Prerequisites

The following are the prerequisites for this solution.

  • A Cisco Catalyst 9300 series switch (9300, 9300L, 9300LM or 9300X) up and running. Running ASAc on the 9300X is recommended for better scale and performance.

  • Cisco Catalyst pluggable USB 3.0 SSD-120G or SSD-240G storage.

  • Cisco ASAv/ASAc Subscription license.

  • DNAC (Digital Network Architecture Center) Advantage license for Catalyst 9300 series switches, required for the app hosting functionality.

  • Optional

    • Catalyst Center (DNAC) is recommended for automating ASAc life cycle management at scale.
    • CDO is recommended for ASAc security policy management and event logging at scale (requires a CDO license).

Version Compatibility

Platform                    Version
Catalyst 9300/L/LM/X        17.12.0.2
ASAc                        9.20.2
DNAC                        2.3.0.7

Known Limitations

Following are the known limitations of the ASAc on Catalyst series switches.

  • Transparent mode is not supported on the ASAc firewall when hosted on a Catalyst 9300; only routed mode is supported.
  • On-prem management of ASAc instances with CSM (Cisco Security Manager) is not supported.
  • Jumbo frames are not supported on ASAc on Catalyst 9300 series switches.
  • ASAc supports stateless HA on a Catalyst 9300 stack. It takes around 90 to 120 seconds for the standby ASAc to start processing traffic after a failover.
  • When ASAc is hosted on 9300, 9300L and 9300LM switches, no other application can be hosted alongside it.
  • Catalyst 9300X series switches can host another application, such as ThousandEyes, along with ASAc. However, the performance of the two applications may vary when both run simultaneously.
  • The ASAc interface IP configuration and day0 configuration must be passed as files in the DNAC application hosting workflow; ASAc interface IP settings entered in the DNAC UI are ignored.
  • The DNAC application hosting workflow expects the VLANs to already exist on the switch before they can be allowed on the AppGig interface.

Catalyst Switch Configuration

Following is the configuration required on the Cat9k host for hosting the ASAc app.

Enable IOX

Enable the IOX on the Cat9k host with the below CLI.

    9300X(config)#iox

Check IOX Services Are Running

Check that the IOx services are running with the below CLI.
The IOx services listed below (CAF, HA, IOxman, Sec storage) must be in the Running state before the ASAc app is hosted.
Sync Status can be either Enabled or Disabled.

    9300X#show iox
    IOx Infrastructure Summary:
    ---------------------------
    IOx service (CAF)              : Running
    IOx service (HA)               : Running
    IOx service (IOxman)           : Running
    IOx service (Sec storage)      : Running
    Libvirtd 5.5.0                 : Running
    Dockerd v19.03.13-ce           : Running
    Sync Status                    : Disabled

Check IOX Apphosting Infra Resource Availability

Check the IOx infrastructure details with the below CLI.
The CPU "Quota" value must be "7400(Units)" for hosting the ASAc app.

    9300X#show app-hosting infra
    IOX version: 2.11.0.0
    App signature verification: disabled
    CAF Health: Stable
    Internal working directory: /vol/usb1/iox

    Application Interface Mapping
    AppGigabitEthernet Port #  Interface Name             Port Type            Bandwidth
    1                          AppGigabitEthernet1/0/1    KR Port - Internal   10G
    2                          AppGigabitEthernet1/0/2    KR Port - Internal   10G

    CPU:
    Quota: 25(Percentage)
    Available: 0(Percentage)
    Quota: 7400(Units)
    Available: 0(Units)
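The two checks above are easy to get wrong by eye when done across many switches. The following added example (not part of this page or any Cisco tool) parses the text of `show iox` and `show app-hosting infra` as shown above and reports whether the host is ready for ASAc: the four IOx services must be Running and the CPU quota must be 7400 units, while Sync Status is ignored because the page allows either value. The sample outputs embedded below are constructed from the listings on this page, not captured from a device.

```python
"""Readiness check for hosting ASAc on a Catalyst 9300 from CLI output.
Added example; SHOW_IOX and SHOW_INFRA are constructed from the page."""
import re

# IOx services that must be Running before the ASAc app is installed.
REQUIRED_SERVICES = ("CAF", "HA", "IOxman", "Sec storage")
REQUIRED_CPU_UNITS = 7400

SHOW_IOX = """\
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)              : Running
IOx service (HA)               : Running
IOx service (IOxman)           : Running
IOx service (Sec storage)      : Running
Libvirtd 5.5.0                 : Running
Dockerd v19.03.13-ce           : Running
Sync Status                    : Disabled
"""

SHOW_INFRA = """\
IOX version: 2.11.0.0
App signature verification: disabled
CAF Health: Stable
Internal working directory: /vol/usb1/iox

CPU:
Quota: 25(Percentage)
Available: 0(Percentage)
Quota: 7400(Units)
Available: 0(Units)
"""


def parse_show_iox(text):
    """Return {service_name: state} for every 'IOx service (X) : State' line."""
    services = {}
    for m in re.finditer(r"IOx service \((.+?)\)\s*:\s*(\w+)", text):
        services[m.group(1)] = m.group(2)
    return services


def parse_cpu_quota_units(text):
    """Return the CPU 'Quota: N(Units)' value, or None if the line is absent."""
    m = re.search(r"Quota:\s*(\d+)\(Units\)", text)
    return int(m.group(1)) if m else None


def asac_readiness(show_iox_text, show_infra_text):
    """Return (ok, problems). Sync Status is ignored: Enabled or Disabled is fine."""
    problems = []
    services = parse_show_iox(show_iox_text)
    for name in REQUIRED_SERVICES:
        state = services.get(name)
        if state != "Running":
            problems.append(f"IOx service ({name}) is {state or 'missing'}, expected Running")
    units = parse_cpu_quota_units(show_infra_text)
    if units != REQUIRED_CPU_UNITS:
        problems.append(f"CPU quota is {units} units, expected {REQUIRED_CPU_UNITS}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = asac_readiness(SHOW_IOX, SHOW_INFRA)
    print("ready" if ok else "not ready", problems)
```

Feed it the raw output of the two show commands collected over SSH or from a DNAC command runner; a non-empty problem list means the ASAc install should not proceed on that host.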

Configuration Files

ASAc requires day0 and the interface-config files for the deployment.

Day0 Configuration File

Day0 configuration should be copied under usbflash1:/iox_host_data_share/ folder as usbflash1:/iox_host_data_share/day0-config

Here is a sample day0-config file. Note that it opens SSH, Telnet and HTTP management access from any source (0.0.0.0 0.0.0.0) and enables Telnet, which carries credentials in cleartext; restrict the source ranges to your management network and remove the telnet lines for production deployments.

    interface management 0/0
    nameif management
    ip address dhcp setroute
    security-level 100
    no shut
    username admin password password1
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    ssh 0.0.0.0 0.0.0.0 management
    no ssh stack ciscossh
    telnet 0.0.0.0 0.0.0.0 management
    http server enable
    http 0.0.0.0 0.0.0.0 management
    crypto key generate rsa modulus 2048
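The following added example (not part of this page or any Cisco tool) lints a day0-config for the management exposure noted above and emits a tightened copy that drops Telnet and restricts SSH and HTTP to a management prefix. The embedded config is the sample from this page; the management prefix 10.0.0.0 255.255.255.0 used in the usage block is a placeholder assumption. The local `username admin password ...` line is left in place on purpose, since the ASA needs it to bootstrap; rotate that credential after first login.

```python
"""Lint an ASAc day0-config for any-source and cleartext management access
and produce a hardened copy. Added example; SAMPLE_DAY0 is the page's sample."""

SAMPLE_DAY0 = """\
interface management 0/0
nameif management
ip address dhcp setroute
security-level 100
no shut
username admin password password1
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ssh 0.0.0.0 0.0.0.0 management
no ssh stack ciscossh
telnet 0.0.0.0 0.0.0.0 management
http server enable
http 0.0.0.0 0.0.0.0 management
crypto key generate rsa modulus 2048
"""

ANY_SOURCE = "0.0.0.0 0.0.0.0"   # ASA "address mask" pair meaning every source


def lint_day0(text):
    """Return (line_no, line, finding) tuples for risky management-access lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "telnet" and len(words) >= 3:
            findings.append((n, line, "Telnet management access: session and credentials are cleartext"))
        elif words[:3] == ["aaa", "authentication", "telnet"]:
            findings.append((n, line, "Telnet authentication configured; remove together with the telnet access line"))
        elif words[0] in ("ssh", "http") and " ".join(words[1:3]) == ANY_SOURCE:
            findings.append((n, line, f"{words[0]} management reachable from any source"))
    return findings


def harden_day0(text, mgmt_net, mgmt_mask):
    """Drop telnet lines and restrict ssh/http access lines to mgmt_net mgmt_mask."""
    out = []
    for raw in text.splitlines():
        words = raw.split()
        if words and (words[0] == "telnet" or words[:3] == ["aaa", "authentication", "telnet"]):
            continue
        if words and words[0] in ("ssh", "http") and " ".join(words[1:3]) == ANY_SOURCE:
            raw = " ".join([words[0], mgmt_net, mgmt_mask] + words[3:])
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line, finding in lint_day0(SAMPLE_DAY0):
        print(f"line {n}: {line!r}: {finding}")
    # 10.0.0.0/255.255.255.0 is a placeholder management prefix (assumption)
    print(harden_day0(SAMPLE_DAY0, "10.0.0.0", "255.255.255.0"))
```

Run the linter over the file before copying it to usbflash1:/iox_host_data_share/day0-config; the hardened output keeps the interface, AAA and crypto lines untouched and only changes the access lines.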

Interface Configuration File

Interface configuration file should be copied under usbflash1:/iox_host_data_share/ folder as usbflash1:/iox_host_data_share/interface-config

Here is a sample interface-config file.

    [interface0]
    iface_id = eth0;
    uio_driver = afpacket;
    [interface1]
    iface_id = eth1;
    uio_driver = afpacket;
    [interface2]
    iface_id = eth2;
    uio_driver = afpacket;

Note:

  1. The interface configuration file name must not have an extension.
  2. A minimum of 3 interfaces must be configured: management, inside and outside.
  3. Up to 10 logical interfaces can be created.

Configuration Profiles

ASAc can be deployed with one of the following two configurations.

  • 2 vCPUs (1 CPU core) and 2 GB memory on C9300 series switches.
  • 4 vCPUs (2 CPU cores) and 8 GB memory on C9300X series switches.

Here is the sample configuration required on the C9300 series switch for installing ASAc with 2 vCPUs and 2 GB memory. Each run-opts entry is a single CLI line.

    9300X#show running-config | sec <ASAc app name>
    app-hosting appid <ASAc app name>
    app-vnic AppGigabitEthernet port <Appgig port number> trunk
    vlan <vlan number> guest-interface 1
    vlan <vlan number> guest-interface 2
    app-vnic management guest-interface 0
    app-resource docker
    run-opts 2 "--cap-add=NET_ADMIN --device=/dev/net/tun:/dev/net/tun"
    run-opts 3 "-v /vol/usb1/iox_host_data_share/:/mnt/disk0/interface-config -v /vol/usb1/iox_host_data_share:/asac-day0-config"
    run-opts 4 "-e ASAC_MEMORY=2048M -e ASAC_CPUS=2 -e ASA_DOCKER=1 -e ASAC_CAT9K=1 -e ASAC_DEALER_ENDPOINT=localhost:5555"

Here is the sample configuration required on the C9300X series switch for installing ASAc with 4 vCPUs and 8 GB memory. Each run-opts entry is a single CLI line.

    9300X#show running-config | sec <ASAc app name>
    app-hosting appid <ASAc app name>
    app-vnic AppGigabitEthernet port <Appgig port number> trunk
    vlan <vlan number> guest-interface 1
    vlan <vlan number> guest-interface 2
    app-vnic management guest-interface 0
    app-resource docker
    run-opts 2 "--cap-add=NET_ADMIN --device=/dev/net/tun:/dev/net/tun"
    run-opts 3 "-v /vol/usb1/iox_host_data_share/:/mnt/disk0/interface-config -v /vol/usb1/iox_host_data_share:/asac-day0-config"
    run-opts 4 "-e ASAC_MEMORY=8192M -e ASAC_CPUS=4 -e ASA_DOCKER=1 -e ASAC_CAT9K=1 -e ASAC_DEALER_ENDPOINT=localhost:5555"

ASAc app configuration files are mounted in the following two locations.

  • /mnt/disk0/interface-config
  • /asac-day0-config

Note: To modify the run opts, stop and deactivate the app. After changing the run opts, activate and start the app again.
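The two profiles above differ only in the ASAC_CPUS and ASAC_MEMORY run-opts, and the number of `vlan ... guest-interface` lines is bounded by the interface rules on this page. The following added example (not part of this page or any Cisco tool) renders the app-hosting stanza from a platform family, an AppGig port and a list of VLAN ids, and refuses requests that violate those constraints: only the C9300 and C9300X profiles exist, and between 2 and 9 data VLANs are accepted because management is guest-interface 0 and at most 10 interfaces are supported. The app name, port and VLAN ids in the usage block are placeholders; the duplicate-VLAN check is the author's own sanity check, not a rule stated on the page.

```python
"""Render the ASAc app-hosting configuration for the profiles on this page.
Added example; appid, port and VLAN values passed in are placeholders."""

# platform family -> (ASAC_CPUS, ASAC_MEMORY), the two profiles on this page
PROFILES = {
    "C9300": (2, "2048M"),
    "C9300X": (4, "8192M"),
}
MIN_DATA_INTERFACES = 2   # inside and outside; management is guest-interface 0
MAX_DATA_INTERFACES = 9   # guest-interface 1..9, 10 interfaces in total


def validate_request(platform, vlans):
    """Return a list of problems with the requested deployment; empty means OK."""
    problems = []
    if platform not in PROFILES:
        problems.append(f"unsupported platform {platform!r}; expected one of {sorted(PROFILES)}")
    if not MIN_DATA_INTERFACES <= len(vlans) <= MAX_DATA_INTERFACES:
        problems.append(f"{len(vlans)} data VLANs given; need {MIN_DATA_INTERFACES}..{MAX_DATA_INTERFACES}")
    if len(set(vlans)) != len(vlans):
        problems.append("duplicate VLAN ids; each guest-interface needs its own VLAN (author's check)")
    return problems


def render_app_hosting(appid, platform, appgig_port, vlans):
    """Return the IOS XE app-hosting configuration text for the request."""
    problems = validate_request(platform, vlans)
    if problems:
        raise ValueError("; ".join(problems))
    cpus, memory = PROFILES[platform]
    lines = [
        f"app-hosting appid {appid}",
        f" app-vnic AppGigabitEthernet port {appgig_port} trunk",
    ]
    # guest-interface 1..N become GigabitEthernet0/0..0/(N-1) inside ASAc
    for guest_if, vlan in enumerate(vlans, start=1):
        lines.append(f"  vlan {vlan} guest-interface {guest_if}")
    lines += [
        " app-vnic management guest-interface 0",
        " app-resource docker",
        '  run-opts 2 "--cap-add=NET_ADMIN --device=/dev/net/tun:/dev/net/tun"',
        '  run-opts 3 "-v /vol/usb1/iox_host_data_share/:/mnt/disk0/interface-config'
        ' -v /vol/usb1/iox_host_data_share:/asac-day0-config"',
        f'  run-opts 4 "-e ASAC_MEMORY={memory} -e ASAC_CPUS={cpus} -e ASA_DOCKER=1'
        f' -e ASAC_CAT9K=1 -e ASAC_DEALER_ENDPOINT=localhost:5555"',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # placeholder values: app name asac_app, AppGig port 1, VLANs 10 and 20
    print(render_app_hosting("asac_app", "C9300X", 1, [10, 20]))
```

Because run-opts can only be changed while the app is stopped and deactivated, render the stanza once, review it, and apply it before `app-hosting activate`; re-rendering for a different profile means going through the stop/deactivate cycle described in the note above.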

ASAc Interface Mapping

Here is the mapping from guest interfaces to ASAc interfaces.

    Guest interface             ASAc interface
    eth0 (guest-interface 0)    Management 0/0
    eth1 (guest-interface 1)    GigabitEthernet0/0
    eth2 (guest-interface 2)    GigabitEthernet0/1
    eth3 (guest-interface 3)    GigabitEthernet0/2
    eth4 (guest-interface 4)    GigabitEthernet0/3
    eth5 (guest-interface 5)    GigabitEthernet0/4
    eth6 (guest-interface 6)    GigabitEthernet0/5
    eth7 (guest-interface 7)    GigabitEthernet0/6
    eth8 (guest-interface 8)    GigabitEthernet0/7
    eth9 (guest-interface 9)    GigabitEthernet0/8

ASAc Management

ASAc Life Cycle Management

ASAc life cycle management can be done with DNAC or the CLI. It covers installing, activating, starting, stopping, uninstalling and upgrading the ASAc.

ASAc Policy Management

ASAc policy management can be done with ASDM (Adaptive Security Device Manager) or CDO (Cisco Defense Orchestrator). It covers enforcing configuration policies and event logging.

ASAc Policy Management With CDO

  • For cloud-managed deployments, CDO can be used for configuration and policy management of ASAc.

  • Configuration and policy management of ASAc through CDO is the same as for ASAv.

ASAc Policy Management With ASDM

  • For on-prem deployments, ASDM can be used for policy management of the ASAc.

  • Configuration and policy management of ASAc through ASDM is the same as for ASAv.

App Life Cycle Management With DNAC

ASAc can be installed through DNAC by passing the day0 and interface configuration files. Here are the steps for installing the ASAc through DNAC.

  1. Onboard the Cat9k host on to DNAC.

  2. In the "Configure App" menu, provide the "Interface Name" and set the "Address Type" to "Dynamic" for each interface to be configured. "Address Type" must always be "Dynamic"; static IP addresses entered in this menu are not supported. Interface settings such as IP addresses are instead passed through the day0 configuration file.

    [Screenshot: DNAC_Config_App]

Note: The maximum number of supported interfaces is 10, including the Management interface.

  3. Upload the "interface-config" file through the "Upload App Data" menu option. Refer to the Interface Configuration File section above for the interface configuration details.

    [Screenshot: DNAC_upload_Interface_Config]

Note: The interface configuration file name must be "interface-config" and must not have an extension.

  4. Upload the "day0-config" file through the "Upload App Data" menu option. Refer to the Day0 Configuration File section above for the day0 configuration details.

    [Screenshot: DNAC_upload_Day0_Config]

Note: The day0 configuration file name must be "day0-config" and must not have an extension.

  5. Install the app. Once the app is installed, it goes to the "RUNNING" state.

App Life Cycle Management With CLI

App Installation

The ASAc app can be installed through the CLI by following the steps below.

  1. Copy the ASAc image to usbflash1 on the Cat9k host.
    e.g: Device#copy scp:<ASAc image location> usbflash1:
  2. Install the app with the below CLI. After installing, the app goes to the "DEPLOYED" state.
    app-hosting install appid <appid name> package <asac package-path>
    e.g: Device#app-hosting install appid asac_app package usbflash1:ASAc-9.18.2.150-app-SPA.tar
  3. Activate the app with the below CLI. After activating, the app goes to the "ACTIVATED" state.
    app-hosting activate appid <appid name>
    e.g: Device#app-hosting activate appid asac_app
        asac_app activated successfully
        Current state is: ACTIVATED
  4. Start the app with the below CLI. After starting, the app goes to the "RUNNING" state.
    app-hosting start appid <appid name>
    e.g: Device#app-hosting start appid asac_app
        asac_app started successfully
        Current state is: RUNNING
  5. Connect to the app container shell with the below CLI.
    app-hosting connect appid <appid name> session
    e.g: Device#app-hosting connect appid asac_app session
        sh-5.1#
  6. From the container shell, enter the ASA (lina) command line with the below command.
    sh-5.1# lina_cli
    ciscoasa>

App Uninstallation

The ASAc app can be uninstalled through the CLI by following the steps below.

  1. Stop the app with the below CLI. After stopping, the app goes to the "STOPPED" state.
    app-hosting stop appid <appid name>
    e.g: Device#app-hosting stop appid asac_app
        Current state is: STOPPED
  2. Deactivate the app with the below CLI. After deactivating, the app goes to the "DEPLOYED" state.
    app-hosting deactivate appid <appid name>
    e.g: Device#app-hosting deactivate appid asac_app
        asac_app deactivated successfully
        Current state is: DEPLOYED
  3. Uninstall the app with the below CLI.
    app-hosting uninstall appid <appid name>
    e.g: Device#app-hosting uninstall appid asac_app
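The install and uninstall procedures above, together with the note in the Configuration Profiles section that run-opts can only be changed after stop and deactivate, describe a small state machine. The following added example (not part of this page or any Cisco tool) encodes only the transitions shown on this page (install, activate, start, stop, deactivate, uninstall) and rejects out-of-order commands, so an automation script cannot, for instance, uninstall a RUNNING app or edit run-opts while it is up. The "ABSENT" state for "not installed" is the author's placeholder; the switch never prints it.

```python
"""Life cycle state machine for the ASAc app-hosting commands on this page.
Added example; only transitions the page shows are accepted."""

ABSENT = "ABSENT"   # author's placeholder for "not installed"

# (current state, app-hosting command) -> resulting state, per the CLI sections
TRANSITIONS = {
    (ABSENT, "install"): "DEPLOYED",
    ("DEPLOYED", "activate"): "ACTIVATED",
    ("ACTIVATED", "start"): "RUNNING",
    ("RUNNING", "stop"): "STOPPED",
    ("STOPPED", "deactivate"): "DEPLOYED",
    ("DEPLOYED", "uninstall"): ABSENT,
}


def allowed(state, command):
    """True if `app-hosting <command>` is a legal step from `state`."""
    return (state, command) in TRANSITIONS


def can_edit_run_opts(state):
    """run-opts changes are only picked up while the app is DEPLOYED (stopped and deactivated)."""
    return state == "DEPLOYED"


class AppHostingLifecycle:
    def __init__(self, appid):
        self.appid = appid
        self.state = ABSENT
        self.commands = []   # the IOS XE commands this sequence would issue, in order

    def run(self, command):
        if not allowed(self.state, command):
            raise RuntimeError(
                f"app-hosting {command} appid {self.appid}: not allowed in state {self.state}")
        self.state = TRANSITIONS[(self.state, command)]
        self.commands.append(f"app-hosting {command} appid {self.appid}")
        return self.state

    def set_run_opts(self, index, value):
        if not can_edit_run_opts(self.state):
            raise RuntimeError("stop and deactivate the app before changing run-opts")
        # configuration-mode change under app-hosting appid / app-resource docker
        self.commands.append(
            f'app-hosting appid {self.appid} / app-resource docker / run-opts {index} "{value}"')


def replace_run_opts(lc, index, value):
    """Take a RUNNING app down to DEPLOYED, edit run-opts, bring it back to RUNNING."""
    for cmd in ("stop", "deactivate"):
        lc.run(cmd)
    lc.set_run_opts(index, value)
    for cmd in ("activate", "start"):
        lc.run(cmd)
    return lc.state


if __name__ == "__main__":
    lc = AppHostingLifecycle("asac_app")
    for cmd in ("install", "activate", "start"):
        lc.run(cmd)
    replace_run_opts(lc, 4, "-e ASAC_MEMORY=2048M -e ASAC_CPUS=2 -e ASA_DOCKER=1 "
                            "-e ASAC_CAT9K=1 -e ASAC_DEALER_ENDPOINT=localhost:5555")
    print("\n".join(lc.commands))
```

Drive the real device from `lc.commands` only after the whole sequence has been validated in memory; if a step is rejected here it would also fail, or silently not take effect, on the switch.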

The ASAc image (for Catalyst 93xx switches) can be downloaded using this link.