
    Example: IDP Series HA Design with Cisco Catalyst Switches

    The following sections describe an example redundant-path deployment in which the Cisco Catalyst switches use Spanning Tree Protocol (STP) to select the active path:

    Topology

    Figure 1 shows a network topology where there are redundant paths to the Internet. One path is active and the other is passive.

    Figure 1: Redundant Path Design: IDP Series HA Depends on STP (Cisco Catalyst Switch)


    The IDP Series device does not participate in STP. Rather, when Layer 2 bypass is enabled, the IDP Series device passes the BPDU packets through so that the switches can communicate with each other. If Layer 2 bypass is not enabled, the IDP Series device drops the BPDU packets and the path through it cannot be chosen. The same is true when the IDP Series device is gracefully shut down or fails: it cannot forward the BPDU packets, so STP forwards traffic through the backup path.

    Deployment Steps

    To deploy this solution, follow these basic steps:

    1. Set up and configure the Catalyst switch using the documentation that came with your switch. Note the following requirements.

      • Hardware—Connect the switch ports to IDP Series traffic interface pairs so that the IDP Series deployment is transparent to the original network path. Connect the switch on one side to IDP Series eth2 and the switch on the other side to IDP Series eth3.
      • Failure detection mechanism—Implement Spanning Tree Protocol (STP). For information on Cisco STP, see the Cisco Catalyst documentation. The following command output shows the configuration of the switch in this example:

        Switch# show configuration
        Using 3285 out of 32768 bytes
        !
        version 12.0
        no service pad
        service timestamps debug uptime
        service timestamps log uptime
        service password-encryption
        !
        hostname Switch
        !
        enable secret 5 $1$dupS$SVj8hOWfUzqDeJe.887TQ0
        enable password 7 06080A355F4D1B1C001952
        !
        ip subnet-zero
        no ip domain-lookup
        !
        !         
        !
        interface FastEthernet0/1
         switchport access vlan 17
         no cdp enable
        !
        interface FastEthernet0/2
         switchport access vlan 51
         no cdp enable
        !
        interface FastEthernet0/3
         switchport access vlan 19
         no cdp enable
        !
        interface FastEthernet0/4
         switchport access vlan 21
         no cdp enable
        !
        interface FastEthernet0/5
         switchport access vlan 15
         no cdp enable
        !
        interface FastEthernet0/6
         switchport access vlan 15
         no cdp enable
        !
        interface FastEthernet0/7
         switchport access vlan 17
         no cdp enable
        !
        interface FastEthernet0/8
         switchport access vlan 17
         no cdp enable
        !
        interface FastEthernet0/9
         switchport access vlan 19
         no cdp enable
        !
        interface FastEthernet0/10
         switchport access vlan 19
         no cdp enable
        !
        interface FastEthernet0/11
         switchport access vlan 21
         no cdp enable
        !
        interface FastEthernet0/12
         switchport access vlan 21
         no cdp enable
        !
        interface FastEthernet0/13
         switchport access vlan 31
         no cdp enable
        !
        interface FastEthernet0/14
         switchport access vlan 33
         no cdp enable
        !
        interface FastEthernet0/15
         switchport access vlan 27
         no cdp enable
        !
        interface FastEthernet0/16
         switchport access vlan 29
         no cdp enable
        !
        interface FastEthernet0/17
         switchport access vlan 27
         no cdp enable
        !         
        interface FastEthernet0/18
         switchport access vlan 27
         no cdp enable
        !
        interface FastEthernet0/19
         switchport access vlan 29
         no cdp enable
        !
        interface FastEthernet0/20
         switchport access vlan 29
         no cdp enable
        !
        interface FastEthernet0/21
         switchport access vlan 31
         no cdp enable
        !
        interface FastEthernet0/22
         switchport access vlan 31
         no cdp enable
        !
        interface FastEthernet0/23
         switchport access vlan 33
         no cdp enable
        !
        interface FastEthernet0/24
         switchport access vlan 33
         no cdp enable
        !
        interface GigabitEthernet0/1
         switchport access vlan 51
         no cdp enable
        !
        interface GigabitEthernet0/2
         switchport access vlan 51
         no cdp enable
        !
        interface VLAN1
         no ip directed-broadcast
         no ip route-cache
         shutdown
        !
        interface VLAN7
         ip address 10.209.95.14 255.255.240.0
         no ip directed-broadcast
         no ip route-cache
        !         
        interface VLAN9
         no ip directed-broadcast
         no ip route-cache
         shutdown
        !
        ip default-gateway 10.209.95.254
        mac-address-table aging-time 10
        no cdp run
        !
        line con 0
         exec-timeout 0 0
         transport input none
         stopbits 1
        line vty 0 4
         exec-timeout 0 0
         password 7 1419171F1F07382E2126
         login
        line vty 5 15
         exec-timeout 0 0
         password 7 1419171F1F07382E2126
         login
        !
        end 
    2. Set up and configure the IDP Series devices. Consider the following configuration notes.

      Table 1: IDP Series Configuration Guidelines (Component: Guideline)

      • IDP Series device hardware: Use a cross-over cable to connect one device HA port to the other HA port.

      • State sync: Use ACM to enable Third-Party HA and assign each device an identifier.

        Figure 2: ACM Third-Party HA Pages

      • Cluster: In NSM, create a cluster object and then add the IDP Series devices to NSM as cluster members. Whenever you push updates (such as OS version updates, detector engine updates, or security policy updates), select the cluster object as the target. NSM pushes updates to members in sequence: member A and then member B.

        Figure 3: NSM Device Cluster

        Note: For third-party high availability deployments, the cluster status displayed in the NSM Realtime Monitor > IDP Cluster Monitor always indicates failure. Disregard this status. You cannot use the NSM Cluster Monitor to display status.

      • Layer 2 bypass: Use ACM to enable Layer 2 bypass.

      • Interface signaling: Do not enable. When interface signaling is disabled, the HA feature monitors the state of the IDP engines. If an IDP engine fails, any remaining IDP engines are signaled to disregard the Layer 2 bypass setting and drop Layer 2 traffic, including BPDUs.

      • Peer port modulation: Do not enable.

    3. On the IDP Series device, you can use the synchronization details in sctop flow tables and the device log files to verify and troubleshoot the HA deployment. Logs related to HA communication are written locally to /var/idp/device/sysinfo/logs/hasignal.log.
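    As an added example (not from the Juniper documentation), the following Python audits a Catalyst "show configuration" dump against the design in step 1. It assumes IOS syntax (indented interface sub-lines, blocks ending in "!") and that Catalyst IOS runs STP unless a "no spanning-tree vlan ..." line disables it, and reports anything that would break the BPDU-based failover or deviate from the sample (CDP left enabled, no MAC aging time set). The dumps it runs on are constructed in the page's format.

```python
import re

# Added audit helper, not part of the Juniper documentation: checks a Catalyst
# IOS 'show configuration' dump against the STP-dependent HA design above. It
# assumes IOS syntax (sub-lines indented, blocks end at '!') and that Catalyst
# IOS runs STP unless a 'no spanning-tree vlan ...' line switches it off.
def parse_ios(text):
    """Split an IOS config into global lines and {interface: [sub-lines]}."""
    globals_, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None
            globals_.append(line.strip())
    return globals_, ifaces

def audit_ha_switch(text):
    globals_, ifaces = parse_ios(text)
    aging = re.search(r"^mac-address-table aging-time (\d+)$", "\n".join(globals_), re.M)
    return {
        # Failover relies on BPDUs stopping when the IDP path dies: STP must stay on.
        "stp_disabled": [g for g in globals_ if g.startswith("no spanning-tree vlan")],
        # The sample turns CDP off globally and on every switch port.
        "cdp_global_off": "no cdp run" in globals_,
        "ports_with_cdp": sorted(n for n, s in ifaces.items()
                                 if n.startswith(("FastEthernet", "GigabitEthernet"))
                                 and "no cdp enable" not in s),
        # The sample sets 10 seconds; None means the platform default was left.
        "mac_aging_time": int(aging.group(1)) if aging else None,
    }

# Constructed dumps in the page's format: one matching the sample, one broken.
GOOD = """\
interface FastEthernet0/1
 switchport access vlan 17
 no cdp enable
!
interface GigabitEthernet0/1
 switchport access vlan 51
 no cdp enable
mac-address-table aging-time 10
no cdp run
"""
BAD = GOOD.replace(" vlan 51\n no cdp enable", " vlan 51").replace(
    "no cdp run", "no cdp run\nno spanning-tree vlan 51")
```

Run audit_ha_switch over the real "show configuration" output of each switch in the redundant path; a non-empty "stp_disabled" list means the switch can no longer detect the IDP path failing through lost BPDUs.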

    Published: 2011-02-08