Cisco Support Community

New Member

ASA clustering

Hello!

Can anyone explain whether this list of switches is complete? For example, 4500x or Nexus 3064 can do the same (VSS/vPC), I think, but they are not listed.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/ha-cluster.html

See: Table 7-2 External Hardware and Software Support for ASA Clustering

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

The ones listed are the ones Cisco has tested and verified compatible. Other models may work fine but haven't necessarily been tested.

The Etherchannel / LACP mechanisms are pretty sensitive though for interoperability with an ASA cluster, so proceed carefully when going outside the recommended switch types. I'd say especially so when working with a VSS- or VPC-enabled downstream set of switches.

You can always open a proactive TAC case to ask them to validate your configuration and check their internal knowledge base for possible concerns.

5 REPLIES
New Member

Thank you! Will try asking TAC for details.

New Member

Ok, I'm sharing some information after talking with Cisco's guys.

You can use any switch, but the switches on the list are confirmed to do proper traffic distribution. For example, if you have a pair of ASAs in a cluster, a good switch can do almost 50/50 traffic distribution and a bad switch can do 70/30, and in this case some of your ASAs can be overloaded.

That's all :-)

New Member

Hi Marvin,

Can I configure a cluster on the ASA if I have two 4948s on separate ASAs?

The 4948s will be on the inside interfaces.

The topology is in the picture.

Is there any link where I can see the difference between ASA cluster and ASA Active/Active mode, regarding data flow, capacity, etc.?

I assume that Active/Active is capable only with two ASAs, and ASA Cluster is capable of up to 8 ASAs.

 

KR

Hall of Fame Super Silver

You could use separate 4948 switches on the one side if you set up the cluster in individual interface mode. However, the Cisco recommendation is to use spanned Etherchannel, which is only possible when the switches are in a stack, VSS or VPC configuration - all things the 4948 cannot do.

The Active/Active term is generally used to refer to an HA mode that is only available in multiple context ASA configurations. The overall pair is active/active but a given context is always active/standby.

You might find the Cisco Live presentation BRKSEC-3032 useful. Also listen to the TAC Security podcasts on ASA clustering.
