Overview
The Cisco Adaptive Security Virtual Appliance (ASAv) brings full firewall functionality to virtualized environments to secure data center traffic and multitenant environments.
You can deploy the ASAv on Nutanix.
Guidelines and Limitations
Important: The ASAv deploys with a disk storage size of 8 GB. It is not possible to change the resource allocation of the disk space.
Review the following guidelines and limitations before you deploy the ASAv.
Recommended vNIC
The following vNIC is recommended for optimum performance.
VirtIO—A para-virtualized network driver that supports 10 Gbps operation but also requires CPU cycles.
CPU Pinning
CPU pinning is required for the ASAv to function in a Nutanix environment; see Enable CPU Pinning.
Failover for High Availability
For failover deployments, make sure that the standby unit has the same license entitlement; for example, both units should have 2 Gbps entitlement.
Important: You must add the data interfaces to each ASAv in the same order when creating a high availability pair. If the exact same interfaces are added to each ASAv, but in a different order, you may see errors at the ASAv console, which could impact the failover functionality.
General Guidelines
- The maximum number of interfaces supported is ten. You will receive an error message if you attempt to add more than ten interfaces.
  Note: By default, the ASAv configures the management interface and inside interface on the same subnet.
- When you are modifying the network interfaces, you must turn off the ASAv device.
- By default, the ASAv assumes that you configured the management and inside interfaces on different subnets. The management interface has "IP address DHCP setroute" and the default gateway is provided by DHCP.
- The ASAv must be powered up on first boot with at least three interfaces. Your system will not deploy without three interfaces.
- The ASAv supports a total of 10 interfaces—one management interface (nic0) and a maximum of nine network interfaces (nic1-9) for data traffic. The network interfaces for data traffic can follow any order.
  Note: The minimum number of network interfaces for the ASAv is three data interfaces.
- For console access, a terminal server is supported through telnet.
- The following are the supported vCPU and memory parameters:
CPUs | Memory | ASAv Platform Size | License Type |
---|---|---|---|
1 | 2 GB | 1vCPU/2 GB (default) | 1G (ASAv10) |
4 | 8 GB | 4vCPU/8 GB | 2G (ASAv30) |
8 | 16 GB | 8vCPU/16 GB | 10G (ASAv50) |
16 | 32 GB | 16vCPU/32 GB | 20G (ASAv100) |
Supported Features
- Routed mode (default)
- Transparent mode
  Note: Service chain in a multi-node cluster is not supported in transparent mode.
See the following concordance of Network Adapters, Source Networks, and Destination Networks for ASAv interfaces:
Network Adapter | Source Network | Destination Network | Function |
---|---|---|---|
vnic0 | Management0-0 | Management0/0 | Management |
vnic1 | GigabitEthernet0-1 | GigabitEthernet0/1 | Outside |
vnic2 | GigabitEthernet0-2 | GigabitEthernet0/2 | Inside |
vnic3-9 | Data | Data | Data |
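The sizing table, the interface limits from the General Guidelines, and the failover rule that both units carry the same data interfaces in the same order can be checked before a VM is created. The following is an added example, not Cisco or Nutanix code; the `VmSpec` shape and the sample network names are assumptions, and the limits are the ones stated above.

```python
"""Pre-deployment check of ASAv VM specs against the limits in this guide.
Added example, not Cisco or Nutanix code. The VmSpec shape is an assumption;
the limits are the guide's: supported vCPU/memory pairs, 3 to 10 interfaces,
and matching entitlement and data-interface order on a failover pair."""
from dataclasses import dataclass

SIZING = {  # supported vCPU/memory pairs and the license type each pair selects
    (1, 2): "1G (ASAv10)",
    (4, 8): "2G (ASAv30)",
    (8, 16): "10G (ASAv50)",
    (16, 32): "20G (ASAv100)",
}
MIN_NICS, MAX_NICS = 3, 10

@dataclass
class VmSpec:
    name: str
    vcpus: int
    memory_gb: int
    nics: list  # networks in vNIC slot order: vnic0 management, vnic1-9 data

def license_type(vm: VmSpec) -> str:
    """License implied by the vCPU/memory pair, or 'unsupported'."""
    return SIZING.get((vm.vcpus, vm.memory_gb), "unsupported")

def check_vm(vm: VmSpec) -> list:
    """Guideline violations for one unit; an empty list means it passes."""
    problems = []
    if license_type(vm) == "unsupported":
        problems.append(f"{vm.name}: unsupported sizing {vm.vcpus} vCPU / {vm.memory_gb} GB")
    if len(vm.nics) < MIN_NICS:
        problems.append(f"{vm.name}: at least {MIN_NICS} interfaces are required at first boot")
    if len(vm.nics) > MAX_NICS:
        problems.append(f"{vm.name}: more than {MAX_NICS} interfaces is rejected by the ASAv")
    return problems

def check_failover_pair(active: VmSpec, standby: VmSpec) -> list:
    """Both units need the same entitlement and the same data NICs in the same order."""
    problems = check_vm(active) + check_vm(standby)
    if license_type(active) != license_type(standby):
        problems.append("failover pair: sizing differs, so license entitlements differ")
    a_data, s_data = active.nics[1:], standby.nics[1:]  # slot 0 is management
    if a_data != s_data:
        same_set = sorted(a_data) == sorted(s_data)
        problems.append("failover pair: " + ("same data interfaces in a different order" if same_set else "data interface sets differ"))
    return problems

# Constructed sample pair: identical NICs, but the standby swaps inside and dmz.
ACTIVE = VmSpec("asav-a", 4, 8, ["mgmt", "outside", "inside", "dmz"])
STANDBY = VmSpec("asav-b", 4, 8, ["mgmt", "outside", "dmz", "inside"])
```

Running `check_failover_pair(ACTIVE, STANDBY)` flags the reordered data interfaces, which is exactly the condition the Important note above warns produces console errors after deployment.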
ASAv on Proxmox VE
Proxmox Virtual Environment (VE) is an open-source server virtualization platform that can manage Nutanix virtual machines. Proxmox VE also provides a web-based management interface.
When you deploy the ASAv on Proxmox VE, you need to configure the VM to have an emulated serial port. Without the serial port, the ASAv will go into a loop during the startup process. All management tasks can be done using the Proxmox VE web-based management interface.
Note: For advanced users who are used to the comfort of the Unix shell or Windows PowerShell, Proxmox VE provides a command line interface to manage all the components of your virtual environment. This command line interface has intelligent tab completion and full documentation in the form of UNIX man pages.
To have the ASAv start properly, the VM needs to have a serial device configured:
- In the main management center, select the ASAv VM in the left navigation tree.
- Power off the virtual machine.
- Choose … and add a serial port.
- Power on the virtual machine.
- Access the ASAv VM using Xterm.js.
See the Proxmox Serial Terminal page for information on how to set up and activate the terminal on the guest/server.
Unsupported Features
- ASAv on Nutanix AHV does not support hot-plugging of interfaces. Do not try to add or remove interfaces when the ASAv is powered on.
- Nutanix AHV does not support Single Root I/O Virtualization (SR-IOV) or Data Plane Development Kit-Open vSwitch (DPDK-OVS).
  Note: Nutanix AHV supports in-guest DPDK using VirtIO. For more information, refer to DPDK support on AHV.
Related Documentation
System Requirements
ASA Version: 9.16.2
ASAv Memory, vCPU, and Disk Sizing
The specific hardware used for ASAv deployments can vary, depending on the number of instances deployed and usage requirements. Each instance of the ASAv requires a minimum resource allocation—amount of memory, number of CPUs, and disk space—on the server.
ASAv Licenses
- Configure all license entitlements for the security services from the ASAv CLI.
- See ASAv: Configure Smart Software Licensing in the Cisco ASA Configuration Guide for more information about how to manage licenses.
Nutanix Components and Versions
Component | Version |
---|---|
Nutanix Acropolis Operating System (AOS) | 5.15.5 LTS and later |
Nutanix Cluster Check (NCC) | 4.0.0.1 |
Nutanix AHV | 20201105.12 and later |