Cisco Email Security Appliance C650 User Guide
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 40 Centralized Management Using Clusters
Best Practices and Frequently Asked Questions
A. When a machine joins a cluster, all of that machine's clusterable settings will be inherited from
the cluster level. Upon joining a cluster, all locally configured non-network settings will be lost,
overwritten with the settings of the cluster and any associated groups. (This includes the
user/passphrase table; passphrases and users are shared within a cluster).
Q. I have a clustered machine and I remove it (permanently) from the cluster. What happens to my
settings?
A. When a machine is permanently removed from a cluster, its configuration hierarchy is “flattened”
such that the machine will continue to work the same as it did when it was part of the cluster. All
settings that the machine has been inheriting will be applied to the machine in the standalone setting.
For example, if there is only a cluster-mode Global Unsubscribe table, that Global Unsubscribe table
data will be copied to the machine's local configuration when the machine is removed from the
cluster.
General Questions
Q. Are log files aggregated within centrally managed machines?
A. No. Log files are still retained for each individual machine. The Security Management appliance
can be used to aggregate mail logs from multiple machines for the purposes of tracking and
reporting.
Q. How does User Access work?
A. The Cisco appliances share one database for the entire cluster. In particular, there is only one
admin account (and passphrase) for the entire cluster.
Q. How should I cluster a data center?
A. Ideally, a data center would be a “group” within a cluster, not its own cluster. However, if the data
centers do not share much between themselves, you may have better results with separate clusters
for each data center.
Q. What happens if systems are offline and they reconnect?
A. Systems attempt to synchronize upon reconnecting to the cluster.
Network Questions
Q. Is the centralized management feature a “peer-to-peer” architecture or a “master/slave” architecture?
A. Because every machine has all of the data for all of the machines (including all machine-specific
settings that it will never use), the centralized management feature can be considered a peer-to-peer
architecture.
Q. How do I set up a box so it is not a peer? I want a “slave” system.
A. Creating a true “slave” machine is not possible with this architecture. However, you can disable
the HTTP (GUI) and SSH (CLI) access at the machine level. In this manner, a machine without GUI
or CLI access can only be configured by clusterconfig commands (that is, it can never be a login host).
This is similar to having a slave, but the configuration can be defeated by turning on login access
again.
Q. Can I create multiple, segmented clusters?
A. Isolated “islands” of clusters are possible; in fact, there may be situations where creating them
may be beneficial, for example, for performance reasons.