Catalyst 6500 [FWSM] [CSM]

Hi All,

I have two questions about the firewall module and the content services module:

Q1 - Firewall module: when using Multi-Context, if one of these contexts fails, will the whole module fail over to the other one, or only the context alone?

Q2 - (2 CSM) Content switch fail-over:

a - Is it automated, or does it need human interference?

b - When fail-over occurs, do the users get disconnected, or are they statefully transferred to the other box?

c - Can we have load balancing between two modules in different boxes?

Bandar

In FWSM software release 2, only the whole blade fails over. Since release 3, you can run the blade in active-active configuration, where groups of contexts can fail over to the opposite blade, while having context groups that are still operational running on the primary blade.

In fact, this is the whole idea behind active-active. There is no real load-sharing. Instead of this, you group contexts together and define if the group shall be active on the primary or the secondary blade. In case of a failure, the opposite blade takes over operation for a specific group.

automated

IIRC, both modules exchange state information. Clients are usually addressing a VIP. In case of a failure, the secondary CSM takes over the VIP.

Not if you want both modules to run in active-standby.

The only way to have both modules active is to treat them as independent load balancers (different VIPs).

Christian Zeng

Actually, FWSM fails over when a monitored interface "fails", not when a context fails. So for example, if you accidentally clear the whole context, FWSM is not going to fail over; but if one of your monitored links gets disconnected, the FWSM will fail over. You must specify in your configuration which interfaces you want to be monitored, like this (and if you don't specify any interfaces to monitor, then you won't be doing any failovers, even if you have failover all set up and turned on):

    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz1
    etc.

An interface "fail" means it did not pass one of the FWSM's regular interface checks, either because the interface didn't answer at all or because it didn't answer in the time specified for such checks. If that happens, the FWSM fails over. If it's in multiple mode and you are running version 2.x, then the whole blade fails over, including all contexts, whether there's a failed interface in all of them or not. If it's in multiple mode and you are running version 3.x then you can configure it so that just the context with the failed interface fails.

Vikki

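The condition described in the post above (failover turned on, but some or all named interfaces missing a `monitor-interface` line) can be checked offline against a saved configuration. This is an added example, not code from the thread or from Cisco; the function name and the sample configuration are constructed, and it assumes `nameif <name>` lines as they appear under each interface in a 3.x-style running config.

```python
import re

# Constructed sample config excerpt (per context in multiple mode).
# "dmz1" is deliberately left without a monitor-interface line.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
 security-level 0
interface Vlan20
 nameif inside
 security-level 100
interface Vlan30
 nameif dmz1
 security-level 50
failover
monitor-interface inside
monitor-interface outside
"""

def audit_failover_monitoring(config_text):
    """Report failover state and which named interfaces are monitored."""
    named, monitored, failover_on = [], set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "failover":  # bare command only; "no failover" does not match
            failover_on = True
        elif m := re.fullmatch(r"nameif\s+(\S+)", line):
            named.append(m.group(1))
        elif m := re.fullmatch(r"monitor-interface\s+(\S+)", line):
            monitored.add(m.group(1))
    known = set(named)
    return {
        "failover_enabled": failover_on,
        "monitored": sorted(monitored & known),
        # Named interfaces whose failure would not trigger a failover.
        "unmonitored": [n for n in named if n not in monitored],
        # monitor-interface lines matching no nameif (typo or stale name).
        "unknown_monitored": sorted(monitored - known),
        # Failover is on but no existing interface is being watched.
        "failover_without_monitoring": failover_on and not (monitored & known),
    }

if __name__ == "__main__":
    for key, value in audit_failover_monitoring(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

In multiple mode, run it once per context configuration, since each context carries its own interface names.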
