mgmt-ip> vrf management
  peer-switch
  peer-gateway
  auto-recovery
  auto-recovery reload-delay <seconds>
  delay restore 30
  ip arp synchronize
interface port-channel 2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-20,2000-2999
  spanning-tree port type network
  vpc peer-link

See DS -- vPC for more details

Slide 17/36
ASA Cluster Configuration :: Prep for ASA Attachment :: FabricPath vPC+ (Option)

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

[N7K-1]
feature lacp
feature vpc
install feature-set fabricpath
feature-set fabricpath
vlan 10-20, 2000-2999
  mode fabricpath
fabricpath switch-id 10
fabricpath domain default
  root-priority 255
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 0
vpc domain 1
  role priority 1
  system-priority 4096
  peer-keepalive destination <peer-mgmt-ip> source <local-mgmt-ip> vrf management
  peer-gateway
  auto-recovery
  auto-recovery reload-delay <seconds>
  delay restore 30
  ip arp synchronize
  fabricpath switch-id 1000
interface port-channel 2
  switchport mode fabricpath
  vpc peer-link
interface e3/1, e4/1
  channel-group 2 force mode active

[N7K-2]
feature lacp
feature vpc
install feature-set fabricpath
feature-set fabricpath
vlan 10-20, 2000-2999
  mode fabricpath
fabricpath switch-id 11
fabricpath domain default
  root-priority 254
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 0
vpc domain 1
  role priority 2
  system-priority 4096
  peer-keepalive destination <peer-mgmt-ip> source <local-mgmt-ip> vrf management
  peer-gateway
  auto-recovery
  auto-recovery reload-delay <seconds>
  delay restore 30
  ip arp synchronize
  fabricpath switch-id 1000
interface port-channel 2
  switchport mode fabricpath
  vpc peer-link
interface e3/1, e4/1
  channel-group 2 force mode active

See DS -- FabricPath for more details

Slide 18/36

Step 0 :: enable multi context mode
Step 1 :: validate firewall status is routed
Step 2 :: install & validate Cluster license
Step 3 :: configure ECLB

Perform the configuration steps on the console port of each ASA.

[each ASA]
mode multiple
no firewall transparent
------------------------------------------------------
show activation-key
  Serial Number: ...
  Security Contexts : 10 perpetual
  Cluster : Disabled perpetual
activation-key <activation-key>
show activation-key
  Serial Number: ...
  Security Contexts : 10 perpetual
  Cluster : Enabled perpetual
port-channel load-balance src-dst ip-l4port

Verify the firewall status as routed. If not routed, execute the no firewall transparent command.
ciscoasa(config)# show firewall
Firewall mode: Router

Slide 19/36
ASA Cluster Configuration :: Cluster Control Link

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

Step 0 :: configure cluster interface type
Step 1 :: configure CCL local port channels
Step 2 :: enable clustering

Perform the configuration steps on the console port of each ASA.

[ASA-1, system context] (master)
cluster interface-mode spanned
interface Port-channel 40
  description Clustering Interface
  port-channel load-balance src-dst ip-l4port
interface TenGigabitEthernet 0/8, 0/9
  channel-group 40 mode active
  no nameif
  no security-level
cluster group ASA-CLUSTER
  key <shared-secret>
  local-unit ASA-1
  cluster-interface Port-channel40 ip 192.168.1.1 255.255.255.0
  priority 1
  console-replicate
  health-check holdtime <seconds>
  clacp system-mac auto system-priority 1
  enable

[ASA-2, system context]
cluster interface-mode spanned
interface Port-channel 40
  description Clustering Interface
  port-channel load-balance src-dst ip-l4port
interface TenGigabitEthernet 0/8, 0/9
  channel-group 40 mode active
  no nameif
  no security-level
cluster group ASA-CLUSTER
  key <shared-secret>
  local-unit ASA-2
  cluster-interface Port-channel40 ip 192.168.1.2 255.255.255.0
  priority 2
  enable

[N7K-1] (vPC #1, vPC #2)
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 41
interface port-channel 42
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 42
interface e1/1
  channel-group 41 force mode active
interface e1/2
  channel-group 42 force mode active
vlan 10
  mode fabricpath
  name CLUSTER-CCL

[N7K-2]
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 41
interface port-channel 42
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 42
interface e1/1
  channel-group 41 force mode active
interface e1/2
  channel-group 42 force mode active
vlan 10
  mode fabricpath
  name CLUSTER-CCL

Slide 20/36

Slide 21/36

Step 0 :: enable mtu cluster [system context]
Step 1 :: enable jumbo frame reservation [system context]
Step 2 :: enable jumbo frame on the Nexus aggregation

Perform the configuration steps on the console port of each ASA.

[ASA-1, system context]
mtu cluster 9216
jumbo-frame reservation

[ASA-2, system context]
mtu cluster 9216
jumbo-frame reservation

[N7K]
vlan 10
  mode fabricpath
  name CLUSTER

Slide 22/36
ASA Cluster Configuration :: Cluster Control Link Management Access

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

Step 0 :: allocate management interface [system context]
Step 1 :: configure cluster management [admin context]
Step 2 :: configure cluster host name prompt (optional) [system context]

Perform the configuration steps on the console port of each ASA.

[system context] (master)
interface Management0/0
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
---------------------------------------------------------------
[admin context]
ip local pool mgmt 10.0.0.201-10.0.0.205 mask 255.255.255.0
interface Management0/0
  management-only
  nameif mgmt
  security-level 100
  ip address 10.0.0.200 255.255.255.0 cluster-pool mgmt
route mgmt 0.0.0.0 0.0.0.0 10.0.0.1 1
---------------------------------------------------------------
[system context]
prompt hostname context cluster-unit

In the system context, allocate the management interface Management0/0 to the admin context.

The management interface is configured with a primary IP address, along with a pool of addresses.

The primary management IP address always belongs to the current master unit, while the pool addresses are used to connect to each unit individually. Each unit, including the master, gets a pool address assigned. You can connect to the master through either address, but if a failover occurs, the primary address moves to the new master. In the admin context, configure the management IP addresses.

Display the pool IP addresses :: show ip local pool mgmt

Slide 23/36
ASA Cluster Configuration :: Cluster Data Link

ASA Characteristics: 2-wide ASA cluster, routed mode w/ static routing, multi-context, cluster spanned etherchannel mode

Step 0 :: configure Nexus aggregation port channels
Step 1 :: configure spanned data port channel

[system context] (master)
interface Port-channel26
  description Data Spanned Port-channel
  port-channel load-balance src-dst ip-l4port
  port-channel span-cluster vss-load-balance
interface TenGigabitEthernet 0/6
  description Data Link to N7K-2
  channel-group 26 mode active vss-id 1
interface TenGigabitEthernet 0/5
  description Data Link to N7K-1
  channel-group 26 mode active vss-id 2

[N7K-1] (vPC 26)
feature lacp
feature vpc
interface port-channel 26
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 51, 2011-2012
  spanning-tree port type edge trunk
  no lacp graceful-convergence
  vpc 26
interface e1/4, e1/5
  lacp rate fast
  channel-group 26 force mode active

[N7K-2]
feature lacp
feature vpc
interface port-channel 26
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 51, 2011-2012
  spanning-tree port type edge trunk
  no lacp graceful-convergence
  vpc 26
interface e1/4, e1/5
  lacp rate fast
  channel-group 26 force mode active

It is recommended to configure the following for the best link aggregation and convergence ::
lacp rate fast
no lacp graceful-convergence
spanning-tree port type edge trunk

The N7K aggregation pair data port channel is configured as a single vPC for all ASA units in the cluster. The vPC is configured as a trunk on the N7Ks and as sub interfaces on the ASA units.

The spanned data port channel is configured in the system context. These port channels are shared across all ASA units and act as a single bundle. The N7K aggregation switches see this as a single port channel, each having 4 interfaces configured.

The vss-id x command is used to identify the specific switch in the aggregation pair it connects to.

The port-channel span-cluster vss-load-balance command enables spanning.

Together these commands form the spanned EtherChannel. A spanned EtherChannel requires active LACP negotiation to be configured.

Slide 24/36
Logical Firewall Security Model

Now that we have the network infrastructure built, let's configure a simple yet flexible tenant container. Route summari... This allows flexibility when adding additional server VLANs in any tenant without making any changes to static routes and routing at the aggregation layer. Since the gateways for all VLANs within the VRF are at the aggregation layer, all interfaces are directly connected. No routing protocol is required to distribute routes within a given VRF.

ASA Context Characteristics: Single Tiered Private Zone, 1 outside VLAN, 1 inside VLAN

Nexus Characteristics: 1 VRF (internal private)

Slide 25/36
Logical Firewall Security Model

Step 0 :: create sub interfaces
Step 1 :: create virtual firewall context
Step 2 :: allocate sub interfaces to context
Step 3 :: configure context interfaces
Step 4 :: configure context default route
Step 5 :: configure context static route(s) to server vlans

[system context] (master)
interface Port-channel26
  description Data Spanned Port-channel
  port-channel load-balance src-dst ip-l4port
  port-channel span-cluster vss-load-balance
interface TenGigabitEthernet 0/6
  channel-group 26 mode active vss-id 1
interface TenGigabitEthernet 0/5
  channel-group 26 mode active vss-id 2
interface Port-channel26.51
  vlan 51
interface Port-channel26.2011
  vlan 2011
interface Port-channel26.2012
  vlan 2012
context Tenant_Zone_1
  description Tenant Zone 1 FW Context
  allocate-interface Port-channel26.51
  allocate-interface Port-channel26.2011
  allocate-interface Port-channel26.2012
  config-url disk0:/Tenant_Zone_1.cfg

The data port channel is configured as sub interfaces and allocated to the proper Tenant Zone context as required.

The context has a default route to the outside interface (N7K aggregation), while more specific routes are used to reach servers through the inside interface; those routes use the HSRP address.

This is followed by the security information, which is configured for each context (a subset is shown here).

Port-channel26.51 is used for inband management (in this example).

[Tenant Zone 1 context]
hostname Tenant_Zone_1
interface Port-channel26.51
  description Mgmt Vlan
  management-only
  nameif mgmt
  security-level 0
  ip address 200.1.51.2 255.255.255.0
interface Port-channel26.2011
  description Tenant Zone 1 OUTSIDE Vlan
  nameif outside
  security-level 10
  ip address 200.1.1.11 255.255.255.0
interface Port-channel26.2012
  description Tenant Zone 1 INSIDE Vlan
  nameif inside
  security-level 100
  ip address 200.1.2.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.253
route inside 200.1.5.0 255.255.255.0 200.1.2.253 1

Slide 26/36

Step 0 :: create firewall outside VLAN SVI and HSRP

[N7K-1]
ip route 200.1.5.0/24 200.1.1.11
interface Vlan2011
  description Tenant Zone 1 OUTSIDE Vlan
  mtu 9216
  no ip redirects
  ip address 200.1.1.251/24
  hsrp 1
    ip 200.1.1.253
ip prefix-list static2ospf seq 10 permit 200.0.0.0/10 le 24
route-map direct2ospf permit 10
  match ip address prefix-list static2ospf
router ospf 1
  router-id <router-id>
  redistribute static route-map direct2ospf


[N7k-1]
vrf context Tenant_Zone_1
 ip route 0.0.0.0/0 200.1.2.11
interface Vlan2012
 description Tenant Zone 1 INSIDE Vlan
 mtu 9216
 vrf member Tenant_Zone_1
 no ip redirects
 ip address 200.1.2.251/24
 hsrp 1
  ip 200.1.2.253
interface Vlan2013
 description Tenant Zone 1 Server Vlan

[N7k-2]
vrf context Tenant_Zone_1
 ip route 0.0.0.0/0 200.1.2.11
interface Vlan2012
 description Tenant Zone 1 INSIDE Vlan
 mtu 9216
 vrf member Tenant_Zone_1
 no ip redirects
 ip address 200.1.2.252/24
 hsrp 1
  ip 200.1.2.253
interface Vlan2013
 description Tenant Zone 1 Server Vlan


[N7k-1]
vrf context Tenant_Zone_1
 ip route 0.0.0.0/0 200.1.2.11
 ip route 200.1.112.0/24 200.1.2.50

[N7k-2]
vrf context Tenant_Zone_1
 ip route 0.0.0.0/0 200.1.2.11
 ip route 200.1.112.0/24 200.1.2.50

Logical Firewall Security Model

Load Balancer vendor selection or configuration is outside the scope of this document.

[Tenant Zone 1 context]
route outside 0.0.0.0 0.0.0.0 200.1.1.253 1
route inside 200.1.3.0 255.255.255.0 200.1.2.253 1
route inside 200.1.111.0 255.255.255.0 200.1.2.253 1

On the firewall context, add a specific route to reach the load balancer through the inside interface towards the Nexus aggregation HSRP address.
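The hand-off described above has two rules that are easy to get wrong by hand: every ASA context route must point at the Nexus HSRP VIP (never at one switch's physical SVI address), and every Nexus route must hand traffic to the ASA interface on that side. The check below is an added example, not part of the QSG or any Cisco tool; both configs are constructed from this page's addressing, and VRF and tenant names are ignored by the parser.

```python
# Added example, not from the Cisco QSG: cross-check the ASA context <-> Nexus aggregation hand-off.
import ipaddress as ipa  # both configs below are constructed from the values shown on this page
ASA_CTX = """interface Port-channel26.2011
 nameif outside
 ip address 200.1.1.11 255.255.255.0
interface Port-channel26.2012
 nameif inside
 ip address 200.1.2.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.253 1
route inside 200.1.3.0 255.255.255.0 200.1.2.253 1"""
N7K = """ip route 200.1.3.0/24 200.1.1.11
vrf context Tenant_Zone_1
 ip route 0.0.0.0/0 200.1.2.11
interface Vlan2011
 ip address 200.1.1.251/24
 hsrp 1
  ip 200.1.1.253
interface Vlan2012
 ip address 200.1.2.251/24
 hsrp 1
  ip 200.1.2.253"""
def parse_asa(cfg):  # -> {nameif: interface}, [(nameif, dst_net, next_hop)]
    ifs, routes, cur = {}, [], None
    for t in (l.strip() for l in cfg.splitlines()):
        if t.startswith("nameif "):
            cur = t.split()[1]
        elif t.startswith("ip address ") and cur:
            ifs[cur] = ipa.ip_interface("/".join(t.split()[2:4]))
        elif t.startswith("route "):
            n, dst, mask, nh = t.split()[1:5]
            routes.append((n, ipa.ip_network(f"{dst}/{mask}"), ipa.ip_address(nh)))
    return ifs, routes
def parse_nxos(cfg):  # -> {svi_network: hsrp_vip}, [(dst_net, next_hop)]; VRF names ignored
    vips, routes, net = {}, [], None
    for t in (l.strip() for l in cfg.splitlines()):
        if t.startswith("ip address "):
            net = ipa.ip_interface(t.split()[2]).network
        elif t.startswith("ip route "):
            routes.append((ipa.ip_network(t.split()[2]), ipa.ip_address(t.split()[3])))
        elif t.startswith("ip ") and net:  # the "ip <vip>" line under "hsrp <group>"
            vips[net] = ipa.ip_address(t.split()[1])
    return vips, routes
def check_handoff(asa_cfg, nxos_cfg):  # -> list of findings; empty means consistent
    (ifs, aroutes), (vips, nroutes) = parse_asa(asa_cfg), parse_nxos(nxos_cfg)
    out = [f"{n} route {d}: {nh} is not the HSRP VIP"  # ASA must use the VIP, not a physical SVI
           for n, d, nh in aroutes if vips.get(ifs[n].network) != nh]
    for dst, nh in nroutes:  # VRF default route -> ASA inside; server subnets -> ASA outside
        want = ifs["inside" if dst.prefixlen == 0 else "outside"].ip
        if nh != want:
            out.append(f"nexus route {dst}: next hop {nh}, expected ASA {want}")
    return out
```

Pointing the ASA default route at 200.1.1.251 (the N7k-1 SVI) instead of the VIP is reported as a finding; the N7k-2 configuration can be checked the same way by passing its text.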


ASA Cluster Configuration
Show Commands

Here are some helpful commands executed in the system context on the master unit:

- Shows the cluster status -- show cluster info
- Shows cluster wide connection distribution -- show cluster info conn-distribution
- Shows cluster wide packet distribution -- show cluster info packet-distribution
- Clear asp counters -- cluster exec clear asp drop
- Show asp counters. Helpful to isolate drops -- cluster exec show asp drop
- Shows the port channel summary on all units in the cluster -- cluster exec show port-channel summary
- Shows all connections across the cluster. This command can show how traffic for a single flow arrives at different ASAs in the cluster -- cluster exec show conn
- Shows connection detail for a particular flow across all units in the cluster. Note, this needs to be executed in a context that is handling the flow -- cluster exec show conn detail address <x.x.x.x>
- Show the unique MAC for the entire cluster that will be used for the LACP partner -- show lacp cluster system-id
- Show the cluster system MAC (automatically generated) -- show lacp cluster system-mac

Commands executed in the admin context on the master unit:

- Display the pool IP addresses -- show ip local pool mgmt


- Clustering is best enabled in a specific, phased manner. To reduce the potential for errors, enable the CCL first and bring up the cluster before adding the remaining configuration. At a minimum, an active cluster control link network is required before you configure the units to join the cluster; this includes the upstream and downstream equipment port channels.
- When configuring clustering you need to select the cluster interface mode first, as it will clear the existing configuration and force a reboot. It is recommended to use spanned EtherChannel.
- A console connection is always required to enable or disable clustering.
- Cluster control link bandwidth should match or exceed the highest available bandwidth of data interfaces on a single cluster unit.


- It is recommended that spanning tree port type edge or edge trunk is configured on the aggregation switch interfaces connecting to the cluster control and data interfaces. If this is not enabled, initial synchronization communication between ASA units in the cluster could fail and connections might be dropped.
- Use the same port channel load balancing hash algorithm between the ASA and Nexus 7000 (src-dst ip-l4port). Do not use the vlan keyword in the load balance algorithm because it can cause unevenly distributed traffic to the ASAs in a cluster.


ASA Cluster Configuration
Additional

External (public) ASA Clustering within VMDC Architecture
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/ASA_Cluster/ASA_Cluster.html

VMDC (Virtual Multi-Service Data Center) 3.0.1 Implementation Guide
http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/3.0.1/IG/VMDC301_IG1.html

ASA 5500 Configuration Guides
http://www.cisco.com/en/US/partner/products/ps6120/products_installation_and_configuration_guides_list.html

Configure a Cluster of ASAs (version 9.1 code)
http://www.cisco.com/en/US/partner/docs/security/asa/asa91/configuration/general/ha_cluster.html

Nexus 7000 Configuration Guides
http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html
