Cisco Catalyst 6500 Series Network Analysis Module (NAM-3) White Paper
All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Confidential Information.
When the FWSM cluster operates in transparent mode, there is no need to configure static routes
either in the VSS or in the FWSM (except for FWSM management). This is because both the inside
and the outside VLANs share the same subnet, although they have different VLAN IDs.
Both access lists and route maps were used during the validation for redistributing the static routes
into OSPF. These routes pointed to the inside subnet of each context.
The table below shows the STP priority, HSRP priority, OSPF cost, and OSPF redistribution metric
used in the testing.
FWSM Cluster Mode | FWSM Location | STP Priority / HSRP Priority / Interface OSPF Cost and Redistribution Metric in OSPF – OSPF process ID
A/S | Active in VSS1 | Primary/120/9/ - 100
A/S | Standby in VSS2 | Secondary/90/19/ - 100
A/A | Group 1 active in VSS1 | Primary/120/9/ - 100
A/A | Group 1 standby in VSS2 | Secondary/90/19/ - 100
A/A | Group 2 standby in VSS1 | Secondary/90/19/ - 200
A/A | Group 2 active in VSS2 | Primary/120/9/ - 200
Conclusion and Recommendations
Based on the results of the testing, the ECATS Team has made the following recommendations:
1. Connection between the core and each VSS chassis. It is recommended to have two
links between the core and the VSS chassis, rather than a lone connection to the core.
The second link provides redundancy in the event of a failover (which requires the reload of
one of the chassis), or in the event that one of the chassis is unavailable.
2. OSPF configuration tuning. It is more efficient to adapt the OSPF configuration to take
into account the configured FWSM active default location, and to have the ingress and
egress traffic routed accordingly.
3. Dual active detection on the VSS. It is highly recommended to have a dual active
detection mechanism that appropriately and efficiently handles the VSS behavior in the
event of the VSL link’s failure and recovery. Cisco recommends the fast-hello dual active
detection mechanism. (This was not implemented for the testing phase.)
4. No VSS preemption. This should reduce the outage of the VSS chassis. Preemption will
not be supported in later versions of the code.
5. FWSM preemption. This guarantees that the primary FWSM unit for a particular security
context will return to the active role in the event of an unexpected failover (preemption will
not be triggered if failover is triggered manually with the following CLI: “<no> failover active
<group 1/2>”).