Service Card Clustering for Enterprise Core Switching

  • Service module clustering enabled data center customers to scale firewall from 20Gbps to 160Gbps.
  • The service module (ASASM) is used for firewall/VPN services in the Cat6K
  • Design clustering of the ASASM service modules of the Cat6K
  • The clustering solution should support both Intra chassis and Inter chassis clustering (VSS)
  • The clustering solution should not require any hardware change in any of the components of the Cat6K
  • The clustering solution should provide a single point of configuration.
  • Clustering should support N+1 HA
  • Clustering should support both single and multi-context firewalls
  • A linear 0.7 to 0.8 scaling factor for both total connections and throughput
  • The design had to cater to multiple product lines like:
    • ASA appliance
    • ASASM modules of Cat6K
    • Agni modules of Nexus 7K.

The ASA appliance clustering solution was in deployment, but the original ASA clustering solution had no provision for use on other products.

  • First, the existing solution had to be re-architected to separate the control and data paths and to create abstraction layers so that multiple products could be supported.
  • The solution had to cater to products with different hardware capabilities and for different deployment scenarios
  • The Agni module was under development, and its base platform software was undergoing a lot of changes.
  • Collaborate with multiple business units, each spread across multiple locations, and synchronize the design, development and testing phases.
  • Explain and get buy in from product management for some of the feature and performance limitations.
  • Modular design and abstraction layers to enable multiple products with diverse hardware capabilities to use common management and control plane code
  • Flow load-balancing and flow-backup algorithm that enables the use of a simple hash-based load balancer.
  • The algorithm enabled implementation of clustering of service modules using pre-existing ether-channel support on SUP-2T backplane.
  • Single physical channel used for both control and data traffic with Igxge priority scheduler.
  • Abstract cluster unit that could be an appliance, a service module or a processor cluster in a service module.