Cisco Email Security Appliance C650 User Guide
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 38 Centralized Management Using Clusters
Some pages within certain tabs are restricted to machine mode. However, unlike the Incoming Mail
Overview page (which is restricted to the current login host), these pages can be used for any machine
in the cluster.
Figure 38-7. Centralized Management Feature: Machine Restricted
Choose which machine to administer from the Change Mode menu. You will see a brief flashing of the
text to remind you that you have changed modes.
Cluster Communication
Machines within a cluster communicate with each other using a mesh network. By default, all machines
connect to all other machines. If one link goes down, other machines will not be prevented from
receiving updates.
By default, all intra-cluster communication is secured with SSH. Each machine keeps an in-memory
copy of the route table and makes in-memory changes as necessary if links go down or up. Each machine
also performs a periodic “ping” (every 1 minute) of every other machine in the cluster. This ensures
up-to-date link status and maintains the connections in case a router or NAT has a timeout.
Note
The connection between two clustered appliances may be dropped if one of the appliances attempts to
open more than the maximum number of SSH connections allowed. The appliances automatically rejoin
the cluster within seconds and no manual configuration is needed.
DNS and Hostname Resolution
DNS is required to connect a machine to the cluster. Cluster communication is normally initiated using
the DNS hostnames of the machines (not the hostname of an interface on the machine). A machine with
an unresolvable hostname would be unable to actually communicate with any other machines in the
cluster, even though it is technically part of the cluster.
Your DNS must be configured to have the hostname point to the correct IP interface on the appliance
that has SSH or CCS enabled. This is very important. If DNS points to another IP address that does not
have SSH or CCS enabled, it will not find the host. Note that centralized management uses the “main
hostname,” as set with the sethostname command, not the per-interface hostname.
If you use an IP address to connect to another machine in the cluster, the machine you connect to must
be able to make a reverse look up of the connecting IP address. If the reverse look up times out because
the IP address isn’t in the DNS, the machine cannot connect to the cluster.
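The DNS requirements above can be checked before a machine joins the cluster. The following Python code is an added example, not part of the Cisco guide: it verifies that each main hostname resolves to the interface IP that has SSH or CCS enabled and that the IP has a reverse record. The hostnames, addresses, and function names are constructed for illustration.

```python
import socket

# Constructed sample zone data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_A = {"esa1.example.com": ["192.0.2.10"], "esa2.example.com": ["192.0.2.99"]}
SAMPLE_PTR = {"192.0.2.10": "esa1.example.com"}

def sample_forward(host):
    """Offline stand-in for an A-record lookup."""
    if host not in SAMPLE_A:
        raise socket.gaierror("name not found")
    return SAMPLE_A[host]

def sample_reverse(ip):
    """Offline stand-in for a PTR lookup."""
    if ip not in SAMPLE_PTR:
        raise socket.herror("no PTR record")
    return SAMPLE_PTR[ip]

def check_member(hostname, cluster_ip, forward=None, reverse=None):
    """Return a list of DNS problems for one cluster member (empty = OK).

    hostname   -- main hostname of the machine (the one set with sethostname)
    cluster_ip -- IP of the interface that has SSH or CCS enabled
    """
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    problems = []
    try:
        addrs = forward(hostname)
    except OSError:  # gaierror and herror are both OSError subclasses
        addrs = []
    if not addrs:
        problems.append(f"{hostname}: main hostname does not resolve")
    elif cluster_ip not in addrs:
        problems.append(f"{hostname}: resolves to {addrs}, not SSH/CCS interface {cluster_ip}")
    try:
        reverse(cluster_ip)
    except OSError:
        problems.append(f"{cluster_ip}: no reverse lookup, connecting by IP address will fail")
    return problems

def check_cluster(members, forward=None, reverse=None):
    """members maps main hostname -> SSH/CCS interface IP; returns all problems."""
    return [p for host, ip in sorted(members.items())
            for p in check_member(host, ip, forward, reverse)]

if __name__ == "__main__":
    members = {"esa1.example.com": "192.0.2.10", "esa2.example.com": "192.0.2.20"}
    for problem in check_cluster(members, sample_forward, sample_reverse):
        print(problem)
```

Calling check_member without the forward and reverse arguments uses the system resolver instead of the constructed sample data.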
Clustering, Fully Qualified Domain Names, and Upgrading
DNS changes can cause a loss of connectivity after upgrading AsyncOS. Please note that if you need to
change the fully qualified domain name of a machine in the cluster (not the hostname of an interface on
a machine in the cluster), you must change the hostname settings via sethostname and update the DNS
record for that machine prior to upgrading AsyncOS.