# Clustering

## Overview

ASA clustering allows multiple ASA units to operate as a single logical firewall, providing both increased throughput and high availability. In spanned EtherChannel mode, port-channels span across all cluster members, with upstream and downstream switches seeing a single logical link.

**Key concepts:**

- All units share a single configuration managed by the **control unit** (master)
- Data interfaces use **spanned EtherChannels** — port-channels that span across all cluster members
- A dedicated **Cluster Control Link (CCL)** handles inter-unit communication, health monitoring, and state sync
- The control unit is elected based on **priority** (lower value = higher priority)
- Only the control unit needs full interface configuration (nameif, IP) — data units sync automatically
- `console-replicate` mirrors console messages from data units to the control unit

## Video Walkthrough

<!-- Replace VIDEO_ID_HERE with your YouTube video ID -->
<!-- {{< youtube VIDEO_ID_HERE >}} -->

*Video coming soon.*

## Prerequisites

- All ASA units must have identical hardware, modules, and software version.
- All units must be in the same firewall mode (routed or transparent). In multiple context mode, individual contexts may mix firewall modes, but only when the cluster uses Spanned EtherChannel interface mode.
- All units must be in the same context mode (single or multiple).
- In multiple context mode, all configuration is done from the **system execution space**.
- A dedicated physical interface for the Cluster Control Link (CCL).
- Upstream and downstream switches must support LACP EtherChannels (the member interfaces below use `channel-group ... mode active`). To split a spanned EtherChannel across two switches for redundancy, the switch pair must support multi-chassis EtherChannel (e.g., Cisco vPC, VSS, or StackWise); a single switch also works, but is then a single point of failure for the whole cluster.
- `cluster interface-mode spanned` must be set before any interface configuration.

## Configuration Steps (CLI)

### ASA1 (Control Unit)

#### 1. Set Cluster Interface Mode

This defines how data interfaces operate across the cluster and must be set before clustering can be enabled. **If the ASA already carries interface configuration that is incompatible with the chosen mode, the command prompts you to clear the configuration and reload**, after which you need console access to restore management connectivity. `cluster interface-mode spanned check-details` lists the conflicting configuration first, and `cluster interface-mode spanned force` sets the mode without the check so you can fix the configuration afterwards. On a factory-default device the command applies immediately without a reload:

```text
ASA1(config)# cluster interface-mode spanned
```

#### 2. Configure Member Interfaces for Port-Channel 1 (Outside)

```text
ASA1(config)# interface Ethernet0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shutdown

ASA1(config)# interface Ethernet1
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shutdown
```

#### 3. Configure Member Interfaces for Port-Channel 2 (Inside)

```text
ASA1(config)# interface Ethernet2
ASA1(config-if)# channel-group 2 mode active
ASA1(config-if)# no shutdown

ASA1(config)# interface Ethernet3
ASA1(config-if)# channel-group 2 mode active
ASA1(config-if)# no shutdown
```

#### 4. Configure the Cluster Control Link (CCL) Physical Interface

```text
ASA1(config)# interface Ethernet7
ASA1(config-if)# no shutdown
```

The CCL interface does not get a nameif or security-level — it is dedicated to cluster communication only.

#### 5. Configure Spanned Data Port-Channels

```text
ASA1(config)# interface Port-channel1
ASA1(config-if)# port-channel span-cluster
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 192.168.50.200 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface Port-channel2
ASA1(config-if)# port-channel span-cluster
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.60.200 255.255.255.0
ASA1(config-if)# no shutdown
```

The `port-channel span-cluster` command makes the EtherChannel span across all cluster members, so the switches see a single LACP bundle. The IP address configured here is shared across the cluster and is always owned by the current control unit. The same applies to the interface MAC address, so assign a fixed one to each spanned port-channel with the `mac-address` interface command (or `mac-address auto` in multiple context mode). Without it, a control-unit change moves the shared IP to the new control unit's hardware MAC address, and neighbouring devices drop traffic until their ARP and MAC tables age out.

#### 6. Configure Cluster Bootstrap and Enable

```text
ASA1(config)# cluster group ASA-Clusters
ASA1(cfg-cluster)# local-unit ASA1-Unit
ASA1(cfg-cluster)# cluster-interface Ethernet7 ip 10.10.10.1 255.255.255.252
ASA1(cfg-cluster)# console-replicate
ASA1(cfg-cluster)# priority 1
ASA1(cfg-cluster)# enable
```

- `local-unit` — unique name identifying this member
- `cluster-interface` — assigns the CCL interface and this member's unique IP on the shared CCL subnet; the /30 used here fits exactly two units, so size the mask for the number of members you plan to run
- `console-replicate` — mirrors console messages from data units to the control unit for centralized monitoring
- `priority 1` — lower value means higher priority for control unit election

One command that this walkthrough does not use but that belongs in any production bootstrap is `key <shared_secret>`, which authenticates control traffic (election, configuration replication, health checks) between members. It does not protect state replication or forwarded packets on the CCL, which are always sent in the clear, so the CCL should live on an isolated VLAN or dedicated switch rather than a shared segment.

---

### ASA2 (Data Unit)

ASA2 needs the same interface and port-channel membership configuration, but does **not** need nameif or IP addresses on the data port-channels — these sync from the control unit automatically.

#### 1. Set Cluster Interface Mode

```text
ASA2(config)# cluster interface-mode spanned
```

On a factory-default ASA2 the mode applies immediately; if ASA2 carries incompatible interface configuration, it prompts to clear the configuration and reload, exactly as on ASA1.

#### 2. Configure Member Interfaces for Port-Channel 1 (Outside)

```text
ASA2(config)# interface Ethernet0
ASA2(config-if)# channel-group 1 mode active
ASA2(config-if)# no shutdown

ASA2(config)# interface Ethernet1
ASA2(config-if)# channel-group 1 mode active
ASA2(config-if)# no shutdown
```

#### 3. Configure Member Interfaces for Port-Channel 2 (Inside)

```text
ASA2(config)# interface Ethernet2
ASA2(config-if)# channel-group 2 mode active
ASA2(config-if)# no shutdown

ASA2(config)# interface Ethernet3
ASA2(config-if)# channel-group 2 mode active
ASA2(config-if)# no shutdown
```

#### 4. Configure the CCL Physical Interface

```text
ASA2(config)# interface Ethernet7
ASA2(config-if)# no shutdown
```

#### 5. Configure Spanned Port-Channels (No Nameif/IP Needed)

```text
ASA2(config)# interface Port-channel1
ASA2(config-if)# port-channel span-cluster

ASA2(config)# interface Port-channel2
ASA2(config-if)# port-channel span-cluster
```

No nameif, security-level, or IP address is needed — ASA2 will sync the full configuration from the control unit once it joins the cluster.

#### 6. Configure Cluster Bootstrap and Enable

```text
ASA2(config)# cluster group ASA-Clusters
ASA2(cfg-cluster)# local-unit ASA2-Unit
ASA2(cfg-cluster)# cluster-interface Ethernet7 ip 10.10.10.2 255.255.255.252
ASA2(cfg-cluster)# console-replicate
ASA2(cfg-cluster)# priority 10
ASA2(cfg-cluster)# enable
```

Once enabled, ASA2 contacts the control unit over the CCL, syncs the full configuration, and joins as a data unit.
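To make the two bootstrap blocks above repeatable, here is an added Python example (not from this page and not Cisco code) that renders the `cluster group` commands for every member from one table and rejects the mistakes that stop a unit from joining: duplicate `local-unit` names or priorities, CCL addresses outside the shared subnet, or more members than the CCL mask can hold (the /30 used here fits exactly two). The member table is constructed from the ASA1/ASA2 lab above; the optional `key` argument and `enable as-data-unit` are documented ASA commands that the page's own walkthrough does not use.

```python
"""Render and sanity-check the per-member 'cluster group' bootstrap.

Added example for this page, not Cisco's code. Member data is constructed
from the two-unit lab above; 'key' and 'enable as-data-unit' are documented
ASA options that the page's walkthrough does not use.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    hostname: str   # CLI prompt, cosmetic only
    unit_name: str  # argument to 'local-unit'; must be unique in the cluster
    ccl_ip: str     # this member's address on the cluster control link
    priority: int   # 1-100; the lowest value wins the control-unit election


def validate_members(members, ccl_mask):
    """Return the CCL subnet, or raise ValueError for mistakes that block a join."""
    if not members:
        raise ValueError("no members defined")
    names = [m.unit_name for m in members]
    if len(set(names)) != len(names):
        raise ValueError("local-unit names must be unique: %r" % names)
    prios = [m.priority for m in members]
    if any(not 1 <= p <= 100 for p in prios):
        raise ValueError("priority must be between 1 and 100")
    if len(set(prios)) != len(prios):
        raise ValueError("duplicate priorities hand the election to a tie-break")
    addrs = [ipaddress.ip_interface("%s/%s" % (m.ccl_ip, ccl_mask)) for m in members]
    nets = {a.network for a in addrs}
    if len(nets) != 1:
        raise ValueError("CCL addresses span several subnets: %s" % sorted(map(str, nets)))
    net = nets.pop()
    usable = max(net.num_addresses - 2, 0)   # drop network and broadcast addresses
    if usable < len(members):
        raise ValueError("%s has %d usable hosts for %d members" % (net, usable, len(members)))
    for a in addrs:
        if a.ip in (net.network_address, net.broadcast_address):
            raise ValueError("%s is the network or broadcast address of %s" % (a.ip, net))
    if len({a.ip for a in addrs}) != len(addrs):
        raise ValueError("duplicate CCL addresses")
    return net


def bootstrap_block(member, group, ccl_ifname, ccl_mask, key=None, data_unit=False):
    """Return the cfg-cluster commands for one member, in the page's CLI style."""
    p = member.hostname
    lines = [
        "%s(config)# cluster group %s" % (p, group),
        "%s(cfg-cluster)# local-unit %s" % (p, member.unit_name),
        "%s(cfg-cluster)# cluster-interface %s ip %s %s"
        % (p, ccl_ifname, member.ccl_ip, ccl_mask),
        "%s(cfg-cluster)# console-replicate" % p,
        "%s(cfg-cluster)# priority %d" % (p, member.priority),
    ]
    if key:
        # Authenticates control traffic (election, config sync, health checks) on the
        # CCL; state replication and forwarded packets still travel in the clear.
        lines.append("%s(cfg-cluster)# key %s" % (p, key))
    # 'as-data-unit' keeps a joining member out of the control-unit election.
    lines.append("%s(cfg-cluster)# enable%s" % (p, " as-data-unit" if data_unit else ""))
    return "\n".join(lines)


def render_cluster(members, group, ccl_ifname, ccl_mask, key=None):
    """Validate the member table, then return {hostname: bootstrap block}.

    The member with the lowest priority is bootstrapped as the control unit;
    every other member gets 'enable as-data-unit'.
    """
    validate_members(members, ccl_mask)
    control = min(members, key=lambda m: m.priority)
    return {
        m.hostname: bootstrap_block(m, group, ccl_ifname, ccl_mask, key, m is not control)
        for m in members
    }


# Constructed member table matching the ASA1/ASA2 lab on this page.
LAB_MEMBERS = [
    Member("ASA1", "ASA1-Unit", "10.10.10.1", 1),
    Member("ASA2", "ASA2-Unit", "10.10.10.2", 10),
]
CCL_IF, CCL_MASK, GROUP = "Ethernet7", "255.255.255.252", "ASA-Clusters"

if __name__ == "__main__":
    for host, block in render_cluster(LAB_MEMBERS, GROUP, CCL_IF, CCL_MASK).items():
        print(block, end="\n\n")
```

Running it prints the ASA1 and ASA2 blocks shown above (ASA2 with `enable as-data-unit`); adding a third member on the same /30 fails validation before anything is rendered, which is the kind of mistake that otherwise only shows up as a unit that never joins.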

---

### Verify Cluster Status

```text
ASA1# show cluster info
ASA1# show cluster interface-mode
ASA1# show port-channel summary
ASA1# show cluster resource usage
```

Expected output should show:

- ASA1 as the **control** unit (priority 1)
- ASA2 as a **data** unit (priority 10)
- `show cluster info` reports these roles as MASTER and SLAVE on older releases and with control/data naming on newer ones
- Spanned port-channels with member interfaces from both units

If ASA2 does not appear, `show cluster history` on each unit records the join attempts and why a unit was rejected, and `show cluster info` on ASA2 shows whether it is still in election or has clustering disabled.

## Configuration Steps (ASDM)

*Screenshots and ASDM walkthrough coming soon.*

<!-- 
Add ASDM screenshots here as you create them:
![Step 1](images/asdm-step1.png)
-->