Cisco Email Security Appliance C160 User Guide

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
 
Chapter 39: Centralized Management Using Clusters
  Cluster Communication
Cluster Communication Security
Cluster Communication Security (CCS) is a secure shell service similar to a regular SSH service. Cisco 
implemented CCS in response to concerns regarding using regular SSH for cluster communication. SSH 
communication between two machines opens regular logins (admin, etc.) on the same port. Many 
administrators prefer not to open regular logins on their clustered machines.
Tip: Never enable Cluster Communication Services, even though it is the default, unless you have
firewalls blocking port 22 between some of your clustered machines. Clustering uses a full mesh of SSH
tunnels (on port 22) between all machines. If you have already answered Yes to enabling CCS on any
machine, remove all machines from the cluster and start again. Removing the last machine in the cluster
removes the cluster.
CCS provides an enhancement where the administrator can open up cluster communication, but not CLI
logins. By default, the service is disabled. You will be prompted to enable CCS from the
interfaceconfig command when you are prompted to enable other services. For example:

Do you want to enable SSH on this interface?  [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable Cluster Communication Service on this interface?
[N]> y
Which port do you want to use for Cluster Communication Service?
[2222]>

The default port number for CCS is 2222. You may change this to another open, unused, port number if
you prefer. After the join is complete and the joining machine has all the configuration data from the
cluster, the following question is presented:

Do you want to enable Cluster Communication Service on this interface? [N]> y
Which port do you want to use for Cluster Communication Service?
[2222]>

Cluster Consistency
The machines that are “cluster aware” will continually verify network connections to other machines
within the cluster. This verification is done by periodic “pings” sent to other machines in the cluster.
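
The following is an added example, not part of the Cisco guide: a small Python audit of a saved interfaceconfig dialogue like the one in the Cluster Communication Security section, which resolves empty answers to the bracketed defaults and applies the guide's advice (CCS only where port 22 is firewalled between peers, on a port not already in use). The function names and the `port22_firewalled` input are assumptions made for this sketch, and the sample transcript is constructed from the prompts shown on this page.

```python
import re
# Constructed sample: the interfaceconfig dialogue from this page, answers as typed.
SAMPLE = """\
Do you want to enable SSH on this interface?  [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable Cluster Communication Service on this interface?
[N]> y
Which port do you want to use for Cluster Communication Service?
[2222]>
"""
ENABLE = re.compile(r"Do you want to enable (.+?) on this interface\?")
PORT = re.compile(r"Which port do you want to use for (.+?)\?")
PROMPT = re.compile(r"\[([^\]]*)\]>\s*(\S*)\s*$")  # "[default]> answer"

def parse_transcript(text):
    """Return {service: {"enabled": bool, "port": int or None}}."""
    services, pending = {}, None
    for line in text.splitlines():
        for kind, rx in (("enabled", ENABLE), ("port", PORT)):
            q = rx.search(line)
            if q:
                pending = (kind, q.group(1))
        p = PROMPT.search(line)  # prompt may share the question's line or follow it
        if not (p and pending):
            continue
        (kind, svc), pending = pending, None
        value = p.group(2) or p.group(1)  # empty answer accepts the default
        entry = services.setdefault(svc, {"enabled": False, "port": None})
        if kind == "enabled":
            entry["enabled"] = value.lower().startswith("y")
        elif value.isdigit():
            entry["port"] = int(value)
    return services

def review(services, port22_firewalled):
    """port22_firewalled is operator-supplied (assumption): is port 22 blocked between peers?"""
    ssh = services.get("SSH", {})
    ccs = services.get("Cluster Communication Service", {})
    findings = []
    if not ccs.get("enabled"):
        return findings
    if not port22_firewalled:
        findings.append("CCS enabled although port 22 is not firewalled between peers")
    if ssh.get("enabled"):
        findings.append(f"CLI logins remain open on SSH port {ssh.get('port')}")
        if ssh.get("port") == ccs.get("port"):
            findings.append("CCS port collides with the SSH port; pick an unused port")
    return findings
```

Run `review(parse_transcript(text), port22_firewalled=...)` against the captured dialogue from each cluster member; an empty list means CCS is off on that interface.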