Bronze

ASA CCL cluster link requirement

Hi guys,

We have 2 geographically dispersed sites with 500Mbps throughput Internet access at both. We currently have 1 ASA 5585-X firewall at each site. We would like to enable clustering between the firewalls.

Is the Cluster Control Link (CCL) requirement 10Gbps and 10ms latency or less (20ms round trip)

OR

is this a highly recommended suggestion?

And if this is a recommendation and we only have 500Mbps internet throughput, could we get away with CCL being something less than 10Gbps?

Suggestions please!!

Thank you

Frank

Accepted Solutions
Hall of Fame Super Silver

The 10 ms latency is a hard requirement and requires 9.1(4). The bandwidth is not mandatory but it must match the maximum forwarding capacity of each member. 

Please refer to Cisco Live! presentation BRKSEC-3032, slide 26.

I would assume you have some sort of interconnect between your outside switches, and that the cluster members all have outside interfaces addressed from a single pool.

10 REPLIES
Bronze

Hi Marvin,

Excellent. Our current one-way link latency is 6 ms, and the IOS version can/will be upgraded!

Cisco Live! presentation: would/could you provide a link, PLEASE.

Inside and outside connectivity is good too; simple 3750-X stacks.


1 question:

If our internet links are 500Mbps each, x2 = 1Gbps, does this mean the CCL should be at least 1Gbps or better?

Our internal (inside) links are 1 Gbps links, but due to the Internet bottleneck they are automatically slowed to 500 Mbps too.

Thank you

Frank

Hall of Fame Super Silver

The presentation is here. There are also a number of slides on different inter-DC clustering scenarios and differences between 9.1 and 9.2 in that regard.

You may need to set up a (free) Cisco Live 365 user ID (separate from your cisco.com ID) to be able to access and download the slides.

While I suppose the CCL could technically be 500 Mbps, the practical amount would be 1 Gbps as it needs to be a dedicated link (not shared with any other service).

Bronze

Thanks Marvin,

Based on the Cisco TAC Podcast, I was afraid I would need a 10 Gbps CCL link, but it now appears I am good with a 1 Gbps link (for now) until my throughput requirements increase. Excellent.

Thank you again for the quick responses, appreciate your support!

Frank

Hall of Fame Super Silver

You're welcome, thanks for the rating.

I would not generally contradict anything the guys on the TAC Security Podcast say - that's an excellent resource. I've learned a lot listening to them.

I believe, however, that in this case they were assuming that any 5585-X cluster would be using the bandwidth of one (or more) 10 Gbps interfaces for its production traffic. In that case, you definitely would not want the CCL to be 1 Gbps.

New Member

Hi Marvin,

I have a query related to the CCL link.

Are the CCL links encrypted by default? If yes, is it SSL?

Or do we need to enable any command to do the encryption?

thanks

Jacob

Hall of Fame Super Silver

Jacob,

I do not believe ASA Cluster Control Links have any encryption - either by default or as an option.

Update - correct answer provided by Aditya.

New Member

Marvin,

Thanks for your update. I am a bit confused, below is a quote from a Cisco LLD document provided to my customer by Cisco Advanced Services.

"New cluster members must use the same SSL encryption setting (the ssl encryption command) as the master unit for initial cluster control link communication before configuration replication."

But I didn't see any config related to encryption in the config provided in the NIP document; that's why I asked whether it is enabled by default or not.

This quote from the attached Cisco Live doc (page 37, Preparation Check List) also mentions something related to encryption, but it is still not clear.

"All cluster members must have matching 3DES and 10GE I/O licenses"

I would appreciate it if you could help.

thanks

Jacob

Cisco Employee

Hi Jacob,

Yes, the CCL uses SSL encryption for communication to the slave members, and if the licenses and the SSL encryption setting are not the same, it would fail to form a cluster.

Check this link for more info:

http://www.cisco.com/en/US/products/ps12726/products_tech_note09186a0080c03900.shtml

Regards,

Aditya

Please rate helpful posts and mark correct answers.
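The preconditions stated in this thread (a matching `ssl encryption` setting on every member, a hard 10 ms one-way CCL latency limit, and a CCL whose bandwidth matches each member's forwarding capacity) can be turned into a simple pre-clustering check. This is an added example, not code from the thread or from Cisco; the two running-config excerpts are constructed, and the exact shape of the `ssl encryption` and `cluster group` lines is assumed.

```python
import re

# Constructed "show running-config" excerpts from two would-be cluster members
# (sample data, not real device output); only lines relevant to the check are kept.
MASTER_CFG = """\
hostname asa-site-a
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
cluster group dc-cluster
 local-unit unit-a
 cluster-interface Port-channel1 ip 10.0.0.1 255.255.255.0
 priority 1
 enable
"""
MEMBER_CFG = """\
hostname asa-site-b
ssl encryption aes128-sha1 3des-sha1
cluster group dc-cluster
 local-unit unit-b
 cluster-interface Port-channel1 ip 10.0.0.2 255.255.255.0
 priority 2
 enable
"""

MAX_ONE_WAY_LATENCY_MS = 10.0  # hard CCL requirement quoted in the thread (ASA 9.1(4)+)


def ssl_ciphers(cfg):
    """Ordered cipher list from the 'ssl encryption' line, or None if absent."""
    m = re.search(r"^ssl encryption\s+(.+)$", cfg, re.M)
    return m.group(1).split() if m else None


def cluster_group(cfg):
    """Cluster group name, or None if the unit has no cluster configuration."""
    m = re.search(r"^cluster group\s+(\S+)", cfg, re.M)
    return m.group(1) if m else None


def ccl_preflight(master_cfg, member_cfg, one_way_latency_ms,
                  ccl_bandwidth_mbps, member_forwarding_mbps):
    """Return a list of findings that would block joining; empty means ready."""
    findings = []
    # Order matters: the member must present the same cipher list as the master.
    if ssl_ciphers(master_cfg) != ssl_ciphers(member_cfg):
        findings.append("ssl encryption setting differs from master")
    if cluster_group(master_cfg) != cluster_group(member_cfg):
        findings.append("cluster group name differs from master")
    if one_way_latency_ms > MAX_ONE_WAY_LATENCY_MS:
        findings.append(f"CCL one-way latency {one_way_latency_ms} ms exceeds "
                        f"{MAX_ONE_WAY_LATENCY_MS} ms")
    if ccl_bandwidth_mbps < member_forwarding_mbps:
        findings.append("CCL bandwidth is below the member's forwarding capacity")
    return findings
```

With the constructed excerpts and Frank's numbers (6 ms one-way, 1 Gbps CCL, 500 Mbps per site), the only finding is the mismatched `ssl encryption` line on the second unit.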

Hall of Fame Super Silver

adganjoo,

I stand corrected. Thanks for the update. 

Edited my earlier reply.
