Cisco ASA Series CLI Configuration Manual page 271

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide, page 1-7
Chapter 1
Configuring a Cluster of ASAs
Information About ASA Clustering

• Cluster Control Link Latency and Reliability, page 1-8
• Cluster Control Link Failure, page 1-8

Cluster Control Link Traffic Overview
Cluster control link traffic includes both control and data traffic.
Control traffic includes:
• Master election. (See the "Cluster Members" section on page 1-2.)
• Configuration replication. (See the "Configuration Replication" section on page 1-10.)
• Health monitoring. (See the "Unit Health Monitoring" section on page 1-9.)
Data traffic includes:
• State replication. (See the "Data Path Connection State Replication" section on page 1-9.)
• Connection ownership queries and data packet forwarding. (See the "Rebalancing New TCP Connections Across the Cluster" section on page 1-17.)

Cluster Control Link Network
Each cluster control link has an IP address on the same subnet. This subnet should be isolated from all other traffic, and should include only the ASA cluster control link interfaces.
For a 2-member cluster, do not directly connect the cluster control link from one ASA to the other ASA. If you directly connect the interfaces, then when one unit fails, the cluster control link fails, and thus the remaining healthy unit fails. If you connect the cluster control link through a switch, then the cluster control link remains up for the healthy unit.

Sizing the Cluster Control Link
You should assign an equal amount of bandwidth to the cluster control link as you assign for through traffic. For example, if you have the ASA 5585-X with SSP-60, which can pass 14 Gbps per unit maximum in a cluster, then you should also assign interfaces to the cluster control link that can pass approximately 14 Gbps. In this case, you could use 2 Ten Gigabit Ethernet interfaces in an EtherChannel for the cluster control link, and use the rest of the interfaces as desired for data links.
Cluster control link traffic consists mainly of state updates and forwarded packets. The amount of traffic at any given time on the cluster control link varies. For example, state updates could consume up to 10% of the through traffic amount if through traffic consists exclusively of short-lived TCP connections. The amount of forwarded traffic depends on the load-balancing efficacy or whether there is a lot of traffic for centralized features. For example:
• NAT results in poor load balancing of connections, and the need to rebalance all returning traffic to the correct units.
• AAA for network access is a centralized feature, so all traffic is forwarded to the master unit.
• When membership changes, the cluster needs to rebalance a large number of connections, thus temporarily using a large amount of cluster control link bandwidth.
A higher-bandwidth cluster control link helps the cluster to converge faster when there are membership changes and prevents throughput bottlenecks.
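The control link subnet and sizing rules on this page can be checked against saved unit configurations. The following is an added example, not code from the Cisco guide: `audit_ccl` and `unit_cfg` are hypothetical helpers, the config fragments are constructed, and it assumes the control link address appears on a `cluster-interface ... ip` line and all other addresses on `ip address` lines.

```python
import ipaddress
import re

# Lines as they appear in an ASA running-config (constructed samples below).
CCL_RE = re.compile(r"^[ \t]*cluster-interface \S+ ip (\S+) (\S+)", re.M)
ADDR_RE = re.compile(r"^[ \t]*ip address (\d\S*) (\d\S*)", re.M)

def audit_ccl(configs, ccl_gbps, through_gbps):
    """configs maps unit name -> config text; returns a list of findings."""
    findings, ccl = [], {}
    for unit, text in configs.items():
        m = CCL_RE.search(text)
        if m is None:
            findings.append(f"{unit}: no cluster-interface line found")
            continue
        ccl[unit] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    subnets = set(ccl.values())
    # Rule 1: every unit's control link address is on the same subnet.
    if len(subnets) > 1:
        nets = ", ".join(sorted(str(s) for s in subnets))
        findings.append(f"control link subnets differ: {nets}")
    # Rule 2: the subnet carries only control link interfaces.
    for unit, text in configs.items():
        for addr, mask in ADDR_RE.findall(text):
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
            hit = [str(s) for s in subnets if net.overlaps(s)]
            if hit:
                findings.append(f"{unit}: {net} overlaps control link subnet {hit[0]}")
    # Rule 3: control link bandwidth matches per-unit through traffic.
    if ccl_gbps < through_gbps:
        findings.append(f"control link {ccl_gbps} Gbps < through traffic {through_gbps} Gbps")
    return findings

def unit_cfg(ccl_ip, data_ip):  # builds a constructed config fragment
    return (f"interface GigabitEthernet0/0\n ip address {data_ip} 255.255.255.0\n"
            f"cluster group pod1\n cluster-interface Port-channel1 ip {ccl_ip} 255.255.255.0\n")

GOOD = {"unit1": unit_cfg("192.168.1.1", "10.10.0.1"),
        "unit2": unit_cfg("192.168.1.2", "10.10.0.1")}
BAD = {"unit1": unit_cfg("192.168.1.1", "10.10.0.1"),
       "unit2": unit_cfg("192.168.2.2", "192.168.1.50")}

if __name__ == "__main__":
    print(audit_ccl(GOOD, 20, 14))   # 2 x 10GE EtherChannel vs 14 Gbps
    for finding in audit_ccl(BAD, 10, 14):
        print(finding)
```

The direct-connect rule for 2-member clusters depends on physical cabling, so it cannot be derived from configuration text and is not checked here.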
