Example: IDP Series HA Design with Cisco Catalyst Switches

The following sections describe an example redundant-path deployment in which the Cisco Catalyst switches use Spanning Tree Protocol (STP) to select the active path:

Topology

Figure 18 shows a network topology where there are redundant paths to the Internet. One path is active and the other is passive.

Figure 18: Redundant Path Design: IDP Series HA Depends on STP (Cisco Catalyst Switch)


The IDP Series device does not participate in STP. Rather, when Layer 2 bypass is enabled, the IDP Series device passes through the BPDU packets so that the switches can communicate with each other. If Layer 2 bypass is not enabled, the IDP Series device drops the BPDU packets and STP cannot select the path through the device. The same is true when the IDP Series device is gracefully shut down or fails: the device cannot forward the BPDU packets, so STP forwards traffic through the backup path.

Deployment Steps

To deploy this solution, follow these basic steps:

  1. Set up and configure the Catalyst switch using the documentation that came with your switch. Note the following requirements.

    • Hardware—Connect the switch ports to IDP Series traffic interface pairs so that the IDP Series deployment is transparent to the original network path. Connect the switch on one side to IDP Series eth2 and the switch on the other side to IDP Series eth3.
    • Failure detection mechanism—Implement Spanning Tree Protocol (STP). For information on Cisco STP, see the Cisco Catalyst documentation. The following sample output shows the configuration of the switch used in this example:

      Switch# show configuration
      Using 3285 out of 32768 bytes
      !
      version 12.0
      no service pad
      service timestamps debug uptime
      service timestamps log uptime
      service password-encryption
      !
      hostname Switch
      !
      enable secret 5 $1$dupS$SVj8hOWfUzqDeJe.887TQ0
      enable password 7 06080A355F4D1B1C001952
      !
      ip subnet-zero
      no ip domain-lookup
      !
      !         
      !
      interface FastEthernet0/1
       switchport access vlan 17
       no cdp enable
      !
      interface FastEthernet0/2
       switchport access vlan 51
       no cdp enable
      !
      interface FastEthernet0/3
       switchport access vlan 19
       no cdp enable
      !
      interface FastEthernet0/4
       switchport access vlan 21
       no cdp enable
      !
      interface FastEthernet0/5
       switchport access vlan 15
       no cdp enable
      !
      interface FastEthernet0/6
       switchport access vlan 15
       no cdp enable
      !
      interface FastEthernet0/7
       switchport access vlan 17
       no cdp enable
      !
      interface FastEthernet0/8
       switchport access vlan 17
       no cdp enable
      !
      interface FastEthernet0/9
       switchport access vlan 19
       no cdp enable
      !
      interface FastEthernet0/10
       switchport access vlan 19
       no cdp enable
      !
      interface FastEthernet0/11
       switchport access vlan 21
       no cdp enable
      !
      interface FastEthernet0/12
       switchport access vlan 21
       no cdp enable
      !
      interface FastEthernet0/13
       switchport access vlan 31
       no cdp enable
      !
      interface FastEthernet0/14
       switchport access vlan 33
       no cdp enable
      !
      interface FastEthernet0/15
       switchport access vlan 27
       no cdp enable
      !
      interface FastEthernet0/16
       switchport access vlan 29
       no cdp enable
      !
      interface FastEthernet0/17
       switchport access vlan 27
       no cdp enable
      !         
      interface FastEthernet0/18
       switchport access vlan 27
       no cdp enable
      !
      interface FastEthernet0/19
       switchport access vlan 29
       no cdp enable
      !
      interface FastEthernet0/20
       switchport access vlan 29
       no cdp enable
      !
      interface FastEthernet0/21
       switchport access vlan 31
       no cdp enable
      !
      interface FastEthernet0/22
       switchport access vlan 31
       no cdp enable
      !
      interface FastEthernet0/23
       switchport access vlan 33
       no cdp enable
      !
      interface FastEthernet0/24
       switchport access vlan 33
       no cdp enable
      !
      interface GigabitEthernet0/1
       switchport access vlan 51
       no cdp enable
      !
      interface GigabitEthernet0/2
       switchport access vlan 51
       no cdp enable
      !
      interface VLAN1
       no ip directed-broadcast
       no ip route-cache
       shutdown
      !
      interface VLAN7
       ip address 10.209.95.14 255.255.240.0
       no ip directed-broadcast
       no ip route-cache
      !         
      interface VLAN9
       no ip directed-broadcast
       no ip route-cache
       shutdown
      !
      ip default-gateway 10.209.95.254
      mac-address-table aging-time 10
      no cdp run
      !
      line con 0
       exec-timeout 0 0
       transport input none
       stopbits 1
      line vty 0 4
       exec-timeout 0 0
       password 7 1419171F1F07382E2126
       login
      line vty 5 15
       exec-timeout 0 0
       password 7 1419171F1F07382E2126
       login
      !
      end

  2. Set up and configure the IDP Series devices. Consider the following configuration notes.

    Table 11: IDP Series Configuration Guidelines

    • IDP Series device hardware: Use a cross-over cable to connect one device HA port to the other HA port.
    • State sync: Use ACM to enable Third-Party HA and assign each device an identifier.

      Figure 19: ACM Third-Party HA Pages

    • Cluster: In NSM, create a cluster object and then add the IDP Series devices to NSM as cluster members. Whenever you push updates (such as OS version updates, detector engine updates, or security policy updates), select the cluster object as the target. NSM pushes updates to members in sequence: member A and then member B.

      Figure 20: NSM Device Cluster

      Note: For third-party high availability deployments, the cluster status displayed in the NSM Realtime Monitor > IDP Cluster Monitor always indicates failure. Disregard this status. You cannot use the NSM Cluster Monitor to display status.

    • Layer 2 bypass: Use ACM to enable Layer 2 bypass.
    • Interface signaling: Do not enable. When interface signaling is disabled, the HA feature monitors the state of the IDP engines. If an IDP engine fails, the remaining IDP engines are signaled to disregard the Layer 2 bypass setting and drop Layer 2 traffic, including BPDUs, so that STP fails over to the backup path.
    • Peer port modulation: Do not enable.

  3. On the IDP Series device, you can use the synchronization details in sctop flow tables and the device log files to verify and troubleshoot the HA deployment. Logs related to HA communication are written locally to /var/idp/device/sysinfo/logs/hasignal.log.
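As an added illustration (not part of the Juniper documentation) of the STP behavior described under Topology and of the interface-signaling guideline in Table 11, the following Python model tracks which path a downstream switch uses when the IDP Series device passes or drops BPDUs. The port names, path costs and timings are constructed; MaxAge (20 s) and Hello (2 s) are the IEEE 802.1D defaults, which the page does not state.

```python
from dataclasses import dataclass

MAX_AGE = 20.0  # IEEE 802.1D default MaxAge (seconds); assumed, not from the page
HELLO = 2.0     # IEEE 802.1D default Hello interval (seconds); assumed
# IDP Series conditions named in the text. Only Layer 2 bypass on a healthy
# device lets BPDUs through; every other condition drops them.
IDP_PASSES_BPDU = {
    "l2_bypass_enabled": True,
    "l2_bypass_disabled": False,
    "graceful_shutdown": False,
    "device_failure": False,
    "engine_failure_signaling_disabled": False,  # remaining engines drop L2 traffic
}


@dataclass
class Port:
    name: str        # constructed port label, not from the sample config
    path_cost: int   # root path cost advertised on this port
    via_idp: bool    # True if the link to the root switch runs through the IDP
    last_bpdu: float = float("-inf")  # time the last BPDU was received


def run_hellos(ports, idp_state, start, end):
    """Root switch sends a BPDU every HELLO seconds from start to end.
    A port behind the IDP only sees it if the IDP is passing BPDUs."""
    passes = IDP_PASSES_BPDU[idp_state]
    t = start
    while t <= end:
        for p in ports:
            if passes or not p.via_idp:
                p.last_bpdu = t
        t += HELLO
    return ports


def root_port(ports, now):
    """Pick the lowest-cost port whose stored BPDU has not aged out.
    Ports silent for longer than MAX_AGE are treated as dead, so a
    dropped-BPDU path is abandoned even though the link itself stays up."""
    live = [p for p in ports if now - p.last_bpdu <= MAX_AGE]
    return min(live, key=lambda p: p.path_cost).name if live else None


def active_path(idp_state, failure_time=60.0, check_time=100.0):
    """Path in use at check_time if the IDP enters idp_state at failure_time.
    Costs are constructed so the IDP path is preferred while it is alive."""
    ports = [Port("idp-path", 4, True), Port("backup-path", 19, False)]
    run_hellos(ports, "l2_bypass_enabled", 0.0, failure_time)
    run_hellos(ports, idp_state, failure_time + HELLO, check_time)
    return root_port(ports, check_time)
```

Note that the switch keeps using the IDP path until MaxAge expires, so the failover takes up to 20 s plus STP reconvergence with classic 802.1D timers; this is the window to plan for when sizing the deployment.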
