Multiple context on Cisco Content Switching

Hi everyone,
I have a new case with a Cisco Content Switching design. The current network has two Cisco Content Modules (CSM), and each of them is responsible for switching content on one VLAN.
Now I want to reconfigure it to meet the redundancy requirement, but I don't know whether the Cisco Content Module has the same design concept as ACE in routed mode.
I want to configure the CSM with two or more VLAN pairs in routed mode, with HA between the modules.
Thanks
Phai La Quy

Hi Phai,
Yes, you can configure the CSM in routed mode with clients in one VLAN and servers in another. Pasting the link for your reference. You can find more in the routing and switching guide.
http://www.cisco.com/c/en/us/support/docs/interfaces-modules/content-switching-module/26220-csm-config.html
Regards,
Kanwal

Similar Messages

  • Cisco Content Switch 11503

    Directed towards any users of this product line out there.
    I have a client who is on the older hardware platform (11100) and is looking to invest in a pair of new switches/balancers. I have the following outstanding questions that I need to confirm on the 11503:
    - Source NAT - is this required to always be on? For marketing, reporting and debugging purposes, we want to ensure we can have the client's original IP address preserved once the request hits web/app, not rewritten at the content switch.
    - Sessions - any concerns running up to 30 - 50k simultaneous sessions on the 11503? Does it require the additional session accel module?
    Thanks for the input.
    Byron
    www.kennedytechgroup.com

    Byron,
    source nat is not a requirement of the CSS.
    It depends how you design your network and where you place the CSS.
    If you do not want source nat, make sure the servers are placed behind the CSS and that the path from server to client always goes through the CSS.
    For the amount of connections, each module can handle up to 200k concurrent connections.
    So, the CSS with only 1 module should be ok.
    Gilles.

  • Cisco content switch capacity stats

    Hi, I know there is a 200,000 limit on concurrent connection on our CSS devices, but is there any way to see how the CSS has behaved historically in terms of the most concurrent connections there has been on the box at a time, average concurrent connections?
    Or do you know if there is a MIB we can receive and graph on?
    cheers,
    Mike

    Doing some more digging: from the 'show ip statistics' command, is this the maximum number of concurrent connections the box has seen? (In bold and red text below.)
    lamsdc1cs003> show ip statistics
    IP Statistics - SP Slot 1, Subslot 1:
    UDP Statistics:
    Input Datagrams:             81,467,201 Output Datagrams:            81,467,201
    No Port Errors:                       0 Input Errors:                   104,620
    IP Fragments:                       110
    TCP Statistics:
    Retransmit Algorithm              other Min Retransmit Time:                500
    Max Retransmit Time:             15,000 Max TCP Connections:             32,768
    Active Opens:               302,647,530 Passive Opens:            2,831,374,249
    Failed Attempts:             49,337,843 Resets:                     966,887,218
    Established Conns:        2,392,842,101 Input Segments:           1,112,029,840
    Output Segments:          2,452,796,476 Retransmit Segments:            208,657
    Input Errors:                    69,601 Output Resets:               29,953,594
    IP Fragments:                    40,642 VIP Unavail Reset:                    0
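For graphing, the two-column `show ip statistics` layout pasted above can be turned into labelled values and per-interval rates. This is an added example, not code from the post or from Cisco; the function names, the `css>` prompt and both sample snapshots are constructed, and the example makes no claim about what any individual counter measures.

```python
import re

# A counter name, an optional colon, two or more spaces of column padding,
# then a single value token. Two such fields can share one line.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?):?\s{2,}(\S+)")

def parse_stats(text):
    """Return {(section, counter): value} from the two-column layout."""
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        fields = FIELD.findall(line)
        if not fields:
            # "UDP Statistics:" / "TCP Statistics:" open a new section.
            if line.endswith(" Statistics:"):
                section = line[: -len(" Statistics:")]
            continue
        for name, raw in fields:
            digits = raw.replace(",", "")
            # Names repeat across sections (IP Fragments, Input Errors),
            # so the section is part of the key.
            stats[(section, name)] = int(digits) if digits.isdigit() else raw
    return stats

def rates(prev, curr, seconds):
    """Per-second change of each numeric value between two samples."""
    out = {}
    for key, now in curr.items():
        before = prev.get(key)
        if isinstance(now, int) and isinstance(before, int):
            delta = now - before
            # A value that went backwards (reload, cleared counters) has no
            # meaningful rate for this interval.
            out[key] = None if delta < 0 else delta / seconds
    return out

# Constructed samples in the layout shown above, taken 60 seconds apart.
SNAP_A = """\
css> show ip statistics
IP Statistics - SP Slot 1, Subslot 1:
UDP Statistics:
Input Datagrams:                  1,000 Output Datagrams:                 1,000
IP Fragments:                        10
TCP Statistics:
Retransmit Algorithm              other Min Retransmit Time:                500
Active Opens:                    30,000 Passive Opens:                  280,000
IP Fragments:                       400 VIP Unavail Reset:                    0
"""
SNAP_B = """\
css> show ip statistics
IP Statistics - SP Slot 1, Subslot 1:
UDP Statistics:
Input Datagrams:                  1,120 Output Datagrams:                 1,120
IP Fragments:                         3
TCP Statistics:
Retransmit Algorithm              other Min Retransmit Time:                500
Active Opens:                    30,600 Passive Opens:                  283,000
IP Fragments:                       400 VIP Unavail Reset:                    0
"""

if __name__ == "__main__":
    change = rates(parse_stats(SNAP_A), parse_stats(SNAP_B), 60)
    for (section, name), per_sec in sorted(change.items()):
        print(f"{section:4} {name:22} {per_sec}")
```
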

  • Citrix and Content Switches

    I'm curious if anyone is using the Cisco Content switches to load balance traffic/sessions across a citrix server farm. Any luck and what type of load balancing method did you use? Round robin? Response time? And do these methods REALLY work with Citrix applications/servers for appropriate load balancing?

    I just load balanced two Citrix servers using Cisco CSS11150 load balancing switches. Because Citrix uses a login for each user, load balancing required stickiness. I load balanced using cookies. This works great. You need to configure the cookie string in the service. You need to configure prefix and length in the content rule. There are several ways to load balance using cookies. The server needs to set the cookie in the first reply back to the client.

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall multiple context mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1):
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned dynamic routing protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Cisco ASA5520 multiple context revert back to single context

    Hi all,
    We have a redundant set of Cisco ASA5520s. These firewalls run in multiple context mode.
    Now we want to make both "virtual" firewalls physical.
    We already migrated one of the two firewalls to another physical set.
    Now we would like to revert from multiple context back to single context mode, keeping one of the two firewalls as the new running config.
    We would like to do this with a minimum downtime.
    Is this possible, can someone advise?
    Kind regards,
    Danny van der Aa

    The config will be saved as config.old when you change the mode of the firewall (this goes both ways I believe).  As Luis has mentioned it is a major change but if you have ASA's in a failover pair then doing this with little or no down time should be possible.
    I would first go about this by taking the current Standby ASA and taking a backup of the running configuration on it, and making any required changes to the configuration to suit your needs.  Most likely you will not have much need of what is in the system context, but take a backup of it anyway just to be on the safe side.  Then change it to single mode with the command "mode single".  Now copy the configuration into the ASA.
    Now, assuming that both ASAs have the same IP addresses assigned to its interfaces, remove the currently active ASA and then connect the ASA that is now in single mode back into the network.  You may have to clear the MAC address table on some servers depending on how old they are and how touchy they are.
    Do the same for the second ASA and connect it back to the network.  Now, if you have kept the failover configuration, the ASAs will setup an Active/Standby failover in single mode and replicate the configuration.
    Your down time should only be dependent on how fast you can remove the second ASA and add the first ASA back to the network.
    Please remember to rate and select a correct answer

  • Setting http headers from Cisco Content Services Switch

    Hi
    Is it possible to set the HTTP response headers for some particular types of requests?
    We want to set the HTTP header (
    Cache-Control) for static resources to force the browser/proxy server to cache them for a particular amount of time.
    From the following configuration guide it looks like it is not possible. Is that correct?
    Cisco Content Services Switch
    Content Load-Balancing
    Configuration Guide
    Software Version 8.10
    thank you very much for your help.
    Regards
    Hafiz

    Hafiz
    You will get a faster and much better response if you move this post into the "Data Center - Application Networking" forum where they deal specifically with load-balancing issues.
    Jon

  • Multiple content switches on same subnet

    Can anyone confirm if there is an issue having two pairs of content switches (11500s) on the same subnet? The circuit addressing, interface redundancy and VIPs all use the same subnet. Wondering if there would be any issues with the redundancy, arps, etc.. Am stuck with this arrangement during the migration phase of the project.
    Appreciate your input.
    Rob

    Rob,
    they can be on the same subnet but they must use different VIP ip addresses.
    For the VRRP protocol, you should use different group number on each pair to avoid collision.
    Otherwise, that is no problem. I have many pairs like this in the lab sharing the same subnets and this is ok.
    Gilles.

  • SSLVPN/webvpn in multiple context mode?

    We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
    So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back-end.
    As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
    Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls? Or am I missing something?

    If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.

  • Remote Access VPN Support in Multiple Context Mode (9.1(2))?

    Hi Guys,
    I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new IOS now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this IOS upgrade?
    Multiple Context Mode New Features:
    Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
    New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
    Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
    Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
    Regards,
    Leon

    Hey Leon,
    According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
    Regards,
    Dennis

  • Explain about transparent mode, single mode, multiple context mode

    Can you explain the differences between transparent mode, single mode and multiple context mode on the ASA 5500? Thank you very much.

    Great question. Hope the below helps:
    Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
    Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
    Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
    Hope this helps. Let me know if you have any more questions!
    -Mike
    http://cs-mars.blogspot.com

  • Specs for 11500 Content Switches

    I am looking for more specs on the 11500 series content switches. Specs such as http connections per second, tcp connections total.

    Ted,
    The following link:
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_bulletin09186a008017dc5d.html
    states that "A Cisco CSS 11506 can now achieve more than 45,000 TCP connections per second and, if configured with 4 SSL modules, can attain over 4000 SSL transactions per second."
    Is that what you are looking for?
    Keep in mind that performance will be slower with layer 5 rules than strictly layer 4 rules.
    -Steve

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked under "Configuring Multiple Context Mode" in the "Cisco ASA Series CLI Configuration Guide, 9.0"; it says
    "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean that ASA multiple context mode supports the IPsec VPN client? I just want to confirm it because I can't seem to find any doc that clearly spells it out.  I'll appreciate anyone who can clarify it.
    Thanks, Jason.
    (Please direct me to the right group if I'm not in it; this is the first time I have posted in the Cisco support forum.)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • Are VPN Clients supported in multiple context mode?

    Hi,
    Recently our company bought two Cisco ASA 5515-X firewalls for our datacenter. I am new to configuring a Cisco ASA but so far things are looking good. I have configured them both with HA (active/active) in multiple context mode. Currently they host two security contexts.
    I want to configure VPN Client functionality for Remote Access. As far as I know they come with two user licenses. But there is no VPN Client wizard available and I can't find a way to enable it.
    - Is VPN Client supported in Multiple Context mode?
    - What is AnyWhere Essentials vs Premium Peers?
    Boudewijn
    Here is some additional output from the current configuration:
    Cisco Adaptive Security Appliance Software Version 9.1(2) <context>
    Device Manager Version 7.1(3)
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                                 Boot microcode        : CNPx-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                                 IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                                 Number of accelerators: 1
    Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    IPS Module                        : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5515 Security Plus license.

    Hi,
    No form of VPN Client is supported when you are using an ASA in Multiple Context mode.
    The only type of VPN supported in the newer 9.x softwares is L2L VPN / Site to Site VPN
    This might answer the VPN Licensing related question
    http://packetpushers.net/cisco-asa-licensing-explained/
    I never seem to remember it exactly myself even.
    - Jouni
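The restrictions quoted in the threads above for ASA 9.0/9.1 multiple context mode (no remote access VPN, OSPFv3, RIP or multicast routing; EIGRP, OSPFv2 and site-to-site VPN supported) can be checked against a single-mode running-config before converting it. This is an added example, not code from any poster or from Cisco; the command patterns are assumptions about how each feature usually appears in a config, and the sample config is constructed.

```python
import re

# Quoted above as NOT supported in multiple context mode on ASA 9.0/9.1.
# The command patterns are this example's assumption about how each feature
# usually appears in a running-config; they are not exhaustive.
UNSUPPORTED = [
    ("RIP routing", re.compile(r"^router rip\b")),
    ("OSPFv3 routing", re.compile(r"^ipv6 router ospf\b")),
    ("multicast routing", re.compile(r"^multicast-routing\b")),
    ("remote access VPN", re.compile(r"^tunnel-group \S+ type remote-access\b")),
]
# Quoted above as supported; reported so a reviewer sees they were recognised.
SUPPORTED = [
    ("EIGRP routing", re.compile(r"^router eigrp\b")),
    ("OSPFv2 routing", re.compile(r"^router ospf\b")),
    ("site-to-site VPN", re.compile(r"^tunnel-group \S+ type ipsec-l2l\b")),
]
WEBVPN_ENABLE = re.compile(r"^\s+enable \S+")

def lint(config):
    """Return (blockers, supported) as lists of (line_number, feature)."""
    blockers, supported = [], []
    in_global_webvpn = False
    for num, line in enumerate(config.splitlines(), 1):
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level command also ends any previous sub-mode block.
            in_global_webvpn = line.strip() == "webvpn"
            blockers += [(num, f) for f, pat in UNSUPPORTED if pat.match(line)]
            supported += [(num, f) for f, pat in SUPPORTED if pat.match(line)]
        elif in_global_webvpn and WEBVPN_ENABLE.match(line):
            # SSL VPN switched on for an interface in the global webvpn block.
            blockers.append((num, "remote access VPN"))
    return blockers, supported

# Constructed single-mode config fragment (names and addresses are made up).
SAMPLE = """\
hostname edge-fw
!
router eigrp 10
 network 10.0.0.0 255.0.0.0
!
router rip
 network 192.168.50.0
!
ipv6 router ospf 1
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group STAFF type remote-access
!
webvpn
 enable outside
!
group-policy STAFF attributes
 webvpn
  anyconnect keep-installer installed
"""

if __name__ == "__main__":
    blockers, supported = lint(SAMPLE)
    for num, feature in blockers:
        print(f"line {num}: {feature} is not supported in multiple context mode")
    for num, feature in supported:
        print(f"line {num}: {feature} is supported")
```

The nested `webvpn` under `group-policy` is deliberately not flagged on its own; only the global block with an interface enabled, or a remote-access tunnel group, counts as a blocker here.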

  • ASA 5512-X version 9.1 multiple contexts supported?

    Hi All,
    Could someone please let me know if virtual contexts are supported on the ASA 5512-X with version 9.1?
    I found different information on the Cisco web,  the ASA datasheet says it is supported but in the configuration guide I found exactly the opposite information.
    Cisco ASA Series General Operations CLI Configuration Guide 9.1 and 8.6
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
    Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
    thanks in advance
    Best Regards
    Frank

    Hi,
    you find the information in the ASA Configuration Guide section "Licensing Requirements for Multiple Context Mode"
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_contexts.html#wp1188797
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
    Licensing Requirements for Multiple Context Mode
    ASA 5512-X      No support.
    Best Regards
    Frank
