Table Of Contents
Configuring Redundant ACE Modules
Information About Redundancy
Guidelines and Limitations
Configuring Redundancy
Task Flow for Configuring Redundancy
Configuring an FT VLAN
Configuring an FT Peer
Configuring an Alias IP Address
Configuring an FT Group
Configuration Example for Redundancy
Where to Go Next
Configuring Redundant ACE Modules
This chapter describes how to configure the Cisco Application Control Engine (ACE) module for redundancy, which provides fault tolerance for the stateful switchover of flows.
This chapter contains the following sections:
• Information About Redundancy
• Guidelines and Limitations
• Configuring Redundancy
• Configuration Example for Redundancy
• Where to Go Next
Information About Redundancy
After reading this chapter, you should have a basic understanding of ACE redundancy and how to configure it. For detailed information on redundancy, see the Administration Guide, Cisco ACE Application Control Engine.
The redundancy (or fault tolerance) feature is designed to keep your network services and applications available. It provides seamless switchover of flows if an ACE becomes unresponsive or if a critical host, interface, or HSRP group fails.
This feature uses a maximum of two ACEs (peers) in the same Catalyst 6500 series switch or in separate switches. Each peer module can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more information about contexts, see the Virtualization Guide, Cisco ACE Application Control Engine.
To outside nodes (clients and servers), the active and standby FT group members appear as one node with respect to their IP addresses and associated virtual MAC (VMAC) addresses. The ACE provides active-active redundancy with multiple-contexts only when there are multiple FT groups configured on each module and both modules contain at least one active group member (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active member in the FT group becomes the standby member and the original standby member becomes the active member.
The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data, heartbeats, and state replication packets) on a dedicated FT VLAN that is not used for normal traffic. The active ACE automatically replicates the configuration, including changes made to the configuration, on the standby peer using a process called configuration synchronization (config sync). After the ACE synchronizes the redundancy configuration from the active member to the standby peer, it disables configuration mode on the standby.
The two redundant modules constantly communicate over the FT VLAN to determine the operating status of each module. Each member uses heartbeat packets to monitor the health of the other: the standby member monitors the active member, and the active member monitors the standby member. The heartbeat probes the peer ACE as a whole, not each context. When an ACE misses the configured number of consecutive heartbeats from the peer ACE, all of its contexts that are in the standby state become active. The ACE sends heartbeat packets over UDP. You set the heartbeat interval and the number of heartbeats that may be missed as part of the FT peer configuration.
The ACE replicates flows on the active FT group member to the standby group member per connection for each context. The replicated flows contain all the flow-state information necessary for the standby member to take over the flow if the active member becomes unresponsive. If the active member becomes unresponsive, the replicated flows on the standby member become active when the standby member assumes mastership of the context. The active flows on the former active member transition to a standby state to fully back up the active flows on the new active member.
After a switchover occurs, the same connection information is available on the new active member. Supported end-user applications do not need to reconnect to maintain the same network session.
This chapter describes how to configure each ACE in a redundant configuration.
Guidelines and Limitations
Follow these guidelines and limitations when you configure the redundancy feature:
• You can configure redundancy only in the Admin context.
• Redundancy is not supported between an ACE module and an ACE appliance operating as peers. Both peers must be the same ACE device type and run the same software release.
• For redundancy to function properly, both members of an FT group must have identical configurations. Ensure that both ACE modules include the same bandwidth software license (4 Gbps, 8 Gbps, or 16 Gbps) and the same virtual context software license. If there is a mismatch in a software license between the two ACE modules in an FT group, the following operational behavior can occur:
– If there is a mismatch in the virtual context software license, synchronization between the active ACE and standby ACE may not work properly.
– If both the active and the standby ACE modules have the same virtual context software license but a different bandwidth software license, synchronization works properly, but the standby ACE may lose traffic on switchover from, for example, an 8-Gbps ACE module to a 4-Gbps ACE module.
• Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and the redundancy heartbeat. Do not use this dedicated VLAN for any other network traffic, including HSRP and data. You must configure this same VLAN on both peer modules. You also must configure a different IP address within the same subnet on each module for the FT VLAN. Because config sync carries the complete configuration, including user accounts and their password hashes, and state replication carries live flow state, treat the FT VLAN as a trusted link: it must not be reachable from client, server, or management networks.
• In bridged mode (Layer 2), two contexts cannot share the same VLAN.
• The IP address and the MAC address of the FT VLAN do not change at switchover.
• For multiple contexts, the FT VLAN resides in the system configuration file. Each FT VLAN on the ACE has one unique MAC address associated with it. The ACE uses these device MAC addresses as the source or destination MACs for sending or receiving redundancy protocol state and configuration replication packets.
• One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP tables do not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it. For more information about VMACs, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
• In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In the Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the module.
• To achieve active-active redundancy, a minimum of two contexts and two FT groups are required on each ACE.
• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface must be different addresses in the same subnet. For more information about configuring VLAN interfaces, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.
• By default, connection replication is enabled in the ACE and is not configurable.
• The ACE does not replicate SSL and other terminated (proxied) connections from the active context to the standby context. Those sessions are lost on a switchover, and their clients must reconnect.
• You must manually copy the SSL certificates and keys to the standby ACE, because config sync does not replicate them. You can use the crypto import command.
• You must manually copy scripts to the standby ACE.
Configuring Redundancy
This section describes how to configure redundancy. You must configure each ACE in the fault-tolerant (FT) group. It contains the following topics:
• Task Flow for Configuring Redundancy
• Configuring an FT VLAN
• Configuring an FT Peer
• Configuring an Alias IP Address
• Configuring an FT Group
Task Flow for Configuring Redundancy
Follow these steps to configure redundancy:
Step 1 Configure a dedicated FT VLAN.
Step 2 Configure an FT peer, including a query VLAN.
Step 3 Configure an alias IP address as the shared gateway for the two ACEs.
Step 4 Configure an FT group.
Configuring an FT VLAN
Procedure

Step 1
Command: changeto Admin
Example:
host1/VC_WEB# changeto Admin
host1/Admin#
Purpose: Changes to the Admin context if necessary; redundancy can be configured only there. Check the CLI prompt to verify that you are operating in the Admin context.

Step 2
Command: config
Example:
host1/Admin# config
host1/Admin(config)#
Purpose: Enters configuration mode.

Step 3
Command: ft interface vlan number
Example:
host1/Admin(config)# ft interface vlan 60
host1/Admin(config-ft-intf)#
Purpose: Configures a dedicated FT VLAN for communication between the members of the FT group. This FT VLAN is global and is shared by all contexts; it must carry no other traffic.

Step 4
Command: ip address address netmask
Example:
host1/Admin(config-ft-intf)# ip address 10.10.60.10 255.255.255.0
Purpose: Specifies the IP address and netmask of this module on the FT VLAN.

Step 5
Command: peer ip address address netmask
Example:
host1/Admin(config-ft-intf)# peer ip address 10.10.60.11 255.255.255.0
Purpose: Specifies the IP address and netmask of the remote peer on the FT VLAN. The two addresses must differ and lie in the same subnet; on the peer module, the local and peer addresses are swapped.

Step 6
Command: exit
Example:
host1/Admin(config-ft-intf)# exit
host1/Admin(config)#
Purpose: Exits FT interface configuration mode.

Step 7
Command: do show running-config ft
Example:
host1/Admin(config)# do show running-config ft
Purpose: Verifies the redundancy configuration.

Step 8
Command: do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring an FT Peer
Procedure

Step 1
Command: ft peer number
Example:
host1/Admin(config)# ft peer 1
host1/Admin(config-ft-peer)#
Purpose: Configures the local redundancy peer.

Step 2
Command: ft-interface vlan number
Example:
host1/Admin(config-ft-peer)# ft-interface vlan 60
Purpose: Associates the FT VLAN configured in the previous procedure with the peer.

Step 3
Command: heartbeat count number
Example:
host1/Admin(config-ft-peer)# heartbeat count 20
Purpose: Configures the number of consecutive heartbeat packets that can be missed before the ACE declares its peer down.

Step 4
Command: heartbeat interval milliseconds
Example:
host1/Admin(config-ft-peer)# heartbeat interval 300
Purpose: Configures the interval between heartbeat packets, in milliseconds. With the example values, the ACE declares its peer down after 20 missed heartbeats at 300 ms, about 6 seconds of silence on the FT VLAN. Use the same count and interval on both peers.

Step 5
Command: query-interface vlan vlan_id
Example:
host1/Admin(config-ft-peer)# query-interface vlan 1000
Purpose: Configures a query interface that lets the standby member determine whether the active member is really down or whether there is only a connectivity problem on the FT VLAN. A query interface helps prevent two redundant contexts from becoming active at the same time for the same FT group: before triggering a switchover, the ACE pings the active member over the query interface to confirm that it is down. Configuring a query interface lets you assess the health of the active member, but it increases the switchover time.
The vlan_id argument specifies the identifier of an existing VLAN. Enter an integer from 2 to 4094. In this example, use VLAN 1000.

Step 6
Command: exit
Example:
host1/Admin(config-ft-peer)# exit
host1/Admin(config)#
Purpose: Exits FT peer configuration mode.

Step 7
Command: do show running-config ft
Example:
host1/Admin(config)# do show running-config ft
Purpose: Verifies the redundancy configuration.

Step 8
Command: do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring an Alias IP Address
An alias IP address serves as the shared gateway for the two ACEs. If you initially configure only one ACE for redundancy (for example, your second ACE will arrive a week or two after the first one), you must still complete the redundancy configuration described in this chapter before the alias IP address becomes operable; an alias IP address does not work on an ACE that has no FT configuration.
Note
The alias IP address is the address that the real servers use as their default gateway. If you do not configure an alias IP address on the VLAN, the ACE still fails over, but the servers lose their route: the interface IP address of the failed ACE does not move to the new active member, so only an alias address survives the switchover.
Procedure

Step 1
Command: interface vlan 1000
Example:
host1/Admin(config)# interface vlan 1000
host1/Admin(config-intf-config)#
Purpose: Enters interface VLAN configuration mode for VLAN 1000.

Step 2
Command: alias ip address ip_address netmask
Example:
host1/Admin(config-intf-config)# alias ip address 172.25.91.112 255.255.255.0
Purpose: Configures an alias IP address that floats between the active and the standby ACEs.

Step 3
Command: exit
Example:
host1/Admin(config-intf-config)# exit
host1/Admin(config)#
Purpose: Exits interface configuration mode.

Step 4
Command: do show running-config ft
Example:
host1/Admin(config)# do show running-config ft
Purpose: Verifies the redundancy configuration.

Step 5
Command: do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring an FT Group
Procedure

Step 1
Command: ft group number
Example:
host1/Admin(config)# ft group 1
host1/Admin(config-ft-group)#
Purpose: Creates an FT group. Create at least one FT group on each ACE.

Step 2
Command: associate-context name
Example:
host1/Admin(config-ft-group)# associate-context VC_WEB
Purpose: Associates a context with the FT group. You must associate the local context and the corresponding peer context with the same FT group.

Step 3
Command: peer number
Example:
host1/Admin(config-ft-group)# peer 1
Purpose: Associates the peer context with the FT group.

Step 4
Command: inservice
Example:
host1/Admin(config-ft-group)# inservice
Purpose: Places the FT group in service.

Step 5
Command: exit
Example:
host1/Admin(config-ft-group)# exit
host1/Admin(config)#
Purpose: Exits FT group configuration mode.

Step 6
Command: ft auto-sync {running-config | startup-config}
Example:
host1/Admin(config)# ft auto-sync running-config
host1/Admin(config)# ft auto-sync startup-config
Purpose: (Optional) Enables autosynchronization of the running-configuration and/or startup-configuration file from the active to the standby context. Both commands are enabled by default.

Step 7
Command: do show running-config {ft | interface}
Example:
host1/Admin(config)# do show running-config ft
host1/Admin(config)# do show running-config interface
Purpose: Verifies the redundancy configuration.

Step 8
Command: do copy running-config startup-config
Example:
host1/Admin(config)# do copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Now that you have configured redundancy on one ACE, configure the other ACE in the FT group in a similar manner.
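As an added example (not Cisco's code and not part of this guide), the following Python script applies the pairing rules stated in the Guidelines and Limitations and implemented by the four procedures above to the configurations of both modules. It parses a simplified rendering of the show running-config ft output plus the VLAN interface block from each peer and checks that the FT VLAN is the same on both modules and not reused as a data interface, that the local and peer addresses are distinct, mirrored, and in one subnet, that a query interface exists, that the heartbeat settings match, and that every FT group is bound to the same context, peer, and inservice state on both sides. It also converts the heartbeat settings into the time the standby waits before declaring the active peer down. The configuration text is constructed from this chapter's example values; the parser, the dictionary keys, and the finding messages are the example's own, not ACE output.

```python
import ipaddress
import re

# Constructed sample in the shape of "show running-config ft" plus the VLAN
# interface block, using the chapter's values; not captured from a real ACE.
ACE_A = """\
ft interface vlan 60
  ip address 10.10.60.10 255.255.255.0
  peer ip address 10.10.60.11 255.255.255.0
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 60
  query-interface vlan 1000
ft group 1
  peer 1
  associate-context VC_WEB
  inservice
interface vlan 1000
  ip address 172.25.91.110 255.255.255.0
  peer ip address 172.25.91.111 255.255.255.0
  alias ip address 172.25.91.112 255.255.255.0
"""

def mirror(cfg, *pairs):
    """Partner module's config: swap each (local, peer) address pair, keep the rest."""
    for local, peer in pairs:
        cfg = cfg.replace(local, "\0").replace(peer, local).replace("\0", peer)
    return cfg

ACE_B = mirror(ACE_A, ("10.10.60.10", "10.10.60.11"), ("172.25.91.110", "172.25.91.111"))

# Constructed misconfiguration: FT VLAN also used as a data interface, no query interface.
BROKEN_B = (ACE_B.replace("  query-interface vlan 1000\n", "")
            + "interface vlan 60\n  ip address 10.10.60.11 255.255.255.0\n")

PEER_KEYS = {"heartbeat interval": "interval_ms", "heartbeat count": "count",
             "ft-interface vlan": "peer_ft_vlan", "query-interface vlan": "query_vlan"}

def parse_blocks(cfg):
    """Group each indented line under the unindented command that opened it."""
    blocks, header = {}, None
    for raw in filter(str.strip, cfg.splitlines()):
        if raw[0].isspace() and header is not None:
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks

def ft_summary(cfg):
    """Pull the redundancy-relevant settings out of one module's config."""
    s = {"ft_vlan": None, "peer_ft_vlan": None, "ip": None, "peer_ip": None,
         "interval_ms": None, "count": None, "query_vlan": None, "groups": {}, "data_vlans": set()}
    for header, body in parse_blocks(cfg).items():
        if m := re.fullmatch(r"ft interface vlan (\d+)", header):
            s["ft_vlan"] = int(m.group(1))
            for line in body:
                if m2 := re.fullmatch(r"(peer )?ip address (\S+) (\S+)", line):
                    s["peer_ip" if m2.group(1) else "ip"] = ipaddress.ip_interface(
                        f"{m2.group(2)}/{m2.group(3)}")
        elif re.fullmatch(r"ft peer \d+", header):
            for line in body:
                for prefix, key in PEER_KEYS.items():
                    if line.startswith(prefix + " "):
                        s[key] = int(line.split()[-1])
        elif m := re.fullmatch(r"ft group (\d+)", header):
            kv = dict(line.split(" ", 1) for line in body if " " in line)
            s["groups"][int(m.group(1))] = {"peer": kv.get("peer"),
                                            "context": kv.get("associate-context"),
                                            "inservice": "inservice" in body}
        elif m := re.fullmatch(r"interface vlan (\d+)", header):
            s["data_vlans"].add(int(m.group(1)))
    return s

def detection_time_s(cfg):
    """Silence before this module declares its peer down: count x interval (ms)."""
    s = ft_summary(cfg)
    return s["count"] * s["interval_ms"] / 1000

def check_pair(cfg_a, cfg_b):
    """Apply the chapter's pairing rules; an empty list means the pair is consistent."""
    a, b = ft_summary(cfg_a), ft_summary(cfg_b)
    out = []
    if a["ft_vlan"] is None or a["ft_vlan"] != b["ft_vlan"]:
        out.append("FT VLAN must be configured and identical on both modules")
    for s, name in ((a, "A"), (b, "B")):
        if s["ft_vlan"] in s["data_vlans"]:
            out.append(f"{name}: FT VLAN {s['ft_vlan']} is also a data interface")
        if s["peer_ft_vlan"] != s["ft_vlan"]:
            out.append(f"{name}: ft peer does not reference the FT VLAN")
        if s["query_vlan"] is None:
            out.append(f"{name}: no query-interface, so both modules may go active if only the FT VLAN fails")
    if None in (a["ip"], a["peer_ip"], b["ip"], b["peer_ip"]):
        out.append("each module needs ip address and peer ip address on the FT VLAN")
    elif a["ip"].network != b["ip"].network or a["ip"].ip == b["ip"].ip:
        out.append("FT addresses must differ and share one subnet")
    elif a["peer_ip"].ip != b["ip"].ip or b["peer_ip"].ip != a["ip"].ip:
        out.append("peer ip address must equal the other module's ip address")
    if (a["interval_ms"], a["count"]) != (b["interval_ms"], b["count"]):
        out.append("heartbeat interval or count differs between modules")
    for gid in sorted(set(a["groups"]) | set(b["groups"])):
        if a["groups"].get(gid) != b["groups"].get(gid):
            out.append(f"ft group {gid}: absent on one module or not bound to the same context, peer and inservice state")
    return out
```

Run check_pair against the output of do show running-config ft and do show running-config interface from each module before placing the groups in service. The mirrored pair (ACE_A, ACE_B) produces no findings and detection_time_s reports 6.0 seconds for the example heartbeat settings; the broken variant reports the FT VLAN reused as a data interface and the missing query interface, the two conditions under which the guidelines warn that traffic leaks onto the FT VLAN or both modules can become active at once.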
Configuration Example for Redundancy
The following example shows the Admin context running configuration after redundancy has been configured. The lines that this chapter adds are the alias ip address under interface vlan 1000 and the ft interface, ft peer, and ft group blocks; the remaining lines come from earlier chapters.
switch/Admin(config)# do show run
Generating configuration....

limit-resource all minimum 10.00 maximum equal-to-min

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol telnet any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  description Management connectivity on VLAN 1000 and query interface VLAN

interface vlan 1000
  ip address 172.25.91.110 255.255.255.0
  peer ip address 172.25.91.111 255.255.255.0
  alias ip address 172.25.91.112 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY

ft interface vlan 60
  ip address 10.10.60.10 255.255.255.0
  peer ip address 10.10.60.11 255.255.255.0

ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 60
  query-interface vlan 1000

ft group 1
  peer 1
  associate-context VC_WEB
  inservice

ip route 0.0.0.0 0.0.0.0 172.25.91.1

context VC_WEB
  allocate-interface vlan 400
  allocate-interface vlan 500
  allocate-interface vlan 1000

username admin password 5 $1$JwBOOUEt$jihXQiAjF9igwDay1qAvK. role Admin domain default-domain
username www password 5 $1$xmYMkFnt$n1YUgNOo76hAhg.JqtymF/ role Admin domain default-domain
Where to Go Next
In this chapter, you have configured redundancy on the ACE. In the next chapter, you will learn how to configure bridged mode.