Wednesday 31 August 2016

ASA Clustering Architecture

One cluster member is elected Master and the other devices are Slaves. The first unit to join the cluster, or the unit with the best priority value, becomes the Master unit. The Master device handles all configuration and management and owns the VIP for the cluster. A new Master is elected only if the current Master goes down.
The devices use a Cluster Control Link (CCL) for intra-cluster communication (the cluster backplane). Each device must have at least one hardware interface dedicated to this, and the recommended design is an Etherchannel. The CCL is used for the Master election, configuration replication, health monitoring and state replication. Each unit's CCL interface needs its own IP address, all on the same subnet.
There are two supported data interface modes.
Spanned Etherchannel – Layer 2

  • Group one or more interfaces per unit into an EtherChannel that spans all units in the cluster.
  • The EtherChannel aggregates the traffic across all the available active interfaces in the channel.
  • This is the recommended design.
  • All units use the same VIP and MAC.
  • Supports MCEC (VSS, vPC etc.).

Individual Mode – Layer 3

  • Each device has a separate IP address on each data interface.
  • Uses dynamic routing to load-balance traffic (think ECMP).
  • Etherchannels are local to each member.
  • Interface IPs are assigned from pools configured on the Master unit.

In individual mode, each device maintains its own routing adjacency. The disadvantage of this is slower convergence and higher processor utilization, because each unit maintains its own routing table. In spanned Etherchannel mode, only the Master ASA runs dynamic routing, and the routing and ARP tables are synchronized to the slave devices.
How the ASA manages connections
When a connection is forwarded to a member of the cluster via load balancing, that unit owns both directions of the connection. If any of that connection's packets arrive at a different unit, they are forwarded to the owner device over the cluster control link. Because of this, symmetric load-balancing is recommended: it is required for both directions of a flow to arrive at the same unit, and for flows to be distributed evenly between ASAs.
For each connection there is also a device that acts as the director. The director handles look-up requests from forwarders and also maintains the connection state to serve as a backup if the owner fails. When the owner receives a new connection, it chooses a director based on a hash algorithm and sends a message to the director to register the new connection.
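To make the owner, forwarder and director roles concrete, here is an added Python simulation (not ASA code; the `toy_hash`, `symmetric_lb` and `asymmetric_lb` functions are constructed stand-ins for the real hash and load balancer) that counts how many packets would have to cross the CCL under symmetric versus asymmetric load balancing.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

def toy_hash(*parts) -> int:
    """Constructed stand-in for the ASA's hash: byte sum of the joined fields."""
    return sum("|".join(str(p) for p in parts).encode())

def normalize(key: FlowKey) -> FlowKey:
    """Order the two endpoints so a flow and its reverse share one key."""
    a, b = (key[0], key[1]), (key[2], key[3])
    return (*a, *b) if a <= b else (*b, *a)

def symmetric_lb(key: FlowKey, n: int) -> int:
    """Symmetric: both directions of a flow land on the same unit."""
    return toy_hash(*normalize(key)) % n

def asymmetric_lb(key: FlowKey, n: int) -> int:
    """Asymmetric: source-only hash, so the reply may land on another unit."""
    return toy_hash(key[0]) % n

@dataclass
class Cluster:
    n_units: int
    lb: Callable[[FlowKey, int], int]
    owners: Dict[FlowKey, int] = field(default_factory=dict)
    directors: Dict[FlowKey, int] = field(default_factory=dict)
    ccl_forwards: int = 0  # packets relayed to the owner over the cluster control link

    def packet(self, key: FlowKey) -> int:
        """Deliver one packet; return the unit that owns its connection."""
        arrived_at = self.lb(key, self.n_units)
        flow = normalize(key)
        if flow not in self.owners:
            # First packet: the receiving unit becomes owner and registers
            # the connection with a director (assumed: hash of the flow key).
            self.owners[flow] = arrived_at
            self.directors[flow] = toy_hash(*flow) % self.n_units
        elif self.owners[flow] != arrived_at:
            self.ccl_forwards += 1  # non-owner acts as forwarder over the CCL
        return self.owners[flow]

def run(lb: Callable[[FlowKey, int], int], n_units: int = 3) -> Cluster:
    c = Cluster(n_units, lb)
    for i in range(4):
        fwd = ("10.1.1.5", 40000 + i, "192.0.2.10", 443)  # constructed sample flow
        c.packet(fwd)                                  # client -> server
        c.packet((fwd[2], fwd[3], fwd[0], fwd[1]))     # server -> client reply
    return c
```

With these inputs `run(symmetric_lb).ccl_forwards` is 0 while `run(asymmetric_lb).ccl_forwards` is 4, i.e. every reply packet has to be relayed across the CCL when the two directions hash to different units.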