ASA Cluster - Cisco Support Community

Transcript

Cisco Support Community
Expert Series Webcast
Learn more about ASA Cluster
Henrique Reis
Cisco Advanced Services
Apr 20, 2016
Live Expert Series Webcast
Henrique Reis works at Cisco as a network consultant on the Advanced Services team in the Security practice for Latin America. Previously, Henrique worked as a support engineer (HTE - High Touch Engineer) for customers in the financial sector such as banks (Itaú) and the stock exchange (BVMF), and was also a Cisco instructor for the Cisco Academy for CCNA and CCNP. He holds the following Cisco certifications: Cisco Certified Internetwork Expert (CCIE R&S) #22233, CCIE Security Written, SourceFire training, CCNP Routing and Switching, CCNA Routing and Switching, Cisco Certified Design Associate (CCDA), Cisco Certified Internetwork Expert (CCIE Security) in progress, CCAI (Cisco Certified Academy Instructor), among others.
Thank you for joining us today!
During the presentation, a few questions will be asked of the audience.
Give your answers and take part!
If you would like a copy of the presentation slides, go to the link:
https://supportforums.cisco.com/pt/document/12731976
Send your question now!
Use the questions and answers (Q&A) panel to submit your questions; the experts will answer in real time.
Polling Question 1
What is the first version to support ASA Cluster?
a) 8.0
b) 5.0
c) 7.0
d) 9.0
Agenda
• Clustering – Introduction
• Clustering – Operation
• Clustering – Modes of operation
• Flow types
• Connection examples
• Clustering – ASA features
• Configuring clustering via CLI
• Configuring clustering via ASDM
• Troubleshooting/Debugging
• Q/A
Introduction
• Clustering is a way of connecting multiple ASA firewalls to form a single logical firewall, in such a way that it is transparent to users and offers greater scalability.
Introduction (continued)
• New data centers require firewall and security solutions with more than 40 Gbps of throughput.
• The clustering solution can scale up to 640 Gbps of aggregate traffic.
• A cluster can contain up to 16 ASA units.
• One unit is designated as the master and the others are called slaves.
• All the ASA firewalls have a dedicated interface (link) between them known as the Cluster Control Link (CCL).
• Keepalive/CP/DP messages are sent over this link.
Introduction (continued)
• Scale factor
• When several ASAs are combined in a cluster, the approximate performance gain is:
  • 70% of the combined throughput
  • 60% of the maximum number of connections
  • 50% of the number of connections per second
• For example, the throughput of the ASA 5585-X with SSP-40 reaches up to 10 Gbps when running stand-alone. With a cluster of 8 ASAs, the combined throughput reaches up to 70% of 80 Gbps (8 ASAs x 10 Gbps): 56 Gbps.
Introduction (continued)
• Clustering is supported on the following models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X and 5580.
• The minimum version for cluster operation is 9.0.
• The cluster units do not need the same license. Usually the license is bought only for the master and the other units share that license. If the cluster units have different licenses, they are combined up to the platform limit, that is, the hardware capacity.
• Note: each unit must still have an individual cluster license, the same encryption license and the 10 GE I/O license.
• All cluster units must have the same hardware.
• A proprietary protocol is used for control and load balancing within the cluster.
Requirements for cluster operation
To bring up an ASA cluster, the following requirements must be met:
• Fiber connectivity for the CCL – Cluster Control Link;
• CCL latency below 10 ms (RTT);
• Links without any kind of degradation, such as packet loss, out-of-order packets or delays due to congestion;
• The CCL must be sized to account for traffic asymmetry. Asymmetry should be minimized by the devices external to the ASA;
• Same firewall hardware for the cluster members;
• Increase the MTU on the CCL from 1500 to 1600;
• Spanning-tree PortFast on the switch ports used for the CCL.
Operation
• The ASA cluster does not itself load-balance packets and flows.
• It is assumed that external mechanisms are in place to ensure that packets and traffic flows are balanced across the cluster members.
Operation (continued)
• Clustering is different from the traditional Active-Active model.
• All cluster units have the same configuration.
• All of them can actively pass traffic. In case of a failure, connectivity is maintained across the cluster because the connection state table is shared with at least one other backup unit in the cluster.
• Each flow is replicated to a different unit within the cluster, for failure cases.
ASA Clustering – Roles
• Master and slaves
• The master is determined by:
  1. The first ASA added to the cluster
  2. The highest configured priority (between 1 and 100); 1 is the highest.
  3. Hostname and, finally, serial number
• Note: if an ASA joins the cluster after a master has already been chosen, there is no new election, even if it has a higher priority.
• There is no preemption.
• The master handles all centralized features and management.
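The election rules above, modelled as a small state machine. This is an added example, not Cisco code: the Cluster and Unit names are this example's own, and the 45-second election window is the value from the state-transition slide.

```python
"""Master election for an ASA cluster, as described on the "Roles" slide.

Added example, not Cisco code. Units that come up together compete on
priority (1..100, 1 is the highest), then hostname, then serial number;
once a master exists, any later joiner becomes a slave whatever its
priority, because there is no preemption. The 45-second election window
is taken from the state-transition slide.
"""
from dataclasses import dataclass

ELECTION_WINDOW_S = 45  # seconds a unit looks for a master on the CCL before taking the role


@dataclass(frozen=True)
class Unit:
    hostname: str
    serial: str
    priority: int  # configured priority, 1..100; the lower value wins

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"{self.hostname}: priority must be between 1 and 100")


def election_key(unit):
    """Ordering used during an election: priority, then hostname, then serial."""
    return (unit.priority, unit.hostname, unit.serial)


class Cluster:
    """Minimal model of the ELECTION -> MASTER/SLAVE transition."""

    def __init__(self):
        self.master = None      # hostname of the elected master, once there is one
        self.pending = []       # units still in the ELECTION state
        self.window_end = None  # time at which the pending election resolves
        self.roles = {}         # hostname -> "ELECTION" | "MASTER" | "SLAVE"

    def join(self, unit, now):
        """A unit enables clustering at time `now`; returns its initial state."""
        if self.master is not None:
            # A master already exists: the newcomer is admitted as a slave,
            # even if its priority is better. No new election, no preemption.
            self.roles[unit.hostname] = "SLAVE"
            return "SLAVE"
        if not self.pending:
            # The first unit to come up starts the election window.
            self.window_end = now + ELECTION_WINDOW_S
        self.pending.append(unit)
        self.roles[unit.hostname] = "ELECTION"
        return "ELECTION"

    def tick(self, now):
        """Resolve the election once the window has expired; return the master."""
        if self.master is None and self.pending and now >= self.window_end:
            winner = min(self.pending, key=election_key)
            for unit in self.pending:
                self.roles[unit.hostname] = "MASTER" if unit is winner else "SLAVE"
            self.master = winner.hostname
            self.pending = []
        return self.master


def demo():
    """Two units boot together; a third with the best priority joins late."""
    cluster = Cluster()
    cluster.join(Unit("ASA-A", "SN-A", priority=50), now=0)
    cluster.join(Unit("ASA-B", "SN-B", priority=1), now=10)
    cluster.tick(now=45)                                      # ASA-B wins on priority
    cluster.join(Unit("ASA-C", "SN-C", priority=1), now=100)  # too late: slave, no preemption
    return dict(cluster.roles)


if __name__ == "__main__":
    print(demo())
```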
ASA Clustering – Interface types
• CDL (Spanned EtherChannel)
• CCL (Local EtherChannel)
• CDL – data-plane traffic
• CCL carries both data and control traffic
• Control traffic:
  • Master election
  • Configuration replication
  • Status monitoring
• Data traffic:
  • State table replication
  • Forwarding of traffic between units
ASA Clustering – State Transition
[State-transition diagram] Boot -> Election: the unit looks for a master on the Cluster Control Link and waits 45 seconds before assuming the Master role. If a master already exists, the unit goes through Slave Config and Bulk Sync (On-Call: the master admits 1 unit at a time) until it is ready to pass traffic as a Slave; otherwise it becomes Master.
ASA/master# show cluster history
==========================================================================
From State        To State          Reason
==========================================================================
15:36:33 UTC Nov 3 2014
DISABLED          DISABLED          Disabled at startup
15:37:10 UTC Nov 3 2014
DISABLED          ELECTION          Enabled from CLI
15:37:55 UTC Nov 3 2014
ELECTION          MASTER            Enabled from CLI
==========================================================================
[Diagram, failure transitions] Slave -> Disabled on sync or health failure; Master -> Disabled on health failure.
ASA/master# show cluster info
Cluster sjfw: On
    Interface mode: spanned
    This is "A" in state MASTER
        ID        : 0
        Version   : 9.2(1)
        Serial No.: ART1434AERL
        CCL IP    : 1.1.1.1
        CCL MAC   : 5475.d029.8856
        Last join : 15:37:55 UTC Nov 3 2014
        Last leave: N/A
Transparent vs Routed Mode
[Diagram] Transparent mode: the ASA cluster performs VLAN translation between the inside interface (VLAN 1001) and the outside interface (VLAN 1002); the upstream SVI 1002 carries the HSRP VIP. Routed mode: the inside interface is an L3 sub-interface using VLAN tag-id 1001 (IP1) and the outside interface is an L3 sub-interface using VLAN tag-id 1002 (IP2), with the HSRP VIP on SVI 1002 upstream.
Modes of operation – Interfaces
• Cluster interfaces can be configured in:
  • Layer-2 mode
  • Layer-3 mode
• Layer-2 mode:
  • The ASA interfaces are grouped into an EtherChannel
  • EtherChannel – aggregation of physical interfaces to form a logical port-channel using Link Aggregation Control Protocol (LACP)
  • A switch can use the EtherChannel to balance traffic across the ASAs, where all units share a virtual IP and MAC address, logically becoming a single gateway
• Layer-3 mode:
  • Each interface has its own IP address and its own MAC address
  • A router can use PBR (Policy Based Routing) or ECMP (Equal Cost MultiPath routing) to balance traffic across the ASAs.
ASA Cluster in Spanned mode
• In an ASA cluster operating in "spanned" mode, the interfaces are grouped into an EtherChannel using the LACP protocol.
• The interfaces in that EtherChannel share one IP address and one virtual MAC address defined for the whole cluster, working as a single logical interface.
• The attached layer-3 device uses an ECLB mechanism (equal-cost load balancing) to distribute the flows across the ASAs.
• Each interface also has its own private MAC address, which is used by LACP when auto-negotiation is enabled.
• For other requests, for example ARP, each cluster unit uses the virtual MAC.
ASA Cluster in Individual mode
• In an ASA cluster operating in "individual" mode, the interfaces of each ASA have their own IP address and MAC address.
• The upstream router uses PBR or ECMP to balance flows to the individual units in the cluster.
• Dynamic routing protocols can be used.
• In "individual" interface mode, each cluster unit computes and runs the routing protocol on its own, and the routes in the routing table are learned by each unit independently.
ASA Cluster in Spanned Transparent mode
• With the firewall working in transparent mode, it does not take part in routing and acts only as a layer-2 switch.
• It uses a bridge-group that links the ingress and egress interfaces.
• In transparent mode the ASA receives traffic with an ingress VLAN ID and rewrites that ID with the egress VLAN.
• With the ASA operating in transparent mode, the only cluster option supported at the time of writing is Spanned.
Polling Question 2
What are the two modes of operation of an ASA cluster? (choose two options)
a) Spanned
b) Active
c) Standby
d) Individual
e) Stand-alone
Connections – Flows
• The state (destination IP, source IP, ports, protocol) of each connection is kept by the connection's 'owner'.
• If a packet of an already established connection arrives at a cluster member that is not the owner, it is forwarded over the Cluster Control Link (CCL).
• The first cluster member that receives a TCP/UDP (non-inspection) connection is designated as the owner.
• The state table is kept (backed up) on another ASA known as the 'director'.
• The (single) director is selected by a hash for each connection.
• Any member can query the director to find out the owner of a connection.
[Diagram sequence: TCP connection setup with symmetric traffic. Client and Server sit on either side of the cluster (inside and outside networks); Owner and Director are units in the ASA cluster. The SYN from the Client reaches the Owner, which forwards it to the Server and sends a state update (1: State update) to the Director; the SYN/ACK returns through the Owner to the Client.]
• Connection setup overhead when traffic is symmetric: state replication from Owner to Director, which also serves as the failover message to provide redundancy should the owner fail.
• The Director is selected per connection using a consistent hashing algorithm.
[Diagram sequence: TCP connection setup with asymmetric traffic. The SYN from the Client reaches the Owner, which forwards it to the Server and sends a state update (1: State update) to the Director. The SYN/ACK from the Server arrives at a different unit, the Forwarder, which sends an owner query to the Director (2: Owner query) and receives the owner's location (3: Owner location); it then forwards the SYN/ACK to the Owner. After step 4, all remaining packets are forwarded directly to the owner.]
• The Director is selected per connection using a consistent hashing algorithm.
• The Director also serves as backup should the owner fail.
• Optimizations exist in the implementation to eliminate steps 2 and 3 when appropriate.
[Diagram sequence: owner failure and re-homing of a flow. The Owner handles Packet N from the Client and Packet M from the Server. After the Owner fails, Packet N+1 arrives at Node X and Packet M+1 at Node Y. 1: Node X sends an owner query to the Director. 2: Node Y sends an owner query to the Director. 3: The Director answers Node X "You are owner now". 4: The Director answers Node Y "Owner is Node X", and Node Y forwards Packet M+1 to Node X, which now owns the flow.]
UDP connection build-up
[Diagram: Client on the inside, Server on the outside, Flow Owner, Flow Director and Flow Forwarder units in the ASA cluster.]
1. The Client attempts a new UDP or another pseudo-stateful connection.
2. The receiving unit queries the Director.
3. The Director answers: not found.
4. The receiving unit becomes Owner and delivers the packet to the Server.
5. The Owner updates the Director.
6. The Server responds through another unit.
7. That unit queries the Director.
8. The Director returns the Owner.
9. That unit redirects the packet to the Owner and becomes Forwarder.
10. The Owner delivers the response to the Client.
CCL sizing
• It is recommended that the CCL bandwidth be at least 50% of the bandwidth used by data traffic.
• Example: if the customer carries 20G of data traffic, then the CCL should have at least 10G of bandwidth.
• Reason: the load-balancing algorithm used by the switches can make connections asymmetric. As a result, traffic may reach a member other than the connection's owner. The CCL then corrects this by sending the packets to the owner.
• This forwarding is done over the CCL.
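A pre-deployment check that applies this 50% CCL rule together with the requirements and scale factors from the earlier slides (supported models, version 9.0, 16 units of identical hardware, RTT under 10 ms, MTU 1600, 70%/60%/50% scaling). Added example, not Cisco tooling: the Design class and its field names are this example's own, and the per-unit connection figures in slide_example are illustrative rather than datasheet values.

```python
"""Pre-deployment check of an ASA cluster design against the requirements
and sizing figures given in this webcast. Added example, not Cisco tooling.
"""
import re
from dataclasses import dataclass

SUPPORTED_MODELS = {"5512-X", "5515-X", "5525-X", "5545-X", "5555-X", "5585-X", "5580"}
MIN_VERSION = (9, 0)
MAX_UNITS = 16
MAX_CCL_RTT_MS = 10
REQUIRED_CCL_MTU = 1600
CCL_SHARE_OF_DATA = 0.5   # CCL bandwidth >= 50% of data traffic
SCALE = {"throughput": 0.70, "connections": 0.60, "conn_per_sec": 0.50}


@dataclass
class Design:
    models: list                 # hardware model of each unit, e.g. ["5585-X"] * 8
    version: str                 # ASA software version, e.g. "9.2(1)"
    unit_throughput_gbps: float  # stand-alone figures for one unit
    unit_connections: int
    unit_cps: int
    data_traffic_gbps: float     # aggregate data traffic expected through the cluster
    ccl_bandwidth_gbps: float
    ccl_rtt_ms: float
    ccl_mtu: int
    ccl_degraded: bool = False   # loss, reordering or congestion delay seen on the CCL


def parse_version(text):
    """'9.2(1)' -> (9, 2); only major.minor matter for the 9.0 check."""
    m = re.match(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable ASA version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def expected_capacity(d):
    """Aggregate capacity after applying the slide's scale factors."""
    n = len(d.models)
    return {
        "throughput_gbps": round(n * d.unit_throughput_gbps * SCALE["throughput"], 3),
        "connections": int(n * d.unit_connections * SCALE["connections"]),
        "conn_per_sec": int(n * d.unit_cps * SCALE["conn_per_sec"]),
    }


def check_design(d):
    """Return a list of findings; an empty list means the design meets the slides' requirements."""
    findings = []
    n = len(d.models)
    if not 1 <= n <= MAX_UNITS:
        findings.append(f"{n} units: a cluster holds 1 to {MAX_UNITS} units")
    if len(set(d.models)) > 1:
        findings.append("all cluster units must have the same hardware")
    for model in sorted(set(d.models) - SUPPORTED_MODELS):
        findings.append(f"model {model} does not support clustering")
    if parse_version(d.version) < MIN_VERSION:
        findings.append(f"version {d.version} is below the 9.0 minimum")
    if d.ccl_rtt_ms >= MAX_CCL_RTT_MS:
        findings.append(f"CCL RTT {d.ccl_rtt_ms} ms is not below {MAX_CCL_RTT_MS} ms")
    if d.ccl_mtu < REQUIRED_CCL_MTU:
        findings.append(f"CCL MTU {d.ccl_mtu} must be raised to {REQUIRED_CCL_MTU}")
    if d.ccl_degraded:
        findings.append("CCL shows loss, reordering or congestion delay")
    needed = CCL_SHARE_OF_DATA * d.data_traffic_gbps
    if d.ccl_bandwidth_gbps < needed:
        findings.append(f"CCL {d.ccl_bandwidth_gbps} Gbps is below the {needed} Gbps "
                        f"needed for {d.data_traffic_gbps} Gbps of data traffic")
    return findings


def slide_example():
    """The deck's case: 8 x ASA 5585-X SSP-40 at 10 Gbps each, 20G of data, 10G CCL.
    Connection and cps figures are illustrative, not datasheet values."""
    return Design(models=["5585-X"] * 8, version="9.2(1)", unit_throughput_gbps=10,
                  unit_connections=4_000_000, unit_cps=200_000, data_traffic_gbps=20,
                  ccl_bandwidth_gbps=10, ccl_rtt_ms=2, ccl_mtu=1600)


if __name__ == "__main__":
    d = slide_example()
    print(expected_capacity(d))   # throughput 56.0 Gbps, as on the scale-factor slide
    print(check_design(d) or "design meets the webcast requirements")
```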
ASA feature scaling
• The features supported on the ASA are divided into centralized and distributed.
• All packets for centralized features are processed by the master.
• Centralized features:
  • Filtering Services
  • Inspect (DCERPC, ESMTP, IGMP, NetBios, PPTP, Radius, RSH, SNMP, SUNRPC, TFTP, XDMCP)
  • IGMP
  • PIM
  • L2 Dynamic Routing
  • L3 Multicast Data Traffic
  • VPN: L3/IKEv1 and L3/IKEv2
  • VPN management access
• * Currently we do not support all inspection protocols
ASA feature scaling (cont.)
• Distributed features:
  • DNS
  • NAT
  • TCP intercept, others…
Unsupported features
• The following features are not supported when operating in clustering and cannot be configured:
  • Auto Update Server
  • Failover
  • Inspect CTIQBE
  • Inspect WCCP
  • Inspect SIP
  • Inspect RTSP
  • Inspect WAAS
  • Inspect MGCP
  • Inspect MMP
  • Inspect Skinny
  • Inspect H323, H325
  • Inspect RAS
  • Inspect GTP
  • UC/IME/Phone Proxy
  • TLS Proxy
  • BTF
  • DHCP client, server, relay
  • NAC
  • VPN Remote Access
  • VPN Load Balancing
New Centralized Connection
[Diagram: Client on the inside, Server on the outside, Forwarder, Master and Flow Director units in the ASA cluster.]
1. The Client attempts a new connection.
2. The receiving unit recognizes a centralized feature, redirects to the Master and becomes Forwarder.
3. The Master becomes Owner and delivers the packet to the Server.
4. The Master updates the Director.
• SYN packet from the client is sent to a non-master unit (redirecter).
• The redirecter forwards the packet to the master unit (forwarding flow).
• The master unit creates the flow and forwards the packet to the server.
• The master unit sends a state update to the Director unit.
• On the reverse path, if the packet hits a non-master unit, a query is sent to the director and a forwarding flow to the master unit is created thereafter.
Additional features
• NAT
  • Static NAT and PAT work without any change.
  • Static NATs are created through configuration and maintained by the master. They are created using the static command within an object's configuration.
  • Dynamic NAT is created and maintained by the master and replicated to the other cluster members.
  • When a new connection that requires NAT is received by a cluster member, that unit requests the translation from the master.
Additional features – NAT
• Special considerations for NAT
  • When the cluster is in Individual mode, a Proxy-ARP reply is never sent.
  • This does not occur when the cluster is in Spanned mode, since there is only one IP address.
  • Interface PAT cannot be used when the cluster operates in Individual mode.
Additional features – Health Check
• The cluster health-check has two parts:
  1. Unit health-check
    • Relies on keepalive messages exchanged between the units to monitor the status of the active cluster members.
    • The hold-time value determines the interval after which a cluster member is considered to have left the cluster.
  2. Interface health-check
    • Checks link status changes on the interfaces to monitor whether the interfaces are up or down on a cluster member.
Additional features – Interface Health Check
• The interface health-check verifies the status of the interfaces used for data, for example physical interfaces, port-channels or sub-interfaces.
• When a member's interface goes down, it checks with the other cluster members whether the same interface is up on them.
• If it detects that the same interface is up on the others, it removes itself from the cluster.
• A member that left the cluster because of the interface health-check will try to re-join the cluster after 5 minutes.
Additional features – Interface Health Check (cont.)
• If the interface is still failed (down), that unit removes itself from the cluster again and now waits 10 minutes before trying a new re-join.
• If the interface is still failed after those 10 minutes, the ASA waits 20 minutes before trying a new re-join.
• If the link is still down after the 20-minute period, clustering is disabled and can only be re-enabled manually by entering the cluster configuration.
Additional features (cont.)
• Dynamic routing
  • In Spanned mode, routing runs only on the master.
  • The master replicates the routes to the other cluster units.
  • In Individual mode, each cluster member runs the routing protocol separately.
• Database synchronization
  • All cluster members synchronize their databases when:
    • an owner/director is removed
    • a new member is added to the cluster
  • ARP, routing information, configuration, etc. are synchronized.
Additional features (cont.)
• VPN
  • Site-to-Site VPN (L2L) is centralized on the master.
  • If the master changes in the cluster, the VPN sessions will need to be re-established.
  • In Individual mode, the IP that sessions use to terminate the VPN is the IP defined as the master's IP within the IP address pool that the other units will use:
  • ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt
Polling Question 3
How many members can the ASA Cluster solution have?
a) 9
b) 8
c) 13
d) 16
Configuration - ASA Cluster in Spanned Transparent mode
Staging phase – per ASA FW (use the console port for this phase)
• Configure the ASA firewall to operate in transparent mode:
ASA-1(config)# firewall transparent
• Check the license for cluster mode:
ASA-1# sh activation-key | grep Cluster
Cluster                  : Disabled perpetual
• Generate the license key for cluster mode and activate it:
ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7
• Check that the license is correctly installed:
ASA-1# sh activation-key | grep Cluster
Cluster                  : Enabled perpetual
Configuration – per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'spanned' parameter:
ASA-1(config)# cluster interface-mode spanned
• Configure the Cluster Control Link (CCL) as a port-channel:
interface TenGigabitEthernet0/8
channel-group 40 mode active
no nameif
no security-level
!
interface TenGigabitEthernet0/9
channel-group 40 mode active
no nameif
no security-level
!
interface Port-channel40
description Clustering Interface
• Configure the cluster group:
cluster group ASA-CLUSTER
key <password key>
local-unit ASA-1
cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
priority 1
console-replicate
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
• Note: allocate 1 unique IP for Po40 per ASA FW
Device   IP address for CCL
ASA-1    99.99.99.1
ASA-2    99.99.99.2
• Configure the Cluster Data Link as a port-channel (TenGigabitEthernet0/6 is the port connected to 7K1, vss-id 1; TenGigabitEthernet0/7 is the port connected to 7K2, vss-id 2):
interface TenGigabitEthernet0/6
channel-group 32 mode active vss-id 1
no nameif
no security-level
!
interface TenGigabitEthernet0/7
channel-group 32 mode active vss-id 2
no nameif
no security-level
!
interface Port-channel32
port-channel load-balance vlan-src-dst-ip-port
port-channel span-cluster vss-load-balance
no nameif
no security-level
!
• Cluster Link Aggregation Control Protocol (cLACP) is designed to extend standard LACP to multiple devices so that it can support span-cluster EtherChannels/port-channels in an ASA clustering deployment.
Configuration – centrally managed
Starting from this point, all ASAs are now part of the cluster and configuration is centrally managed.
• Configure the inside and outside interfaces (port-channel sub-interfaces) with the same bridge-group:
interface Port-channel32.1001
mac-address 0001.0001.0001
vlan 1001
nameif inside
bridge-group 1
security-level 100
!
interface Port-channel32.1002
mac-address 0002.0002.0002
vlan 1002
nameif outside
bridge-group 1
security-level 0
!
• Configure the BVI interface for the above bridge-group:
interface BVI1
ip address 10.101.10.200 255.255.255.0
• Best practice: in cluster mode, it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to make the port-channel MAC stable in the cluster.
Management0/0 and SSH access (use the console port for this phase)
• Configure an ip local pool for the management ports:
ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254
• Configure the Management0/0 port (172.26.246.252 is the virtual IP address for the ASA cluster; each ASA in the cluster is allocated 1 address from the IP pool 'mgmt'):
interface Management0/0
management-only
nameif management
security-level 0
ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt
• Define the IP default gateway for the Management0/0 port:
ASA-1(config)# route management 0.0.0.0 0.0.0.0 172.26.246.1 1
• Allow SSH access for a specific subnet of the network:
ssh <allowed subnet> management
ssh timeout 5
Filtering Rule – Enable all Traffic
• Apply the following filtering rules to enable all traffic on outside and inside
interfaces:
access-list inbound extended permit ip any any
access-list outbound extended permit ip any any
access-group outbound in interface inside
access-group inbound in interface outside
• Note: these filtering rules only apply for the purpose of this presentation. In
production environment, configure filtering rules as needed.
Configuration - ASA Cluster in Spanned Routed mode
Staging phase – per ASA FW (use the console port for this phase)
• Configure the ASA firewall to operate in routed mode:
ASA-1(config)# no firewall transparent
• Check the license for cluster mode:
ASA-1# sh activation-key | grep Cluster
Cluster                  : Disabled perpetual
• Generate the license key for cluster mode and activate it:
ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7
• Check that the license is correctly installed:
ASA-1# sh activation-key | grep Cluster
Cluster                  : Enabled perpetual
Configuration – per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'spanned' parameter:
ASA-1(config)# cluster interface-mode spanned
• Configure the Cluster Control Link (CCL) as a port-channel:
interface TenGigabitEthernet0/8
channel-group 40 mode active
no nameif
no security-level
!
interface TenGigabitEthernet0/9
channel-group 40 mode active
no nameif
no security-level
!
interface Port-channel40
description Clustering Interface
• Configure the cluster group:
cluster group ASA-CLUSTER
key <password key>
local-unit ASA-1
cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
priority 1
console-replicate
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
• Note: allocate 1 unique IP for Po40 per ASA FW
Device   IP address for CCL
ASA-1    99.99.99.1
ASA-2    99.99.99.2
• The 'enable' command at the end of the cluster configuration will effectively start cluster mode. Use enable / no enable to start / stop cluster mode.
Configuration – centrally managed
Starting from this point, all ASAs are now part of the cluster and configuration is centrally managed.
• Configure the Cluster Data Link as a port-channel (TenGigabitEthernet0/6 is the port connected to 7K1, vss-id 1; TenGigabitEthernet0/7 is the port connected to 7K2, vss-id 2):
interface TenGigabitEthernet0/6
channel-group 32 mode active vss-id 1
no nameif
no security-level
!
interface TenGigabitEthernet0/7
channel-group 32 mode active vss-id 2
no nameif
no security-level
!
interface Port-channel32
port-channel load-balance vlan-src-dst-ip-port
port-channel span-cluster vss-load-balance
no nameif
no security-level
no ip address
!
• Cluster Link Aggregation Control Protocol (cLACP) is designed to extend standard LACP to multiple devices so that it can support span-cluster EtherChannels/port-channels in an ASA clustering deployment.
• Note: as configuration is centrally managed, the above commands will apply to all ASAs in the cluster. That is why it is essential to use the same port numbers for the cluster data links.
• Configure the inside and outside interfaces (port-channel sub-interfaces) with their associated IP addresses:
interface Port-channel32.1001
mac-address 0001.0001.0001
vlan 1001
nameif inside
security-level 100
ip address 25.1.1.254 255.255.255.0
!
interface Port-channel32.1002
mac-address 0002.0002.0002
vlan 1002
nameif outside
security-level 0
ip address 10.101.10.10 255.255.255.0
!
• Servers located on VLAN 1001 will use this IP address (25.1.1.254) as their default GW.
• Best practice: in cluster mode, it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to make the port-channel MAC stable in the cluster.
• Configure a default static route pointing to the HSRP VIP on the Nexus 7000:
route outside 0.0.0.0 0.0.0.0 10.101.10.254 1
• This default static route is used for S -> N traffic (from ASA to Nexus 7000).
• Note: configuration on the Nexus 7000:
interface Vlan1002
ip address 10.101.10.1/24
hsrp version 2
hsrp 1002
ip 10.101.10.254
Management0/0 and SSH access (use the console port for this phase)
• Configure an ip local pool for the management ports:
ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254
• Configure the Management0/0 port (172.26.246.252 is the virtual IP address for the ASA cluster; each ASA in the cluster is allocated 1 address from the IP pool 'mgmt'):
interface Management0/0
management-only
nameif management
security-level 0
ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt
• Define a static route with the associated next-hop for the Management0/0 port:
ASA-1(config)# route management 10.21.70.1 255.255.255.0 172.26.246.1 1
• Allow SSH access for a specific subnet of the network:
ssh <allowed subnet> management
ssh timeout 5
ASA Configuration
Filtering Rule – Enable all Traffic
• Apply the following filtering rules to enable all traffic on the outside and inside interfaces:
access-list inbound extended permit ip any any
access-list outbound extended permit ip any any
access-group outbound in interface inside
access-group inbound in interface outside
• Note: these filtering rules only apply for the purpose of this presentation. In a production environment, configure filtering rules as needed.
Configuration - ASA Cluster in Individual mode
Clustering configuration – per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'individual' parameter:
ASA-1(config)# cluster interface-mode individual
• Configure the Cluster Control Link (CCL) as a port-channel:
interface TenGigabitEthernet0/8
channel-group 40 mode active
no nameif
no security-level
!
interface TenGigabitEthernet0/9
channel-group 40 mode active
no nameif
no security-level
!
interface Port-channel40
description Clustering Interface
Clustering configuration – per ASA FW (use the console port for this phase)
• Configure the cluster group:
cluster group ASA-CLUSTER
key <password key>
local-unit ASA-1
cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
priority 1
console-replicate
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
• Note: allocate 1 unique IP for Po40 per ASA FW
Device   IP address for CCL
ASA-1    99.99.99.1
ASA-2    99.99.99.2
Clustering configuration – centrally managed
Starting from this point, all ASAs are now part of the cluster and configuration is centrally managed.
• Configure the data interfaces (with their cluster pools) and the Cluster Data Link as a port-channel:
ip local pool inside 10.10.10.6-10.10.10.9
ip local pool outside 209.165.201.2-209.165.201.5
!
interface TenGigabitEthernet0/6
nameif inside
ip address 10.10.10.5 255.255.255.0 cluster-pool inside
security-level 100
!
interface TenGigabitEthernet0/7
nameif outside
ip address 209.165.201.1 255.255.255.224 cluster-pool outside
security-level 0
!
interface Port-channel32
port-channel load-balance vlan-src-dst-ip-port
port-channel span-cluster vss-load-balance
no nameif
no security-level
no ip address
!
Configure Cluster via ASDM (cont)
Polling Question 4
When an ASA member leaves the cluster because of a failure on a data interface, what are the wait times before that same ASA tries to re-join the cluster?
a) 5, 10, 20 seconds
b) 3, 6, 12 minutes
c) 5, 10, 20 minutes
d) 10, 20, 30 seconds
Monitoring and Troubleshooting commands
• cluster exec allows you to execute non-configuration commands on all members
• show cluster interface-mode verifies current interface mode
• show cluster history helps to understand state transitions and failure reasons
• show cluster cpu helps to check CPU utilization across cluster
• show cluster info shows the status
• show cluster info health helps to monitor aggregated unit health data
• show cluster info trace shows cluster state machine debug data for Cisco TAC
• show conn displays the number of active TCP and UDP connections
Connection Table and Roles
• In a cluster the connection table (show conn) can display these flags:
• UIO – the normal flags (up, inbound data, outbound data) of the owner flow
• c – cluster centralized flow (owned by the master)
• Y – Director stub flow
• y – Backup stub flow
• z – Forwarder stub flow
Troubleshooting/Debugging
• Viewing connections in a cluster (TCP example): [connection-table output from the three units, screenshot not reproduced]
• Deductions:
 ASA 3 is the owner of the connection (flags UIO)
 ASA 2 is the backup/director for this connection (flags Y)
 ASA 1 is receiving traffic for this flow on both inside and outside interfaces
Troubleshooting/Debugging (cont)
• Viewing connections on individual ASAs (ASA 1, ASA 2, ASA 3): [per-unit connection-table screenshots, not reproduced]
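The deductions above (owner, director, forwarder) are made by reading the same 5-tuple on each unit and looking at its cluster flags. The Python below is an added example, not from the webcast, that automates that correlation: it takes the per-unit connection-table text (a constructed sample of one TCP flow, with each unit's section headed by its name and a row of asterisks, the shape `cluster exec` output takes), maps the flag letters from the table above to roles, and reports flows that break the one-owner model. The header regex and the sample lines are assumptions about the output layout, not taken from the slides.

```python
"""Correlate cluster connection-table flags across units (added example)."""
import re
from collections import defaultdict

# Constructed sample of the connection table for one TCP flow as seen from
# every unit: UIO on the owner, Y on the director stub, z on the forwarder stub.
SAMPLE_OUTPUT = """\
ASA-1(LOCAL):*****************************************************
TCP outside 209.165.200.225:80 inside 10.10.10.20:52001, idle 0:00:01, bytes 0, flags z
ASA-2:************************************************************
TCP outside 209.165.200.225:80 inside 10.10.10.20:52001, idle 0:00:01, bytes 0, flags Y
ASA-3:************************************************************
TCP outside 209.165.200.225:80 inside 10.10.10.20:52001, idle 0:00:01, bytes 4096, flags UIO
"""

UNIT_RE = re.compile(r"^(\S+?)(?:\(LOCAL\))?:\*+\s*$")
CONN_RE = re.compile(r"^(TCP|UDP) (\S+) (\S+) (\S+) (\S+),.*\bflags (\S+)\s*$")

# Stub flags take precedence: a unit holding a stub is not the owner.
STUB_ROLES = (("Y", "director"), ("y", "backup"), ("z", "forwarder"))


def role_from_flags(flags):
    """Map the cluster letters in a flags string to this unit's role for the flow."""
    for letter, role in STUB_ROLES:
        if letter in flags:
            return role
    return "owner" if "U" in flags else "unknown"


def parse_cluster_conns(output):
    """Return {flow_key: {role: [unit, ...], "centralized": bool}}."""
    flows = defaultdict(lambda: {"owner": [], "director": [], "backup": [],
                                 "forwarder": [], "unknown": [], "centralized": False})
    unit = None
    for line in output.splitlines():
        unit_match = UNIT_RE.match(line)
        if unit_match:
            unit = unit_match.group(1)
            continue
        conn = CONN_RE.match(line)
        if conn and unit:
            proto, if_a, addr_a, if_b, addr_b, flags = conn.groups()
            key = f"{proto} {if_a} {addr_a} {if_b} {addr_b}"
            flows[key][role_from_flags(flags)].append(unit)
            if "c" in flags:  # centralized flow, owned by the master
                flows[key]["centralized"] = True
    return dict(flows)


def audit_flows(flows):
    """Return {flow_key: [issue, ...]} for flows that break the one-owner model."""
    findings = {}
    for key, roles in flows.items():
        issues = []
        if len(roles["owner"]) != 1:
            issues.append(f"expected exactly one owner, found {roles['owner']}")
        if len(roles["director"]) > 1:
            issues.append(f"more than one director: {roles['director']}")
        if roles["unknown"]:
            issues.append(f"unclassified entries on {roles['unknown']}")
        if issues:
            findings[key] = issues
    return findings


if __name__ == "__main__":
    flows = parse_cluster_conns(SAMPLE_OUTPUT)
    for key, roles in flows.items():
        print(key)
        for role in ("owner", "director", "backup", "forwarder"):
            if roles[role]:
                print(f"  {role:<9} {', '.join(roles[role])}")
    print("issues:", audit_flows(flows) or "none")
```

A forwarder stub on a unit means that unit received packets for a flow it does not own and redirected them over the cluster control link; many forwarders for many flows is the symptom of asymmetric switch load balancing discussed later in this deck.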
Troubleshooting/Debugging (cont)
• Check the status of cluster members: show cluster info [screenshot not reproduced]
Troubleshooting/Debugging (cont)
• Dynamic routing show command
 • show route cluster
• Health-check show command
 • show cluster info health
• Execute a cluster-wide command
 • e.g. cluster exec show cpu (shows CPU usage on all units)
 • e.g. cluster exec unit A show cpu (shows CPU usage on unit A only)
• Change the prompt to reflect the cluster state
 • use the 'state' (and 'cluster-unit') options of the prompt command
Troubleshooting/Debugging (cont)
• show activation-key is modified to include the combined (cluster-wide) license information
Troubleshooting/Debugging - cLACP
• Show the cLACP system MAC and cLACP system ID [screenshots not reproduced]
• show port-channel summary
• show port-channel brief
Troubleshooting/Debugging - Crash
• Crash scenarios
 • Slave unit crash
  • Crashinfo and coredump can be saved locally (if enabled)
  • The crashinfo can be viewed from the master unit after the slave reboots and re-joins the cluster:
    Console# cluster exec unit slave_A show crashinfo
 • Master unit crash
  • Crashinfo and coredump can be saved locally (if enabled)
  • If health-check is disabled, the cluster is destroyed
  • If health-check is enabled, a new master is elected
• Extra clustering information is appended to 'show tech' and 'show crashinfo':
 • show cluster info
 • show asp cluster counter
Troubleshooting/Debugging – Load balancing
• If one unit shows much higher CPU/memory usage than the others, one possible reason is an inefficient port-channel load-balance configuration on the switch.
• To check whether the port-channel load balancing is optimal, look at the traffic-rate statistics of the member ports on the switch.
• On a Catalyst 6K, run 'clear counters interface' on all member ports of the port-channel, then let traffic flow through the cluster for a while.
• When you observe unbalanced resource usage among the cluster units, compare the traffic statistics of the port-channel member ports with 'show interface' on each member port.
• Higher counters on a member port mean more traffic for the ASA attached to that port.
• On a Nexus 7K, 'show port-channel traffic' shows the Rx and Tx load percentage of each member port of a port-channel; 'clear counters interface port-channel <number>' clears the statistics.
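The comparison the slide describes (clear counters, let traffic flow, compare the member ports) is easy to do by eye for four ports and tedious for more. The Python below is an added example, not from the webcast or from Cisco: it parses the rate lines of Catalyst-style `show interface` output (a constructed sample for four member ports, one of them visibly hot), turns them into each port's share of the total, and flags ports whose share deviates from the even 1/N share by more than a tolerance. The output format and the tolerance are assumptions; adjust the regex for other platforms.

```python
"""Spot uneven port-channel member load from switch 'show interface' output (added example)."""
import re

# Constructed sample: 'show interface' for the four member ports facing a
# four-unit cluster, captured a while after 'clear counters'. Only the rate
# lines matter here; real output carries many more lines per port.
SAMPLE_SHOW_INTERFACE = """\
TenGigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 1900000000 bits/sec, 1800000 packets/sec
  5 minute output rate 1850000000 bits/sec, 1750000 packets/sec
TenGigabitEthernet1/2 is up, line protocol is up (connected)
  5 minute input rate 800000000 bits/sec, 760000 packets/sec
  5 minute output rate 790000000 bits/sec, 740000 packets/sec
TenGigabitEthernet1/3 is up, line protocol is up (connected)
  5 minute input rate 820000000 bits/sec, 780000 packets/sec
  5 minute output rate 810000000 bits/sec, 770000 packets/sec
TenGigabitEthernet1/4 is up, line protocol is up (connected)
  5 minute input rate 780000000 bits/sec, 740000 packets/sec
  5 minute output rate 800000000 bits/sec, 760000 packets/sec
"""

PORT_RE = re.compile(r"^(\S+) is (up|down)")
RATE_RE = re.compile(r"^\s*\d+ (?:minute|second) (input|output) rate (\d+) bits/sec")


def parse_member_rates(text):
    """Return {port: {"input": bps, "output": bps}} from 'show interface' output."""
    rates, port = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = m.group(1)
            rates[port] = {"input": 0, "output": 0}
            continue
        m = RATE_RE.match(line)
        if m and port:
            rates[port][m.group(1)] = int(m.group(2))
    return rates


def load_shares(rates):
    """Return {port: share}, the port's fraction of the total input+output bps."""
    totals = {p: r["input"] + r["output"] for p, r in rates.items()}
    grand = sum(totals.values())
    return {p: (t / grand if grand else 0.0) for p, t in totals.items()}


def unbalanced_ports(rates, tolerance=0.5):
    """Ports whose share differs from the even share (1/N) by more than tolerance * 1/N.

    The value reported is the ratio to the even share, so 1.75 means the port
    (and the ASA behind it) carries 1.75x what perfect hashing would give it.
    """
    shares = load_shares(rates)
    even = 1.0 / len(shares) if shares else 0.0
    return {p: round(s / even, 2) for p, s in shares.items()
            if even and abs(s - even) > tolerance * even}


if __name__ == "__main__":
    member_rates = parse_member_rates(SAMPLE_SHOW_INTERFACE)
    for port, share in load_shares(member_rates).items():
        print(f"{port:<24} {share:6.1%}")
    print("unbalanced (ratio to even share):", unbalanced_ports(member_rates))
```

A single hot member port is the switch-side view of the symptom described above; the fix is on the switch (a load-balance hash that uses more of the 5-tuple), not on the ASA.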
Troubleshooting/Debugging – Debug CLI
• Clustering Debug CLI
ciscoasa(config)# debug cluster ?
exec mode commands/options:
  <1-255>    Specify an optional dbg level (default is 1)
  ccp        cluster control protocol
  datapath   cluster datapath events
  fsm        cluster finite state machine
  general    cluster general events
  hc         cluster health check
  license    cluster license
  rpc        cluster RPC module
  transport  Cluster transport service
• More Cluster Debug CLI
ciscoasa(config)# sh cluster info ?
exec mode commands/options:
  clients              Show version of registered clients
  conn-distribution    Show connection distribution in cluster
  incompatible-config  Show commands that are incompatible with clustering in current running configuration
  loadbalance          Show load balancing information
  old-members          Show former members in cluster
  packet-distribution  Show packet distribution in cluster
  trace                Show clustering control module event trace
  transport            Show transport related statistics
  |                    Output modifiers
  <cr>
Clustering Syslogs
• Syslog messages contain three parts: PRI, HEADER and MSG
• Clustering changes the HEADER field (timestamp and device-id)
• Each ASA can insert its local timestamp in the HEADER field; time is synchronized periodically across the cluster
 • console# logging timestamp
• Each ASA can insert its unique local IP address as DEVICE ID in the HEADER field
 • console# logging device-id ipaddress <nameif>
 • The ASA inserts its local interface IP in layer-3 (individual interface) mode and the virtual/cluster IP in layer-2 (spanned EtherChannel) mode
• To use the cluster unit name as the device ID in the syslog header instead:
 • console# logging device-id cluster-id
Clustering Syslogs - Cont
• Syslog over UDP
 • Recommended configuration; each ASA sends syslog independently
• Syslog over TCP
 • Each ASA opens its own connection to the collector
 • Return traffic might arrive on a different ASA unit and is then forwarded to the owner unit over the cluster control link
• Syslog to an FTP server
 • Similar to syslog over TCP
 • File name format: LOG-<cluster local-unit name>-YYYY-MM-DDHHMMSS.TXT
Clustering Syslogs - Cont
• 747004
 • Error Message %ASA-6-747004: Clustering: state machine changed from state state-name to state-name.
 • Explanation: the cluster FSM has progressed to a new state.
• 747020
 • Error Message %ASA-4-747020: Clustering: New cluster member unit-name rejected due to encryption license mismatch.
 • Explanation: the master unit found that a new joining unit has an incompatible encryption license.
• 747021
 • Error Message %ASA-3-747021: Clustering: Master unit unit-name is quitting due to interface health check failure on interface-name.
 • Explanation: the master unit has disabled clustering because of an interface health check failure.
Clustering Syslogs - Cont
• 747022
 • Error Message %ASA-3-747022: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times, rejoin will be attempted after y min. Failed interface: interface-name.
 • Explanation: this message occurs when the maximum number of rejoin attempts has not yet been exceeded. A slave unit has disabled clustering because of an interface health check failure for the specified amount of time; the unit re-enables clustering automatically after that many minutes.
• 747030
 • Error Message %ASA-3-747030: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times (last failure on interface-name), Clustering must be manually enabled on the unit to re-join.
 • Explanation: an interface health check has failed and the maximum number of rejoin attempts has been exceeded. The slave unit has disabled clustering because of the interface health check failure and will not re-join until an operator re-enables clustering on it.
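The difference between 747022 (the unit will come back by itself) and 747030 (someone has to log in and re-enable clustering) is exactly what a SIEM rule should key on. The Python below is an added example, not from the webcast or from Cisco: it parses the five message bodies listed above into structured events with a severity and a recommended action, and lists the units that need manual intervention. The sample lines are constructed; their header shape assumes 'logging timestamp' and 'logging device-id cluster-id', so the unit name precedes the message ID, and the state names in the 747004 line are illustrative.

```python
"""Parse ASA clustering syslogs 747004/747020/747021/747022/747030 (added example)."""
import re

# Constructed sample lines (header shape assumes logging timestamp + device-id cluster-id).
SAMPLE_LOGS = """\
Apr 20 2016 10:00:01 ASA-1 : %ASA-6-747004: Clustering: state machine changed from state SLAVE_CFG_SYNC to SLAVE_BULK_SYNC.
Apr 20 2016 10:00:09 ASA-1 : %ASA-4-747020: Clustering: New cluster member ASA-4 rejected due to encryption license mismatch.
Apr 20 2016 10:05:30 ASA-1 : %ASA-3-747022: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 2 times, rejoin will be attempted after 10 min. Failed interface: outside.
Apr 20 2016 10:31:12 ASA-1 : %ASA-3-747030: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 3 times (last failure on outside), Clustering must be manually enabled on the unit to re-join.
Apr 20 2016 10:40:00 ASA-1 : %ASA-3-747021: Clustering: Master unit ASA-1 is quitting due to interface health check failure on inside.
Apr 20 2016 10:40:01 ASA-1 : %ASA-6-302014: Teardown TCP connection 12 for outside:209.165.200.225/80 to inside:10.10.10.20/52001 duration 0:00:05 bytes 4096 TCP FINs
"""

HEADER_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")

# Message bodies as documented on the slides, with the variable fields captured.
MSG_PATTERNS = {
    "747004": re.compile(r"state machine changed from state (\S+) to (\S+)\."),
    "747020": re.compile(r"New cluster member (\S+) rejected due to encryption license mismatch\."),
    "747021": re.compile(r"Master unit (\S+) is quitting due to interface health check failure on (\S+)\."),
    "747022": re.compile(r"Asking slave unit (\S+) to quit because it failed interface health check "
                         r"(\d+) times, rejoin will be attempted after (\d+) min\. Failed interface: (\S+)\."),
    "747030": re.compile(r"Asking slave unit (\S+) to quit because it failed interface health check "
                         r"(\d+) times \(last failure on (\S+)\), Clustering must be manually enabled"),
}


def parse_cluster_syslog(line):
    """Return a structured event for a clustering syslog, or None for any other message."""
    header = HEADER_RE.search(line)
    if not header:
        return None
    severity, msg_id, body = header.groups()
    pattern = MSG_PATTERNS.get(msg_id)
    if pattern is None:
        return None
    fields = pattern.search(body)
    if fields is None:  # known ID but unexpected body: keep it visible rather than drop it
        return {"id": msg_id, "severity": int(severity), "unparsed": body}
    event = {"id": msg_id, "severity": int(severity), "action": "none"}
    g = fields.groups()
    if msg_id == "747004":
        event.update(old_state=g[0], new_state=g[1])
    elif msg_id == "747020":
        event.update(unit=g[0], action="fix encryption license on the joining unit")
    elif msg_id == "747021":
        event.update(unit=g[0], interface=g[1], action="master left: verify new master election")
    elif msg_id == "747022":
        event.update(unit=g[0], failures=int(g[1]), rejoin_minutes=int(g[2]), interface=g[3],
                     action="automatic rejoin pending")
    elif msg_id == "747030":
        event.update(unit=g[0], failures=int(g[1]), interface=g[2],
                     action="manual: enable clustering on the unit to re-join")
    return event


def units_needing_manual_rejoin(log_text):
    """Units that exhausted their rejoin attempts (747030) and need operator action."""
    events = (parse_cluster_syslog(ln) for ln in log_text.splitlines())
    return sorted({ev["unit"] for ev in events if ev and ev["id"] == "747030"})


if __name__ == "__main__":
    for ln in SAMPLE_LOGS.splitlines():
        ev = parse_cluster_syslog(ln)
        if ev:
            print(ev)
    print("manual re-join needed:", units_needing_manual_rejoin(SAMPLE_LOGS))
```

Feeding this the collector's stream rather than the sample gives an alert the moment a unit stops retrying on its own, instead of discovering a two-node cluster running on one node during the next change window.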
Other 'cluster show' commands (cont)
• Display aggregated current and denied resource usage:
 • show cluster resource usage
• Display aggregated cluster-wide traffic statistics:
 • show cluster traffic
• Display aggregated statistics for user and user-group identity:
 • show cluster user-identity user all list detail
 • show cluster user-identity statistics
 • show cluster user-identity user-group <user-group>
 • show cluster user-identity user <user>
• Display aggregated connection counts:
 • show cluster conn count
ASA Clustering – Capture
• cluster exec capture <capture_name> [options…]
• The most common options for the capture command are interface, match, access-list and buffer
• Example: cluster exec capture ICMP interface INSIDE match icmp any any
• Obtaining the captures for further analysis:
 • Via CLI: copy /pcap capture:<context_name>/<capture_name> flash:/<capture_name>
 • Via HTTP: https://<context_ip>/capture/<capture_name>/pcap
 • NOTE: either method only retrieves the pcap from the master unit (the unit you are connected to); the other members' capture buffers have to be retrieved from those units
ASA Clustering – Capture (cont)
• Display the captures already configured: cluster exec show capture <capture_name>
• Delete a capture: cluster exec no capture <capture_name>
Migrating from Failover to ASA Cluster
• On the ASAs, break the failover pair by issuing the "no failover" command on both units.
• Clear all configuration on the previous Primary and Secondary ASAs (make sure the configuration has been backed up first).
• Set the interface mode on all ASAs with the "cluster interface-mode" command.
• Configure and enable clustering on the master ASA.
• Restore all configuration to the master ASA, except the failover configuration.
• Configure and enable clustering on the other (slave) ASAs.
• Because migrating a failover pair to a cluster interrupts the applications and traffic flow at that site, a maintenance window is mandatory for this activity.
Reference Information
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/ha-cluster.html
• https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78721&tclass=popup
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1624536
Cisco Support Community Webcast in Portuguese
XR with ASR9000
Wednesday, May 18, 2016
Fernando Gonçalves, Customer Support Engineer
Cisco Support Community Portuguese – Ask the Expert
CUBE – Configuration and Troubleshooting
Available until April 22, 2016
Eddwan Hallen da Silva, Customer Support Engineer
Cisco Support Community Portuguese – Ask the Expert
Media Gateway Control Protocol - MGCP
Available from May 9 to May 20, 2016
Moises Moza, Customer Support Engineer