IronPort ESA - HA and Dual Homing

Hello, I have a customer that wants to do an HA and Dual Homing implementation. I want to ask what is the best way to implement HA for IronPort ESA? As I know, the cluster configuration is only used so the policy can be distributed equally. And what about a dual-homing scenario? Is it supported with IronPort, and how does it work?
Regards
Alkuin Melvin

What exactly do you mean by multi-homing? IronPort email appliances support configuration of multiple interfaces (physical or VLAN), to which you can then attach Listeners (SMTP processes). You could thus configure your servers to receive or send email on multiple IP addresses, depending on your network config.

Similar Messages

  • VMware ESX and dual homing

    We are beginning to deploy VMware ESX servers for Windows production environments. How do I set up the vNICs to dual-home the VMs to separate Catalyst 6500s?
    Thanks, Lisa

    Hi Steve,
    Specific to VSS by itself, that is available and shipping today, but support for the FWSM with VSS is not yet available (as you have already noted :-). I am currently hearing Q3CY08 as a possible timeframe for supporting VSS and the FWSM, but that is not written in stone. In the meantime, you could still take advantage of VSS to do the multi-chassis EtherChannel, just not with the FWSM included.
    Specific to the question on the quad mezz cards, I personally do not have any experience with this specific card, but do know that teaming/bonding software is getting better every day, but we all know that not everything works as advertised, so in that case (and actually, in every case if you think about it), any such design should be fully tested before going into production, to make sure it works as expected/desired.
    In your post you mention the 3020 (HP Cisco blade switch). That does indeed throw a bit of a wrench in the works, since as you noted, the NICs will each go to separate physical switches in the enclosure, thus making EtherChannel type solutions on the server impossible. In that case, I normally recommend a simple Active/Standby form of teaming/bonding, as it is robust and deterministic (proprietary forms of Active/Active, in my experience, are neither). If you did decide to go with pass-thru (instead of 3020) to a VSS environment, you could then take advantage of the EtherChannel type teaming, but then you introduce the headache of all of those cables from the pass-thrus, which defeats one of the more common purposes many people go to blades, reduced cabling.
    Another solution that would give you the best of both worlds in a blade enclosure (reduced cabling and EtherChannel teaming on the servers), is to look at the new 3120's just coming out. With their stacking ability, multiple switches look and act as a single logical switch (exactly like the 3750E), so when these are deployed in the enclosure and stacked, you can indeed use EtherChannel on the server NICs while still getting cable reduction for the enclosure.
    HTH, Matt

  • SAN design : core edge and dual-homing access switch

    Hello all.
    It may sound like a dumb question (from a LAN guy), but when designing a core/edge or edge/core/edge design, why do we connect access switches to both core switches? Doesn't it break the isolation of a dual fabric backbone?
    If an access switch fails, will the fault (bug or anything else) propagate to both core switches? Am I wrong?
    Example :
    http://www.cisco.com/en/US/prod/collateral/modules/ps5991/prod_white_paper0900aecd8044c807_ps5990_Products_White_Paper.html
    or from Networkers sessions in 2006

    Answer also from a LAN guy,
    Most likely this design diagram is due to the assumption that there is no use of VSANs and SAN multipathing drivers in the host.
    Following is an excerpt from the same link you posted.
    "SAN designs should always use two isolated fabrics for high availability, with both hosts and storage connecting to both fabrics. Multipathing software should be deployed on the hosts to manage connectivity between the host and storage so that I/O uses both paths, and there is non-disruptive failover between fabrics in the event of a problem in one fabric. Fabric isolation can be achieved using either VSANs, or dual physical switches. Both provide separation of fabric services, although it could be argued that multiple physical fabrics provide increased physical protection (e.g. protection against a sprinkler head failing above a switch) and protection against equipment failure."

  • Single Homed or Dual Homed FEX

    With the ability to do enhanced vPCs now on the FEXs, is there any benefit to having a mixture of single-attached FEXs and dual-homed FEXs?
    Here are some benefits as I see them:
    A single-homed FEX is easier to troubleshoot as the topology is not as complex.
    A dual-homed FEX will support both dual-attached hosts and single-attached hosts. So this means we only have one topology to deal with (everything dual-homed).
    Any other pros or cons?
    Thanks

    If you have any servers with only one uplink, you want dual-homed FEXes for redundancy.
    Also, it depends on the number of FEXes you are connecting to the same set of switches. For example: the max number of FEXes that can be uplinked to a set of 6k switches is 24 if you are dual-homed, but if you are single-homed the max is 48 (24 per switch).
    HTH

  • Replace Faulty IronPort ESA in a Cluster

    I have a cluster of 2 IronPort ESA appliances and one of these is faulty and will not boot. I am awaiting a replacement from Cisco.
    I cannot find an exact guide that explains how to reinstate the new appliance to the cluster and therefore am making an assumption that the easiest way to do this is as follows:
    1) Physically connect the new device.
    2) Login with console and ensure the new device has centralised management feature and all other keys.
    3) Configure the management interface with the original machine level IP address from the old configuration of the faulty device.
    4) Use Clusterconfig command to join new device to cluster.
    The only thing I am concerned about is licensing and serial numbers. I seem to remember that the primary cluster device will check the serial number at some point and therefore if it's a new device then it will not join the cluster. If this is the case then I assume we would have to remove the original device from the cluster and add the new one as a brand new one. This would mean all other machine level configuration would be lost such as IP addresses of Data interfaces and DNS names etc.
    Can anyone clarify please. Also can anyone point me to which configuration is required for machine level only.
    Regards
    Paul Tribe

    So, to help out: yes, it would be pretty much...
    1) Once you get the RMA appliance, rack and cable the appliance, and bring it online with the quickstart guide.  We'll call this ESA3.
    2) Once ESA3 is online, you'll need to make sure that you get the RMA on the same matching AsyncOS version as ESA1. (*This may mean you'll need to upgrade ESA1 to get a compatible revision running...) Also, just go ahead and make the IP and hostname the same as you had for ESA2, if not done at quickstart.
    3) Once the version is matching - just transfer over the license/feature keys from the old ESA2 to your new ESA3 (RMA unit):
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
    4) Once licensing is completed, just join to the cluster. (*If you are running 8.5.6, clustering is included in the release; just run clusterconfig on the CLI to assure operation.) From ESA1, run clusterconfig and removemachine, choosing ESA2. From ESA3, run clusterconfig and join the cluster:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118174-technote-esa-00.html
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Fabric Extender question to a dual-homed N5k

    According to latest release notes:
    http://www.cisco.com/en/US/customer/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_4_2_1_N1_1/Nexus5000_Release_Notes_4_2_1_N1_1.html#wp144071
    "Support for a maximum of 12 Fabric Extenders dual-homed to a vPC Cisco Nexus 5000 Series switch pair and a maximum of 576 hosts connected to Fabric Extenders connected to Cisco Nexus 5000 Series switches"
    I have mixed mode, so some of the FEX will only connect to one N5K even though the two N5Ks will be in vPC. Cisco calls this "Fabric extender straight-through topology". This is because I am running port-channel with VMs on these particular FEX.
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-00_Design_N5K_N2K_vPC_DG.pdf
    My questions are:
    1. Can I assume the 2148 is included per the release notes?
    2. Can I have more than 2 ports in the port-channels in straight-through mode?
    3. The release notes show 576 hosts, which is (12 max times 48 ports). I assume I can have more logical hosts, meaning VM hosts via the port channels, right...?
    Thx

    Any Nexus 5000 can have a total of 12 FEXs connected to it physically. If you have 12 FEXs in dual-homed mode, then that is the limit for both Nexus 5000s. If you had 24 FEXs evenly distributed between the Nexus 5000s in straight-through mode, then that would be the maximum in that configuration. If you are mixing straight-through and dual-homed configurations, you would have to be within the 12 FEX per Nexus 5000 limit.
    The 2148 is the first FEX, so yes, it is the focus of the release notes.
    The 2148 cannot have a local port-channel. This is why you can only channel to a 2148 when using dual-homed (called Active-Active mode), one interface on each 2148, and it is tied together with a vPC configuration to make a port-channel. The individual 2148s each only have one connection on them down to the server below. The 2248 and 2232 do not have this restriction.
    As of 4.2(1)N1(1), 576 refers to host interfaces. If your host has virtual hosts, you just need to make sure you are within the limit of MAC addresses in the system, which is 16,000 (13,800 unicast).
    Regards,
    John Gill
    Reference:
    configuration limits -
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration_limits/limits_421/config_limits_4_2_1_chapter1.html

  • Has anyone upgraded the Ironport ESA to 8.5.6-074 and had the issues of Raid status showing unknown?

    Has anyone upgraded the IronPort ESA to 8.5.6-074 and had the issue of RAID status showing unknown? After we upgraded our appliances we are having issues with our ESA appliances showing the RAID status as unknown. When we reported the issue to Cisco we were told there were no issues reported at all. Could anyone please confirm if you have experienced the same issue.

    You should see OPTIMAL - meaning the drives in the C170 are in good health/status:
    myc680.local> version
    Current Version
    ===============
    UDI: C680 V FCH1611V0B2
    Name: C680
    Product: Cisco IronPort C680 Messaging Gateway(tm) Appliance
    Model: C680
    Version: 8.5.6-074
    Build Date: 2014-07-21
    Install Date: 2014-07-29 11:16:34
    Serial #: xxx-yyy1611Vzzz
    BIOS: C240M3.1.4.5.2.STBU
    RAID: 3.220.75-2196, 5.38.00_4.12.05.00_0x05180000
    RAID Status: Optimal
    RAID Type: 10
    BMC: 1.05
    There are times post-reboot, that you'll see and get notification of RAID sub-optimal --- meaning that the appliance is running through on a health-check of the appliance's RAID.  You should be getting a notification once RAID status has returned to OPTIMAL, or as per the older OS revisions, READY:
    myc170.local> version
    Current Version
    ===============
    UDI: C170 V01 FCH1428V06A
    Name: C170
    Description: Cisco IronPort C170
    Product: Cisco IronPort C170 Messaging Gateway(tm) Appliance
    Model: C170
    Version: 7.6.3-019
    Build Date: 2013-06-09
    Install Date: 2014-09-12 13:52:24
    Serial #: xxxxxxD87B39-yyyyyy8V06A
    BIOS: 9B1C115A
    RAID: 02
    RAID Status: READY
    RAID Type: 1
    BMC: 2.01
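    A check for the status discussed in this thread, added here as an example (it is not code from the original post and not part of AsyncOS): it parses `version` output as pasted above, treats `Optimal` and `READY` as healthy per the answer, and separates the transient sub-optimal state seen after a reboot from the `Unknown` reading the question describes. The two healthy dumps are the ones from the answer; the `Unknown` dump is constructed, and the flat `Key: Value` layout of `version` output is an assumption taken from those dumps.

```python
"""Parse AsyncOS `version` output and classify RAID health.

Added example, not code from the thread or from AsyncOS.  Assumption: the
`version` command prints a flat "Key: Value" list, as in the pasted dumps.
"""
import re

# Dumps as pasted in the answer above (C680 on 8.5.6-074, C170 on 7.6.3-019).
VERSION_C680 = """\
myc680.local> version
Current Version
===============
UDI: C680 V FCH1611V0B2
Name: C680
Product: Cisco IronPort C680 Messaging Gateway(tm) Appliance
Model: C680
Version: 8.5.6-074
Build Date: 2014-07-21
Install Date: 2014-07-29 11:16:34
Serial #: xxx-yyy1611Vzzz
BIOS: C240M3.1.4.5.2.STBU
RAID: 3.220.75-2196, 5.38.00_4.12.05.00_0x05180000
RAID Status: Optimal
RAID Type: 10
BMC: 1.05
"""

VERSION_C170 = """\
myc170.local> version
Current Version
===============
UDI: C170 V01 FCH1428V06A
Name: C170
Description: Cisco IronPort C170
Product: Cisco IronPort C170 Messaging Gateway(tm) Appliance
Model: C170
Version: 7.6.3-019
Build Date: 2013-06-09
Install Date: 2014-09-12 13:52:24
Serial #: xxxxxxD87B39-yyyyyy8V06A
BIOS: 9B1C115A
RAID: 02
RAID Status: READY
RAID Type: 1
BMC: 2.01
"""

# Constructed dump showing the symptom from the question (status Unknown).
VERSION_UNKNOWN = """\
esa-example.local> version
Current Version
===============
Name: C170
Model: C170
Version: 8.5.6-074
RAID Status: Unknown
RAID Type: 1
"""

# Status strings the answer describes as healthy: Optimal on newer AsyncOS,
# READY on older revisions.
HEALTHY = {"optimal", "ready"}

# "Key: Value" lines; keys may contain spaces and '#' (e.g. "Serial #").
KV_RE = re.compile(r"^([A-Za-z][A-Za-z #]*?):\s*(.*)$")


def parse_version(text):
    """Return the Key: Value pairs of a `version` dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def raid_health(text):
    """'healthy', 'unknown' (the symptom in the question), 'degraded'
    (any other value, e.g. the post-reboot sub-optimal check) or 'missing'."""
    status = parse_version(text).get("RAID Status")
    if status is None:
        return "missing"
    s = status.lower()
    if s in HEALTHY:
        return "healthy"
    return "unknown" if s == "unknown" else "degraded"


def fleet_report(dumps):
    """name -> (AsyncOS version, raw RAID status, health class)."""
    out = {}
    for name, text in dumps.items():
        f = parse_version(text)
        out[name] = (f.get("Version"), f.get("RAID Status"), raid_health(text))
    return out


def needs_attention(dumps):
    """Names of appliances whose RAID is not reported healthy."""
    return sorted(n for n, (_, _, h) in fleet_report(dumps).items() if h != "healthy")


if __name__ == "__main__":
    for name, row in fleet_report({"c680": VERSION_C680, "c170": VERSION_C170,
                                   "example": VERSION_UNKNOWN}).items():
        print(name, row)
```

    Feed it the `version` output collected over SSH from each appliance and alert on anything in `needs_attention`; a status that stays `unknown` beyond the post-reboot health check is the case to raise with TAC.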

  • How do i change the $Date variable format on an Ironport ESA to be DD/MM/YYYY

    I have an IronPort ESA running AsyncOS 7.6 and I use the $Date variable in notification emails. It is currently formatted in the US way of MM/DD/YYYY but we need it to be formatted as DD/MM/YYYY. Is there any way to do this? The time zone is correct but I can't find anywhere to modify system variables.

    There doesn't appear to be any way to change the formatting of that variable.  Perhaps you can make use of $Timestamp or $GMTimeStamp instead?

  • How to replace Nexus5596 with dual-homing N2K

    What is the correct process to replace a FEX parent switch with dual-homed FEX?
    Traffic should not be interrupted.

    Hi
    Do you have vPC between the parent switches, and are you running vPC on the dual-homed FEX fabric ports?
    If yes, below is the procedure:
    1) Boot the replacement switch without vPC, peer-links or FEX ports connected to it.
    2) Make sure its software version matches the peer switch.
    3) Enable pre-provisioning for slots with the appropriate FEX model.
    Here is the guide:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/nexus5000/sw/system_management/521_n1_1/b_5k_System_Mgmt_Config_521N11_chapter_0100.html#task_05BB53AD7AFB49CF9A8E4A5C6C37CB38
    So, on the replacement switch you will pre-provision the Fabric Extender and configure the ports so it will be ready when you add the module to the RMA switch.
    Please make sure you put the appropriate FEX model on the provisioned slot; otherwise, when connected, it will not come online.
    Example, FEX 110:
    N5K(config)# slot 110
    N5K(config-slot)#provision model N2K-C2248T
    4) Now keep all ports in shutdown state, then configure the entire switch, including FEX host ports, FEX fabric ports, the vPC peer-link and the vPC domain configuration.
    Keep FEX host ports in shut state.
    5) Keep the vPC role priority on the existing switch lower than on the new switch.
    6) Connect the peer-link ports to the peer switch and wait till vPC comes up.
    7) Then connect the fabric ports from the FEX to the pre-configured ports on the replacement switch.
    After it comes online, unshut the FEX host ports.
    I got similar steps here as well:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#wp425197
    NOTE: I followed the same process; however, a few ping drops were seen... around 5-6 pings lost, only on a few hosts...
    Mazhar

  • IronPort ESA 170 Upgrade Failed

    Hi All,
    We have just got two IronPort ESA 170 appliances delivered.
    I started off with upgrading the firmware from version 7.5.2-101 to 7.6.3-019. One of the appliances got upgraded fine. However, I am getting an error on the other one. Exactly when the upgrade reaches 72% it throws the error "The following error occurred during upgrade: Upgrade exited without success. Please attempt upgrade again after clearing the error". Attached is the screenshot.
    I tried the upgrade three times and got the same error every time. Just wanted to know if anyone else has faced anything similar before raising a TAC case. Is it because of a disk space issue?
    Please assist.
    Thanks in advance.
    Faiz

    If you try to upgrade more than once and you keep getting the same error at the same time, then you could think about bandwidth control in the network or web traffic redirection.
    A packet capture could help finding more info about what can be the case or you may want to go through TAC. With remote access to your appliance they can identify if the issue is with your appliance or not. And if it is not, they may be able to assist you identifying the cause.
    Last but not least, you can try Local Upgrade. Please refer to the Technical Article below.
    =============================================
    Comprehensive Guide to Local Upgrade Servers
    Knowledge Base Answer ID: 1558
    http://tools.cisco.com/squish/212fd
    I hope this helps. If that is the case, please mark the question as answered.
    Regards,
    -Valter

  • BGP in Dual Homing setup not failing over correctly

    Hi all,
    We have dual-homed BGP connections to our sister company network but the failover testing is failing.
    If I shut down the WAN interface on the primary router, after about 5 minutes everything converges and fails over fine.
    But, if I shut the LAN interface down on the primary router, we never regain connectivity to the sister network.
    Our two ASRs have an iBGP relationship, and I can see that after a certain amount of time, the BGP routes with a next hop of the primary router get flushed from BGP and the preferred exit path is through the secondary router. This bit works OK, but I believe that the return traffic is still attempting to return over the primary link...
    To add to this, we have two inline firewalls on each link which are only performing IPS, no packet filtering.
    Any pointers would be great.
    thanks
    Mario

    Hi John,
    Right... please look at the output below, which is the partial BGP table during a link failure...
    10.128.0.0/9 is the problematic summary that still keeps getting advertised out when we do not want it to during a failure....
    Now there are prefixes in the BGP table which fall within that large summary address space. But I am sure that they are all routes that are being advertised to us from the eBGP peer...
    *> 10.128.0.0/9     0.0.0.0                            32768 i
    s> 10.128.56.16/32  172.17.17.241                 150      0 2856 64619 i
    s> 10.128.56.140/32 172.17.17.241                 150      0 2856 64619 i
    s> 10.160.0.0/21    172.17.17.241                 150      0 2856 64611 i
    s> 10.160.14.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.160.16.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.200.16.8/30   172.17.17.241                 150      0 2856 65008 ?
    s> 10.200.16.12/30  172.17.17.241                 150      0 2856 65006 ?
    s> 10.255.245.0/24  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.4/32  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.10/32 172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.255.8/30  172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.10/32 172.17.17.241                 150      0 2856 ?
    s> 10.255.255.12/30 172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.14/32 172.17.17.241                 150      0 2856 ?
    I would not expect summary addresses to still be advertised if the specific prefixes are coming from eBGP... am I wrong?
    thanks for everything so far...
    Mario De Rosa
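    The check a practitioner would want on the table above, added here as an example (not code from the thread): parse the pasted `show ip bgp` lines and report what sits under the 10.128.0.0/9 aggregate, whether any of it is locally originated, and which neighbour AS the more-specifics come from. In IOS an `aggregate-address` is originated as long as at least one more-specific contributor is present in the BGP table, whichever peer it was learned from; the `advertise-map` option on `aggregate-address` is what restricts which routes count as contributors, so the report below gives exactly the inputs needed for that decision. The data lines are copied from the post; the column header is constructed from the standard IOS layout because the post omitted it, and the parser assumes the lines keep their original column alignment.

```python
"""Parse a `show ip bgp` table and summarise what keeps an aggregate alive.

Added example, not code from the thread.  The header line is constructed
(standard IOS layout); the route lines are the ones pasted in the post.
"""
import ipaddress
import re

BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.128.0.0/9     0.0.0.0                            32768 i
s> 10.128.56.16/32  172.17.17.241                 150      0 2856 64619 i
s> 10.128.56.140/32 172.17.17.241                 150      0 2856 64619 i
s> 10.160.0.0/21    172.17.17.241                 150      0 2856 64611 i
s> 10.160.14.0/24   172.17.17.241                 150      0 2856 64611 i
s> 10.160.16.0/24   172.17.17.241                 150      0 2856 64611 i
s> 10.200.16.8/30   172.17.17.241                 150      0 2856 65008 ?
s> 10.200.16.12/30  172.17.17.241                 150      0 2856 65006 ?
s> 10.255.245.0/24  172.17.17.241                 150      0 2856 64548 ?
s> 10.255.253.4/32  172.17.17.241                 150      0 2856 64548 ?
s> 10.255.253.10/32 172.17.17.241                 150      0 2856 64548 ?
s> 10.255.255.8/30  172.17.17.241                 150      0 2856 6670 ?
s> 10.255.255.10/32 172.17.17.241                 150      0 2856 ?
s> 10.255.255.12/30 172.17.17.241                 150      0 2856 6670 ?
s> 10.255.255.14/32 172.17.17.241                 150      0 2856 ?
"""


def parse_bgp_table(text):
    """Parse `show ip bgp` lines into dicts.  Metric/LocPrf/Weight are
    right-aligned and end at the right edge of the Weight header; the AS
    path starts after that edge, and the last token is the origin code."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if "Network" in l and "Next Hop" in l)
    weight_end = header.index("Weight") + len("Weight") - 1
    routes = []
    for line in lines:
        if line == header:
            continue
        toks = [(m.group(), m.end() - 1) for m in re.finditer(r"\S+", line)]
        if len(toks) < 4:
            continue
        status, network, next_hop = toks[0][0], toks[1][0], toks[2][0]
        origin = toks[-1][0]
        attrs = [t for t, end in toks[3:-1] if end <= weight_end]
        as_path = [t for t, end in toks[3:-1] if end > weight_end]
        routes.append({
            "status": status,
            "suppressed": status.startswith("s"),  # 's' = suppressed under an aggregate
            "best": ">" in status,
            "network": ipaddress.ip_network(network, strict=False),
            "next_hop": next_hop,
            "weight": int(attrs[-1]) if attrs else None,  # Weight is the last attribute column
            "as_path": as_path,
            "origin": origin,
            "local": next_hop == "0.0.0.0",  # locally originated (e.g. aggregate-address)
        })
    return routes


def aggregate_report(text, aggregate):
    """Summarise the aggregate and the more-specifics that contribute to it."""
    agg_net = ipaddress.ip_network(aggregate)
    routes = parse_bgp_table(text)
    agg = next((r for r in routes if r["network"] == agg_net), None)
    contributors = [r for r in routes
                    if r["network"] != agg_net and r["network"].subnet_of(agg_net)]
    return {
        "aggregate_present": agg is not None,
        "aggregate_local": bool(agg and agg["local"]),
        "contributors": len(contributors),
        "suppressed": sum(r["suppressed"] for r in contributors),
        "local_contributors": sum(r["local"] for r in contributors),
        "next_hops": sorted({r["next_hop"] for r in contributors}),
        "neighbor_as": sorted({r["as_path"][0] for r in contributors if r["as_path"]}),
    }


if __name__ == "__main__":
    print(aggregate_report(BGP_TABLE, "10.128.0.0/9"))
```

    On the pasted table this reports a locally originated aggregate with fourteen suppressed contributors, none of them local, all with next hop 172.17.17.241 and first AS 2856: every route holding the aggregate up was learned from that one peer.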

  • IronPort best practices and configuration guide

    Hi there,
    I manage a Cisco IronPort ESA appliance for my organisation and made a quick blog post last night about things I thought should be a best practice for a new ESA appliance.
    The reason I wrote this is because some of these things are not configured from the start or are configured poorly by default.
    Take a look and let me know what you think - I plan to make a part 2 because there are some things I did not have time to go through and it was quite long already!
    Remember that your environment will be different from mine so you should understand the things I say before blindly implementing them!
    http://emtunc.org/blog/06/2014/cisco-ironport-e-mail-security-appliance-best-practices-part-1/

    First of all, I think your question is related to the WebCenter (Framework) as such, not just OUCSS.
    As for JDev. vs. run-time, this question is well discussed in Yannick Ongena's tutorial: http://www.yonaweb.be/webcenter_tutorial/part1_configure_webcenter_portal_application
    "Let me first talk a bit about the architecture of WebCenter and the runtime customizations. ADF (and WebCenter) has an additional component since 11g called the MDS (MetaDataServices). The MDS is a repository that stores all the customizations. The page we just created at runtime is not stored in the project folder of JDeveloper but is instead stored in the MDS."
    I guess the answer when to use which methods depends on the situation what page you want to create.
    I am surprised, however, that you state that
    Pages created in JDeveloper are not searchable online. It is possible to link it to a Navigation Model but the path needs to be manually entered. Could you elaborate on your use case?
    As for navigation models, you can check another tutorial: http://docs.oracle.com/cd/E21764_01/webcenter.1111/e10148/jpsdg_navigation.htm#BABJHFCE
    Maybe what you are looking for is the way to create a navigation model according to your needs?

  • RDS Gateway Best practices Dual-Homed?

    Good Day,
    I am wondering what is a typical amount of time others see when end users launch a RemoteApp session that goes through the RDS Gateway.
    Our two RDS Gateway servers (entire environment is W2k12R2) seem slow to me. They are both dual-homed, with a NIC on the DMZ and Internal side of the network. Maybe I would be better off disabling the Internal NICs and reconfiguring the firewall rules so that everything routes through the DMZ NIC?
    Steve J.

    Hi Steve,
    Thank you for posting in Windows Server Forum.
    Best practice for any server depends on your environment scenario, as you need to decide whether to place the gateway in the DMZ or allow 443 to be opened to the internal network. Placing the RDS Gateway in the DMZ is more secure; you can find more information in the article beneath.
    RD Gateway deployment in a perimeter network & Firewall rules
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    For more detail on understanding RD Gateway, refer to this article.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Connection problems with ESA C160 and WSA S160

    Currently I have deployed ESA C160 and WSA S160 devices in a network but I cannot remotely connect to the devices.
    I have installed Cisco 2811 Terminal server with octal cable connections and cannot seem to get terminal access.
    As well I have connected the Management Interface to a local switch and provisioned VLANs on subnet 192.168.42.X to allow for access but no connection seems to work to gain access to the devices.
    I am wondering if there is a specific cable configuration or connection which will allow me access to the appliances for configuration.
    Any help is appreciated!

    Hi
    Are you attempting a remote connection to the serial ports via the 2811? I may be misunderstanding your post.
    The serial ports are 9600 baud 8N1. Typically you will use a null modem cable for the connection.
    For the network you should be able to connect to the management interface; SSH and HTTPS should be enabled by default. If you connect directly to this port using a crossover cable, can you establish a connection?
    If the network connection is failing I would first start with the serial port so you can verify that the configuration is as you expect it to be, meaning the IP address and services enabled. If everything checks out in the configuration, I would next test using a crossover cable on the same subnet. If that works then I would connect the appliance to a switch and test from there. The biggest questions that come up are: can you route to the appliance over the network, and can you resolve the host over the network?
    Christopher C Smith
    CSE
    Cisco IronPort Customer Support

  • Startup network configuration dual homed

    FRUSTRATION: 100% .. Over a month trying to start up a dual-homed network configuration .. MacMini Intel Dual .. System Preferences --> Network --> Two Locations (Built-in Ethernet on the IP my router uses for the world: www, smtp, dns, ntp, limited ssh 192.168.local.wired.fixed) and (AirPort for VNC, ssh for admin via laptop)
    Upon reboot, I have to log in back at the Mini keyboard/CRT to reset these two locations. I am NOT pass-thru routing.
    Bad enough the CRT settings will not start my 20in VGA till I restart the video on an old low-res monitor.
    Nowhere near ready to install the Server pack. Looking through the web stuff, there are Unix-like files (missing) to force the addresses and default route. No ifconfigd found.
    Where do I find a netconfig, rc.conf or similar files to force the Mini (OS 10.4.7) to come up with my two interfaces and default route?
    PLEASE .. Ev +1 805 340-6471 [email protected]

    This is the wrong forum for this topic, but I'll assist.
    Without configuration sync enabled, you would have to configure both Nexus 5K exactly the same for the FEX port before traffic will forward.
    Configuration sync would help you in only having to configure it once, but I have had mixed results using configuration sync so I tend not to use it in my deployments.
