6509 + SUP720 + CSM redundancy

Hi everyone,
Just curious if anyone has set up something similar before. We have a clustered setup for customers, where we set up a virtual server on the 6509 which then load balances across multiple servers.
What I want to do is somehow track the servers and, if they are unavailable, redirect incoming traffic for that VIP to another server (which has a "sorry we are down at the moment" page) automatically.
Any help/info would be appreciated.

EHSA (Enhanced High System Availability) is a redundancy feature available when
the Cat6500 is running Native IOS. EHSA provides auto-startup and bootvar sync
between the active and standby supervisors. However, the image has to be manually
synced between the two supervisors.
There are three redundant configuration elements that can be enabled or disabled:
startup-config
config-register
bootvar
The "auto-sync standard" command synchronizes the startup-config, config-register
and bootvar configuration of the active supervisor engine with the
redundant supervisor engine.
Router(config)# redundancy [ Enter redundancy configuration mode ]
Router(config-r)# main-cpu [Enter main-cpu configuration submode ]
Router(config-r-mc)# auto-sync standard
[auto-sync {startup-config | config-register | bootvar | standard} ]
Router(config-r-mc)# end [Return to privileged EXEC mode ]
Router# copy running-config startup-config

Similar Messages

  • 6509 sup720 active to standby switchover

    How do I gracefully shut down the active sup720 and bring up the standby sup720 on a 6509, without causing any outage?

    CHANDRATHILAKA,
    Please read this URL
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/srmsso.htm
    "Manual user-initiated switchover using the redundancy force-switchover command."
    However, I think you will experience a minor outage when doing so.

  • CSM Redundancy : FT or HSRP +FT .. Which is the better option?

    Hi,
    I would like to know, for redundancy between CSMs, which is the better option: FT or HSRP with FT, and why?
    Regards
    Kas

    The CSM does not run HSRP.
    So your only option is FT failover.
    Gilles.

  • CSM redundant bridged mode - alias IP required?

    Hi! I am a little bit confused about the configuration guides concerning CSM + FWSM + CSM bridged mode. In my opinion, when using bridged mode with the CSM I do not really need any alias IP configuration, neither in the client VLAN nor the server VLAN. In bridged mode the CSM does not route, thus I won't have any routes pointing to the CSM. Why are there always alias IP configurations in redundant bridged mode config guides? Can somebody please clear that up for me? Is there any other function of the alias IPs that I need them for?
    Thanks,
    Daniel

    Daniel,
    In general, if no router is present on a server-side VLAN, then each server's default route points to the aliased IP address. In the case of bridge mode, like you have, there is no need for the alias ip.
    Regards
    Pete..

  • CSM redundant or failover management configurations?

    Is it possible to have more than one CSM server in a network? We would like to deploy CSM 3.1 but company requirements call for more than one device management server at different locations that can manage all devices.
    Is this possible? I can't find any documentation to tell me yes or no.
    Any help?

    Cisco Security Manager 3.1 will support various high-availability and disaster recovery deployment configurations using Symantec VERITAS software. Cisco Security Manager 3.1 has an estimated availability of mid to late April 07. If you are interested to beta-test this capability prior to release please contact me at [email protected]

  • 6509 -sup720 problem

    We are having a problem where the CPU is being driven to over 90% at times and we can't even get at this box; the high input on the CPU is "ip input". This box has all DFC3 cards in it. Under what circumstances does IP traffic get forwarded to the CPU when you have DFC cards installed? Does anyone have any ideas on how to track something like this down? We have checked all links for errors, everything is clean. Looked at spanning tree, don't see an issue there. It is hard to get any info off the box when this is happening. You look at any of the interfaces and the traffic is not that high; these are gig links down to access layer boxes that are trunked. Frankly I am running out of ideas on what to do with this, any ideas appreciated.

    There are quite a few reasons traffic may be punted to the MSFC for process switching. Some include features unsupported in hardware, IP options, ttl = 1, and ICMP unreachables/redirects. Here is a link with a more complete list:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
    The best way to determine what is causing the process switching is to dump the packet buffers on the interface(s) that are seeing the large volumes of process level traffic. You can do this in one of two ways:
    1. "show interface switching" and look for the interfaces with an increasing IP Process counter.
    or
    2. "show interfaces"; this is probably easier. You can look at the Input Queue for drops or packets actually in the queue.
    Vlan10 is up, line protocol is up
    Hardware is EtherSVI, address is 00d0.0061.040a (bia 00d0.0061.040a)
    Description: VLAN10: Uplink
    Internet address is xxx.xxx.xxx.xxx/xx
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 33/75/3385/3367 (size/max/drops/flushes); Total output drops: 0
    In this case we have 33 packets in the queue and we are seeing drops and flushes due to the amount of process level traffic. So once I have this information I can dump those packets by entering "show buffers input-interface vlan10 dump". This will dump those packets from the queue so you can take a look at what's in there. It should look like this:
    Router# show buffers input-interface vlan10 dump
    Buffer information for Small buffer at 0x437874D4
    data_area 0x8060F04, refcount 1, next 0x5006D400, flags 0x280
    linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
    if_input 0x505BC20C (GigabitEthernet4/1), if_output 0x0 (None)
    inputtime 00:00:00.000 (elapsed never)
    outputtime 00:00:00.000 (elapsed never), oqnumber 65535
    datagramstart 0x8060F7A, datagramsize 60, maximum size 308
    mac_start 0x8060F7A, addr_start 0x8060F7A, info_start 0x0
    network_start 0x8060F88, transport_start 0x8060F9C, caller_pc 0x403519B4
    source: xxx.xxx.xxx.xxx, destination: xxx.xxx.xxx.xxx, id: 0x0000, ttl: 63,
    TOS: 0 prot: 17, source port 63, destination port 63
    08060F70: 000A 42D17580 ..BQu.
    08060F80: 00000000 11110800 4500002E 00000000 ........E.......
    08060F90: 3F11EAF3 64646401 64646402 003F003F ?.jsddd.ddd..?.?
    08060FA0: 001A261F 00010203 04050607 08090A0B ..&.............
    08060FB0: 0C0D0E0F 101164 ......d
    I would suggest sending this output to me so I can take a look at it as well. Other useful commands are:
    1. show ip traffic
    This command is useful to see things like bad hop count, fragments, unreachables, redirects, and other common traffic that can cause IP Input.
    2. show cef not
    3. show cef drop
    Please email me with the buffer output when you get a chance. Sup720 has some good hw rate-limiters that we can use if we cannot correct the situation.
    Warm Regards
    Anthony
    [email protected]
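As an added example (not from this thread or from Cisco), the following Python helper automates the two steps Anthony describes: it picks out the interfaces whose input queue shows process-level pressure from "show interfaces" output, and decodes a "show buffers ... dump" into the packet fields the reply prints, flagging the punt conditions it names (IP options, ttl = 1, fragments). Both samples are constructed from the output quoted above.

```python
import re
import struct

# Constructed sample: the hex part of the "show buffers input-interface vlan10 dump"
# output quoted above, plus the datagramsize line the decoder relies on.
SAMPLE_DUMP = """\
datagramstart 0x8060F7A, datagramsize 60, maximum size 308
08060F70: 000A 42D17580 ..BQu.
08060F80: 00000000 11110800 4500002E 00000000 ........E.......
08060F90: 3F11EAF3 64646401 64646402 003F003F ?.jsddd.ddd..?.?
08060FA0: 001A261F 00010203 04050607 08090A0B ..&.............
08060FB0: 0C0D0E0F 101164 ......d
"""
# Constructed "show interfaces" sample: one SVI under process-level pressure, one idle.
SAMPLE_SHOW_INTERFACES = """\
Vlan10 is up, line protocol is up
  Input queue: 33/75/3385/3367 (size/max/drops/flushes); Total output drops: 0
Vlan20 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

def busy_input_queues(show_interfaces: str) -> dict:
    """{interface: (size, max, drops, flushes)} for input queues holding or dropping packets."""
    result, current = {}, None
    for line in show_interfaces.splitlines():
        m = re.match(r"^(\S+) is (?:up|down|administratively down)", line)
        if m:
            current = m.group(1)
            continue
        q = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", line)
        if q and current:
            size, qmax, drops, flushes = map(int, q.groups())
            if size or drops or flushes:
                result[current] = (size, qmax, drops, flushes)
    return result

def extract_datagram(dump: str) -> bytes:
    """Hex words -> bytes; stop at the ASCII column and at datagramsize (the dump runs past the frame)."""
    m = re.search(r"datagramsize (\d+)", dump)
    size = int(m.group(1)) if m else None
    out = bytearray()
    for line in dump.splitlines():
        lm = re.match(r"^[0-9A-Fa-f]{8}:\s+(.*)$", line.strip())
        if not lm:
            continue
        for tok in lm.group(1).split():
            if len(tok) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", tok):
                break  # reached the ASCII rendering at the end of the line
            out += bytes.fromhex(tok)
            if size is not None and len(out) >= size:
                return bytes(out[:size])
    return bytes(out)

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports); flag the punt conditions the reply names."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("expected an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "tos": tos, "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "has_options": ihl > 20,
        "fragment": bool(flags_frag & 0x3FFF),  # MF bit set or non-zero offset
        "punt_reasons": [],
    }
    if info["has_options"]:
        info["punt_reasons"].append("IP options")
    if ttl <= 1:
        info["punt_reasons"].append("ttl <= 1")
    if info["fragment"]:
        info["punt_reasons"].append("fragment")
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with the port pair
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info
```

Run over the constructed dump it recovers the same fields the reply prints (ttl 63, protocol 17, ports 63/63) and reports no punt reason, which is the case where the "show ip traffic" counters and the rate-limiters mentioned next are the better lead.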

  • CSM-BridgeMode redundancy... Help

    I have been looking for a configuration example of CSM redundancy using two 6500 with a single CSM each in bridge mode.
    I already have one CSM working in one of the 6500s, I'm planning to install the second CSM to provide redundancy.
    Let's say that I'm using the following configuration in my working CSM:
    module ContentSwitchingModule 3
    vlan 210 client
    ip address 192.168.223.131 255.255.255.192
    gateway 192.168.223.129
    vlan 323 server
    ip address 192.168.223.131 255.255.255.192
    serverfarm FTPFARM
    nat server
    no nat client
    real 192.168.223.141
    inservice
    real 192.168.223.142
    inservice
    serverfarm HTTPSFARM
    nat server
    no nat client
    real 192.168.223.136
    inservice
    real 192.168.223.137
    inservice
    vserver FTPVIP
    virtual 192.168.223.140 tcp ftp
    serverfarm FTPFARM
    persistent rebalance
    inservice
    vserver HTTPSVIP
    virtual 192.168.223.135 tcp https
    serverfarm HTTPSFARM
    persistent rebalance
    inservice
    vserver HTTPVIP
    virtual 192.168.223.145 tcp www
    serverfarm HTTPSFARM
    persistent rebalance
    inservice
    What would I need to do in order to make it work in redundant mode with the other CSM?

    You will need to add IPs for the CSM peer on the current CSM. The current config will
    be something like this (where x1 & x2 are the IP addresses of the secondary CSM),
    for e.g.
    module ContentSwitchingModule 3
    vlan 210 client
    ip address 192.168.223.131 255.255.255.192 alt 192.168.223.x1
    gateway 192.168.223.129
    vlan 323 server
    ip address 192.168.223.131 255.255.255.192 alt 192.168.223.x2
    Then you need to configure a FT VLAN on the MSFC (both chassis). For e.g. if 900 is the FT VLAN then
    your FT config will be something like this
    ft group 1 vlan 900
    priority 20 alt 15
    heartbeat-time 1
    failover 3
    preempt
    On the secondary CSM just put these lines and the config will be synchronized
    module ContentSwitchingModule 3
    vlan 210 client
    ip address 192.168.223.x1 255.255.255.192 alt 192.168.223.131
    gateway 192.168.223.129
    vlan 323 server
    ip address 192.168.223.x2 255.255.255.192 alt 192.168.223.131
    ft group 1 vlan 900
    priority 15 alt 20
    heartbeat-time 1
    failover 3
    preempt
    For details
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/redun.html
    Syed

  • CSM reporting failed ARP request

    Hi!!
    We have a CSM on Catalyst 6509 SUP720, the IOS is 12.2(18)SXD7b.
    We have a problem with load-balanced portal servers with the CSM. Checking Catalyst log we see the following messages:
    Jun 7 06:17:42.145 UTC: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: Server [ip address] failed ARP request
    Jun 7 06:17:43.505 UTC: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: Server [ip address]now responding to ARP requests
    Jun 7 06:19:23.445 UTC: %CSM_SLB-6-GATEWAYSTATE: Module 4 gateway state changed: SLB-NETMGT: Gateway [ip address]failed ARP request
    Jun 7 06:24:12.241 UTC: %CSM_SLB-6-GATEWAYSTATE: Module 4 gateway state changed: SLB-NETMGT: Gateway [ip address]now responding to ARP requests
    At the beginning, the messages referred to failed ARP for the real servers, but now the CSM reports failed ARP requests on the gateways (VLAN interfaces) too.
    Any idea?? We don't know if the problem is the network, the CSM card or the IOS version.
    The Catalyst 6500 is on the distribution layer, connecting 4 access switches (Enterasys) and 2 core Cat6500 switches. The balanced servers are on an access Enterasys N7 switch.
    Thanks in advance...
    Pedro

    Hi Gilles, thanks for your quick response.
    But, as well as the problem with missing ARPs, we have very slow responses and site pages are shown with missing objects every time we point to the CSM virtual address with 2 internet proxy servers in a CSM serverfarm, while if we point to the real IP address of any proxy server, all is fine and fast.
    Now we are pointing directly to the real servers (not to the CSM virtual), and all is fine, but it is not the final idea.
    It sounds like a problem with the channel between the CSM and the switch.
    We made traces monitoring Port-channel 260, and we saw many ARP requests but just a few replies.
    It is very strange that the CSM is also reporting missing ARPs on gateways, because this gateway is an interface VLAN on the MSFC!! The only way to make the missing ARP log messages disappear is configuring static ARP on the CSM.
    What do you think about it?
    The version on CSM is 4.2(2)
    Thanks!!
    Pedro.

  • PIX balancing with CSMs on both ends...

    I'm preparing configurations for a CSM oriented solution. Now I'm testing PIX load balancing using CSM. For simplicity there is a situation like in:
    Configuring Regular Firewall Load Balancing, page 5-17
    where we got:
    Internet -> CSM@6509 -> PIXes -> CSM@6509 -> DMZs
    where DMZs could be internet users, intranet with FW-1 and so on.
    I had a configuration exactly as in the mentioned document:
    cat6509 (Internet side):
    module ContentSwitchingModule 5
    vlan 100 client
    ip address 100.0.0.25 255.255.255.0
    gateway 100.0.0.13
    vlan 101 server
    ip address 100.0.0.25 255.255.255.0
    alias 100.0.0.20 255.255.255.0
    serverfarm FORWARD-SF
    no nat server
    no nat client
    predictor forward
    serverfarm INSEC-SF
    no nat server
    no nat client
    predictor hash address source
    real 100.0.0.3
    inservice
    real 100.0.0.4
    inservice
    vserver FORWARD-VS
    virtual 0.0.0.0 0.0.0.0 any
    vlan 101
    serverfarm FORWARD-SF
    persistent rebalance
    inservice
    vserver INSEC-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 100
    serverfarm INSEC-SF
    persistent rebalance
    inservice
    interface Vlan100
    ip address 100.0.0.13 255.255.255.0
    ip route 10.0.0.0 255.0.0.0 100.0.0.20
    ip route 200.0.0.0 255.0.0.0 100.0.0.20
    cat6509:DMZs/intRAnet side:
    module ContentSwitchingModule 5
    vlan 201 server
    ip address 200.0.0.26 255.255.255.0
    alias 200.0.0.20 255.255.255.0
    vlan 20 server
    ip address 10.1.0.26 255.255.255.0
    vlan 200 client
    ip address 200.0.0.26 255.255.255.0
    serverfarm GENERIC-SF
    nat server
    no nat client
    real 10.1.0.66
    inservice
    serverfarm SEC-SF
    no nat server
    no nat client
    predictor hash address destination
    real 200.0.0.3
    inservice
    real 200.0.0.4
    inservice
    vserver GENERIC-VS
    virtual 200.0.0.127 tcp 0
    vlan 201
    serverfarm GENERIC-SF
    persistent rebalance
    inservice
    vserver SEC-20-VS
    virtual 200.0.0.0 255.255.255.0 any
    vlan 20
    serverfarm SEC-SF
    persistent rebalance
    inservice
    vserver SEC-200-VS
    virtual 200.0.0.0 255.255.255.0 any
    serverfarm SEC-SF
    persistent rebalance
    inservice
    VLANs:
    100 - Internet
    101 - PIX Outsides
    201 - PIX Insides
    200 - sample DMZ with users
    20 - sample DMZ with servers
    Internet needs access to servers@VLAN20
    Hosts from VLAN 200 and VLAN 20 need access to the Internet
    Traffic between DMZs needs to be allowed

    I see one problem already.
    Your MSFC has an interface vlan 100 and a static route pointing at address 100.0.0.20 which is the alias in vlan 101.
    Your MSFC probably can't ping 100.0.0.20
    You should configure an alias in vlan 100 of the CSM and have the MSFC pointing to this alias.
    Also, the 2nd CSM does not have a serverfarm FORWARD.
    You will need one normally to forward traffic to your local subnet without load balancing.
    [what you configured is possible but I'm not sure this is the result you are expecting]
    Regards,
    Gilles.

  • Regarding LACP commands on Cisco 6509 to connect server

    Hi All,
    We have to connect two servers to Cisco 6509 (sup720 with MSFC R7000) switches and we have to configure LACP on the 6509 to bundle two ports to get 2 Gbps throughput.
    Each server has four NIC ports, out of which two ports will be connected to Switch 1 (active) and the remaining two ports will be connected to Switch 2 (standby).
    We are going to use the below commands for LACP on both switches. Apart from the below commands, do we need any other commands to make LACP work as soon as we connect the servers?
    Switch 1 :
    set channelprotocol lacp 1
    set port lacp-channel 1/1-2 73
    set port lacp-channel 1/1-2 mode active
    Set port vlan 10 1/1-2
    set spantree bpdu-guard 1/1-2 enable
    set port lacp-channel 1/9-10 85
    set port lacp-channel 1/9-10 mode active
    Set port vlan 10 1/9-10
    set spantree bpdu-guard 6/9-10 enable
    On the MSFC we have many VLANs along with VLAN 10
    int Vlan 10
    ip address 10.10.10.2 255.255.255.0
    standby 10 ip address 10.10.10.1
    standby 10 timers 1 3
    standby 10 priority 200
    The same series of ports will be used on Switch 2 to connect the servers.
    Servers support the LACP protocol only.
    Diagram is enclosed... Any suggestions on this would be appreciated.
    Thanks,
    M S K

    Interesting, I thought all Sup720s were non-hybrid and used IOS only. Guess you learn something every day. Looks like it should work with what you have as long as the servers are set up with LACP in an active/standby mode.

  • CSM overwrites Configurations

    Hello.
    We have installed CSM 3.2 which we want to use for managing a Catalyst 6509 and a 3845. We also have a VPN tunnel between the 6509 and a Checkpoint firewall.
    We have found a problem: if we configure a little thing (e.g. setting snmp-server) on the Catalyst 6509 with CSM, then it will overwrite and delete the tunnel between the Checkpoint and the Catalyst.
    How can we configure CSM so that it only deploys the difference between the old and the new config, so that CSM doesn't remove any configuration made manually?
    Thanks for help
    markus

    Have a look at this:
    "After configurations are deployed, you should make changes only through Security Manager for configurations that Security Manager controls. This varies based on operating system:
    • ASA, PIX, FWSM, IPS operating systems: Security Manager controls the entire configuration. You should make all changes through Security Manager.
    • IOS Software: You have more control over which aspects of the device configuration Security Manager controls. If you do not create policies for a feature in Security Manager, such as routing policies, Security Manager does not control those features on the device. If you do create policies for these features, Security Manager overwrites the settings on the device with the settings you defined in Security Manager. Through administration settings, you can control the types of policies that will be available for IOS devices, thereby preventing Security Manager from displaying or changing policies for these features. To see the available features for IOS routers and control whether they are available for management in Security Manager, select Tools > Security Manager Administration, then select Policy Management. For IOS devices, Security Manager does manage VPN-related policies."
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/dpman.html#wp307170
    Regards
    Farrukh

  • CSM-S mode -One-Arm-vs- routed

    We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

    Gilles,
    What do you recommend when the traffic flows from the load balanced server are significant?
    i.e. you are using Oracle application and database servers, load balancing HTTP and HTTPS to the app servers. There is significant traffic flow from the app servers to the database servers, such that the load balancer in a 2-armed configuration (particularly a CSS11501 with 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
    Also, if Cisco usually does not recommend a one-armed config, why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

  • Upgrade core switches.

    Guys,
    The core of our network, basically a LAN, consists of two Cisco 6509 / Sup1 switches, running HSRP. The distribution layer consists of about 20 4912 switches. We're going to replace them with two new 6509 / Sup720s. Although I've done something similar, I've never done an upgrade the same as this.
    I post my idea here and I'd like you guys to give me some opinions as to whether it is feasible or whether there is a better way, and what should be carefully dealt with.
    These are the steps with which I want to implement the upgrade. Let's use New-6509 for the two new 6509s, and Old-6509 to reference the two old ones that are running on our network.
    1. Install the two New-6509/SUP720 physically.
    2. Configure the two New-6509, making them have similar settings to the Old-6509.
    3. Put them into the HSRP group;
    4. Connect the distribution layer to the two New-6509;
    5. Test and observe;
    6. If the network is stable, change the HSRP server in the HSRP group from one of the Old-6509 to one of the New-6509;
    7. Test and observe;
    8. If the network runs fine, get the Old-6509 one by one.
    One of the steps that I am worried about is Step 4, because this costs another 2 sets of cables and ports to the distribution layer.
    Thanks,
    Han,

    That sounds OK to me...
    If you configure them as you say, in a fully redundant configuration, you should not have many problems.
    Pull the active HSRP router across with preempt, and make sure all your new uplinks contain all your VLANs. You could trim the VLANs out of your old uplinks one by one to have less impact in case anything goes wrong.
    Dave

  • Design suggestions for a four 6500 layer 3 network?

    Hi folks,
    We've just purchased two 6509s with redundant Sup720s and two 6506s with Sup32s, and I need to configure them to replace our aging Extreme switches.
    Two will be in the MDF on the ground floor, and two in the IDF on the second floor. All floors have their own VLAN and IP subnet, and there is a datacenter VLAN for servers, and a firewall VLAN acting as a glue network to the internet.
    I'll use GigE channels for trunks between them in a fully meshed configuration.
    My question concerns how to configure the VSIs on each switch. Each subnet has a default gateway, but how do I virtualize this among the sup modules? It seems that HSRP, VRRP, and GLBP are available, with GLBP being preferred (correct me if I'm wrong).
    Would I need to configure a separate VSI for each VLAN on each switch, then set up GLBP for all of them? Can this even be done?
    Help please because I'm out of my depth on this one. Thanks for any responses,
    Ian

    Couple of options here:
    1) You keep the Sup32s in the IDF Layer 2 only, connecting with DOT1Q trunks to the 720s in the MDF. Only the 720s have the Layer 3 SVIs.
    2) You configure the Sup32s as Layer 3, with 'no switchport' Layer 3 links to the 720s in the MDF. Each Sup32 has an SVI for each VLAN on its switch.
    Option 1 is your typical Campus Wide VLAN approach.
    Option 2 is a Routed Campus Design.
    Take a look at the attached document.
    Hope this helps.
    Please rate all helpful posts.
    Regards,
    Brad

  • CoPP and management traffic

    Good afternoon fellow Ciscorians.
    I have configured CoPP to rate limit ICMP traffic and fragmented traffic to stop them saturating the RP via the control plane, and also to ignore the same traffic class from our trusted IP addresses. But I am wondering about management traffic such as telnet and SSH: we have an access list on the VTY lines dropping traffic from untrusted sources on 22 + 23, and I am wondering what the benefits are of employing a CoPP policy as well as the access list on the VTY lines?
    Could an attack still saturate the RP with an access list dropping the untrusted traffic on the VTY lines? (6509-Sup720)
    Matthew.

    Hi Matthew,
    An access list applied on an interface applies to all traffic, both data traffic (transit traffic) and control-plane traffic (destined to the router or punted to the RP), while CoPP is only applicable to traffic punted to the RP.
    An access list will either permit or drop, but CoPP is a service-policy and you can rate-limit the traffic. So if we take the example of ICMP traffic, and the requirement is that we want to allow ICMP traffic to the router (ICMP is a useful tool to check reachability and latency) but not more than 500 kbps (to avoid any DDoS attack), in this case blocking ICMP with an ACL on the interface will not solve the purpose but CoPP will do the job.
    If you are blocking some traffic via an ACL, it should not saturate the RP.
    --Please don't forget to rate helpful posts--
    Regards,
    Akash
