Cisco ASA 5515-X Adaptive Security Appliance Data Sheet
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 1 of 4
White Paper
Strengthen Network Defenses through ASA Firewall Clustering
What You Will Learn
The Cisco® ASA 5585-X Adaptive Security Appliance supports clustering of multiple identical firewall nodes into one logical firewall. This capability:
● Achieves a higher throughput, connection rate, and number of concurrent connections
● Provides a predictably scalable solution
● Allows customers to buy according to their current needs and add more nodes as their traffic increases
The higher performance is especially relevant in data centers, where a large amount of traffic is processed in one place.
The Benefits of Clustering
Clustering of firewall nodes extends redundancy beyond the traditional active/standby redundancy provided on a
device basis. Redundancy is now provided on a per-flow basis with up to 16 nodes in a single cluster. This shift
greatly increases the availability of firewall protection and improves the stability of the network in general.
There is only one configuration for all the nodes in a cluster. Any change to the configuration is made only on the
master node and is then propagated to all the slave nodes. This is one reason that all nodes in the cluster have to
be identical. When the master node fails, a different node assumes the role of master with no manual intervention.
The node that receives the first packet in a flow is called the owner of the flow. Another node is then picked to be the director of the flow, based on a hash of the IP addresses and port numbers of the source and destination. All state information for the flow is then passed to the director over a dedicated cluster control link (CCL). Thus, at all times, the state information of every flow is available at two nodes. The CCL is used only for the nodes to share flow-state information with one another and to carry data packets in the case of asymmetric traffic flows. The cluster control links are placed in their own VLAN, separate from the data links.
If the cluster control link of a node goes down, that node is removed from the cluster and no further traffic is sent to it. Cisco therefore recommends providing redundancy for the cluster control links by placing them in an EtherChannel to guard against interface failures.
If the owner node fails for any reason, the packets for the flow are sent to a different node in the cluster. This node, if it is not the director of the flow, can find the director by computing the same hash of the IP addresses and port numbers of the source and destination. The node then queries the director for the state information of the flow and becomes the new owner of that particular traffic flow. The director of the flow is updated with the new owner information.
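The owner/director mechanism and the failover path described above can be made concrete with a small simulation. The following is an added illustration, not Cisco code and not a description of the ASA implementation: the node names, the SHA-256-based ring hash, the in-memory tables standing in for state sent over the CCL, and the sample 4-tuple are all constructed assumptions. It shows a node becoming owner on the first packet, the director being chosen by hashing the flow's addresses and ports, a second node forwarding a return packet to the owner, and a third node recovering the flow state from the director after the owner drops out.

```python
"""Toy model of flow ownership in an ASA firewall cluster: owner, director,
forwarder, and the lookup/failover path. Added illustration, not Cisco code.
Node names, the hash, and the sample 4-tuple are constructed; 'sending over
the cluster control link (CCL)' is modelled as copying a dict between nodes."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        # Both directions of a connection must map to the same director,
        # so sort the two endpoints before hashing.
        return tuple(sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)]))


class Cluster:
    def __init__(self, nodes):
        self.nodes = list(nodes)   # membership in ring order
        self.alive = set(nodes)
        self.owned = {n: {} for n in nodes}     # node -> {key: {"packets", "director"}}
        self.directed = {n: {} for n in nodes}  # node -> {key: {"owner", "packets"}}

    def _ring(self, key):
        # Hash of the IP addresses and ports picks a start position in the ring (assumed scheme).
        h = int.from_bytes(hashlib.sha256(repr(key).encode()).digest()[:4], "big")
        n = len(self.nodes)
        return [self.nodes[(h + i) % n] for i in range(n)]

    def director_for(self, key, owner):
        # The first live node in ring order that is not the owner.
        return next((n for n in self._ring(key) if n in self.alive and n != owner), None)

    def find_director(self, key):
        # A non-owner walks the same ring until a live node holds a director record.
        return next((n for n in self._ring(key) if n in self.alive and key in self.directed[n]), None)

    def _sync(self, owner, key):
        # "Send state over the CCL": the director keeps a copy of the owner's state.
        st = self.owned[owner][key]
        if st["director"] not in self.alive:
            st["director"] = self.director_for(key, owner)
        if st["director"] is not None:
            self.directed[st["director"]][key] = {"owner": owner, "packets": st["packets"]}

    def handle_packet(self, node, flow):
        """Process one packet arriving at `node`; return the role the node played."""
        if node not in self.alive:
            raise ValueError(f"{node} is not a cluster member")
        key = flow.key()
        if key in self.owned[node]:
            self.owned[node][key]["packets"] += 1
            self._sync(node, key)
            return "owner"
        director = self.find_director(key)
        if director is None:
            # First packet of a new flow: the receiving node becomes the owner.
            self.owned[node][key] = {"packets": 1, "director": None}
            self._sync(node, key)
            return "owner"
        record = self.directed[director][key]
        if record["owner"] in self.alive:
            # Asymmetric return traffic: act as forwarder and hand the packet to the owner over the CCL.
            owner = record["owner"]
            self.owned[owner][key]["packets"] += 1
            self._sync(owner, key)
            return f"forwarder->{owner}"
        # Owner failed: pull the state from the director and take over ownership.
        self.owned[node][key] = {"packets": record["packets"] + 1, "director": None}
        del self.directed[director][key]
        self._sync(node, key)   # director record now names the new owner
        return "new-owner"

    def fail(self, node):
        """Node loses its CCL or crashes: it leaves the cluster and its tables are lost."""
        self.alive.discard(node)
        self.owned[node].clear()
        self.directed[node].clear()
        # Owners whose director just died choose a new one and resend state,
        # so every live flow is again known at two nodes.
        for owner in self.alive:
            for key, st in self.owned[owner].items():
                if st["director"] == node:
                    self._sync(owner, key)

    def owner_of(self, flow):
        key = flow.key()
        for n in self.alive:
            if key in self.owned[n]:
                return n, self.owned[n][key]["packets"]
        return None, 0


def demo():
    c = Cluster(["asa1", "asa2", "asa3", "asa4"])
    f = Flow("10.1.1.10", 51000, "192.0.2.20", 443)   # constructed sample flow
    roles = [c.handle_packet("asa1", f)]      # SYN lands on asa1: it becomes owner
    roles.append(c.handle_packet("asa3", f))  # return packet lands on asa3: forwarder
    c.fail("asa1")                            # the owner drops out of the cluster
    roles.append(c.handle_packet("asa2", f))  # asa2 recovers state from the director
    return roles, c.owner_of(f)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields the roles `["owner", "forwarder->asa1", "new-owner"]` and shows asa2 holding the flow with all three packets counted, because the director's copy of the state survived the owner's failure. The `fail()` method also re-homes director records when a director dies, which is what keeps the "state at two nodes" property the text describes; a real cluster re-elects directors on membership changes, which this toy model only approximates.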
For asymmetric flows, where the returning packet is sent to a node different from the owner, the node that receives
the packet is called the forwarder. The forwarder contacts the director of the flow to find its owner. Once the owner
is known, the flow is forwarded to the owner over the cluster control link for the duration of the flow. In a network