ASA Firewalls: Cluster Configuration with vPC

Welcome to the world of ASA firewalls and cluster configuration! In this article, we will guide you through the process of setting up a two-node ASA cluster using the traditional ASA image. So, let’s dive in and explore the steps involved in this configuration.


Preparation

Before we jump into the configuration process, let’s make sure we have everything we need. In our topology, we will be using a pair of ASA 5500-X series firewalls connected to a pair of Nexus switches. Each ASA will have its own cluster control links, and on the Nexus side, these links will be vPC links. The data links will span the entire cluster, utilizing spanned-etherchannel on the ASA side and vPC on the Nexus side.

Nexus Configuration

To start with, let’s configure the Nexus switches. We’ll create VLAN 100 for the Cluster control link and assign four interfaces per ASA to the CCL, connecting them to port channels 101 and 102 on the Nexus switches. Remember to set the MTU higher on the CCL interfaces to accommodate extra overhead. For proper functioning across the pair, configure the port channels with a vPC identifier.

ASA Configuration

Now, let’s move on to the ASA configuration. There are a few settings we need to get right before adding the ASA to the cluster. First, enable jumbo frames to support the larger packet size on the Cluster Control Link. Next, change the interface mode from individual interface mode to spanned-etherchannel mode. Ensure there are no incompatibilities by using the ‘check details’ command.


After configuring these settings, reload the ASA for the changes to take effect. Once the ASA reboots, configure the data interfaces by adding them to port-channel 10 and assigning a vss-id to each interface that identifies which Nexus switch the link terminates on. Remember to use the same port-channel number on both ASA firewalls. Additionally, use the ‘span-cluster’ keyword to identify this port-channel as a spanned-etherchannel interface and enable ‘vss-load-balance’ so that cLACP (cluster LACP) balances traffic across both switches.

Cluster Configuration

Now comes the exciting part – configuring the cluster! Start by creating a pool of IP addresses for management, including one IP address for each ASA and an additional IP for managing the cluster as a whole. Assign the cluster IP directly to the management interface, along with the previously created pool.

Next, add all the CCL interfaces to a port-channel. Then, give the cluster a name and assign a local name to each member. Configure the cluster interface to use the CCL interface and set an IP address. Set the priority to influence the election of the primary unit, and consider using a key for added security. Finally, enable clustering on this unit, and remove any incompatible configurations if prompted.

The cluster will then begin the election process, and the primary ASA will be elected. Set the cluster control link MTU and repeat the configuration on the second ASA. Once clustering is enabled on it, the configuration is replicated from the primary ASA, and the second ASA becomes a secondary.
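The steps above, collected into one configuration fragment for the Nexus pair and for the first ASA unit. This is an added example, not configuration taken from the article or from Techal; interface numbers, VLAN 100, port-channel numbers, IP addresses and the cluster/unit names are assumed, and the key is a placeholder.

```cisco
! ---- Nexus side (same on both vPC peers; interface numbers are assumed) ----
vlan 100
 name ASA-CCL
interface port-channel101
 switchport access vlan 100
 mtu 9216
 vpc 101
interface port-channel102
 switchport access vlan 100
 mtu 9216
 vpc 102
interface port-channel10
 switchport mode trunk
 vpc 10
!
! ---- ASA side, unit 1 (unit 2 differs only in local-unit, priority, CCL IP) ----
cluster interface-mode spanned check-details
cluster interface-mode spanned force
! reload the ASA here, then continue
jumbo-frame reservation
interface GigabitEthernet0/0
 channel-group 1 mode on
 no shutdown
! (repeat for the other three CCL member interfaces)
interface GigabitEthernet0/4
 channel-group 10 mode active vss-id 1
 no shutdown
interface GigabitEthernet0/5
 channel-group 10 mode active vss-id 2
 no shutdown
interface Port-channel10
 port-channel span-cluster vss-load-balance
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
ip local pool mgmt 192.0.2.11-192.0.2.12
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0 cluster-pool mgmt
cluster group asa-cluster
 local-unit asa1
 cluster-interface Port-channel1 ip 10.255.255.1 255.255.255.0
 priority 1
 key SHARED-SECRET-PLACEHOLDER
 enable
mtu cluster 9000
```

The Nexus member interfaces for port-channels 101, 102 and 10 are omitted; the CCL members use channel-group mode on to match the ASA side, and the data members use mode active.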

Verifying the Configuration

To ensure everything is set up correctly, verify the configuration. Use the ‘show cluster interface-mode’ command to confirm that spanned-etherchannel mode is enabled. Use ‘show cluster info’ to see the cluster members and check which unit is primary. ‘show cluster info health’ will display the overall cluster health and the interface state for each member.


FAQs

Q: Can I remove a member from the cluster?

Yes, you can remove a member from the cluster by entering the cluster configuration mode and typing ‘no enable’. The member will transition to the DISABLED state, and another member will be elected as the primary.

Q: Can I add a member back to the cluster?

Certainly! To add a member back to the cluster, use the ‘cluster exec’ command to run a remote command on the unit.

Conclusion

Congratulations! You have successfully configured an ASA firewall cluster using vPC. Now you are ready to enjoy the benefits of high availability and enhanced security. If you have any questions or need further assistance, feel free to leave a comment below or subscribe to our newsletter on Techal for more informative articles and videos. Thanks for joining us!
