Catalyst 6500 [FWSM] [CSM]

Discussion in 'Cisco' started by Bandar, May 4, 2006.

  1. Bandar

    Bandar Guest

    Hi All,

    I have two questions about firewall module and content services module:

    Q1- Firewall module, when using Multi-Context and if one of these
    contexts failed shall the whole module fail to the other one or only
    the context alone .
    ----------------------------------------------------------------------------
    Q2- (2 CSM) - Content switch Fail-over ,

    a - Is it automated or need human interference?

    b - When fail-over occurs, does the users get disconnected
    or they are
    statefully transferred to the other box?

    c - Can we have load balancing between two modules in
    different boxes?
     
    Bandar, May 4, 2006
    #1

  2. * Bandar <> wrote:
    > Q1- Firewall module, when using Multi-Context and if one of these
    > contexts failed shall the whole module fail to the other one or only
    > the context alone .


    In FWSM software release 2, only the whole blade fails over. Since
    release 3, you can run the blade in active-active configuration, where
    groups of contexts can fail over to the opposite blade, while having
    context groups that are still operational running on the primary blade.

    In fact, this is the whole idea behind active-active. There is no real
    load-sharing. Instead of this, you group contexts together and define
    if the group shall be active on the primary or the secondary blade. In
    case of a failure, the opposite blade takes over operation for a
    specific group.


    > Q2- (2 CSM) - Content switch Fail-over ,
    >
    > a - Is it automated or need human interference?


    automated

    > b - When fail-over occurs, does the users get disconnected
    > or they are
    > statefully transferred to the other box?


    IIRC, both modules exchange state information. Clients usually
    address a VIP. In case of a failure, the secondary CSM takes over the
    VIP.

    > c - Can we have load balancing between two modules in
    > different boxes?


    Not if you want both modules to run in active-standby.

    The only way to have both modules active is to treat them as independent
    load balancers (different VIPs).
     
    Christian Zeng, May 6, 2006
    #2

  3. Vikki

    Vikki Guest

    Actually, FWSM fails over when a monitored interface "fails", not when
    a context fails. So for example, if you accidentally clear the whole
    context, FWSM is not going to fail over; but if one of your monitored
    links gets disconnected, the FWSM will fail over. You must specify in
    your configuration which interfaces you want to be monitored, like this
    (and if you don't specify any interfaces to monitor, then you won't be
    doing any failovers, even if you have failover all set up and turned
    on):

    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz1
    etc.

    An interface "fail" means it did not pass one of the FWSM's regular
    interface checks, either because the interface didn't answer at all or
    because it didn't answer in the time specified for such checks. If
    that happens, the FWSM fails over. If it's in multiple mode and you
    are running version 2.x, then the whole blade fails over, including all
    contexts, whether there's a failed interface in all of them or not. If
    it's in multiple mode and you are running version 3.x then you can
    configure it so that just the context with the failed interface fails.

    Vikki

    Christian Zeng wrote:
    > * Bandar <> wrote:
    > > Q1- Firewall module, when using Multi-Context and if one of these
    > > contexts failed shall the whole module fail to the other one or only
    > > the context alone .

    >
    > In FWSM software release 2, only the whole blade fails over. Since
    > release 3, you can run the blade in active-active configuration, where
    > groups of contexts can fail over to the opposite blade, while having
    > context groups that are still operational running on the primary blade.
    >
    > In fact, this is the whole idea behind active-active. There is no real
    > load-sharing. Instead of this, you group contexts together and define
    > if the group shall be active on the primary or the secondary blade. In
    > case of a failure, the opposite blade takes over operation for a
    > specific group.
    >
    >
    > > Q2- (2 CSM) - Content switch Fail-over ,
    > >
    > > a - Is it automated or need human interference?

    >
    > automated
    >
    > > b - When fail-over occurs, does the users get disconnected
    > > or they are
    > > statefully transferred to the other box?

    >
    > IIRC, both modules exchange state information. Clients usually
    > addressing a VIP. In case of a failure, the secondary CSM takes over the
    > VIP.
    >
    > > c - Can we have load balancing between two modules in
    > > different boxes?

    >
    > Not if you want both modules to run in active-standby.
    >
    > The only way to have both modules active is to treat them as independent
    > load balancers (different VIPs).
     
    Vikki, Jun 4, 2006
    #3
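A configuration check for the point made in post #3, added here as an example and not code from the thread: it lists which named interfaces in a saved FWSM context configuration have a `monitor-interface` line, since per that post an unmonitored interface never triggers failover. The sample configuration is constructed, and the two `nameif` line formats it parses are assumptions about how the interfaces were named.

```python
import re

# Constructed sample of a saved FWSM context configuration (not from the thread).
SAMPLE_CONTEXT = """\
interface Vlan10
 nameif inside
 security-level 100
interface Vlan20
 nameif outside
 security-level 0
interface Vlan30
 nameif dmz1
 security-level 50
monitor-interface inside
monitor-interface outside
"""

# Assumed line formats: "nameif <name>" under an interface (3.x style) and
# "nameif <vlan> <name> security<level>" on one line (2.x style).
NAMEIF_3X = re.compile(r"^\s*nameif\s+(\S+)\s*$")
NAMEIF_2X = re.compile(r"^\s*nameif\s+\S+\s+(\S+)\s+security\d+\s*$")
MONITOR = re.compile(r"^\s*monitor-interface\s+(\S+)\s*$")


def audit_failover_monitoring(config_text):
    """Report which named interfaces have a monitor-interface line."""
    named, monitored = [], set()
    for line in config_text.splitlines():
        m = NAMEIF_3X.match(line) or NAMEIF_2X.match(line)
        if m:
            named.append(m.group(1))
            continue
        m = MONITOR.match(line)  # "no monitor-interface ..." does not match
        if m:
            monitored.add(m.group(1))
    return {
        "monitored": [n for n in named if n in monitored],
        "unmonitored": [n for n in named if n not in monitored],
        # monitor lines naming an interface that has no nameif (likely a typo)
        "unknown": sorted(monitored - set(named)),
        # per the post: with nothing monitored, no failover is triggered
        "failover_can_trigger": any(n in monitored for n in named),
    }


if __name__ == "__main__":
    for key, value in audit_failover_monitoring(SAMPLE_CONTEXT).items():
        print(f"{key}: {value}")
```

Run it against each context's saved configuration; an interface listed under `unmonitored` is one whose loss would not move traffic to the peer blade.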