Catalyst 6500 [FWSM] [CSM]

Discussion in 'Cisco' started by Bandar, May 4, 2006.

  1. Bandar

    Bandar Guest

    Hi All,

    I have two questions about the firewall module and the content services module.

    Q1 - Firewall module: when using Multi-Context, if one of these
    contexts fails, shall the whole module fail to the other one, or only
    the context alone?

    Q2 - (2 CSM) Content switch fail-over:

    a - Is it automated, or does it need human interference?

    b - When fail-over occurs, do the users get disconnected, or are they
    statefully transferred to the other box?

    c - Can we have load balancing between two modules in
    different boxes?
    Bandar, May 4, 2006

  2. In FWSM software release 2, only the whole blade fails over. Since
    release 3, you can run the blade in active-active configuration, where
    groups of contexts can fail over to the opposite blade, while having
    context groups that are still operational running on the primary blade.

    In fact, this is the whole idea behind active-active. There is no real
    load-sharing. Instead of this, you group contexts together and define
    if the group shall be active on the primary or the secondary blade. In
    case of a failure, the opposite blade takes over operation for a
    specific group.

    IIRC, both modules exchange state information. Clients are usually
    addressing a VIP. In case of a failure, the secondary CSM takes over the

    Not if you want both modules to run in active-standby.

    The only way to have both modules active is to treat them as independent
    load balancers (different VIPs).
    Christian Zeng, May 6, 2006

  3. Bandar

    Vikki Guest

    Actually, FWSM fails over when a monitored interface "fails", not when
    a context fails. So for example, if you accidentally clear the whole
    context, FWSM is not going to fail over; but if one of your monitored
    links gets disconnected, the FWSM will fail over. You must specify in
    your configuration which interfaces you want to be monitored, like this
    (and if you don't specify any interfaces to monitor, then you won't be
    doing any failovers, even if you have failover all set up and turned

    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz1

    An interface "fail" means it did not pass one of the FWSM's regular
    interface checks, either because the interface didn't answer at all or
    because it didn't answer in the time specified for such checks. If
    that happens, the FWSM fails over. If it's in multiple mode and you
    are running version 2.x, then the whole blade fails over, including all
    contexts, whether there's a failed interface in all of them or not. If
    it's in multiple mode and you are running version 3.x then you can
    configure it so that just the context with the failed interface fails.

    Vikki, Jun 4, 2006
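
A check for the condition described in the post above (failover set up, but an interface left out of the `monitor-interface` list), as an added example that is not part of the original thread. The sample configuration is constructed, and the 3.x-style `interface` / `nameif` layout, the older one-line `nameif` form and the function name `audit_monitoring` are assumptions.

```python
import re

# Constructed sample of a single FWSM context configuration (not from the thread).
# Assumption: 3.x-style "interface VlanN / nameif NAME" blocks; the regex below
# also accepts the older one-line "nameif vlanN NAME securityN" form.
SAMPLE_CONTEXT_CONFIG = """\
interface Vlan10
 nameif inside
 security-level 100
interface Vlan20
 nameif outside
 security-level 0
interface Vlan30
 nameif dmz1
 security-level 50
monitor-interface inside
monitor-interface outside
monitor-interface dmz2
"""

NAMEIF = re.compile(r"nameif\s+(?:vlan\d+\s+)?(\S+)", re.IGNORECASE)
MONITOR = re.compile(r"(no\s+)?monitor-interface\s+(\S+)", re.IGNORECASE)


def audit_monitoring(config_text):
    """Compare named interfaces with monitor-interface statements."""
    named, monitored = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAMEIF.match(line)
        if m:
            named.append(m.group(1))
            continue
        m = MONITOR.match(line)
        if m:
            # A "no monitor-interface X" line turns monitoring off again.
            (monitored.discard if m.group(1) else monitored.add)(m.group(2))
    return {
        "unmonitored": [n for n in named if n not in monitored],
        "unknown": sorted(monitored - set(named)),  # monitored but never named
        "any_monitored": any(n in monitored for n in named),
    }


if __name__ == "__main__":
    print(audit_monitoring(SAMPLE_CONTEXT_CONFIG))
```

On the constructed sample, `dmz1` is reported as unmonitored and `dmz2` as a monitored name that matches no interface; `any_monitored` being false is the case the post describes where no failover would be triggered.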