Cisco CSM 4.0 large deployment

Hi!
Where can I get information about hardware requirements for management of up to 2000 security devices (IPSs and ASAs)?

Alex,
let's go back to the design guide. 500 is the recommended number of devices for that hardware; however, there is no hard limit on the number of devices that you can import. So there is a chance that if you import 2000 devices your CSM still works fine.
However, this really depends on the number/complexity of the policies you have on these devices, and you might hit performance issues even with fewer than 500 devices if these policies are too complex, as stated in the doc:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/deployment/guide/cmsdg40.html#wp44044
Now, most likely 2000 devices on a single server is too much and you might notice some performance hit, so you might want to use different servers to manage your devices (this is usually a good choice). The way you organize your servers is arbitrary (you can do it per location, per device type, per technology, etc.). An idea on how to organize multiple servers is given in the deployment guide as well:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/deployment/guide/cmsdg40.html#wp45159
I advise you anyway to reach out to your Account Team; they will be able to suggest the solution that best fits your requirements.
Hope this helps
Stefano

Similar Messages

  • Cisco CSM and WCS on same server

    Hi,
    Currently we are running Cisco CSM and Cisco WCS applications on different servers.
    Please let me know whether it is possible to install Cisco CSM and Cisco WCS on one server.
    Regards,

    As per their datasheet, both CSM and WCS support VMware or can run as virtual servers. So it should be possible to implement both as virtual servers and run on the same physical server.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on each device on an individual basis. Policies can then be edited on a per-sensor basis or at a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • Cisco CSM 4.1: import/export IPv6 networks/hosts

    Does somebody know of an import/export functionality for the IPv6 network/host objects in Cisco CSM? The existing perl script PolicyObjectImportExport.pl supports only IPv4 objects.
    Thx

    Yep
    I had this issue with the service objects. When I created the filter for the service objects, the CSM predefined objects were also displayed. I selected all these objects and chose to delete them. During the delete process CSM stopped deleting the objects at the first CSM predefined object.
    I think you have the same issue (for example with the predefined "any" object, if not referenced in your policies).
    Workaround:
    - apply the filter again and delete the displayed objects (deselect the predefined objects first).

  • CISCO CSM- IP transparency

    Hi,
    I work for a software development company. Our application clients (Typically different TCP/IP devices) connect to the server a over custom port (44XX).
    Now we want to support server farms, load balancing using CISCO CSM to fulfill a customer need.
    Our application requires knowing the IP address of the client connecting. If load balancer is in between client and server, when client connected to our server port, Do we (Server) see the IP address of load balancer or IP address of the client when opening the socket or sending the data ?
    If Server sees load balancer IP, is there any thing we can configure in load balancer so that Server/port sees the IP address of client instead of load balancer IP ?
    Thanks for your help.

    Hi,
    All depends on your logical/physical topology between your 6500/CSM/Servers.
    If the CSM is configured in bridging mode, meaning that your servers are on an L2 VLAN on the MSFC and point their default gateway to the CSM, then you won't require source NAT in your setup. In this case the backend servers will be able to see/log the real IP address of your clients, as the CSM does not modify anything at L3.
    On the other hand, if you have a "routed" mode, where your servers are sitting on an L3 VLAN on the MSFC and their default gateway usually points to the SVI they belong to, then most likely you'll face asymmetric routing issues where the response from a load-balanced connection will bypass the CSM, as the servers are able to respond to the client directly. In this case you do implement source NAT on your serverfarms (SFs), which will overwrite the source IP address of the client with the IP address that you configure in the NAT pool in question.
    In the second case for HTTP traffic you can always perform the header-insert function on the CSM so that the real IP address of the client will be appended to a new HTTP header, the configuration will look like this:
    map HEADER-INSERT header
      insert protocol http header X-Forwarder-For header-value %is
    policy INSERT
      header-map HEADER-INSERT
      serverfarm WEBFARM
    vserver Webfarm
      virtual 10.44.60.160 any
      slb-policy INSERT    <--- Policy
      advertise
      persistent rebalance
      inservice
    You will see the following in the HTTP header:
    Hypertext Transfer Protocol
        GET / HTTP/1.1\r\n
            Request Method: GET
            Request URI: /
            Request Version: HTTP/1.1
        X-Forwarder-For: 161.44.77.112\r\n
    Hope this helps.
    Pablo
    Cisco TAC
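Once the CSM rewrites the client address with a NAT pool address, the backend has to recover the real client from the inserted header, and it has to do so without trusting a copy of that header the client may have sent itself. The following is an added example of that server-side check, not code from the post above or from Cisco. It assumes the header is literally named X-Forwarder-For (the name used in the map above), that the backend only ever sees the CSM's NAT pool address as its TCP peer (the 10.44.60.5 value is invented), and that the CSM inserts its copy after any headers the client supplied; the sample requests are constructed, not captured traffic.

```python
import ipaddress

# Constructed for this example: the CSM NAT pool address the backend sees as
# the TCP peer for every load-balanced connection (hypothetical value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.44.60.5")}

# The header name configured in the "map HEADER-INSERT" above. Header names
# are compared case-insensitively, as HTTP requires.
HEADER_NAME = "x-forwarder-for"

# Constructed sample requests (not captured traffic).
REQ_CLEAN = (b"GET / HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"X-Forwarder-For: 161.44.77.112\r\n\r\n")
# Here the client sent its own forged copy of the header first; the CSM's copy
# (assumed to be inserted after the client's headers) comes last.
REQ_FORGED = (b"GET / HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"X-Forwarder-For: 1.2.3.4\r\n"
              b"X-Forwarder-For: 161.44.77.112\r\n\r\n")


def parse_headers(raw: bytes) -> list:
    """Return the request headers as an ordered list of (name, value) pairs.
    Duplicates are kept, and only the block before the first blank line is
    parsed, so nothing in a body can masquerade as a header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def client_ip(raw: bytes, peer: str) -> str:
    """Address the application should treat as the client.

    1. If the TCP peer is not one of our balancers, the header cannot be
       trusted at all: the peer address is the client.
    2. If the peer is the CSM, use the LAST occurrence of the header. This
       assumes the balancer inserts its copy after any header the client
       supplied (assumption); a balancer that prepends would need the first.
    3. Anything that is not a valid IP address is discarded."""
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        return peer
    values = [v for n, v in parse_headers(raw) if n == HEADER_NAME]
    if not values:
        return peer
    # A balancer that appends to an existing header (the X-Forwarded-For
    # convention) would produce "client, proxy"; the rightmost entry is
    # still the one written by the trusted hop, so take it.
    candidate = values[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # garbage in the header: never trust it


if __name__ == "__main__":
    print(client_ip(REQ_CLEAN, "10.44.60.5"))   # the real client
    print(client_ip(REQ_FORGED, "10.44.60.5"))  # still the real client
    print(client_ip(REQ_FORGED, "192.0.2.9"))   # direct connection: peer wins
```

The peer check is the part that matters: header insertion only tells the server what the balancer saw, so a request that reaches the server by some path other than the CSM (a direct connection to the real's address, or a routed-mode bypass) must not be allowed to name its own source.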

  • Cisco CSM - reals / VIP seperated by a firewall

    Hi,
    Briefly, for various reasons, we are locating a pair of appliances on a DMZ fronted by a firewall. We intend to configure inbound traffic via a Cisco CSM located in front of that firewall.
    My question is: which interface would the CSM send the health probes from? We are using a source NAT client pool, so I'm assuming it would be the interface of the CSM in that VLAN... is this correct?
    Many Thanks

    Hello!
    The CSM will send the probe with the source IP of the interface that the probe leaves on, based on the best route to the destination.
    i.e.
    If the destination IP of the probe matches a layer 2 segment, then we ARP for the MAC and send the packet with the source IP of the interface VLAN on which the ARP was answered.
    If the IP is not layer 2 adjacent, the CSM will send the probe out of the interface VLAN chosen by its routing table. The source IP of the packet is the VLAN IP of the chosen outbound interface.
    Please let me know if that clarifies what you were asking for.
    Regards,
    Chris

  • How cisco CSM parses packets?

    Hi all, some days ago I had a problem with a Cisco CSM configuration. The short story is that I had to change the parse-length (virtual server submode) command to the maximum value of 4000 bytes for this implementation to work; if I don't do this the CSM sends resets to the client. What I would like to know is whether someone knows how the CSM parses packets when it is "searching" for a string, cookie, etc. I am having some difficulties finding info about this.

    The parse length on the CSM is the amount of bytes we can store to find the needed information (ie: cookie).
    So when we get an HTTP request or response the CSM will buffer everything it received up to max parse-len or header limit (\r\n\r\n).
    Once we reached the end of the HTTP header we stop buffering.
    While buffering we also start looking for the info that we need.
    If we do find it we also stop buffering.
    There is nothing magic here.
    If the HTTP header gets so big that the info we are looking for goes beyond the max parse-len when we start buffering looking for the info, we end up using all the buffer space allocated to the connection and decide to drop the connection, as we don't know if the info is just not there, or somewhere further in the header, but we don't have space to buffer more.
    When the CSM was created a long time ago, 2000bytes for the header was normal.
    Nowadays, HTTP headers tend to be bigger and it is very often required to bump the parse length even further than 4000 bytes.
    This can be done with a variable.
    Gilles.
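The buffering rule Gilles describes is easy to misjudge by eye, because the limit is hit by the total header bytes in front of the cookie, not by the cookie line itself. The following is an added model of that rule, written for this page and not the CSM's own code: it feeds a request to a simulated balancer in segment-sized pieces, holds at most parse_len bytes while looking for the target header, stops at the end of the header block, and reports a drop (what the client sees as a reset) when the buffer fills first. The requests and the 1460-byte segment size are constructed for the example.

```python
# Added example: a model of the parse-length buffering rule, not the CSM's own
# implementation. Requests below are constructed, not captured.

HEADER_END = b"\r\n\r\n"


def build_request(filler_len: int, cookie: str = "JSESSIONID=abc123") -> bytes:
    """Constructed request: one oversized header (think of a long
    Authorization or Cookie blob) placed before the cookie we balance on,
    so the interesting line sits deep in the header block."""
    return (b"GET / HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"X-Filler: " + b"a" * filler_len + b"\r\n"
            b"Cookie: " + cookie.encode() + b"\r\n\r\n")


# Constructed request with no cookie at all.
REQ_NO_COOKIE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def scan(request: bytes, target: bytes, parse_len: int, mss: int = 1460):
    """Feed the request to the balancer in MSS-sized segments and return
    ("found", value)   when the header line starting with `target` is fully
                       inside the buffer,
    ("absent", None)   when the header block ended without it,
    ("dropped", held)  when parse_len was exhausted before either happened,
    ("incomplete", held) if the data simply ran out."""
    buf = b""
    for i in range(0, len(request), mss):
        buf += request[i:i + mss]
        window = buf[:parse_len]  # the balancer can only hold this much
        hit = window.find(target)
        if hit != -1:
            eol = window.find(b"\r\n", hit)
            if eol != -1:  # the whole header line is in the buffer
                return "found", window[hit + len(target):eol].decode("latin-1")
        if HEADER_END in window:  # end of headers reached: stop looking
            return "absent", None
        if len(buf) >= parse_len:  # buffer full, nothing found: drop
            return "dropped", len(buf)
    return "incomplete", len(buf)


if __name__ == "__main__":
    big = build_request(2500)            # roughly 2.6 KB of header
    print(scan(big, b"Cookie: ", 2000))  # dropped: the cookie sits past 2000 bytes
    print(scan(big, b"Cookie: ", 4000))  # found
    print(scan(REQ_NO_COOKIE, b"Cookie: ", 2000))  # absent
```

Run it with your own captured header sizes: if a request reaches "dropped" at the parse length you have configured, the resets the original poster saw are the expected outcome, and the fix is the larger parse length rather than anything on the servers.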

  • Cisco CSM 4.1: delete unused networks/hosts objects

    I want to delete all unused network/host objects in Cisco CSM 4.2 before I compare the objects with the entries in our IPAM. Does somebody know how this is possible?
    Many thanks for your support.

    Yep
    I had this issue with the service objects. When I created the filter for the service objects, the CSM predefined objects were also displayed. I selected all these objects and chose to delete them. During the delete process CSM stopped deleting the objects at the first CSM predefined object.
    I think you have the same issue (for example with the predefined "any" object, if not referenced in your policies).
    Workaround:
    - apply the filter again and delete the displayed objects (deselect the predefined objects first).

  • Cisco CSM URL REQUEST

    Hello,
    I'm looking for 'Support Pages' if any for cat65k CSM module. I have found ample documentation etc but I normally begin with support docs before touching basic and advanced config guides...
    Any help would be appreciated.
    regards
    Ajaz Nawaz

    Hi Ajaz,
    Check this link as it may be of help
    This appendix describes how to troubleshoot the CSM and system messages.
    http://www.cisco.com/en/US/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a008022ff45.html
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_7156.htm#wp42504
    HTH, if yes please rate the post.
    Ankur

  • NTP protocol support in Cisco CSM module

    Can anyone please advise if the CSM module will support load balancing NTP traffic to the servers?

    Here is what i see in CSM with ntp traffic reaching real servers
    prot vlan source destination state
    In UDP 45 10.200.210.20:123 172.20.95.39:123 ESTAB
    Out UDP 39 172.20.88.101:123 10.200.210.20:123 ESTAB
    vs = NFTBZTKVIP, ftp = No, csrp = True
    real = (n/a)
    Could it be that the real servers are not replying back to these NTP packets, or from your point of view what could be holding them back?
    I will send you the trace once i pick them up.
    Kashi

  • Cisco CSM: Duplication of udp packets possible instead of load balancing?

    Hi all,
    Does anybody know if it's possible to use the csm (WS-X6066-SLB-APC, OS 4.3.1) to duplicate udp packets to several real servers instead of balancing them.
    In our special case we want to test duplicating snmp traps to several network management systems whereas on the snmp clients only one target address (the vserver address) is configured.
    Many thanks in advance,
    Thorsten

    Hi Thorsten,
    I'm afraid this is not possible. With the CSM you can only load-balance.
    Regards
    Daniel

  • Cisco IOS SLB or CSM?

    I am trying to inform myself if Cisco IOS supports Server Load Balancing (SLB) without the CSM. It appears this software has been integrated into a hardware module known as a Content Switching Module. (CSM)
    Aside from cost and being a hardware module (faster) in an IOS-based Catalyst 6500, is there a functional advantage/disadvantage of using the Cisco CSM over Cisco IOS Server Load Balancing, or vice versa? Any comments would be appreciated. Thanks.
    Mark

    IOS SLB shares the same software code base as Cisco IOS and has all the software features sets of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB technology into traditional Cisco switches and routers.
    The CSM is specifically designed to meet the demands of large Internet service providers (ISPs), Co-location facilities, Application service providers (ASPs), and Enterprise web server farms.
    These links might help you gain a better understanding:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/iosslb8e.htm#xtocid32
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a0080092384.shtml
    http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/ccsm_ds.htm

  • Cisco C6500 CSM - Real server cannot ping its VIP.

    I've been running into an issue with Cisco CSM for a number of years, but have always found a way around it. I'm attempting to get to the bottom of this to find out once and for all if this is in fact a limitation of the device, or whether a config fix/workaround is possible.
    Here is my situation. My CSMs are configured in bridging mode. Traffic works great; traffic bridges across VLANs correctly. Everything works and I have many instances of similar configurations running in production. Every once in a while, a client reports that a "real" server (e.g. LWCMW-021)
    cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT server, but I'm not 100% sure. Clients have requested this functionality for some type of application-based purpose, but I'm unaware whether CSM in bridging mode can provide this or not.
    Any suggestions?
    real LWCMW-021
      address 10.95.88.59
      inservice
    real LWCMW-022
      address 10.95.88.60
      inservice
    serverfarm LWCMW-80
      nat server
      no nat client
      real name LWCMW-021 80
        inservice
      real name LWCMW-022 80
        inservice
      probe HTTP-80 (defined elsewhere)
    vserver LWCMW-80
      virtual 10.95.88.68 tcp WWW
      vlan 120
      serverfarm LWCMW-80
      persistent rebalance
      inservice

    Sorry for giving false hope. It is only possible in the ACE module. In the case of the CSM I believe we can only use a workaround.
    In the case of the ACE we can bind the virtual IP to multiple VLANs. In that case we see ARP entries like this:
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan345   VSERVER    LOCAL     _         up
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan346   VSERVER    LOCAL     _         up
    As the virtual IP is not bound to a particular VLAN in the case of the CSM, it does not work here, but I can say for sure it is expected behavior.
    The logic would be that the server tries to resolve the ARP for the virtual IP and does not get a response.
    In my case the virtual IP is 10.10.10.111; before applying the policy on the ACE you can see that it is exhibiting the same behaviour.
    Wireshark flow graph (only the ARP requests from the server Vmware_b4:72:11 / 10.10.10.11 to Broadcast are shown; nobody answers them):
    Time    Source        Destination  Packet
    0.000   10.10.10.11   Broadcast    ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    0.999   10.10.10.11   Broadcast    ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    1.998   10.10.10.11   Broadcast    ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    3.014   10.10.10.11   Broadcast    ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    4.014   10.10.10.11   Broadcast    ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    Hope that helps.

  • Cisco 6500 X6066 CSM Module Reporting

    Hi;
    Is there any tool for reporting on csm module reals/vservers etc. connections between given time periods ?
    If not , may i export these values with any commands from cli ?
    Thanks
    Umut

    Hi,
    You can use any SNMP tool to monitor the CSM using its SNMP MIBs. The Cisco CSM supports two read-only MIBs, CISCO-SLB-MIB and CISCO-SLB-EXT-MIB, which are available at ftp://ftp.cisco.com/pub/mibs/.
    Traps can be sent based on real server, virtual server, and fault tolerant state changes. This is an old product and not many options are available SNMP-wise.
    While searching more related to this topic I found a similar discussion. Kindly go through it and see if it helps you.
    https://supportforums.cisco.com/thread/2024621
    The CSM also allows you to configure TCL scripts for health monitoring and other particular tasks. Please have a look at the link below for details regarding the scripts:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/3.2/configuration/guide/scriptg.html
    Regards,
    Kanwal

  • Cisco Security Manager some firewalls don't have global policies assigned for the base definitions

    Hello Experts,
    In CSM 4.6 I noticed that some firewalls don't have global policies assigned for the base definitions like SSH/SNMP/syslog/AAA, etc.
    Unfortunately in Cisco CSM each policy has to be applied individually, so it's easy to miss one policy or another. Is there any better way to verify and get the list of devices which do not have SSH/SNMP/syslog/AAA?
    Thanks,

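One way to get that list without relying on which CSM policies happen to be assigned is to check the device configurations themselves. The following is an added example for this page, not a CSM feature or Cisco code: it takes the running-config of each ASA (as exported from a config archive, for instance) and reports the devices missing any of the baseline commands for SSH access, an SNMP host, a syslog host and AAA for SSH. The device names, addresses and configuration fragments are constructed; the four patterns cover the common ASA command forms and would be extended to whatever your base definitions actually contain.

```python
import re

# Constructed sample running-configs (hypothetical devices), keyed by name.
CONFIGS = {
    "fw-dc1-edge": """\
hostname fw-dc1-edge
logging enable
logging host inside 10.10.5.20
snmp-server host inside 10.10.5.21 community **** version 2c
aaa-server TACACS protocol tacacs+
aaa authentication ssh console TACACS LOCAL
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 30
""",
    "fw-branch-07": """\
hostname fw-branch-07
logging enable
ssh 10.20.0.0 255.255.0.0 inside
aaa authentication ssh console LOCAL
""",
    "fw-lab-01": """\
hostname fw-lab-01
snmp-server host management 10.30.5.21 community **** version 2c
""",
}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Baseline definitions as ASA config lines. Each pattern is anchored to a
# line start so that e.g. "ssh timeout 30" does not count as SSH access.
BASELINE = {
    "ssh":    re.compile(r"^ssh " + _IPV4 + " " + _IPV4 + r" \S+", re.M),
    "snmp":   re.compile(r"^snmp-server host \S+ \S+", re.M),
    "syslog": re.compile(r"^logging host \S+ \S+", re.M),
    "aaa":    re.compile(r"^aaa authentication ssh console \S+", re.M),
}


def missing_baseline(config: str) -> list:
    """Names of baseline items that have no matching line in this config,
    in BASELINE order."""
    return [name for name, rx in BASELINE.items() if not rx.search(config)]


def audit(configs: dict) -> dict:
    """Map device name -> list of missing items, for devices with gaps only."""
    report = {}
    for device, cfg in configs.items():
        gaps = missing_baseline(cfg)
        if gaps:
            report[device] = gaps
    return report


if __name__ == "__main__":
    for device, gaps in audit(CONFIGS).items():
        print(f"{device}: missing {', '.join(gaps)}")
```

Run against real exports, this gives the list the poster asked for independently of how the policies were assigned in CSM; a device whose CSM policy view looks complete but whose running-config lacks the line is exactly the case worth catching.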
