Dynamic Routing - Cisco ASA Series CLI Configuration Manual

Software version 9.0 for the services module

Chapter 1
Configuring a Cluster of ASAs

Dynamic Routing

Dynamic Routing in Spanned EtherChannel Mode
In Spanned EtherChannel mode, the routing process only runs on the master unit, and routes are learned
through the master unit and replicated to slaves. If a routing packet arrives at a slave, it is redirected to
the master unit.
Figure 1-1: Only the master unit uses OSPF with neighboring routers. Slave units are invisible.
• QoS—The QoS policy is synced across the cluster as part of configuration replication. However, the
  policy is enforced on each unit independently. For example, if you configure policing on output, then
  the conform rate and conform burst values are enforced on traffic exiting a particular ASA. In a
  cluster with 8 units and with traffic evenly distributed, the conform rate actually becomes 8 times
  the rate for the cluster.
• Threat detection—Threat detection works on each unit independently; for example, the top statistics
  are unit-specific. Port scanning detection, for example, does not work because scanning traffic will
  be load-balanced between all units, and one unit will not see all traffic.
• Resource management—Resource management in multiple context mode is enforced separately on
  each unit based on local usage.
• IPS module—There is no configuration sync or state sharing between IPS modules. Some IPS
  signatures require IPS to keep the state across multiple connections. For example, the port scanning
  signature is used when the IPS module detects that someone is opening many connections to one
  server but with different ports. In clustering, those connections will be balanced between multiple
  ASA devices, each of which has its own IPS module. Because these IPS modules do not share state
  information, the cluster may not be able to detect port scanning as a result.
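
The port-scanning limitation described under Threat detection and IPS module above, as an added example (not Cisco code): it counts distinct destination ports per source and server in each unit's view and in the combined view. The hash in `owner_unit`, the threshold of 20, and the sample connections are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

UNITS = 8        # cluster size from the page's QoS example
THRESHOLD = 20   # assumed alert threshold: distinct ports per (source, server)

def owner_unit(conn, units=UNITS):
    """Stand-in for the load-balancing hash (assumption: the real algorithm
    is set on the switch; any per-flow hash spreads a scan the same way)."""
    src, sport, dst, dport = conn
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    return (key + sport + dport) % units

def split_by_unit(conns, units=UNITS):
    """Group connections by the cluster unit that would receive them."""
    views = defaultdict(list)
    for conn in conns:
        views[owner_unit(conn, units)].append(conn)
    return dict(views)

def ports_per_pair(conns):
    """Map (source, server) -> set of destination ports in this view."""
    seen = defaultdict(set)
    for src, _sport, dst, dport in conns:
        seen[(src, dst)].add(dport)
    return seen

def scan_alerts(conns, threshold=THRESHOLD):
    """Pairs whose distinct-port count reaches the threshold in this view."""
    return {p for p, ports in ports_per_pair(conns).items() if len(ports) >= threshold}

def max_ports_on_one_unit(conns, pair):
    """Largest distinct-port count any single unit observes for `pair`."""
    return max(len(ports_per_pair(v).get(pair, ())) for v in split_by_unit(conns).values())

# Constructed sample: one source opening 60 ports on one server, plus an
# ordinary client making 30 HTTPS connections (documentation addresses).
SCANNER, CLIENT, SERVER = "198.51.100.7", "203.0.113.5", "192.0.2.10"
SAMPLE = [(SCANNER, 40000 + 2 * i, SERVER, 1 + i) for i in range(60)]
SAMPLE += [(CLIENT, 50000 + i, SERVER, 443) for i in range(30)]

if __name__ == "__main__":
    for unit, view in sorted(split_by_unit(SAMPLE).items()):
        print(f"unit {unit}: {len(view)} conns, alerts={scan_alerts(view)}")
    print("busiest unit sees", max_ports_on_one_unit(SAMPLE, (SCANNER, SERVER)), "ports")
    print("all units combined:", scan_alerts(SAMPLE))
```

With this sample, no single unit observes more than 8 of the 60 ports, so a per-unit counter never reaches the threshold, while the same counter over all units' connections does.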

• Dynamic Routing in Spanned EtherChannel Mode
• Dynamic Routing in Individual Interface Mode
