
HA Features on ASA - Part 1 Security Contexts

1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD

So we have the line items from the blueprint (above) - but we don't have the version of ASA. The lab equipment list has: Cisco Adaptive Security Virtual Appliance (ASAv): 9.6.1 and Cisco Adaptive Security Appliance 5512-X: 9.6.1 listed on the equipment list. So let's start with that version and take a look at HA.

"HA" covers quite a bit of ground. Under the CLI Configuration Guide, this section covers Multiple Contexts, Failover and Clusters.

The ASA allows you to create multiple "virtual" firewalls which are known as security contexts. This is similar to creating contexts on the Nexus. Here are the reasons you would do that:

- You are a service provider and you want to provide firewall services to your customers
- Your environment houses two groups that need to be segregated (students/faculty)
- Your environment has different departmental groups which want to implement their own security policies
- You have overlapping networks and want to provide firewall services without changing the addressing (merger)
- You currently manage many physical firewalls and you want to integrate them into one physical firewall
- You manage a data center environment and you want to provide end-to-end virtualization to reduce OpEx

When you create contexts, you divide the firewall into:
+ A system execution space
+ An admin context
+ One or more user contexts

The system execution space has no Layer 2 or Layer 3 interfaces and no network settings of its own. It is mainly used to define the attributes and settings of the other security contexts. The config for the system execution space resides in NVRAM, while the context configs are stored in local flash. When you create a context, the items you define are: the context name, the location of the startup config and the interface allocation. Wherever you define the "location," that's where the context config resides. Just like IOS configs, it could also be stored on a network server and retrieved over TFTP, FTP, HTTPS or HTTP. I have never seen this in a production environment, but it's possible.

The admin context provides connectivity to the network resources. Assign the management interface to the admin context and configure it with an IP address. You can only switch to other contexts from the admin context. The appliance also uses the admin context to send the syslog messages that relate to the physical system. This context must reside on the physical disk. When you convert from single mode to multi-mode, the network-related config is saved as the admin context. [And it requires a reboot - do this first when configuring multiple context mode in the lab so you can spend time on something else while the device reboots.]

The user context is one (or more) contexts that you create. The number of contexts that you can configure is controlled by licensing. The simple show version command will display the number of user contexts that you can configure. The admin context is not included in that number.

EXAMPLE:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 10
GTP/GPRS : Enabled
VPN Peers : 750
WebVPN Peers : 500
Advanced Endpoint Assessment : Disabled
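To tie the three pieces together (system execution space, admin context, user context), here is an added ASA CLI walkthrough; it is not from the post or from Cisco's documentation, and the context names, interface names, config file names and the 192.0.2.x management address are assumed values for illustration. It covers the three items the post says you define per context (name, config location, interface allocation) plus the verification commands that show how many contexts the license allows.

```cisco
! --- Step 0: switch the appliance to multiple context mode (forces a reboot).
! The existing network config becomes the admin context when the box comes back.
mode multiple

! --- Step 1: system execution space.  No IP addressing lives here; it only
! declares contexts, their config locations and their interface allocations.
! (Hypothetical context/interface/file names.)
context admin
  description Admin context - management access and system syslogs
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! Designate which context is the admin context (must live on local disk).
admin-context admin
!
! A user context with dedicated physical interfaces.
context custA
  description Customer A virtual firewall
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/custA.cfg
!
! A user context that gets ten subinterfaces, presented inside the context
! under mapped names (int1-int10) so the tenant never sees physical names.
! Its config is pulled from a TFTP server instead of flash (assumed address).
context custB
  description Customer B virtual firewall
  allocate-interface GigabitEthernet0/3.100-GigabitEthernet0/3.109 int1-int10
  config-url tftp://192.0.2.10/custB.cfg
!
! --- Step 2: move into the admin context and give the management
! interface an address so the box is reachable (assumed address).
changeto context admin
interface Management0/0
  nameif management
  security-level 100
  ip address 192.0.2.2 255.255.255.0
  management-only
!
! --- Step 3: verification from the system execution space.
changeto system
show mode
show context
! The license line counts user contexts only; admin is not included.
show version | include Contexts
```

`show context` lists each context with its allocated interfaces and config URL, and `show mode` confirms the appliance is in multiple mode after the reboot. If a context's config-url points at a remote server that is unreachable at boot, the context comes up with an empty configuration, which is one practical reason the post notes that remote storage is rarely used in production.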

ASA Series Feature Licenses

Security Contexts, Clustering and Failover

ASAv5 >> Contexts/Clustering - no support || Failover - Active/Standby
ASAv10 >> Contexts/Clustering - no support || Failover - Active/Standby
ASAv30 >> Contexts/Clustering - no support || Failover - Active/Standby
Firepower 4100 >> Contexts - 10 Optional license: Max of 250 in increments of 10 || Clustering: Enabled
Firepower 9300 >> Contexts - 10 Optional license: Max of 250 in increments of 10 || Clustering: Enabled

Firepower eXtensible Operating System (FXOS)

The Cisco FXOS chassis is a next-generation platform for network and content security solutions. The FXOS chassis is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

It has an FXOS CLI and an FXOS REST API - this fits into the SDN and NFV materials. I don't see this listed on the blueprint, but it's really a coin toss whether it's there or not. For the ASA on the FXOS chassis, only the FXOS chassis registers as a device, while the ASA applications in the chassis request their own licenses. This appears to come with support for contexts, clustering and failover. This support seems to be on the Standard license, with the ability to increase the numbers with optional licensing.


PAK Licenses for the other ASAs mentioned in the blueprint.

ASA 5506-X >> Contexts/Clustering - no support || Failover - Active/Standby (Security Plus License)
ASA 5508-X >> Clustering - no support || Contexts 2 Optional: 5 || Failover - Active/Active or Active/Standby
ASA 5512-X >> Clustering - 2 || Contexts 2 Optional: 5 || Failover - Active/Active or Active/Standby
(note: no support for clustering, contexts or failover in base license - all items require Security Plus License)
ASA 5515-X >> Clustering - 2 || Contexts 2 Optional: 5 || Failover - Active/Active or Active/Standby
ASA 5516-X >> Clustering - 2 || Contexts 2 Optional: 5 || Failover - Active/Active or Active/Standby
ASA 5525-X >> Clustering - 2 || Contexts 2 Optional: 5 | 10 | 20 || Failover - Active/Active or Active/Standby
ASA 5545-X >> Clustering - 2 || Contexts 2 Optional: 5 | 10 | 20 | 50 || Failover - Active/Active or Active/Standby
ASA 5555-X >> Clustering - 2 || Contexts 2 Optional: 5 | 10 | 20 | 50 | 100 || Failover - Active/Active or Active/Standby

ASA5585-X with SSP-10
Clustering - Disabled Optional license for 16 units || Contexts 2 Optional: 5 | 10 | 20 | 50 | 100 || Failover - Active/Active or Active/Standby

ASA5585-X with SSP-20
Clustering - Disabled Optional license for 16 units || Contexts 2 Optional: 5 | 10 | 20 | 50 | 100 | 250 || Failover - Active/Active or Active/Standby

ASA 5585-X with SSP-40 and -60
Clustering - Disabled Optional license for 16 units || Contexts 2 Optional: 5 | 10 | 20 | 50 | 100 | 250 || Failover - Active/Active or Active/Standby

All ASA 5585-X series adaptive security appliances ship with a core Security Services Processor (SSP); you can install an additional core SSP, IPS SSP, CX SSP, or FirePOWER SSP, or up to two network modules. You must have the core SSP to run the other modules. The core SSP resides in slot 0 (the bottom slot). The add-on core SSP, IPS SSP, CX SSP, or FirePOWER SSP must be of the same designation level as the originally installed SSP model.

