Getting Started Guide, Cisco ACE Application Control Engine Module
Configuring Redundant ACE Modules

Table Of Contents

Configuring Redundant ACE Modules

Information About Redundancy

Guidelines and Limitations

Configuring Redundancy

Task Flow for Configuring Redundancy

Configuring an FT VLAN

Configuring an FT Peer

Configuring an Alias IP Address

Configuring an FT Group

Configuration Example for Redundancy

Where to Go Next


Configuring Redundant ACE Modules


This chapter describes how to configure the Cisco Application Control Engine (ACE) module for redundancy, which provides fault tolerance for the stateful switchover of flows.

This chapter contains the following sections:

Information About Redundancy

Guidelines and Limitations

Configuring Redundancy

Configuration Example for Redundancy

Where to Go Next

Information About Redundancy

After reading this chapter, you should have a basic understanding of ACE redundancy and how to configure it. For detailed information on redundancy, see the Administration Guide, Cisco ACE Application Control Engine.

The redundancy (or fault tolerance) feature ensures that your network services and applications are always available. It provides seamless switchover of flows in case an ACE becomes unresponsive or a critical host, interface, or HSRP group fails.

This feature uses a maximum of two ACEs (peers) in the same Catalyst 6500 series switch or in separate switches. Each peer module can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.

To outside nodes (clients and servers), the active and standby FT group members appear as one node with respect to their IP addresses and associated virtual MAC (VMAC) addresses. The ACE provides active-active redundancy with multiple-contexts only when there are multiple FT groups configured on each module and both modules contain at least one active group member (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context.

Each FT group acts as an independent redundancy instance. When a switchover occurs, the active member in the FT group becomes the standby member and the original standby member becomes the active member.

The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data, heartbeats, and state replication packets) on a dedicated FT VLAN that is not used for normal traffic. The active ACE automatically replicates the configuration, including changes made to the configuration, on the standby peer using a process called configuration synchronization (config sync). After the ACE synchronizes the redundancy configuration from the active member to the standby peer, it disables configuration mode on the standby.

The two redundant modules constantly communicate over the FT VLAN to determine the operating status of each module. The standby member uses the heartbeat packet to monitor the health of the active member. The active member uses the heartbeat packet to monitor the health of the standby member. The ACE uses the heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as part of the FT peer configuration.

The ACE replicates flows on the active FT group member to the standby group member per connection for each context. The replicated flows contain all the flow-state information necessary for the standby member to take over the flow if the active member becomes unresponsive. If the active member becomes unresponsive, the replicated flows on the standby member become active when the standby member assumes mastership of the context. The active flows on the former active member transition to a standby state to fully back up the active flows on the new active member.

After a switchover occurs, the same connection information is available on the new active member. Supported end-user applications do not need to reconnect to maintain the same network session.

This chapter describes how to configure each ACE in a redundant configuration.

Guidelines and Limitations

Follow these guidelines and limitations when you configure the redundancy feature:

You can configure redundancy only in the Admin context.

Redundancy is not supported between an ACE module and an ACE appliance operating as peers. Both peers must be the same ACE device type and run the same software release.

For redundancy to function properly, both members of an FT group must have identical configurations. Ensure that both ACE modules include the same bandwidth software license (4 Gbps, 8 Gbps, or 16 Gbps) and the same virtual context software license. If there is a mismatch in a software license between the two ACE modules in an FT group, the following operational behavior can occur:

If there is a mismatch in the virtual context software license, synchronization between the active ACE and standby ACE may not work properly.

If both the active and the standby ACE modules have the same virtual context software license but a different bandwidth software license, synchronization works properly, but the standby ACE may lose traffic on switchover from, for example, an 8-Gbps ACE module to a 4-Gbps ACE module.

Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and the redundancy heartbeat. Do not use this dedicated VLAN for any other network traffic, including HSRP and data. You must configure this same VLAN on both peer modules, and you must configure a different IP address within the same subnet on each module for the FT VLAN. Because config sync also carries the complete configuration, including local user accounts, over this VLAN, keep it restricted to the two peer modules and do not extend it to untrusted segments.

In bridged mode (Layer 2), two contexts cannot share the same VLAN.

The IP address and the MAC address of the FT VLAN do not change at switchover.

For multiple contexts, the FT VLAN resides in the system configuration file. Each FT VLAN on the ACE has one unique MAC address associated with it. The ACE uses these device MAC addresses as the source or destination MACs for sending or receiving redundancy protocol state and configuration replication packets.

One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it. For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In the Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the module.

To achieve active-active redundancy, a minimum of two contexts and two FT groups are required on each ACE.

When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface must be different addresses in the same subnet. For more information about configuring VLAN interfaces, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

By default, connection replication is enabled in the ACE and is not configurable.

The ACE does not replicate SSL and other terminated (proxied) connections from the active context to the standby context; those connections are lost at switchover and clients must reestablish them.

You must manually copy the SSL certificates and keys to the standby ACE. You can use the crypto import command.

You must manually copy scripts to the standby ACE.

Configuring Redundancy

This section describes how to configure redundancy. You must configure each ACE in the fault-tolerant (FT) group. It contains the following topics:

Task Flow for Configuring Redundancy

Configuring an FT VLAN

Configuring an FT Peer

Configuring an Alias IP Address

Configuring an FT Group

Task Flow for Configuring Redundancy

Follow these steps to configure redundancy:


Step 1 Configure a dedicated FT VLAN.

Step 2 Configure an FT peer, including a query VLAN.

Step 3 Configure an alias IP address as the shared gateway for the two ACEs.

Step 4 Configure an FT group.


Configuring an FT VLAN

Procedure

 
Command
Purpose

Step 1 

changeto context

Example:

host1/VC_WEB# changeto Admin
host1/Admin#

Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the desired context.

Step 2 

config

Example:

host1/Admin# config
host1/Admin(config)# 

Enters configuration mode.

Step 3 

ft interface vlan number

Example:

host1/Admin(config)# ft interface vlan 60
host1/Admin(config-ft-intf)#

Configures a dedicated FT VLAN for communication between the members of the FT group. This FT VLAN is global and is shared by all contexts.

Step 4 

ip address address netmask

Example:

host1/Admin(config-ft-intf)# ip address 10.10.60.10 255.255.255.0

Specifies the IP address and netmask of the FT VLAN.

Step 5 

peer ip address address netmask

Example:

host1/Admin(config-ft-intf)# peer ip address 10.10.60.11 255.255.255.0

Specifies the IP address and netmask of the remote peer.

Step 6 

exit

Example:

host1/Admin(config-ft-intf)# exit

host1/Admin(config)#

Exits FT interface configuration mode.

Step 7 

do show running-config ft

Example:

host1/Admin(config)# do show running-config ft

Verifies the redundancy configuration.

Step 8 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring an FT Peer

Procedure

 
Command
Purpose

Step 1 

ft peer number

Example:

host1/Admin(config)# ft peer 1

host1/Admin(config-ft-peer)# 

Configures the local redundancy peer.

Step 2 

ft-interface vlan number

Example:

host1/Admin(config-ft-peer)# ft-interface vlan 60

Associates the FT VLAN with the peer.

Step 3 

heartbeat count number

Example:

host1/Admin(config-ft-peer)# heartbeat count 20

Configures the number of consecutive heartbeat intervals that can pass without a heartbeat from the peer before the ACE declares the peer down. Together with the heartbeat interval, this value sets the failure-detection time: with the example values (20 intervals of 300 ms), the ACE declares the peer down after about 6 seconds.

Step 4 

heartbeat interval milliseconds

Example:

host1/Admin(config-ft-peer)# heartbeat interval 300

Configures the heartbeat interval in milliseconds (the example sets 300 ms). Because the configurations of both peers must be identical, use the same interval and count on both modules.

Step 5 

query-interface vlan vlan_id

Example:

host1/Admin(config-ft-peer)# query-interface vlan 1000

Configures a query interface to allow the standby member to determine whether the active member is down or if there is a connectivity problem with the FT VLAN. A query interface helps prevent two redundant contexts from becoming active at the same time for the same FT group. Before triggering a switchover, the ACE pings the active member to make sure that it is down. Configuring a query interface allows you to assess the health of the active member, but it increases the switchover time.

The vlan_id argument specifies the identifier of an existing VLAN. Enter an integer from 2 to 4094. In this example, use VLAN 1000.

Step 6 

exit

Example:

host1/Admin(config-ft-peer)# exit

host1/Admin(config)#

Exits FT peer configuration mode.

Step 7 

do show running-config ft

Example:

host1/Admin(config)# do show running-config ft

Verifies the redundancy configuration.

Step 8 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring an Alias IP Address

An alias IP address serves as the shared gateway for the two ACEs. If you initially configure only one ACE for redundancy (for example, because your second ACE will arrive a week or two after the first one), you must still complete the entire redundancy configuration described in this chapter before the alias IP address becomes operational.


Note The alias IP address is the address that the real servers use as their default gateway. Without an alias IP address on the VLAN, the ACE still fails over, but the servers can no longer route: the primary address they were using as a gateway belongs to the failed module and does not move to the new active member.


Procedure

 
Command
Purpose

Step 1 

interface vlan 1000

Example:

host1/Admin(config)# interface vlan 1000

Enters interface VLAN configuration mode for VLAN 1000.

Step 2 

alias ip address ip_address netmask

Example:

host1/Admin(config-intf-config)# alias ip address 172.25.91.112 255.255.255.0

Configures an alias IP address that floats between the active and the standby ACEs.

Step 3 

exit

Example:

host1/Admin(config-intf-config)# exit

host1/Admin(config)#

Exits interface configuration mode.

Step 4 

do show running-config ft

Example:

host1/Admin(config)# do show running-config ft

Verifies the redundancy configuration.

Step 5 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring an FT Group

Procedure

 
Command
Purpose

Step 1 

ft group number

Example:

host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)# 

Creates an FT group. Create at least one FT group on each ACE.

Step 2 

associate-context name

Example:

host1/Admin(config-ft-group)# associate-context VC_WEB

Associates a context with each FT group. You must associate the local context and the corresponding peer context with the same FT group.

Step 3 

peer number

Example:

host1/Admin(config-ft-group)# peer 1

Associates the peer context with the FT group.

Step 4 

inservice

Example:

host1/Admin(config-ft-group)# inservice

Places the FT group in service.

Step 5 

exit

Example:

host1/Admin(config-ft-group)# exit

host1/Admin(config)#

Exits FT group configuration mode.

Step 6 

ft auto-sync running-config | startup-config

Example:

host1/Admin(config)# ft auto-sync running-config

host1/Admin(config)# ft auto-sync startup-config

(Optional) Enables autosynchronization of the running-configuration and/or startup-configuration file from the active to the standby context. Both commands are enabled by default.

Step 7 

do show running-config ft | interface

Example:

host1/Admin(config)# do show running-config ft
host1/Admin(config)# do show running-config interface

Verifies the redundancy configuration.

Step 8 

do copy running-config startup-config

Example:

host1/Admin(config)# do copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Now that you have configured redundancy on one ACE, configure the other ACE in the FT group in a similar manner.

Configuration Example for Redundancy

The following example shows the Admin-context running configuration of an ACE configured for redundancy. The commands that you configured in this chapter are those in the interface vlan 1000, ft interface, ft peer, and ft group sections.

 
   
switch/Admin(config)# do show run
Generating configuration....

login timeout 0

resource-class RC_WEB
  limit-resource all minimum 10.00 maximum equal-to-min

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 1000
  description Management connectivity on VLAN 1000 and query interface VLAN
  ip address 172.25.91.110 255.255.255.0
  peer ip address 172.25.91.111 255.255.255.0
  alias ip address 172.25.91.112 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ft interface vlan 60
  ip address 10.10.60.10 255.255.255.0
  peer ip address 10.10.60.11 255.255.255.0

ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 60
  query-interface vlan 1000

domain DOMAIN1
  add-object all

ip route 0.0.0.0 0.0.0.0 172.25.91.1

context VC_WEB
  allocate-interface vlan 400
  allocate-interface vlan 500
  allocate-interface vlan 1000
  member RC_WEB

ft group 1
  peer 1
  associate-context VC_WEB
  inservice

username admin password 5 $1$JwBOOUEt$jihXQiAjF9igwDay1qAvK.  role Admin domain default-domain
username www password 5 $1$xmYMkFnt$n1YUgNOo76hAhg.JqtymF/  role Admin domain default-domain
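The following Python script is an added example; it is not part of this guide or of the ACE software. It parses the plain-text running configuration that the preceding example prints and checks the sections configured in this chapter against the guidelines listed earlier: the FT VLAN local and peer addresses must differ and share a subnet, the FT VLAN must not double as a data interface, the FT peer must reference a configured FT VLAN and an existing query-interface VLAN, each FT group must name a context and a peer and be placed in service, and a data VLAN that carries a peer address needs an alias address so that servers keep their gateway after a switchover. It also computes the failure-detection time from the heartbeat interval and count and renders the VMAC in the chapter's 00-0b-fc-fe-1b-groupID format. The embedded configuration is constructed from the example above, the function names are the script's own, and the two-digit hexadecimal rendering of the group ID in the VMAC is an assumption.

```python
"""Lint an ACE redundancy (FT) configuration against this chapter's guidelines.

Added example, not Cisco code: it parses plain-text `show running-config` output
and checks FT VLAN addressing, peer/query-interface references, FT group
membership and alias addresses. SAMPLE_CONFIG is constructed from the chapter's
configuration example; the hex rendering of the VMAC group ID is an assumption.
"""
import ipaddress

# Constructed sample: the redundancy-related sections of the chapter's example.
SAMPLE_CONFIG = """\
interface vlan 1000
  ip address 172.25.91.110 255.255.255.0
  peer ip address 172.25.91.111 255.255.255.0
  alias ip address 172.25.91.112 255.255.255.0

ft interface vlan 60
  ip address 10.10.60.10 255.255.255.0
  peer ip address 10.10.60.11 255.255.255.0

ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 60
  query-interface vlan 1000

ft group 1
  peer 1
  associate-context VC_WEB
  inservice
"""

def parse_blocks(text):
    """Map each unindented section header to the list of its indented subcommands."""
    blocks, header = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and header is not None:
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks

def _value(sub, prefix):
    """Argument after an exact subcommand prefix ('ip address' skips 'peer ip address')."""
    for line in sub:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None

def _addr(sub, prefix):
    """'A M' after prefix as an ip_interface (ipaddress accepts a dotted netmask)."""
    v = _value(sub, prefix)
    return ipaddress.ip_interface(v.replace(" ", "/")) if v else None

def failure_detection_seconds(interval_ms, count):
    """Time until the standby declares the active peer down: count missed heartbeats."""
    return interval_ms * count / 1000.0

def vmac_for_group(group_id):
    """VMAC for an FT group in the chapter's 00-0b-fc-fe-1b-groupID format (hex assumed)."""
    return f"00-0b-fc-fe-1b-{group_id:02x}"

def check_redundancy(text):
    """Return guideline violations found in the config; an empty list means clean."""
    b = parse_blocks(text)
    by = lambda p: {h.split()[-1]: s for h, s in b.items() if h.startswith(p)}
    ft_intf, data_intf = by("ft interface vlan "), by("interface vlan ")
    peers, groups = by("ft peer "), by("ft group ")
    f = []
    for vlan, sub in ft_intf.items():
        local, peer = _addr(sub, "ip address"), _addr(sub, "peer ip address")
        if local is None or peer is None:
            f.append(f"ft interface vlan {vlan}: needs both ip address and peer ip address")
        elif local.ip == peer.ip:
            f.append(f"ft interface vlan {vlan}: local and peer IP addresses must differ")
        elif local.network != peer.network:
            f.append(f"ft interface vlan {vlan}: local and peer IP must be in the same subnet")
        if vlan in data_intf:  # the FT VLAN is dedicated to redundancy traffic
            f.append(f"vlan {vlan}: FT VLAN must not also be configured as a data interface")
    for pid, sub in peers.items():
        if _value(sub, "ft-interface vlan") not in ft_intf:
            f.append(f"ft peer {pid}: ft-interface vlan does not name a configured FT VLAN")
        qv = _value(sub, "query-interface vlan")
        if qv is not None and qv not in data_intf:
            f.append(f"ft peer {pid}: query-interface vlan {qv} is not an existing VLAN interface")
    for gid, sub in groups.items():
        if _value(sub, "associate-context") is None:
            f.append(f"ft group {gid}: no associate-context configured")
        if _value(sub, "peer") not in peers:
            f.append(f"ft group {gid}: peer does not name a configured ft peer")
        if "inservice" not in sub:
            f.append(f"ft group {gid}: not placed inservice")
    # A data VLAN with a peer address but no alias leaves servers without a gateway after switchover.
    for vlan, sub in data_intf.items():
        if _addr(sub, "peer ip address") and not _addr(sub, "alias ip address"):
            f.append(f"interface vlan {vlan}: peer ip address configured but no alias ip address")
    return f
```

Run check_redundancy() on the output of do show run from each peer; both must come back clean, and because the two configurations must be identical apart from the local and peer addresses, a finding on only one module usually means the configurations have drifted. failure_detection_seconds(300, 20) gives the 6-second detection time implied by the example's heartbeat settings.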
 
   

Where to Go Next

In this chapter, you have configured redundancy on the ACE. In the next chapter, you will learn how to configure bridged mode.