ASA CCL cluster link requirement

fsebera
Level 4

Hi guys,

We have 2 geographic dispersed sites with 500Mbps throughput Internet access on both. We currently have 1 ASA 5585-x firewall at each site. We would like to enable clustering between the firewalls.

Is the Cluster Control Link (CCL) requirement 10Gbps and 10ms latency or less (20ms round trip)

OR

is this a highly recommended suggestion.

And if this is a recommendation and we only have 500Mbps internet throughput, could we get away with CCL being something less than 10Gbps?

Suggestions please!!

Thank you

Frank

Accepted Solution

Marvin Rhoads
Hall of Fame

The 10 ms latency is a hard requirement and requires 9.1(4). The bandwidth is not mandatory but it must match the maximum forwarding capacity of each member. 

Please refer to Cisco Live! presentation BRKSEC-3032, slide 26.

I would assume you have some sort of interconnect between your outside switches, as well as the cluster members all having outside interfaces addressed from a single pool.


10 Replies


Hi Marvin,

Excellent. Our current one-way link latency is 6 ms, and the IOS version can/will be upgraded!

Cisco Live! presentation: would/could you provide a link, PLEASE.

Inside and outside connectivity is good too; simple 3750-X stacks.


1 question:

If our internet links are 500Mbps each, x2 = 1Gbps, does this mean the CCL should be at least 1Gbps or better?

Our internal (inside) links are 1 Gbps links, but due to the Internet bottleneck they are automatically slowed to 500 Mbps too.

Thank you

Frank

The presentation is here. There are also a number of slides on different inter-DC clustering scenarios and differences between 9.1 and 9.2 in that regard.

You may need to set up a (free) Cisco Live 365 user ID (separate from your cisco.com ID) to be able to access and download the slides.

While I suppose the CCL could technically be 500 Mbps, the practical amount would be 1 Gbps as it needs to be a dedicated link (not shared with any other service).
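As an added illustration of the three requirements discussed in this thread (10 ms one-way / 20 ms round-trip CCL latency, ASA 9.1(4) or later, and a dedicated CCL at least as fast as each member's forwarding capacity), here is a small pre-flight check script. It is not from the thread, from Cisco, or from the BRKSEC-3032 deck; the ping output and the member figures are constructed for the example, and the Linux `rtt min/avg/max/mdev` summary format is an assumption about what you would paste in.

```python
import re

# Requirements as quoted in the thread (not a Cisco source):
# one-way CCL latency <= 10 ms (20 ms round trip), ASA 9.1(4) or later,
# and the CCL at least matching each member's maximum forwarding capacity.
MAX_ONE_WAY_LATENCY_MS = 10.0
MIN_ASA_VERSION = (9, 1, 4)

# Constructed sample: a ping across the inter-site link, Linux summary format assumed.
PING_OUTPUT = """\
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=62 time=12.1 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=62 time=11.8 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=62 time=13.9 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 11.800/12.600/13.900/0.934 ms
"""

# Constructed sample of a link that would fail the latency requirement.
SLOW_PING_OUTPUT = """\
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 21.200/23.100/25.400/1.500 ms
"""


def parse_asa_version(text):
    """Parse an ASA version string such as '9.1(4)' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_ping_rtt(ping_output):
    """Return (min, avg, max) round-trip times in ms from the ping summary line."""
    m = re.search(
        r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/[\d.]+ ms", ping_output
    )
    if not m:
        raise ValueError("no 'rtt min/avg/max/mdev' summary line found")
    return tuple(float(g) for g in m.groups())


def check_ccl(asa_version, ping_output, ccl_mbps, member_capacity_mbps):
    """Evaluate the three CCL requirements; returns {requirement: passed}.

    The worst-case one-way latency is estimated as half the maximum RTT,
    which is the conservative reading of the 10 ms one-way / 20 ms RTT figure.
    """
    _, _, rtt_max = parse_ping_rtt(ping_output)
    worst_one_way_ms = rtt_max / 2.0
    return {
        "version_ok": parse_asa_version(asa_version) >= MIN_ASA_VERSION,
        "latency_ok": worst_one_way_ms <= MAX_ONE_WAY_LATENCY_MS,
        # CCL must carry what the fastest member can forward, on a dedicated link.
        "bandwidth_ok": ccl_mbps >= max(member_capacity_mbps),
    }


if __name__ == "__main__":
    # Frank's scenario as described above: ~6 ms one-way, two 500 Mbps sites, 1 Gbps CCL.
    print(check_ccl("9.1(4)", PING_OUTPUT, ccl_mbps=1000, member_capacity_mbps=[500, 500]))
    # A cluster that would fail on version and latency.
    print(check_ccl("9.1(3)", SLOW_PING_OUTPUT, ccl_mbps=1000, member_capacity_mbps=[500, 500]))
```

Feed it the actual `ping` summary between the two CCL endpoints rather than a single sample; the max RTT is what matters, since a cluster member that misses its health-check window is dropped from the cluster.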

Thanks Marvin,

Based on the Cisco TAC Podcast, I was afraid I would need a 10Gbps CCL link but appears now I am good with a 1 Gbps link (for now) until my throughput requirements increase. Excellent.

Thank you again for the quick responses, appreciate your support!

Frank

You're welcome, thanks for the rating.

I would not generally contradict anything the guys on the TAC Security Podcast say - that's an excellent resource. I've learned a lot listening to them.

I believe, however, in this case they were assuming that any 5585-X cluster would be using the bandwidth of one (or more) 10 Gbps interfaces for their production traffic. In that case, you definitely would not want the CCL to be 1 Gbps.

Hi Marvin,

I have a query related to CCL Link.

Are the CCL links encrypted by default? If yes, is it SSL?

Or do we need to enable any command to do the encryption?

thanks

Jacob

Jacob,

I do not believe ASA Cluster Control Links have any encryption - either by default or as an option.

Update - correct answer provided by Aditya.

Marvin,

Thanks for your update. I am a bit confused, below is a quote from a Cisco LLD document provided to my customer by Cisco Advanced Services.

"New cluster members must use the same SSL encryption setting (the ssl encryption command) as the master unit for initial cluster control link communication before configuration replication."

But I didn't see any config related to encryption in the config provided in NIP Document, that's why I asked is it enabled by default or not.

This quote from Cisco Live Doc attached also mentioned (Page 37 Preparation Check List) something related to encryption, but still not clear.

"All cluster members must have matching 3DES and 10GE I/O licenses"

Appreciate if you could help.

thanks

Jacob

Hi Jacob,

Yes, CCL uses SSL encryption for communication to the slave members, and if the licenses and SSL encryption settings are not the same it will fail to form a cluster.

Check this link for more info:

http://www.cisco.com/en/US/products/ps12726/products_tech_note09186a0080c03900.shtml

Regards,

Aditya

Please rate helpful posts and mark correct answers.
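To make the "same SSL encryption setting as the master unit" point above concrete, here is an added example (not from this thread, from Aditya's linked tech note, or from Cisco) that pulls the `ssl encryption` line out of each member's running config and reports any member whose cipher list differs from the master's. The configs are constructed for the example, and the single-line `ssl encryption <cipher> [<cipher> ...]` form is an assumption about the ASA release in use; a member missing a cipher such as `3des-sha1` is the kind of mismatch the 3DES licence line in the checklist is warning about.

```python
import re

# Constructed running-config excerpts for a master and two joining members.
MASTER_CONFIG = """\
hostname asa-site-a
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
cluster group site-cluster
"""

MEMBER_CONFIGS = {
    # Matches the master exactly: should join.
    "member-b": "hostname asa-site-b\nssl encryption aes256-sha1 aes128-sha1 3des-sha1\n",
    # Missing 3des-sha1 (e.g. no 3DES licence): should be flagged before it tries to join.
    "member-c": "hostname asa-site-c\nssl encryption aes256-sha1 aes128-sha1\n",
}


def ssl_encryption_setting(running_config):
    """Return the cipher list from the 'ssl encryption ...' line as a tuple
    (order preserved, since the ASA treats it as a preference order), or None
    if the line is absent and the platform default applies."""
    for line in running_config.splitlines():
        m = re.match(r"^ssl encryption\s+(.+?)\s*$", line)
        if m:
            return tuple(m.group(1).split())
    return None


def find_ssl_mismatches(master_config, member_configs):
    """Compare each member's setting with the master's.

    Returns {member: (member_setting, missing_from_member, extra_on_member)}
    for every member that differs; an empty dict means all members match.
    """
    master = ssl_encryption_setting(master_config)
    master_set = set(master or ())
    mismatches = {}
    for name, cfg in member_configs.items():
        setting = ssl_encryption_setting(cfg)
        if setting != master:
            member_set = set(setting or ())
            mismatches[name] = (
                setting,
                tuple(sorted(master_set - member_set)),
                tuple(sorted(member_set - master_set)),
            )
    return mismatches


if __name__ == "__main__":
    for member, (setting, missing, extra) in find_ssl_mismatches(
        MASTER_CONFIG, MEMBER_CONFIGS
    ).items():
        print(f"{member}: has {setting}; missing {missing}; extra {extra}")
```

Run it against `show running-config ssl` output collected from every unit before enabling clustering; a difference in ordering is reported as well as a difference in ciphers, so that the cluster join does not fail for a reason that only surfaces in the console log.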

adganjoo,

I stand corrected. Thanks for the update. 

Edited my earlier reply.
