IDSM-2 - VSS Load Balance

Hi everyone ...
I have two 6509 configured with VSS, in each 6509 we have one FWSM and IDSM2.
We have configured the FWSM with contexts and we have Failover working fine.
Now we want to configure IDMS as IPS inline but we want to use both IDSM in load balance for improve the performance and get high availability with security.
Is this possible ?
I know we can get load balance with IPS appliances using etherchannel in switching (ECLB) but I don't know if we can do this with the IDSM modules in catalyst 6509 considering VSS.  
Any suggestions ?

The VSS is a special configuration. 
You can configure the FWSM modules to be Failover partners but in IDSM modules you need to configure the same input/output VLANs to get the Failover or balance behaviour.  The Cisco IPS architecture has not Failover configuration.  you can find some examples with Etherchannels or Port-Channels configuration shared with some IPS units to balance the bandwith.   That's the case in VSS solucion, both chasis shared the VLANs and it's necesary to configure the input/output VLANs pairs shared between the modules to balance the bandwith.

Similar Messages

  • IDSM-2 load balancing on inline mode is it possible ..?

    Hi there .. I am currenty working on a project and need to find out as to whether etherchanelling load balancing can be configured between several IDSM-2 running on inline mode. The IPS 5.1 admin guide states that it is possible for IOS based switches having the IDSM-2 configured on promiscuous mode, however I have heard that it might also be possible to configure etherchannelling load balance when the IDSM-2 are on inline mode. Any help .. commments will be appreciated .. any links to refer to will be even better
    Thanks !!!

    To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer the URL
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

  • Multihomed eBGP load balancing with 3 ISP's

    We currently peer with 2 ISPs using BGP in an active/failover configuration.  My company wants to move to a 3 ISP model where Internet traffic is split across the 3 providers so that bandwidth is equally distributed on outgoing traffic across our 2 /22 ARIN IP ranges.  This is from our 2 edge switches that have VSS.  
    Within my limited knowledge of BGP, I have determined that we could do load sharing pretty easily by adding multiple default routes and breaking up our /22's into /24 and advertising them that way.  However, I don't think this satisfies the request that downtime must be seamless, should one link drop.  
    Currently, our ISP's advertise default routes.  From the research that I've done, we could get close to load balanced links if we receive full BGP routes and community settings and definitions.  I'm nervous about this because it looks really complicated, and I don't want our AS to turn into a transit AS.  I've been told the same can be accomplished with only partial BGP routes and community settings and definitions.  
    Personally, I think we just need a WAN load balancer.  However, given the request, is there a thread out there that can explain this, or can someone discuss this requested scenario a little bit?  
    Thanks!

    Hi there
    First question would be what is the required reconvergence time for the applications using the Internet? Should an outage occur, when do they lose their state? Once you know that, you then have a target to aim for in terms of recovery
    With regards load-balancing, with BGP we are always talking inbound and outbound.
    The outbound solution is relatively simple - each ISP advertises a default route to your Internet edge router(s). Create an eBGP session from each edge router to the core, advertise the default route and redistribute into the IGP. Ensure the IGP cost to each BGP next hop is equal and you have ECMP for outbound routing.
    Inbound influence is usually via MED (not likely in this case given 3 ISPs), adjusting local-pref in the ISP via BGP EXT communities configured your end, or via AS-PATH prepending for longer prefixes from your /22. Prepending would be simplest, but your unlikely to get an exact inbound traffic split, however a relatively even distribution should be sufficient. 

  • ACE: load balancing servers using DMZ ports on FWSM

    devices; (2 core with the ff config)
    6500
    fwsm
    idsm
    msfc
    SETUP;
    Servers are connected to the dmzs on the core
    REQUIREMENT;
    to load balance the servers
    QUESTION;
    Using the ACE module, is it possibe to load balance the servers which are connected to the port which is configured as DMZ?
    Thanks

    does not matter where the servers are connected.
    However, be aware that the flows from client to server needs to go through the loadbalancer BUT also the flows server to client.
    So, you should be careful where you attach the ACE module.
    The easier would be to attach to the DMZ as well between the FW and the servers.
    Gilles.

  • 6509 Load Balancing

    Hello guys,
    How can I implement load balancing and redundancy at my two 6509 Switch?
    Thanks in advance.
    Cheers!

    The easiest way would be to implement VSS. It may require a Sup and/or chassis upgrade.
    http://www.cisco.com/en/US/products/ps9336/index.html
    Another way is to implement first hop gateway redundancy using HSRP or GLBP.
    http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807d2520.shtml
    Hope that helps.

  • Etherchannel Load-Balance

    Hi All,
    I have one Catalyst 6509 connected to Catalyst 4500X-VSS using a Layer 2 Etherchannel.
    So, 6509 are using src-dst-ip for Etherchannel Load Balance and 4500X are using src-dst-port.
    Anyone knows if this will work fine or if I may have some problem?
    Is recommended change that configuration or not?
    Tks.

    I agree with Karsten, That there would be any problem.
    As you know Etherchannel is kind of load sharing among the links...It has its own way of load sharing/balancing the traffic if you leave it to default. (which means you might end up using the same link most often times if you dont change the default load balancing method). Hence we see people change the default method to the one which they want and get the nearest load sharing/balancing over the links utilization.
    HTH
    REgards
    Inayath

  • IPS etherchannel load balancing design

    Is it possible to do a etherchannel load balancing with the design attached? i know I need to configure vlan pairs but I'm not sure if it's possible with my current design

    Etherchannel design will work with interface pair as well ,provided the design is appropriate to take care of the asymmetry.
    Coming to your design, if i understand the requirement correctly, you wish to create etherchannel between 3750 stacked switch and the pair of CAT6K. Enabling VSS on the pair of CAT6K switches and then creating etherchannel should help.But the flow symmetry will not be guaranteed ( meaning the same IPS may not see the forward and the reverse packets of the flow).

  • 2 locations, 2 core switch stacks, fibre in between, equal cost load balancing between?

    Hi,
    We've recently inherited a job that another company was doing, so we've had our hand slightly forced on the kit and overall topology involved, however that's all fine and we can make it work.
    This is a collapsed core topology with core and access switches, split over 3 blocks (fibre connections between), one core switch/stack is in block B and the other in block C, with access switches throughout.
    They require all access switches to be connected to the Core in B and the Core in C, and then obviously cross connects between the two cores.
    They state:
    "Core switches shall be linked with 2x 1Gbps links bonded into a standard compliant Etherchannel"
    "Uplinks between access and core switches shall be non-blocking - for example equal cost load balancing at layer 3, or layer 2 bonded multi-chassis Etherchannel"
    The specced kit for the core are 3850's, in an ideal world I'd use VSS (Virtual Switch System) to achieve the above statements beyond repute; but this is only supported on 4500/6500 and Nexus platforms.
    Do we think a cross stack etherchannel (LACP between both core switch stacks) would satisfy the above statements? Or the statements may just be badly worded...
    I look forward to your thoughts and views on this! Thanks!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    As the others have noted, the 3850s, to stack, are restricted to the length of the longest stack cables.
    As you have noted, VSS physical units would allow the "logical" unit to be far apart.
    For a "small" VSS core, the 4500-X might be an idea unit.  (Other than cost, the 4500 would be a better choice for a core device.)
    Something to watch for, or understand, when running VSS, Etherchannel doesn't load balance as it does on a single chassis or stack.  VSS will avoid using the VSL cross link unless it must.
    As many access switches, today, support basic L3 routing, you might also determine whether a L3 edge would be a suitable alternative choice.  It would allow retention of the 3850s and can offer some advantages even over VSS.  (Where VSS is very nice [as too the Nexus] supporting servers with Etherchannels.)

  • Error while selecting Load Balancing in JCO creation

    While creating JCO i am facing this error.It is working fine with Single server connection,but when i chose Load balancing i error comes out.Please tell me the solution.
    I have read couples of forum mentioned you need to start both Portal and ECC.
    For you information my Portal and Java are both on diffrrent Box.
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=olameccpdvr GROUP=PUBLIC R3NAME=DVR MSSERV=sapmsDVR PCS=1 LOCATION    CPIC (TCP/IP) on local host with Unicode ERROR       service 'sapmsDVR' unknown TIME        Thu Feb 24 12:19:54 201 RELEASE     701 COMPONENT   NI (network interface) VERSION     38 RC          -3 MODULE      nixxhsl.cpp LINE        776 DETAIL      NiHsLGetServNo: service name cached as unknown COUNTER     5

    Is your backend system configured correctly in your SLD ?
    Go to transaction SMMS on your backend system that your are connecting to. Click on Goto=>Parameters=>Display. Look for "server port" value.
    This should give you the TCP/IP port for your message server. It could be 3600 or 3601 (36NN - where NN is the instance number).
    In your services file, if you made the entry at the end of the file, press Enter (Return) after your entry.
    Try restarting your server after making the above changes.
    - Shanti

  • Error in creation of JCO with Load balancing server

    Hi,
    We are using a ABAP user base for our WEBAS server 6.40 (with ABAP+JAVA). i have created a Public group in concerned ECC 5.0 system. I have already configured SLD, and then i maintain data supplier bridge in SLD and run RZ70 in ECC 5.0 system to load system information.. i can see details in SLD ..
    now i am trying to create JCO connections .. here i am unable to create JCO with load balancing option..  i get
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=<servername> GROUP=PUBLIC R3NAME=SID MSSERV=sapms<SID> PCS=1 ERROR       service 'sapms<SID>' unknown TIME        Fri Jun 16 12:41:20 2006 RELEASE     640 COMPONENT   NI (network interface) VERSION     37 RC          -3 MODULE      ninti.c LINE        505 DETAIL      NiPGetServByName2: service 'sapms<SID>' not found SYSTEM CALL getservbyname_r COUNTER     1
    i am able to create single server JCO, but it fails in load balancing.. is there anything i have  missed out in settings...
    Thanks and regards,
    Sudhir

    Thanks, Bogdan Rokosa
    I have the same problem,and solved it following the steps provided by Bogdan Rokosa  :
    you must insert an entry for your R3 system
    (like: sapms<SID> 3600/tcp)
    in services file
    (C:\WINDOWS\system32\drivers\etc\services) on Java WAS.
    I test the Jco successful without restart J2EE Engine.

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • SAP GLM Print Request - Load Balancing of WWI server

    Hi GLM Experts,
    I am using new GLM + module that generates labels based on Print Requests. I am unable to understand how I can load balance the WWI services when there are multiple label printing requests.
    In GLM + we associate a WWI to a Print Station and which can then be associated with a printer. So in the configuration we are tying up a printer a WWI.
    Also during label printing, if the scenario uses print request module, then the use need to select a print station and printer. What happens if the WWI related to the print station is down?
    For example I have two services in WWI server GENPC1 and GENPC2. I created WWII and WWI2 as two print stations. I will associate my printer PRNWWI to both the print stations WWI1 and WWI2.
    During label printing if the user picks and WWI1 and Printer PDNWWI and if the GENPC1 WWI server assocaited with print status WWI1 is busy and down I want WWI GENPC2 to generate the label?
    How to setup the above load balancing or fall back? Please let me know.
    Thanks
    Pugal

    Dear Pugal
    we are not using GLM + and I am not sure about the technqiue used there to handle load balancing. Regarding general WWI setup I assume you know this Note: EH&amp;amp;S: Availability and performance of WWI and Expert servers
    On the top there is a further SAP Note abvailable which might be of interest. This is referenced here:
    http://de.scribd.com/doc/191576739/011000358700000861002013-e
    May be check OSS note: 1958655; OSS Note 1155294 is more related to normal WWI stuff; but may be check it as well. May be 1934253 might help better
    May be this might help.
    C.B.
    PS: may be check as well: consolut - EHS_MD_140_01 - EH&amp;amp;S-Management-Server einrichten
    The load balancing of synchron WWi servers is donein the "RFC" layer, therefore you have no inffluence here, for asynchron WWI servers you can do a lot to manage the WWI load balancing by using "exits" etc.

  • APEX SSO and Load balancing: Could not determine workspace for application

    We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
    Now we have added a HTTP Server on another host and have it all set up for APEX and its pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
    Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
    Error ERR-7620 Could not determine workspace for application ().
    Using HTTP Watch I find that the application is not even trying to redirect to the login page.
    What is wrong here?

    APEX has been registered as a partner application as described in
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote, it all works when the the new APEX web server is turned off in the server farm on the load balancer and directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server which proofs that there is nothing wrong with the installation and set up of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works only existing work spaces using SSO don't seems to work anymore resulting in a error as described in the subject.
    As for metalink document 368746.1 naming the causes of this error:
    - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
    -LISTENER_TOKEN clearly works for requests coming from the first web server
    -theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimiced as far down as possible.
    Is there some cache table which can be cleared? How is it that the flows schema (apex engine) can not find the work space when the request comes from a new web server which can however access the APEX_ADMIN pages.
    anyone?

  • SSO with SAP R/3 with load balancing as backend over the Web AS

    Hi,
    we have Netweaver 2004 at this time and we have to connect the portal to a BSP application in a load balancing environment.
    We set user mapping for the user and set the connection type from SAPLOGONTICKET to UIDPW. This is running for a test environment with only one R/3 system without load balancing.
    Does anyone know the setting parameters for a load balancing environment (ok, the message server and...?).
    Thank you.
    Best regards
    Patrizia

    Hi all,
    run into the same problem. Setting up a mapping with UIDPW in a non load balanced WEB-AS enviroment for BSP or Webdynpro for ABAP works fine. But if I go to set it up in a balanced system I can see the following behavior. The http request is send to the messageserver. This request enclosed my mapped user and password. The messageserver responds with an HTTP 301 wich contains one of my applicationservers, so far so good. The client sends a new request to the mentioned applicationserver but this time without the UIDPW. So the user will not be logged in.
    I was wondering if my backend have to issue logonticket too, cause today it only accept tickets from the portal.
    Is this is a bug or a feature?
    Regards,
    Bernd

  • How to change the OraSSO login link in webcache/load balance

    Hi
    we have 10gAsR1 installed as a Portal instance. We have 6-server
    load balancer => webcache as loadbalancer (listening port 80)
    Wb ch1 and wb ch2 => webcache (listening port 7777)
    portal1 and portal2 => Portal listening 7778
    infra =>Infrastruture with repository Portal/Oracle SSO (listening 7777)
    This set up is working fine for our intranet setup, now we need to open this for couple of external clients. Well initially we need to open on the load balancer server on port 80 for external team to access, it works fine when we make it publc access.
    Now when we need to make it SSO (siteminder) enables, when users click on login link it first goes oracle sso then it internally redirects the page to site minder sso.
    Well, I have noted that the sso server details are mentioned in global setting sso/oid details. Since we need to open this for external client we have to add a DNS entry for this so that we can allow its access over firewall..
    Now I have made DNS name change at my infrserver level, now I need to update the change at the load balancer server (where wheb chache is running).
    Any one know how to chang the URL at load balancer.
    I am struck at this point please suggest how should i proceed..
    Thanks,

    Extract from Personalization Guide - Page Footer - Personalization Considerations
    * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a standard Copyright and Privacy (that is, its Auto Footer property is set to true), set the Scope to OA Footer, in the Choose Personalization Context page of the Personalization UI.
    * If you wish to personalize the URL that points to the Privacy Statement for a page that displays a custom Copyright and Privacy (that is, its Auto Footer property is set to false), set the Scope to Page in the Choose Personalization Context page of the Personalization UI. In the following Page Hierarchy Personalization page , identify and personalize the Privacy page element.

Maybe you are looking for

  • Need help undoing photo transfer from iPhone 4s.

    Hello gang, I need some help with a photo transfer as things have gone awry! I had ~100 photos in my Camera Roll on my 4s.  Went to transfer these to a PC, as usual; however, I did (2) thiings differently this time: (a) did this directly to a USB (in

  • Download and Appleworks unable to open

    On Dec. 3, 2006 I downloaded security update 2006-007 1.0 Since then each time I open an appleworks folder or letter, it opens than a small color wheel displays, spins around for about 15 to 20 minutes before the folder or letter will open and I can

  • Requirement types & requirement class for trading goods.

    Dear all, I am working on a project in which there are only trading goods. Majority of the items are make to order & few are make to stock. For the make to order scenario, what will be the requirements type & requirements class to be used for the tra

  • Creating Users with RDBMS realm

    "I am currently creating new users in the RDBMS realm by an EJB that inserts into

  • Getting started with WEB reporting

    HI, I am working on SAP 4.7 version. I have released my reports through transaction SMW0. Please let me knwo now how do i view and run my reports on web?..... also what URL to type in the adress bar to view the same.... Kindl help... its urgent!