White Paper
All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information.
Figure 3 depicts the second deployment option. The FWSM cluster is deployed across two VSS
domains inside two Catalyst 6500 service switches (SS), each connected to a VSS as shown. This
method can be used if you don’t want to place the FWSM inside the VSS chassis.
Figure 3 – VSS Deployment Option 2
Once deployed inside the chassis using either of the above options (VSS or SS), the FWSM cluster
can then be configured for a single context, for multiple contexts, for active/standby or active/active
mode, for transparent mode, or for routed mode.
The advantages or disadvantages of each of the above deployment options are beyond the scope of
this document.
Configuration Guidelines
The interaction of technologies and devices in any VSS/FWSM environment must be carefully
planned and tuned. The location of the primary FWSM for any given security context or a group of
security contexts is pivotal for this planning and the tuning. The following subsections describe the
fundamental characteristics of these devices and technologies.
VSS Characteristics
The VSS is the essential part of this environment, and its configuration should be appropriately
executed to guarantee a successful deployment. Apart from the standard VSS configuration
guidelines (which can be found using the link provided in the “Introduction” section), there are two
configuration guidelines that are strongly recommended:
● A dual-active detection mechanism must be configured. This mechanism prevents both
VSS chassis from becoming active in the event of the VSL links’ failure. Dual active can
cause severe network instabilities and disruptions. The detection mechanism mitigates
them by securely isolating one of the two chassis, and by ensuring an
automatic recovery as soon as the VSL links recover. The dual-active detection mechanism
implemented during the testing was fast-hello, which is strongly recommended by Cisco.
For more information on dual-active documentation and configuration, refer to the
“Dual-Active Detection” section of the Catalyst 6500 Release 12.2SXH and Later Software
Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1063718
● It is recommended that VSS preemption not be used in this environment, as its process
causes outage and possible instabilities. (VSS preemption will be deprecated soon.)
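
The two guidelines above can be checked against a saved running configuration. The following script is an added example, not part of the original white paper or of any Cisco tooling. It assumes the IOS command strings `dual-active detection fast-hello` (under `switch virtual domain`), `dual-active fast-hello` (on the hello-link interface) and `switch <1|2> preempt`, which should be confirmed against the configuration guide linked above; the sample configurations are constructed.

```python
import re
# Constructed running-config excerpts (not from the white paper).
GOOD_CONFIG = """\
switch virtual domain 100
 dual-active detection fast-hello
!
interface GigabitEthernet1/5/1
 dual-active fast-hello
"""
BAD_CONFIG = """\
switch virtual domain 100
 switch 1 preempt
 no dual-active detection fast-hello
!
interface GigabitEthernet1/5/1
 description uplink
"""

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit_vss(config):
    """Return findings against the two guidelines; an empty list means compliant."""
    secs = sections(config)
    domain = next((b for h, b in secs.items() if h.startswith("switch virtual domain")), [])
    hello_links = [h for h, b in secs.items()
                   if h.startswith("interface ") and "dual-active fast-hello" in b]
    findings = []
    if "dual-active detection fast-hello" not in domain:
        findings.append("fast-hello dual-active detection is not enabled")
    if not hello_links:
        findings.append("no interface is configured as a fast-hello link")
    # Assumed syntax: "switch <1|2> preempt [delay]" inside the virtual domain.
    if any(re.fullmatch(r"switch [12] preempt( \d+)?", l) for l in domain):
        findings.append("VSS preemption is enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_vss(cfg) or "compliant")
```
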