Cisco ASA 5515-X Adaptive Security Appliance Data Sheet

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 1 of 4 
White Paper 
Strengthen Network Defenses through ASA Firewall Clustering 
What You Will Learn 
The Cisco® ASA 5585-X Adaptive Security Appliance supports clustering of multiple identical firewall nodes into one logical firewall. This capability: 
● Achieves a higher throughput, connection rate, and number of concurrent connections 
● Provides a predictive scalable solution 
● Allows customers to buy according to their current needs and add more nodes as their traffic increases 
The higher performance is especially relevant in data centers, where a large amount of traffic is processed in 
one place. 
The Benefits of Clustering 
Clustering of firewall nodes extends redundancy beyond the traditional active/standby redundancy provided on a 
device basis. Redundancy is now provided on a per-flow basis with up to 16 nodes in a single cluster. This shift 
greatly increases the availability of firewall protection and improves the stability of the network in general. 
There is only one configuration for all the nodes in a cluster. Any change to the configuration is made only on the 
master node and is then propagated to all the slave nodes. This is one reason that all nodes in the cluster have to 
be identical. When the master node fails, a different node assumes the role of master with no manual intervention. 
The node that receives the first packet in a flow is called the owner of the flow. Then another node is picked to be 
the director of the flow, based on a hash of the IP addresses and port numbers of the source and destination. All 
state information for the flow is then passed on to the director using a dedicated cluster control link (CCL). Thus, 
at all times, the state information of every flow is available at two nodes. The CCL is used solely for the nodes to 
share information among them about the different flows in the cluster and for data flows in cases of asymmetric 
traffic flows. The cluster control links are put in their own VLAN separate from the data links. 
If the cluster control link of one node goes down, it is removed from the cluster and no traffic is sent to that node 
moving forward. So Cisco recommends providing redundancy for the cluster control links by putting them in an 
EtherChannel to guard against interface failures. 
If the owner node fails for whatever reason, the packets for the flow are sent to a different node in the cluster. 
This node, if not the director of the flow, is able to find the director of the flow by using the same hash of the IP 
addresses and port numbers of the source and destination. The node then queries the director for state information 
of the flow. Then this node becomes the owner of that particular traffic flow. The director of the flow is updated with the 
new owner information. 
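The owner/director mechanism described above, including owner failover and the forwarder role that handles asymmetric return traffic over the cluster control link, as an added Python model. This is example code, not Cisco's implementation: the SHA-256 hash over the four-tuple, the four node names, the sample flow, and the rule that the next live node in ring order becomes director when the hash lands on the owner itself are all assumptions made for the model.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self) -> bytes:
        # Director selection hashes the source/destination addresses and ports.
        return f"{self.src_ip}:{self.src_port}->{self.dst_ip}:{self.dst_port}".encode()


@dataclass
class Node:
    name: str
    alive: bool = True
    owned: dict = field(default_factory=dict)     # flow -> state, the owner's copy
    directed: dict = field(default_factory=dict)  # flow -> {"owner", "state"}, the director's copy


class Cluster:
    def __init__(self, names):
        self.ring = list(names)                  # configured membership in a fixed order
        self.nodes = {n: Node(n) for n in names}
        self.ccl = []                            # messages sent over the cluster control link

    def fail(self, name):
        self.nodes[name].alive = False

    def _hash_order(self, flow):
        """Live nodes in ring order, starting at the hashed position. Every node
        computes this identically, so the director is found with no lookup table.
        (SHA-256 over the 4-tuple is an assumption, not the ASA's real hash.)"""
        h = int.from_bytes(hashlib.sha256(flow.key()).digest()[:8], "big")
        start = h % len(self.ring)
        order = self.ring[start:] + self.ring[:start]
        return [n for n in order if self.nodes[n].alive]

    def _sync_to_director(self, flow, owner):
        """Owner pushes a copy of the flow state to its director over the CCL.
        Assumption: if the hash lands on the owner itself, the next live node in
        ring order is the director, so two nodes always hold the state."""
        d = next(n for n in self._hash_order(flow) if n != owner)
        self.nodes[d].directed[flow] = {"owner": owner, "state": dict(self.nodes[owner].owned[flow])}
        self.ccl.append(("state-update", owner, d))
        return d

    def new_flow(self, flow, first_hop):
        """The node receiving the first packet of a flow becomes its owner."""
        self.nodes[first_hop].owned[flow] = {"packets": 1}
        return first_hop, self._sync_to_director(flow, first_hop)

    def find_owner(self, flow, asking):
        """Walk the hash order, querying nodes over the CCL, until one answers as
        the director (or happens to be the owner). Returns None if nobody knows."""
        for n in self._hash_order(flow):
            node = self.nodes[n]
            if flow in node.directed:
                if n != asking:
                    self.ccl.append(("director-query", asking, n))
                return node.directed[flow]["owner"]
            if flow in node.owned:
                return n
        return None

    def packet(self, flow, arriving_at):
        """Handle a packet of `flow` arriving at node `arriving_at`.
        Returns (role the arriving node played, owner after handling)."""
        me = self.nodes[arriving_at]
        if flow in me.owned:                      # normal case: this node already owns it
            me.owned[flow]["packets"] += 1
            self._sync_to_director(flow, arriving_at)
            return "owner", arriving_at
        owner = self.find_owner(flow, arriving_at)
        if owner is None:                         # no live node holds state for this flow
            return "unknown", None
        if self.nodes[owner].alive:               # asymmetric return traffic: act as forwarder
            self.ccl.append(("forward", arriving_at, owner))
            self.nodes[owner].owned[flow]["packets"] += 1
            self._sync_to_director(flow, owner)
            return "forwarder", owner
        # Owner failed: pull state from the director, take ownership, re-register.
        old_d = next(n for n in self._hash_order(flow) if flow in self.nodes[n].directed)
        if old_d != arriving_at:
            self.ccl.append(("state-query", arriving_at, old_d))
        me.owned[flow] = dict(self.nodes[old_d].directed[flow]["state"])
        me.owned[flow]["packets"] += 1
        new_d = self._sync_to_director(flow, arriving_at)
        if old_d != new_d:
            del self.nodes[old_d].directed[flow]
        return "new-owner", arriving_at

    def state_holders(self, flow):
        # Live nodes holding a copy of the flow state; the design goal is exactly two.
        return sorted(n for n, node in self.nodes.items()
                      if node.alive and (flow in node.owned or flow in node.directed))
```

Running `Cluster(["A", "B", "C", "D"])` through `new_flow`, a packet at the owner, a packet at a third node, then `fail("A")` and another packet shows the three roles in turn: owner, forwarder, and new owner after failover, with `state_holders` staying at two live nodes throughout. The model deliberately stops where the page does: director failure and a node rejoining the cluster are not handled.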
For asymmetric flows, where the returning packet is sent to a node different from the owner, the node that receives 
the packet is called the forwarder. The forwarder contacts the director of the flow to find its owner. Once the owner 
is known, the flow is forwarded to the owner over the cluster control link for the duration of the flow. In a network