ASA Cluster On Nexus v1.6.2
This Quick Start Guide (QSG) is a cookbook-style guide to deploying data center
technologies, with end-to-end configurations for several commonly deployed architectures.
Cisco recommended
Commonly deployed and typical firewall attachment model
ASA configured for port channels connected via vPC or vPC+
External and internal traffic traverse the same port channel to the firewall
Insertion point at the aggregation layer (Nexus 7000)
10GE interfaces
[Diagram: the same firewall illustrated, alternative view. Labels: Static Routing; Dynamic Routing: no dynamic routing supported over vPC or vPC+]
Tenant Containers
Private
Public
Shared Services DMZ
N-Tier Application Segmentation
Rigorous Separation
High Security Use Cases
DoD / Federal Government
Dedicated VRF per Tier
Tenants mapped to unique firewall context
[Diagram: n-node ASA Cluster (one CL Master and three CL Slaves) attached to a vPC Domain (vPC or vPC+ supported) with a Peer-Link between the Nexus pair. Data plane: spanned Po100 on every ASA terminating in vPC 100. Cluster control link: local Po50 on each ASA terminating in its own vPC (vPC 10, 20, 30, 40).]
Overview
The CCL carries control plane information between the cluster members; flows are also
redirected across the CCL. To configure the CCL, configure a local port channel with the same
channel identifier on each firewall and connect each one to a separate vPC on the corresponding
Nexus 7000s. All CCL links are part of the same access VLAN.
The most important difference in implementing the cluster data plane is the configuration of a
"spanned port channel (cLACP)" on the firewall. This is necessary because only one port-channel/vPC pair is used in the data plane. To provide channel consistency and seamless operation
between both sides, a logical port-channel construct must be configured across all
members of the ASA cluster. The data link is a trunk port for all the inside and outside VLANs.
The ASA uses a logical link aggregation construct called the Cluster Link Aggregation Control Protocol
(cLACP). It extends standard LACP to multiple devices so that an EtherChannel can be spanned across the cluster. cLACP allows link aggregation between
one switch, or a pair of switches, and multiple (more than two) ASAs in a cluster.
Each ASA uses only two interfaces in a local port channel for the CCL, meaning it is not spanned or shared across
the cluster. The local port channel (a vPC on the Nexus side) provides local redundancy should a
single cluster control link be lost.
LACP
LACP (Link Aggregation Control Protocol) :: This is the protocol the ASA runs to negotiate the
EtherChannel with the adjacent switch. For clustering, all ASAs share one instance of LACP, so
that the adjacent switch considers the cluster of ASAs as one logical device.
Master
The ASA Cluster elects a master unit that designates which unit responds to the cluster management
address and which unit is used for configuration replication. All configuration is performed on the
master unit. Hard set the master via the priority command.
Slave
All other members in the cluster are slave units. Hard set the slaves accordingly via the priority
command.
Overview
Owner Role
Director Role
Forwarder Role
Overview
Cluster Connection
(Owner Flow)
The owner flow is the actual connection that passes the traffic. We cannot know in advance which unit in the cluster
will "own" a flow, since whichever ASA receives the first packet of the flow becomes the owner.
Only TCP and UDP flows send logical flow updates to the stub flow (and possibly the director stub
flow).
Cluster Connection
(Forwarding Stub Flow)
If a unit receives a packet for a flow that it does not own, it contacts the director of that flow to learn
which unit owns the flow. Once it knows this, it creates and maintains a forwarder flow, which is
then used to forward any packets it receives on that connection directly to the owner, bypassing the
director. Forwarder flows do not receive Link Updates (LUs), since they are just forwarding the packets
and do not track state. Short-lived flows such as DNS and ICMP do not get forwarder flows; the
unit receiving the packets for those connections simply forwards them to the director, which forwards
them to the owner, and the director does not reply to the forwarding unit asking it to create a
forwarder flow.
Cluster Connection
(Backup Stub Flow)
Based on the flow's characteristics, all units can derive the Director unit for the flow. The director unit
typically maintains the stub (or backup) flow, which can become the full flow in the case the flow's
owner unit fails, and also be used to redirect units towards the flow's owner unit if they receive packets
for the flow. Backup flows receive conn updates to keep them up-to-date in case the owner fails and
the stub flow needs to become the full flow.
Cluster Connection
(Stub or Backup Director
Flow)
If the director chosen for the flow is also the owner (meaning the director received the first packet in
the flow) then it can't be its own backup. Therefore a 'director backup' flow will be created, and a
second hash table will be used to track this. Obviously this director backup flow will receive LUs, since
it needs to be ready to take over if the director/owner fails.
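The owner, director, forwarder and backup roles described above, as an added Python simulation (not code from the ASA, from Cisco or from this guide): four constructed units, a CRC32 over the flow tuple standing in for the ASA's undisclosed director hash, and constructed flows. It shows which unit ends up with which table entry, the path a packet takes when it arrives at a non-owner, why a forwarder flow is created for TCP but not for DNS/ICMP, which unit holds the director-backup stub when the director is also the owner, and which entries receive state updates.

```python
"""ASA cluster flow roles (owner, director, forwarder, backup stubs).

Added example, not code from the ASA, Cisco or this guide. The unit
names, flows and the CRC32 used to derive the director are constructed;
the real ASA director hash is not published here.
"""
from dataclasses import dataclass, field
import zlib

UNITS = ["ASA-1", "ASA-2", "ASA-3", "ASA-4"]   # constructed 4-node cluster
SHORT_LIVED = {"udp/53", "icmp"}               # DNS and ICMP: no forwarder flow
UPDATED_ROLES = ("owner", "backup-stub", "director-backup-stub")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # e.g. "tcp/443", "udp/53", "icmp"


def director_for(flow, units=UNITS):
    """Every unit derives the same director from the flow's characteristics.
    Assumption: CRC32 of the tuple stands in for the ASA's hash."""
    key = f"{flow.src}|{flow.dst}|{flow.proto}".encode()
    return units[zlib.crc32(key) % len(units)]


@dataclass
class Cluster:
    units: list = field(default_factory=lambda: list(UNITS))
    tables: dict = field(default_factory=dict)   # {unit: {flow: role}}

    def __post_init__(self):
        self.tables = {u: {} for u in self.units}

    def first_packet(self, flow, arriving_at):
        """Whichever unit sees the first packet owns the flow. The director
        keeps a backup stub unless it is the owner itself, in which case a
        director-backup stub is placed on another unit. Returns the director."""
        self.tables[arriving_at][flow] = "owner"
        director = director_for(flow, self.units)
        if director != arriving_at:
            self.tables[director][flow] = "backup-stub"
        else:
            nxt = self.units[(self.units.index(director) + 1) % len(self.units)]
            self.tables[nxt][flow] = "director-backup-stub"
        return director

    def owner_of(self, flow):
        return next((u for u, t in self.tables.items() if t.get(flow) == "owner"), None)

    def packet(self, flow, arriving_at):
        """Path (list of units) a later packet of the flow takes."""
        owner = self.owner_of(flow)
        if owner is None:
            raise ValueError("unknown flow; call first_packet() first")
        role = self.tables[arriving_at].get(flow)
        if role == "owner":
            return [arriving_at]
        if role == "forwarder":
            return [arriving_at, owner]          # straight to the owner, director bypassed
        director = director_for(flow, self.units)
        path = [arriving_at]
        if director not in (arriving_at, owner):
            path.append(director)                # ask the director who owns the flow
        path.append(owner)
        if flow.proto not in SHORT_LIVED and arriving_at != director:
            self.tables[arriving_at][flow] = "forwarder"   # remembered for later packets
        return path

    def receives_updates(self, unit, flow):
        """Only the full flow and the backup stubs get connection state updates."""
        return self.tables[unit].get(flow) in UPDATED_ROLES


if __name__ == "__main__":
    c = Cluster()
    f = Flow("10.1.1.5", "200.1.3.10", "tcp/443")
    d = director_for(f)
    owner = next(u for u in UNITS if u != d)
    c.first_packet(f, owner)
    other = next(u for u in UNITS if u not in (d, owner))
    print("director:", d, "owner:", owner)
    print("first packet at", other, "->", c.packet(f, other))
    print("next packet at", other, "->", c.packet(f, other))
```

The forwarder entry is what makes the second call shorter: after one round trip through the director, the non-owner sends later packets of the TCP flow straight to the owner, while a DNS or ICMP flow keeps going through the director every time.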
Overview
Cluster Group
Names the cluster and enters cluster configuration mode. The name must be an ASCII string from 1 to 38
characters. You can only configure one cluster group per unit. All members of the cluster must use the
same name.
Local Unit
Names this member of the cluster with a unique ASCII string from 1 to 38 characters. Each unit must have
a unique name; a unit with a duplicate name will not be allowed into the cluster.
Cluster Interface
Specifies the cluster control link interface, preferably an EtherChannel, together with its IP address. This
interface cannot have a nameif configured. For each unit, specify a different IP address on the same
network.
Console Replicate
Enables console replication from slave units to the master unit. This feature is disabled by default. The ASA
prints out some messages directly to the console for certain critical events. If you enable console
replication, slave units send the console messages to the master unit so you only need to monitor one
console port for the cluster.
Health Check
Enables ASA unit health monitoring and interface health monitoring. When you are adding new units to the cluster,
or making topology changes on the ASA or the switch, disable this feature temporarily until the
cluster is complete. Re-enable it after the cluster and topology changes are complete.
When using spanned EtherChannels, the ASA uses cLACP to negotiate the EtherChannel with the
neighbor switch. ASAs in a cluster collaborate in cLACP negotiation so that they appear as a single (virtual)
device to the switch. By default, the ASA uses cLACP system priority 1, which is the highest priority.
Authentication Key
Sets an authentication key for control traffic on the cluster control link. The shared secret is an ASCII string
from 1 to 63 characters. The shared secret is used to generate the key. This command does not affect
datapath traffic, including connection state update and forwarded packets, which are always sent in the
clear.
Cluster Priority
Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority.
ASA Characteristics
2-wide ASA cluster
routed mode w/ static routing
multi-context
cluster spanned etherchannel mode
Nexus Characteristics
2-wide 7k Aggregation
FabricPath vPC+
Static Routing & VRFs
Each ASA has two 10GE interfaces, one connected to each Nexus 7K, which form the data plane for the
cluster. They are members of a spanned port channel (recommended) across the ASA cluster that terminates in a single vPC. This is called the
Cluster Data Link.
Each ASA also has two 10GE interfaces in a local port channel (not spanned or shared across the cluster) called the Cluster
Control Link (CCL). The CCL configuration is the same on each ASA, but each ASA's CCL connects to the Nexus 7Ks via its own unique vPC, since these
are individual port channels specific to each ASA.
2013 Cisco and/or its affiliates. All rights reserved.
Nexus 7000 aggregation pair, vPC configuration:

[N7k-1]
feature lacp
feature vpc
vlan 10-20,2000-2999
spanning-tree pathcost method long
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
no spanning-tree loopguard default
spanning-tree vlan 10-20,2000-2999 priority 0
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 4096
  vlan 10-15,2000-2499 designated priority 8192
  vlan 16-20,2500-2999 designated priority 16384
vpc domain 1
  role priority 1
  system-priority 4096
  peer-keepalive destination [.] source [.] vrf management
  peer-switch
  peer-gateway
  auto-recovery
  auto-recovery reload-delay
  delay restore 30
  ip arp synchronize
interface port-channel 2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-20,2000-2999
  spanning-tree port type network
  vpc peer-link

[N7k-2]
feature lacp
feature vpc
vlan 10-20,2000-2999
spanning-tree pathcost method long
spanning-tree port type edge bpduguard default
spanning-tree port type edge bpdufilter default
no spanning-tree loopguard default
spanning-tree vlan 10-20,2000-2999 priority 0
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 4096
  vlan 10-15,2000-2499 designated priority 16384
  vlan 16-20,2500-2999 designated priority 8192
vpc domain 1
  role priority 2
  system-priority 4096
  peer-keepalive destination [.] source [.] vrf management
  peer-switch
  peer-gateway
  auto-recovery
  auto-recovery reload-delay
  delay restore 30
  ip arp synchronize
interface port-channel 2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-20,2000-2999
  spanning-tree port type network
  vpc peer-link
Nexus 7000 aggregation pair, FabricPath vPC+ configuration:

[N7k-1]
feature lacp
feature vpc
install feature-set fabricpath
feature-set fabricpath
vlan 10-20,2000-2999
  mode fabricpath
fabricpath switch-id 10
fabricpath domain default
  root-priority 255
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 0
vpc domain 1
  role priority 1
  system-priority 4096
  peer-keepalive destination [.] source [.] vrf management
  peer-gateway
  auto-recovery
  auto-recovery reload-delay
  delay restore 30
  ip arp synchronize
  fabricpath switch-id 1000
interface port-channel 2
  switchport mode fabricpath
  vpc peer-link
interface e3/1 , e4/1
  channel-group 2 force mode active

[N7k-2]
feature lacp
feature vpc
install feature-set fabricpath
feature-set fabricpath
vlan 10-20,2000-2999
  mode fabricpath
fabricpath switch-id 11
fabricpath domain default
  root-priority 254
spanning-tree pseudo-information
  vlan 10-20,2000-2999 root priority 0
vpc domain 1
  role priority 2
  system-priority 4096
  peer-keepalive destination [.] source [.] vrf management
  peer-gateway
  auto-recovery
  auto-recovery reload-delay
  delay restore 30
  ip arp synchronize
  fabricpath switch-id 1000
interface port-channel 2
  switchport mode fabricpath
  vpc peer-link
interface e3/1 , e4/1
  channel-group 2 force mode active
ASA preparation, performed on each ASA (ASA-1 and ASA-2):

mode multiple
no firewall transparent

show activation-key
Serial Number: JMX1232L11M
...
Security Contexts : 10 perpetual
Cluster : Disabled perpetual

activation-key ab42d738 a03b23fc 1bd3c87e d4d4c6d4 4e99ecbb

show activation-key
Serial Number: JMX1232L11M
...
Security Contexts : 10 perpetual
Cluster : Enabled perpetual

port-channel load-balance src-dst ip-l4port

Verify the firewall is in routed mode. If it is not routed, execute the no firewall transparent command.
ciscoasa (config)# show firewall
Firewall mode: Router
Enabling multi-context mode will force a reload; perform this on all the ASAs.
The clustering feature requires a specific license and code version 9.0.1 or greater. If you don't have
the proper license installed, refer to the Managing Feature Licenses for Cisco ASA version 9.0 guide:
http://www.cisco.com/en/US/docs/security/asa/asa90/license/license_management/license.html
ASA-1 (master) [system context]

Step 1 :: configure cluster interface type
cluster interface-mode spanned

Step 2 :: configure CCL local port channels
interface Port-channel 40
 description Clustering Interface
 port-channel load-balance src-dst ip-l4port
interface TenGigabitEthernet 0/8, 0/9
 channel-group 40 mode active
 no nameif
 no security-level

Step 3 :: enable clustering
cluster group ASA-CLUSTER
 key Cisc0!
 local-unit ASA-1
 cluster-interface Port-channel40 ip 192.168.1.1 255.255.255.0
 priority 1
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable

ASA-2 [system context]
cluster interface-mode spanned
interface Port-channel 40
 description Clustering Interface
 port-channel load-balance src-dst ip-l4port
interface TenGigabitEthernet 0/8, 0/9
 channel-group 40 mode active
 no nameif
 no security-level
cluster group ASA-CLUSTER
 key Cisc0!
 local-unit ASA-2
 cluster-interface Port-channel40 ip 192.168.1.2 255.255.255.0
 priority 2
 enable

[N7k-1] and [N7k-2] (identical; vPC 41 and vPC 42 each terminate one ASA's Port-channel 40)
vlan 10
  mode fabricpath
  name CLUSTER-CLL
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 41
interface e1/1
  channel-group 41 force mode active
interface port-channel 42
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 42
interface e1/2
  channel-group 42 force mode active
NOTES
Recommend you use a Ten Gigabit Ethernet interface for the cluster control link.
The recommended method is to use a spanned EtherChannel. When configured, if the ASA detects any
incompatibilities, it clears them from the configuration and forces a reload. This needs to be executed on each
unit.
Each ASA communicates with the others across this common VLAN to form the cluster, update state information
and pass data (when necessary).
The port channel configurations for 41, 42 on aggregation switch N7k-1 map to port-channel 40 on each ASA. The
aggregation switch N7k-2 is configured the same, with the only difference being that it physically connects to a
different port (0/8) on each ASA. It is recommended to configure spanning-tree port type edge for the port-channels.
Port channel 40 is configured on each ASA and maps to 41, 42 on each N7k. The CCL interface configuration is
not replicated from the master unit to slave units; however, you must use the same configuration on each unit.
Ports te0/8 and te0/9 will be used for the CCL port-channel on each unit.
The ASA is actively negotiating LACP on the channel. This is another best practice; make sure all interfaces
participating in channeling are actively using LACP. Also note there is no nameif or security-level configuration on
the physical interfaces or the logical interface, since this is being used for the clustering control plane only.
All members of the cluster must share the same cluster group name and key, if configured. The local-unit name,
cluster-interface IP address and priority value need to be unique for each unit in the cluster. The cluster master
unit is determined by the priority setting, between 1 and 100, where 1 is the highest priority.
Console-replicate is an optional command that allows slave units to replicate console messages
to the master, since we spend most of our time on the master for configuration and
troubleshooting purposes.
The enable command at the end of the cluster configuration starts cluster mode.
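A consistency check for the per-unit cluster configuration, added here as an example (not Cisco's or the guide's code). It parses the cluster group block and the system-context cluster interface-mode and mtu cluster lines from each unit and reports the conditions the notes above require: the same group name and key on every unit; a unique local-unit name, cluster-interface address and priority; addresses on one subnet; priority within 1 to 100; the same CCL interface and cluster MTU; and the enable at the end. The unit configurations are constructed from the guide's values, with a deliberately inconsistent second unit for the failing case.

```python
"""Consistency check of the ASA cluster configuration across units.

Added example, not Cisco's or the guide's code. It parses the 'cluster
group' block plus the system-context 'cluster interface-mode' and 'mtu
cluster' lines of each unit and reports what the notes above require.
All unit configurations below are constructed.
"""
import ipaddress
import re

ASA1 = """\
cluster interface-mode spanned
mtu cluster 9216
cluster group ASA-CLUSTER
 key Cisc0!
 local-unit ASA-1
 cluster-interface Port-channel40 ip 192.168.1.1 255.255.255.0
 priority 1
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
"""

ASA2_GOOD = """\
cluster interface-mode spanned
mtu cluster 9216
cluster group ASA-CLUSTER
 key Cisc0!
 local-unit ASA-2
 cluster-interface Port-channel40 ip 192.168.1.2 255.255.255.0
 priority 2
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
"""

# constructed failing case: duplicate name and priority, CCL address on a
# different subnet, and a cluster MTU that does not match ASA-1
ASA2_BAD = """\
cluster interface-mode spanned
mtu cluster 1500
cluster group ASA-CLUSTER
 key Cisc0!
 local-unit ASA-1
 cluster-interface Port-channel40 ip 192.168.2.2 255.255.255.0
 priority 1
 enable
"""


def _prefixlen(mask):
    """Dotted netmask -> prefix length (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_unit(config):
    """Extract the cluster-relevant fields from one unit's configuration."""
    unit = {"enabled": False}
    in_group = False
    top_level = [("interface_mode", r"cluster interface-mode (\S+)"),
                 ("mtu_cluster", r"mtu cluster (\d+)"),
                 ("group", r"cluster group (\S+)")]
    in_block = [("key", r"key (\S+)"),
                ("local_unit", r"local-unit (\S+)"),
                ("priority", r"priority (\d+)")]
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            in_group = False              # an unindented line ends the group block
        for name, pat in top_level:
            m = re.fullmatch(pat, line)
            if m:
                unit[name] = m.group(1)
                in_group = in_group or name == "group"
        if not in_group:
            continue
        for name, pat in in_block:
            m = re.fullmatch(pat, line)   # fullmatch keeps 'system-priority 1' out of 'priority'
            if m:
                unit[name] = m.group(1)
        m = re.fullmatch(r"cluster-interface (\S+) ip (\S+) (\S+)", line)
        if m:
            unit["ccl_if"] = m.group(1)
            unit["ccl_addr"] = ipaddress.ip_interface(f"{m.group(2)}/{_prefixlen(m.group(3))}")
        if line == "enable":
            unit["enabled"] = True
    for name in ("mtu_cluster", "priority"):
        if name in unit:
            unit[name] = int(unit[name])
    return unit


def check_cluster(configs):
    """configs: {unit label: configuration text}. Returns a list of findings;
    an empty list means the units are consistent."""
    units = {label: parse_unit(cfg) for label, cfg in configs.items()}
    findings = []
    # values that must be identical on every unit (the key is compared, never printed)
    for name in ("group", "key", "interface_mode", "ccl_if", "mtu_cluster"):
        if len({u.get(name) for u in units.values()}) != 1:
            findings.append(f"{name} differs across units")
    # values that must be unique per unit
    for name in ("local_unit", "priority"):
        seen = {}
        for label, u in units.items():
            seen.setdefault(u.get(name), []).append(label)
        for value, labels in seen.items():
            if len(labels) > 1:
                findings.append(f"duplicate {name} {value!r} on {labels}")
    addrs = [u["ccl_addr"] for u in units.values() if "ccl_addr" in u]
    if len({a.ip for a in addrs}) != len(addrs):
        findings.append("duplicate cluster-interface IP address")
    if len({a.network for a in addrs}) != 1:
        findings.append("cluster-interface addresses are not on one subnet")
    for label, u in units.items():
        if not 1 <= u.get("priority", 0) <= 100:
            findings.append(f"{label}: priority must be 1-100")
        if not u["enabled"]:
            findings.append(f"{label}: cluster group is not enabled")
    return findings


if __name__ == "__main__":
    print("good pair:", check_cluster({"ASA-1": ASA1, "ASA-2": ASA2_GOOD}))
    print("bad pair:", check_cluster({"ASA-1": ASA1, "ASA-2": ASA2_BAD}))
```

Because the CCL block is not replicated between units, this is the kind of cross-unit comparison that has to be done from outside the cluster; the key is compared for equality but never written into a finding.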
Jumbo frames on the cluster control link:

[system context] (on each ASA)
mtu cluster 9216
jumbo-frame reservation

[N7k-1] and [N7k-2] (identical)
vlan 10
  mode fabricpath
  name CLUSTER-CLL
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  mtu 9216
  no lacp graceful-convergence
  vpc 41
interface port-channel 42
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  mtu 9216
  no lacp graceful-convergence
  vpc 42
interface e1/1
  channel-group 41 force mode active
  mtu 9216
interface e1/2
  channel-group 42 force mode active
  mtu 9216
master [system context]
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

[admin context]
ip local pool mgmt 10.0.0.201-10.0.0.207 mask 255.255.255.0
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 10.0.0.200 255.255.255.0 cluster-pool mgmt
route mgmt 0.0.0.0 0.0.0.0 10.0.0.1 1

[system context]
prompt hostname context cluster-unit

In the system context, allocate the management interface (Management0/0) to the admin context.
The management interface is configured with a primary IP address along with a pool of addresses.
The primary management IP address always belongs to the current master unit, while the pool addresses
are used to connect to each unit individually. Each unit, including the master, gets a pool address assigned.
You can connect to the master through either address, but if a failover occurs, the primary address
moves to the new master. In the admin context, configure the management IP addresses.
Cluster data link:

master [system context]
interface TenGigabitEthernet 0/7
 description Data Link to N7k-1
 channel-group 26 mode active vss-id 2

[N7k-1] and [N7k-2] (identical, vPC 26)
feature lacp
feature vpc
interface port-channel 26
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 51,2011,2012
  spanning-tree port type edge trunk
  no lacp graceful-convergence
  vpc 26
interface e1/4, e1/5
  lacp rate fast
  channel-group 26 force mode active

It is recommended to configure the following for the best link aggregation and convergence ::
lacp rate fast
no lacp graceful-convergence
spanning-tree port type edge trunk
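A check of the Nexus-side attachment against the settings this guide uses on the cluster control link port-channels (the jumbo-frame section above: mtu 9216 on the port-channel and its members, matching mtu cluster 9216 on the ASA) and on the data-link port-channel (the recommendation just above: lacp rate fast, no lacp graceful-convergence, spanning-tree port type edge trunk), added here as an example that is not Cisco's or the guide's code. The parser and both switch configurations are constructed. Two scoping decisions are this example's assumptions: a vPC number equal to its port-channel number is treated as the expected convention, taken from the guide's numbering (vpc 41 on Po41, vpc 26 on Po26), and the lacp rate fast check is applied only to the trunked data link, where the guide recommends it.

```python
"""Best-practice check of the Nexus side of the ASA cluster attachment.

Added example, not Cisco's or the guide's code. It parses a constructed
NX-OS configuration into interface blocks and, for every port-channel
that carries a 'vpc <n>' line, checks the settings this guide uses.
"""
import re
from collections import defaultdict

CCL_VLAN = "10"        # the CLUSTER-CLL access VLAN in the guide
CLUSTER_MTU = 9216     # must equal 'mtu cluster 9216' on the ASA

# constructed: the guide's CCL (Po41) and data-link (Po26) settings on one switch
GOOD = """\
vlan 10
  mode fabricpath
  name CLUSTER-CLL
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  mtu 9216
  no lacp graceful-convergence
  vpc 41
interface port-channel 26
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 51,2011,2012
  spanning-tree port type edge trunk
  no lacp graceful-convergence
  vpc 26
interface e1/1
  channel-group 41 force mode active
  mtu 9216
interface e1/4, e1/5
  lacp rate fast
  channel-group 26 force mode active
"""

# constructed: the same attachment with several of those settings missing or wrong
BAD = """\
interface port-channel 41
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  vpc 41
interface port-channel 26
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 51,2011,2012
  spanning-tree port type edge
  no lacp graceful-convergence
  vpc 27
interface e1/1
  channel-group 41 force mode on
  mtu 9216
interface e1/4, e1/5
  channel-group 26 force mode active
"""


def parse_interfaces(config):
    """Map each interface name to its indented configuration lines.
    'interface e1/4, e1/5' applies the block to both members."""
    blocks = defaultdict(list)
    current = []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = [n.strip() for n in raw[len("interface "):].split(",")]
        elif raw.startswith(" ") and current:
            for name in current:
                blocks[name].append(raw.strip())
        else:
            current = []                     # any other top-level line ends the block
    return blocks


def check_switch(config):
    """Return findings for every vPC member port-channel; empty means compliant."""
    ifs = parse_interfaces(config)
    findings = []
    for name, lines in ifs.items():
        m = re.match(r"port-channel\s*(\d+)$", name)
        if not m:
            continue
        po = int(m.group(1))
        vpc = next((int(l.split()[1]) for l in lines if re.match(r"vpc \d+$", l)), None)
        if vpc is None:
            continue                         # not a vPC member: out of scope
        if vpc != po:
            findings.append(f"Po{po}: vpc {vpc} does not follow the Po-number convention")
        if "no lacp graceful-convergence" not in lines:
            findings.append(f"Po{po}: missing 'no lacp graceful-convergence'")
        trunk = "switchport mode trunk" in lines
        want = "spanning-tree port type edge trunk" if trunk else "spanning-tree port type edge"
        if want not in lines:
            findings.append(f"Po{po}: missing '{want}'")
        members = [n for n, ls in ifs.items()
                   if any(re.match(rf"channel-group {po}\b", l) for l in ls)]
        if not members:
            findings.append(f"Po{po}: no member interfaces")
        for mem in members:
            mls = ifs[mem]
            if not any(re.match(rf"channel-group {po}\b.*mode active", l) for l in mls):
                findings.append(f"{mem}: channel-group {po} is not 'mode active'")
            if trunk and "lacp rate fast" not in mls:
                findings.append(f"{mem}: missing 'lacp rate fast'")
        if f"switchport access vlan {CCL_VLAN}" in lines:
            # the CCL must carry the ASA's cluster MTU end to end
            for target, ls in [(f"Po{po}", lines)] + [(mm, ifs[mm]) for mm in members]:
                if f"mtu {CLUSTER_MTU}" not in ls:
                    findings.append(f"{target}: CCL MTU must be {CLUSTER_MTU}")
    return findings


if __name__ == "__main__":
    print("GOOD:", check_switch(GOOD))
    for finding in check_switch(BAD):
        print("BAD:", finding)
```

Run it against both aggregation switches; because the two N7ks are configured identically in this guide, any finding that appears on only one of them is itself a mismatch worth chasing.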
Now that the network infrastructure is built, let's configure a simple but flexible tenant
container. Route summarization and static redistribution are used to advertise tenant subnets
into the Core or WAN Edge layer using OSPF. This allows flexibility when adding server
VLANs to any tenant without changing static routes or routing at the
aggregation layer. Since the gateways for all VLANs within the VRF are at the aggregation layer,
all interfaces are directly connected and no routing protocol is required to distribute routes
within a given VRF.
Security Container
ASA Context Characteristics
Single Tiered Private Zone
1 outside VLAN
1 inside VLAN
Nexus Characteristics
1 VRF [internal private zone]
3 VLANs
3 HSRP Groups
[Outside, Inside, Server]
Logical Firewall Security Model

master [system context]
interface Port-channel26
 description Data Spanned Port-channel
 port-channel load-balance src-dst ip-l4port
 port-channel span-cluster vss-load-balance
interface TenGigabitEthernet 0/6
 channel-group 26 mode active vss-id 1
interface TenGigabitEthernet 0/7
 channel-group 26 mode active vss-id 2
interface Port-channel26.51
 vlan 51
interface Port-channel26.2011
 vlan 2011
interface Port-channel26.2012
 vlan 2012
context Tenant_Zone_1
 description Tenant Zone 1 FW Context
 allocate-interface Port-channel26.51
 allocate-interface Port-channel26.2011
 allocate-interface Port-channel26.2012
 config-url disk0:/Tenant_Zone_1.cfg

[Tenant_Zone_1 context]
hostname Tenant_Zone_1
interface Port-channel26.51
 description Mgmt Vlan
 management-only
 nameif mgmt
 security-level 0
 ip address 200.1.51.2 255.255.255.0
interface Port-channel26.2011
 description Tenant Zone 1 OUTSIDE Vlan
 nameif outside
 security-level 10
 ip address 200.1.1.11 255.255.255.0
interface Port-channel26.2012
 description Tenant Zone 1 INSIDE Vlan
 nameif inside
 security-level 100
 ip address 200.1.2.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.253 1
route inside 200.1.3.0 255.255.255.0 200.1.2.253 1
access-list inside-in extended permit ip any any
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group inside-in in interface inside
[N7k-1]
ip route 200.1.3.0/24 200.1.1.11
interface Vlan2011
  description Tenant Zone 1 OUTSIDE Vlan
  mtu 9216
  no ip redirects
  ip address 200.1.1.251/24
  hsrp 1
    ip 200.1.1.253
ip prefix-list static2ospfPfx seq 10 permit 200.0.0.0/10 le 24
route-map direct2ospf permit 10
  match ip address prefix-list static2ospfPfx
router ospf 1
  router-id [x.x.x.x]
  redistribute static route-map direct2ospf

[N7k-2]
ip route 200.1.3.0/24 200.1.1.11
interface Vlan2011
  description Tenant Zone 1 OUTSIDE Vlan
  mtu 9216
  no ip redirects
  ip address 200.1.1.252/24
  hsrp 1
    ip 200.1.1.253
ip prefix-list static2ospfPfx seq 10 permit 200.0.0.0/10 le 24
route-map direct2ospf permit 10
  match ip address prefix-list static2ospfPfx
router ospf 1
  router-id [x.x.x.x]
  redistribute static route-map direct2ospf
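A worked evaluation of the redistribution filter above, added as an example (not Cisco's or the guide's code). It implements the prefix-list match semantics generically (a candidate must lie inside 200.0.0.0/10 and, because of le 24, have a length between 10 and 24; with neither ge nor le only the exact length matches; an implicit deny follows the last sequence) and then shows which of a constructed set of static routes route-map direct2ospf would send into OSPF.

```python
"""Evaluation of the static-to-OSPF prefix-list filter used in this guide:

  ip prefix-list static2ospfPfx seq 10 permit 200.0.0.0/10 le 24
  route-map direct2ospf permit 10
    match ip address prefix-list static2ospfPfx
  router ospf 1
    redistribute static route-map direct2ospf

Added example, not Cisco's or the guide's code. The prefix-list semantics
are implemented generically; the candidate static routes are constructed.
"""
import ipaddress


def entry_matches(candidate, entry_prefix, ge=None, le=None):
    """True if a candidate prefix matches one prefix-list entry."""
    cand = ipaddress.ip_network(candidate, strict=False)
    base = ipaddress.ip_network(entry_prefix, strict=False)
    lo = ge if ge is not None else base.prefixlen
    if le is not None:
        hi = le                        # 'le N': entry length .. N (or ge .. N)
    elif ge is not None:
        hi = base.max_prefixlen        # 'ge N' alone: N .. host length
    else:
        hi = base.prefixlen            # no ge/le: only the exact length matches
    return cand.subnet_of(base) and lo <= cand.prefixlen <= hi


# (seq, action, prefix, ge, le) for: ip prefix-list static2ospfPfx seq 10 permit 200.0.0.0/10 le 24
STATIC2OSPF = [
    (10, "permit", "200.0.0.0/10", None, 24),
]


def evaluate(prefix_list, candidate):
    """Walk the entries in sequence order and return (seq, action) of the
    first match, or (None, 'deny') for the implicit deny at the end."""
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(candidate, prefix, ge, le):
            return seq, action
    return None, "deny"


def redistributed(static_routes, prefix_list=STATIC2OSPF):
    """Static routes that route-map direct2ospf would pass into OSPF."""
    return [r for r in static_routes if evaluate(prefix_list, r)[1] == "permit"]


# constructed candidates: the guide's tenant routes plus a few that must be denied
CANDIDATES = [
    "200.1.3.0/24",     # tenant server VLAN: permitted
    "200.1.111.0/24",   # second tenant subnet: permitted
    "200.0.0.0/10",     # the entry itself (length 10): permitted
    "200.1.3.0/25",     # longer than le 24: denied
    "200.0.0.0/9",      # shorter than the entry: denied
    "200.64.0.0/12",    # outside 200.0.0.0/10 (which ends at 200.63.255.255): denied
    "10.0.0.0/8",       # unrelated: denied
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c, evaluate(STATIC2OSPF, c))
    print("redistributed:", redistributed(CANDIDATES))
```

The useful check for an operator is the denied set: a tenant subnet carved smaller than /24, or a summary shorter than /10, is silently dropped from OSPF by this filter and the core never learns it.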
The AGG pair uses a default route in the VRF to route through the ASA
cluster for outbound traffic.
The SVIs are configured to use HSRP. VLANs 2011 and 2012
represent the outside and inside interfaces of the ASA units for context
Tenant_Zone_1. VLAN 2013 is used as a server VLAN. The inside
VLANs are contained in a VRF to isolate the traffic and routing.

[N7k-1]
vrf context Tenant_Zone_1
  ip route 0.0.0.0/0 200.1.2.11
interface Vlan2012
  description Tenant Zone 1 INSIDE Vlan
  mtu 9216
  vrf member Tenant_Zone_1
  no ip redirects
  ip address 200.1.2.251/24
  hsrp 1
    ip 200.1.2.253
interface Vlan2013
  description Tenant Zone 1 SERVER Vlan
  mtu 9216
  vrf member Tenant_Zone_1
  no ip redirects
  ip address 200.1.3.251/24
  hsrp 1
    ip 200.1.3.253

[N7k-2]
vrf context Tenant_Zone_1
  ip route 0.0.0.0/0 200.1.2.11
interface Vlan2012
  description Tenant Zone 1 INSIDE Vlan
  mtu 9216
  vrf member Tenant_Zone_1
  no ip redirects
  ip address 200.1.2.252/24
  hsrp 1
    ip 200.1.2.253
interface Vlan2013
  description Tenant Zone 1 SERVER Vlan
  mtu 9216
  vrf member Tenant_Zone_1
  no ip redirects
  ip address 200.1.3.252/24
  hsrp 1
    ip 200.1.3.253
[Tenant_Zone_1 context]
route outside 0.0.0.0 0.0.0.0 200.1.1.253 1
route inside 200.1.3.0 255.255.255.0 200.1.2.253 1
route inside 200.1.111.0 255.255.255.0 200.1.2.253 1

[Load Balancer virtual context]
interface [floating]
 ip address 200.1.2.50/24
ip route 0.0.0.0/0 200.1.2.11
ip route 200.1.3.0/24 200.1.2.253

On the load balancer, add the default route towards the firewall's inside
interface and a more specific route to the servers, towards the
Nexus aggregation HSRP address.
Great External Resources