erseattle.blogg.se

What is cisco asa







Cisco has released OS version 9.0.1 for the popular and ubiquitous ASA firewall. One of the new features Cisco is touting is firewall clustering. We got talking about ASA 9.0 clustering on a podcast recording we did over the weekend, and we hit a few points based on the official Cisco configuration guide. That show is in the queue with several others, so I can’t promise when exactly it’s going to be published, but keep your eye out for the show with Brent Salisbury and Bob McCouch. We talked for 2+ hours I think, so it will probably be released in parts.

This morning, I got some Cisco inbox spam that linked to a presentation entitled “Enterprise-Class Security at Data Center Speeds – Clustering With Cisco ASA.” It’s an archived presentation from October 2012, and registration (using your CCO account if you like) is required. I gave it a view, and took a lot of notes.

- So you can scale throughput way up there, up to 100Gbps.
- Like traditional active/standby ASA firewall HA pairs, ASA clusters offer redundancy. For full path redundancy, you can cluster up to 8 firewalls to a VPC Nexus pair, or Cat6K VSS pair. In other words, MLAG topologies are supported. Obviously, you don’t have to plumb the firewalls to Cisco switches. Plumb them to whatever you want; LACP is your friend if you’re doing a layer 2 load-balancing method across the cluster.
- There is a cluster license, of course. I haven’t priced it, but my expectation is that the clustering license will be reassuringly expensive (as Greg Ferro puts it).
- There’s a clustering dashboard, which gives you a unified console, but you can still drill into any single node if you want. The general idea is that you manage the cluster as an entity (including policy), and not individual firewalls.
- Hitless upgrading is supported, meaning you can upgrade one cluster member, put him back into the cluster, then upgrade another cluster member, until all the nodes are upgraded. Your traffic isn’t supposed to know the difference. I have upgraded many ASA firewall HA pairs and never had an issue with traffic interruptions, so I presume this will actually work as advertised.
- The cluster is fully manageable via ASDM 7.0 or the CLI if you prefer.
- When running the Packet Capture Wizard in ASDM, you can capture for a single node or the whole cluster. Cluster functionality is at the CLI as well, but Cisco didn’t demo it.
- When adding new members to an ASA cluster, throughput scales linearly, netting you about a 70% throughput improvement per node added to the cluster. Whether you get more or less than 70% will depend on what sort of traffic you’re pumping through the cluster. A lot of the traffic is hardware accelerated, so I’m not overly skeptical here.







