This document describes the prerequisites and requirements needed for configuring clustering on the Email Security Appliance (ESA).
What are the requirements for setting up a cluster?
- Valid Centralized Management feature key on each ESA that you wish to join into a cluster.
- Starting with AsyncOS 8.5.6, the feature key is no longer required to enable the Centralized Management feature. By default, the Centralized Management feature is enabled on your appliance.
The centralized management feature allows you to manage and configure multiple appliances at the same time, reducing administration time and ensuring a consistent configuration across your network. You do not need to purchase additional hardware for managing multiple appliances. The centralized management feature provides increased reliability, flexibility, and scalability within your network, allowing you to manage globally while complying with local policies.
A cluster is defined as a set of machines that share configuration information. Within the cluster, machines (Cisco appliances) are divided into groups; every cluster will contain at least one group. A given machine is a member of one and only one group. An administrator user can configure different elements of the system on a cluster-wide, group-wide, or per-machine basis, enabling the segmentation of Cisco appliances based on network, geography, business unit, or other logical relationships.
Note: Clustering is not used to load balance or route mail between ESAs. Clustering does not share queue or quarantines between ESAs.
Clusters are implemented as a peer-to-peer architecture; there is no master/slave relationship within a cluster. You may log into any machine to control and administer the cluster.
The user database is shared across all machines in the cluster. That is, there will be only one set of users and one administrator user (with the associated passwords) for an entire cluster. All machines that join a cluster will share a single administrator password which is referred to as the admin password of the cluster.
- Appliances in a cluster must have resolvable hostnames in DNS. Alternatively, you can use IP addresses instead, but you may not mix the two.
- All appliances in a cluster need to use the exact same IP interface names.
- A cluster must consist entirely of appliances running the same version of AsyncOS.
- Appliances can either join the cluster via SSH (typically on port 22) or via the Cluster Communication Service (CCS) (port 2222).
- Once appliances have joined the cluster, they can communicate via SSH or via Cluster Communication Service. The port used is configurable. SSH is typically enabled on port 22, and by default CCS is on port 2222, but you can configure either of these services on a different port.
- In addition to the normal firewall ports that must be opened for the appliance, clustered appliances communicating via CCS must be able to connect with each other via the CCS port.
- You must use the CLI command clusterconfig to create, join, or configure clusters of appliances. Once you have created a cluster, you can manage non-cluster configuration settings from either the GUI or the CLI.
- When you run clusterconfig on a standalone appliance, you are first prompted:
Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
- Once the cluster is configured, you are presented the full clusterconfig menu:
This command is restricted to "cluster" mode. Would you like to switch to "cluster" mode? [Y]>
Choose the operation you want to perform:
- ADDGROUP - Add a cluster group.
- SETGROUP - Set the group that machines are a member of.
- RENAMEGROUP - Rename a cluster group.
- DELETEGROUP - Remove a cluster group.
- REMOVEMACHINE - Remove a machine from the cluster.
- SETNAME - Set the cluster name.
- LIST - List the machines in the cluster.
- CONNSTATUS - Show the status of connections between machines in the cluster.
- COMMUNICATION - Configure how machines communicate within the cluster.
- DISCONNECT - Temporarily detach machines from the cluster.
- RECONNECT - Restore connections with machines that were previously detached.
- PREPJOIN - Prepare the addition of a new machine over CCS.
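A pre-flight script for the prerequisites listed above (no mixing of hostnames and IP addresses, resolvable hostnames, identical AsyncOS version and interface names, reachable SSH/CCS port). This is an added example, not Cisco code or part of the original document; the inventory format, the resolver hook and the sample appliance names and version strings are assumptions of the script.

```python
"""Pre-flight check for the ESA clustering prerequisites above. Added example,
not Cisco code: inventory format, resolver hook and sample data are assumed."""
import ipaddress
import socket

def is_ip(address):
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def dns_resolves(host):
    """Default resolver hook: True if 'host' has a DNS record."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def port_reachable(host, port=2222, timeout=3.0):
    """True if TCP host:port accepts a connection (22 for SSH, 2222 for CCS)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_inventory(inventory, resolver=dns_resolves):
    """Return the violated prerequisites (empty list = looks ready). inventory:
    one {'address', 'version', 'interfaces'} dict per appliance."""
    problems = []
    if len({is_ip(m["address"]) for m in inventory}) > 1:  # no mixing
        problems.append("mixed hostnames and IP addresses; use one or the other")
    for m in inventory:  # hostnames must resolve in DNS
        if not is_ip(m["address"]) and not resolver(m["address"]):
            problems.append(f"{m['address']}: hostname does not resolve")
    versions = {m["version"] for m in inventory}  # same AsyncOS everywhere
    if len(versions) > 1:
        problems.append(f"AsyncOS versions differ: {sorted(versions)}")
    if len({tuple(sorted(m["interfaces"])) for m in inventory}) > 1:
        problems.append("IP interface names differ between appliances")
    return problems

SAMPLE_OK = [  # constructed sample: two appliances meeting every prerequisite
    {"address": "esa1.example.com", "version": "sample-1", "interfaces": ["Management", "Data1"]},
    {"address": "esa2.example.com", "version": "sample-1", "interfaces": ["Data1", "Management"]},
]
```

Run check_inventory against your own inventory before issuing clusterconfig, and port_reachable from each appliance's network toward the others to confirm the firewall rules for the CCS or SSH port.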