Manual 18119274

Send document comments to vsg-docfeedback@cisco.com.
CHAPTER 5
Cisco Virtual Security Gateway High Availability
This chapter describes how to configure high availability (HA) for the Cisco Virtual Security Gateway
(VSG).
This chapter includes the following sections:
• Information About High Availability
• System-Control Services
• Cisco VSG HA Pairs
• Cisco VSG HA Pair Failover
• Cisco VSG HA Guidelines and Limitations
• Changing the Cisco VSG Role
• Configuring a Failover
• Assigning IDs to HA Pairs
• Pairing a Second Cisco VSG with an Active Cisco VSG
• Replacing the Standby Cisco VSG in an HA Pair
• Replacing the Active Cisco VSG in an HA Pair
• Verifying the HA Status
Information About High Availability
Cisco VSG HA is a subset of the Cisco NX-OS HA. Redundancy or HA is provided by one active Cisco
VSG and one standby Cisco VSG. The active Cisco VSG runs and controls all the system applications.
Applications are started and initialized in standby mode on the standby Cisco VSG as they are
synchronized and updated on the active Cisco VSG. When a failover occurs, the standby Cisco VSG
takes over for the active Cisco VSG. The following HA features minimize or prevent traffic disruption
in the event of a failure:
• Redundancy—HA pairing of devices
• Isolation of processes—Software component isolation
• Supervisor and Cisco VSG failover—HA pairing of the active/standby Cisco VSG
Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide, Release 4.2(1)VSG1(2)
OL-25095-01
Figure 5-1 shows the Cisco VSG HA model.
Figure 5-1 Cisco VSG High Availability (diagram labels: VSG Active, VSG Standby, VSM Active, VSM Standby, HA Primary (Ctrl VLAN), HA Secondary (Mgmt VLAN), VEM; each VNIC associated with a VSG pair)
This section includes the following topics:
• Redundancy
• Isolation of Processes
• Cisco VSG Failover
Redundancy
Cisco VSG redundancy is equivalent to HA pairing. The possible redundancy states are active and
standby. An active Cisco VSG is paired with a standby Cisco VSG. HA pairing is based on the Cisco
VSG ID. Two Cisco VSGs that are assigned the identical ID are automatically paired. All processes
running in the Cisco VSG are critical on the data path. If one process fails in an active Cisco VSG, a
failover to the standby Cisco VSG occurs instantly and automatically.
Isolation of Processes
The Cisco VSG software contains independent processes, known as services, that perform a function or
set of functions for a subsystem or feature set. Each service and service instance runs as an independent,
protected process. This way of operating provides a highly fault-tolerant software infrastructure and
fault isolation between services. A failure in a service instance does not affect any other services that are
running at that time. Additionally, each instance of a service can run as an independent process, which
means that two instances of a routing protocol can run as separate processes.
Cisco VSG Failover
When a failover occurs, the Cisco VSG HA pair configuration allows uninterrupted traffic forwarding
by using a stateful failover. For information about a Cisco VSG failover, see the “Cisco VSG HA Pair
Failover” section on page 5-6.
System-Control Services
The Cisco VSG allows stateful restarts of most processes and services. Back-end management of
processes, services, and applications is handled by the following high-level system-control services:
• System Manager
• Persistent Storage Service
• Message and Transaction Service
• HA Policies
Figure 5-2 shows the system-control services.
Figure 5-2 System-Control Services (diagram labels: Active VSG, Standby VSG, Application, System Manager, MTS, Redundancy Driver, Persistent Services, AIPC Msgs, EOBC, HA Heartbeats, EOBC/Inband)
This section includes the following topics:
• System Manager
• Persistent Storage Service
• Message and Transaction Service
• HA Policies
System Manager
The System Manager (SM) directs overall system function, service management, and system health
monitoring, and enforces high-availability policies. The SM is responsible for launching, stopping,
monitoring, and restarting services, and for initiating and managing the synchronization of service states
and supervisor states.
Persistent Storage Service
The Persistent Storage Service (PSS) stores and manages the operational run-time information and
configuration of platform services. The PSS component works with system services to recover states if
a service restart occurs. It functions as a database of state and run-time information, which allows
services to make a checkpoint of their state information whenever needed. A restarting service can
recover the last known operating state that preceded a failure.
Each service that uses PSS can define its stored information as private (it can be read only by that
service) or shared (the information can be read by other services). If the information is shared, the
service can specify that it is local (the information can be read only by services on the same supervisor)
or global (it can be read by services on either supervisor or on modules).
Message and Transaction Service
The message and transaction service (MTS) is an interprocess communications (IPC) message broker
that specializes in high-availability semantics. The MTS handles message routing and queuing between
services on and across modules and between supervisors. The MTS facilitates the exchange of messages,
such as event notification, synchronization, and message persistency, between system services and
system components. The MTS can maintain persistent messages and logged messages in queues for
access even after a service restart.
HA Policies
The Cisco NX-OS software usually allows each service to have an associated set of internal HA policies
that define how a failed service is restarted. When a process fails on a device, System Manager performs
a stateful restart, a stateless restart, or a failover.
Note
Only processes that are borrowed by a Cisco VSG from a VSM restart. Processes that are native to a
Cisco VSG, such as policy engine or inspect, do not restart. A failed native Cisco VSG process causes
an automatic failover.
Cisco VSG HA Pairs
Cisco VSG HA pairs have the following characteristics:
• Redundancy is provided by one active Cisco VSG and one standby Cisco VSG.
• The active Cisco VSG runs and controls all the system applications.
• Applications are started and initialized in standby mode on the standby Cisco VSG.
• Applications are synchronized and updated on the standby Cisco VSG.
• When a failover occurs, the standby Cisco VSG takes over for the active Cisco VSG.
This section includes the following topics:
• Cisco VSG Roles
• HA Pair States
• Cisco VSG HA Pair Synchronization
Cisco VSG Roles
The Cisco VSG roles are as follows:
• Standalone—This role does not interact with other Cisco VSGs. You assign this role when there is
only one Cisco VSG in the system. This role is the default.
• Primary—This role coordinates the active/standby state with the secondary Cisco VSG. It takes
precedence during bootup when negotiating the active/standby mode. That is, if the secondary Cisco
VSG does not have the active role at bootup, the primary Cisco VSG takes the active role. You assign
this role to the first Cisco VSG that you install in an HA Cisco VSG system.
• Secondary—This role coordinates the active/standby state with the primary Cisco VSG. You assign
this role to the second Cisco VSG that you add to a Cisco VSG HA pair.
HA Pair States
The Cisco VSG HA pair states are as follows:
• Active—This state indicates the Cisco VSG is active and controls the system. It is visible to the user
through the show system redundancy status command.
• Standby—This state indicates that the Cisco VSG has synchronized its configuration with the active
Cisco VSG so that it is continuously ready to take over in case of a failure or manual switchover.
Cisco VSG HA Pair Synchronization
The active and standby Cisco VSGs automatically synchronize when the internal state of one is active
and the internal state of the other is standby.
If the output of the show system redundancy status command indicates that the operational redundancy
mode of the active Cisco VSG is none, the active and standby Cisco VSGs are not synchronized.
This example shows the internal state of a Cisco VSG HA pair when the two Cisco VSGs are synchronized:
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   primary
         operational:   primary

Redundancy mode
---------------
      administrative:   HA
         operational:   HA

This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with HA standby

Other supervisor (sup-2)
------------------------
    Redundancy state:   Standby
    Supervisor state:   HA standby
      Internal state:   HA standby
vsg#
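The synchronization rule above (an operational redundancy mode of none means the pair is not synchronized) and the chapter's requirement that the standby be in the HA standby state can be checked mechanically before a switchover. The following Python sketch is an added example, not part of the Cisco guide; the function names are hypothetical, the sample outputs are constructed from the outputs printed in this chapter, and reading the standby condition from the "Supervisor state" field is an assumption.

```python
import re

# Constructed samples modelled on the 'show system redundancy status'
# outputs printed in this chapter; only three fields vary.
TEMPLATE = """\
vsg# show system redundancy status
Redundancy role
---------------
  administrative: primary
  operational: primary
Redundancy mode
---------------
  administrative: HA
  operational: {mode}
This supervisor (sup-1)
-----------------------
  Redundancy state: Active
  Supervisor state: Active
  Internal state: {this_internal}
Other supervisor (sup-2)
------------------------
{other}
vsg#
"""
SYNCED = TEMPLATE.format(
    mode="HA", this_internal="Active with HA standby",
    other="  Redundancy state: Standby\n  Supervisor state: HA standby\n"
          "  Internal state: HA standby")
NO_STANDBY = TEMPLATE.format(
    mode="None", this_internal="Active with no standby",
    other="  Redundancy state: Not present")
BOTH_ACTIVE = TEMPLATE.format(
    mode="None", this_internal="Active with no standby",
    other="  Redundancy state: Active\n  Supervisor state: Active\n"
          "  Internal state: Active with no standby")


def parse_redundancy_status(text):
    """Return {section: {field: value}} with lower-cased section/field names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, dashed rules and CLI prompt lines.
        if not line or set(line) == {"-"} or "#" in line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            if current is not None:
                sections[current][key.strip().lower()] = value.strip()
        else:
            # Section header, e.g. "This supervisor (sup-1)".
            current = re.sub(r"\s*\(.*\)$", "", line).lower()
            sections[current] = {}
    return sections


def failover_readiness(text):
    """Apply the chapter's readiness conditions; return (ready, problems)."""
    s = parse_redundancy_status(text)
    mode = s.get("redundancy mode", {}).get("operational", "missing")
    this = s.get("this supervisor", {}).get("redundancy state", "missing")
    other = s.get("other supervisor", {})
    other_red = other.get("redundancy state", "missing")
    problems = []
    if mode.lower() != "ha":
        problems.append(f"operational redundancy mode is {mode}: pair not synchronized")
    if this.lower() != "active":
        problems.append(f"this supervisor is {this}: run the check on the active VSG")
    if this.lower() == "active" and other_red.lower() == "active":
        problems.append("both supervisors report Active: role conflict")
    # Assumption: the stable standby is the one whose supervisor state
    # reads "HA standby", as in the chapter's synchronized sample.
    elif other.get("supervisor state", "").lower() != "ha standby":
        problems.append(f"other supervisor is {other_red}: no stable HA standby")
    return (not problems, problems)


if __name__ == "__main__":
    for name, sample in [("synced", SYNCED), ("no standby", NO_STANDBY),
                         ("both active", BOTH_ACTIVE)]:
        print(name, failover_readiness(sample))
```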
Cisco VSG HA Pair Failover
The Cisco VSG HA pair configuration allows uninterrupted traffic forwarding using a stateful failover
when a failure occurs. The pair operates in an active/standby capacity in which only one is active at any
given time, while the other acts as a standby backup. The two Cisco VSGs constantly synchronize the
state and configuration in order to provide a stateful failover of most services.
This section includes the following topics:
• Failover Characteristics
• Automatic Failover
• Manual Failover
Failover Characteristics
A failover occurs when the active Cisco VSG fails. It has the following characteristics:
• It is stateful, or nondisruptive, because control traffic is not affected.
• It does not disrupt data traffic because the Virtual Ethernet Modules (VEMs) are not affected.
Automatic Failover
When a stable standby Cisco VSG detects that the active Cisco VSG has failed, it initiates a failover and
transitions to active. When a failover begins, another failover cannot be started until a stable standby
Cisco VSG is available. If a standby Cisco VSG that is not stable detects that an active Cisco VSG has
failed, then instead of initiating a failover, it tries to restart the pair.
Manual Failover
Before you can initiate a manual failover from the active to the standby Cisco VSG, the standby Cisco
VSG must be stable. To find out if it is, see the “Verifying that a Cisco VSG Pair is Ready for a Failover”
section on page 5-9. Once you have verified that the standby Cisco VSG is stable, you can manually
initiate a failover. For the procedure, see the “Manually Switching the Active Cisco VSG to Standby”
section on page 5-10. Once a failover process begins, another failover process cannot be started until a
stable standby Cisco VSG is available.
Cisco VSG HA Guidelines and Limitations
HA pairs have the following configuration guidelines and limitations:
• Although primary and secondary Cisco VSGs can reside in the same host, to improve redundancy
install them in separate hosts and, if possible, connect them to different upstream switches.
• The console for the standby Cisco VSG is available through the vSphere client or by using the attach
module [1 | 2] command depending on whether the primary is active or not, but configuration is not
allowed and many commands are restricted. The attach module [1 | 2] command must be executed
at the console of the active Cisco VSG.
Changing the Cisco VSG Role
You can change the role of a Cisco VSG to one of the following after it is already in service:
• Standalone
• Primary
• Secondary
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
Caution
Changing the role of a Cisco VSG can result in a conflict between the pair. If a primary and secondary
see each other as active at the same time, the system resolves this problem by resetting the primary Cisco
VSG. If you are changing a standalone Cisco VSG to a secondary Cisco VSG, be sure to first isolate it
from the other Cisco VSG in the pair to prevent any interaction with the primary Cisco VSG during the
change. Power the Cisco VSG off before reconnecting it as standby.
• You are logged into the CLI in EXEC mode.
• To activate a change from a primary to a secondary Cisco VSG, you must reload the primary Cisco
VSG by doing one of the following:
– Enter the reload command.
– Power the Cisco VSG off and then on from the vSphere Client.
• A change from a standalone to a primary Cisco VSG takes effect immediately.
To change a standalone Cisco VSG to a secondary Cisco VSG, see the “Pairing a Second Cisco VSG
with an Active Cisco VSG” section on page 5-13.
SUMMARY STEPS
1. system redundancy role {standalone | primary | secondary}
2. show system redundancy status
3. (Optional) copy running-config startup-config
DETAILED STEPS
Step 1
Command: system redundancy role {standalone | primary | secondary}
Purpose: Specifies the HA role of a Cisco VSG.
Example:
vsg# system redundancy role primary
Step 2
Command: show system redundancy status
Purpose: (Optional) Displays the current redundancy status for the Cisco VSG.
Example:
vsg# show system redundancy status
Step 3
Command: copy running-config startup-config
Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it
to the startup configuration.
Example:
vsg# copy running-config startup-config
EXAMPLES
This example shows how to specify the HA role of a Cisco VSG:
vsg# system redundancy role standalone
vsg#
This example shows how to display the system redundancy status of a standalone Cisco VSG:
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   standalone
         operational:   standalone

Redundancy mode
---------------
      administrative:   HA
         operational:   None

This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with no standby

Other supervisor (sup-2)
------------------------
    Redundancy state:   Not present
vsg#
This example shows how to copy the running configuration to the startup configuration:
vsg# copy running-config startup-config
[########################################] 100%
vsg#
Configuring a Failover
This section includes the following topics:
• Guidelines and Limitations
• Verifying that a Cisco VSG Pair is Ready for a Failover
• Manually Switching the Active Cisco VSG to Standby
Guidelines and Limitations
Failovers have the following configuration guidelines:
• When you manually initiate a failover, system messages are generated that indicate the presence of
two Cisco VSGs and identify which one is becoming active.
• A failover can only be done when both Cisco VSGs are functioning.
Verifying that a Cisco VSG Pair is Ready for a Failover
You can verify that both an active and standby Cisco VSG are in place and operational before proceeding
with a failover.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged into the CLI in EXEC mode.
• If the standby Cisco VSG is not in a stable state (the state must be ha-standby), a manually initiated
failover cannot be done.
SUMMARY STEPS
1. show system redundancy status
DETAILED STEPS
Step 1
Command: show system redundancy status
Purpose: Displays the current redundancy status for the Cisco VSG(s).
If the output indicates the following, you can proceed with a system failover, if needed:
• The presence of an active Cisco VSG
• The presence of a standby Cisco VSG in the HA standby redundancy state
Example:
vsg# show system redundancy status
EXAMPLES
This example shows how to verify that a Cisco VSG pair is ready for a failover:
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   primary
         operational:   primary

Redundancy mode
---------------
      administrative:   HA
         operational:   None

This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with no standby

Other supervisor (sup-2)
------------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with no standby
Manually Switching the Active Cisco VSG to Standby
You can manually switch an active Cisco VSG to standby in an HA pair.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged in to the active Cisco VSG CLI in EXEC mode.
• You have completed the steps in the “Verifying that a Cisco VSG Pair is Ready for a Failover”
section on page 5-9 and have found the system to be ready for a failover.
• A failover can be performed only when two Cisco VSGs are functioning.
• If the standby Cisco VSG is not in a stable state, you cannot initiate a manual failover and you see
the following error message:
Failed to switchover (standby not ready to takeover in vdc 1)
• Once you enter the system switchover command, you cannot start another failover process on the
same system until a stable standby Cisco VSG is available.
• Any unsaved running configuration that was available in the active Cisco VSG is still unsaved in the
new active Cisco VSG. You can verify this unsaved running configuration by using the show
running-config diff command. Save that configuration, if needed, as you would do in the other
Cisco VSG by entering the copy running-config startup-config command.
SUMMARY STEPS
1. system switchover
2. (Optional) show running-config diff
3. configure
4. (Optional) copy running-config startup-config
DETAILED STEPS
Step 1
Command: system switchover
Purpose: Initiates a manual failover from the active Cisco VSG to the standby Cisco VSG.
Note
Once you enter this command, you cannot start another failover process on the same system
until a stable standby Cisco VSG is available.
Note
Before proceeding, wait until the switchover completes and the standby supervisor becomes
active.
Example:
vsg# system switchover
Step 2
Command: show running-config diff
Purpose: (Optional) Verifies the difference between the running and startup configurations.
Any unsaved running configuration in an active Cisco VSG is also unsaved in the Cisco VSG that becomes
active after a failover. Save that configuration in the startup if needed.
Example:
vsg# show running-config diff
Step 3
Command: configure
Purpose: Places you in global configuration mode.
Example:
vsg# configure
Step 4
Command: copy running-config startup-config
Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it
to the startup configuration.
Example:
vsg# copy running-config startup-config
EXAMPLES
This example shows how to switch an active Cisco VSG to the standby Cisco VSG and displays the
output that appears on the standby Cisco VSG as it becomes the active Cisco VSG:
vsg# system switchover
----------------------------
2011 Jan 18 04:21:56 n1000v %$ VDC-1 %$ %SYSMGR-2-HASWITCHOVER_PRE_START: This supervisor is becoming active (pre-start phase).
2011 Jan 18 04:21:56 n1000v %$ VDC-1 %$ %SYSMGR-2-HASWITCHOVER_START: This supervisor is becoming active.
2011 Jan 18 04:21:57 n1000v %$ VDC-1 %$ %SYSMGR-2-SWITCHOVER_OVER: Switchover completed.
2011 Jan 18 04:22:03 n1000v %$ VDC-1 %$ %PLATFORM-2-MOD_REMOVE: Module 1 removed (Serial number )
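The switchover messages above are what a log collector sees when a Cisco VSG takes over, so they can be grouped into one record per takeover and reconciled with planned maintenance. The following Python sketch is an added example, not part of the Cisco guide; the first four sample lines are the messages printed above, the fifth is constructed, and the function names, record fields and 30-second correlation window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines 1-4 are the messages printed in this chapter; line 5 is constructed
# to show a takeover that starts but never logs a completion.
SAMPLE_LOG = """\
2011 Jan 18 04:21:56 n1000v %$ VDC-1 %$ %SYSMGR-2-HASWITCHOVER_PRE_START: This supervisor is becoming active (pre-start phase).
2011 Jan 18 04:21:56 n1000v %$ VDC-1 %$ %SYSMGR-2-HASWITCHOVER_START: This supervisor is becoming active.
2011 Jan 18 04:21:57 n1000v %$ VDC-1 %$ %SYSMGR-2-SWITCHOVER_OVER: Switchover completed.
2011 Jan 18 04:22:03 n1000v %$ VDC-1 %$ %PLATFORM-2-MOD_REMOVE: Module 1 removed (Serial number )
2011 Jan 18 09:10:12 n1000v %$ VDC-1 %$ %SYSMGR-2-HASWITCHOVER_PRE_START: This supervisor is becoming active (pre-start phase).
"""

# timestamp, host, then the %FACILITY-SEVERITY-MNEMONIC: text part.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
START = {"HASWITCHOVER_PRE_START", "HASWITCHOVER_START"}
RELATED_WINDOW = timedelta(seconds=30)  # assumption of this example


def find_switchovers(log_text):
    """Group SYSMGR switchover messages into one record per takeover."""
    events, open_ev, last_ev = [], {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
        host = m["host"]
        tag = f'{m["facility"]}-{m["sev"]}-{m["mnemonic"]}'
        if m["facility"] == "SYSMGR" and m["mnemonic"] in START:
            # PRE_START and START of the same takeover share one record.
            if host not in open_ev:
                ev = {"host": host, "started": ts, "completed": None,
                      "seconds": None, "related": []}
                open_ev[host] = last_ev[host] = ev
                events.append(ev)
        elif m["facility"] == "SYSMGR" and m["mnemonic"] == "SWITCHOVER_OVER":
            if host in open_ev:
                ev = open_ev.pop(host)
                ev["completed"] = ts
                ev["seconds"] = (ts - ev["started"]).total_seconds()
        elif host in last_ev and ts - last_ev[host]["started"] <= RELATED_WINDOW:
            # Other messages shortly after a takeover, e.g. MOD_REMOVE.
            last_ev[host]["related"].append(tag)
    return events


def unfinished(events):
    """Takeovers that started but never logged SWITCHOVER_OVER."""
    return [ev for ev in events if ev["completed"] is None]


if __name__ == "__main__":
    for ev in find_switchovers(SAMPLE_LOG):
        print(ev["host"], ev["started"], ev["seconds"], ev["related"])
```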
This example shows how to display the difference between the running and startup configurations:
vsg# show running-config diff
*** Startup-config
--- Running-config
***************
*** 1,38 ****
version 4.0(4)SV1(1)
role feature-group name new
role name testrole
username admin password 5 $1$S7HvKc5G$aguYqHl0dPttBJAhEPwsy1
telnet server enable
ip domain-lookup
role network-admin
This example shows how to copy the running configuration to the startup configuration:
vsg# configure
vsg(config)# copy running-config startup-config
[########################################] 100%
vsg(config)#
Assigning IDs to HA Pairs
You can create Cisco VSG HA pairs. Each HA pair is uniquely identified by an identification (ID) called
an HA pair ID. The configuration state synchronization between the active and standby Cisco VSGs
occurs between those Cisco VSG pairs that share the same HA pair ID.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged in to the CLI in configuration mode.
SUMMARY STEPS
1. configure
2. ha-pair id {number}
DETAILED STEPS
Step 1
Command: configure
Purpose: Places you in global configuration mode.
Example:
vsg# configure
Step 2
Command: ha-pair id {number}
Purpose: Assigns an ID to an HA pair.
Example:
vsg(config-svs-domain)# ha-pair id 10
EXAMPLES
This example shows how to assign an ID to an HA pair:
vsg# configure
vsg(config)# ha-pair id 10
vsg(config)#
Pairing a Second Cisco VSG with an Active Cisco VSG
You can change a standalone Cisco VSG into an HA pair by adding a second Cisco VSG.
This section includes the following topics:
• Changing the Standalone Cisco VSG to a Primary Cisco VSG
• Verifying the Change to a Cisco VSG HA Pair
BEFORE YOU BEGIN
Before adding a second Cisco VSG to a standalone system, you must know or do the following:
• You are logged into the CLI in EXEC mode.
• Although primary and secondary Cisco VSGs can reside in the same host, you can improve
redundancy by installing them in separate hosts and, if possible, connecting them to different
upstream switches.
• When installing the second Cisco VSG, assign it with the secondary role.
• Set up the port groups for the dual Cisco VSG VMs with the same parameters in both hosts.
• After the secondary Cisco VSG is paired, the following occurs automatically:
– The secondary Cisco VSG is reloaded and added to the system.
– The secondary Cisco VSG negotiates with the primary Cisco VSG and becomes the standby
Cisco VSG.
– The standby Cisco VSG synchronizes its configuration and state with the primary Cisco VSG.
Changing the Standalone Cisco VSG to a Primary Cisco VSG
You can change the role of a Cisco VSG from standalone to primary in a Cisco VSG HA pair.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged into the CLI in EXEC mode.
• A change from a standalone to a primary takes effect immediately.
SUMMARY STEPS
1. system redundancy role primary
2. show system redundancy status
3. configure
4. (Optional) copy running-config startup-config
DETAILED STEPS
Step 1
Command: system redundancy role primary
Purpose: Changes the standalone Cisco VSG to a primary Cisco VSG.
The role change occurs immediately.
Example:
vsg# system redundancy role primary
Step 2
Command: show system redundancy status
Purpose: Displays the current redundancy state for the Cisco VSG.
Example:
vsg# show system redundancy status
Step 3
Command: configure
Purpose: Places you in global configuration mode.
Example:
vsg# configure
Step 4
Command: copy running-config startup-config
Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it
to the startup configuration.
Example:
vsg(config)# copy running-config startup-config
EXAMPLES
This example shows how to change the standalone Cisco VSG to a primary Cisco VSG:
vsg# system redundancy role primary
vsg#
This example shows how to display the current system redundancy status for a Cisco VSG:
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   primary
         operational:   primary

Redundancy mode
---------------
      administrative:   HA
         operational:   None

This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with no standby

Other supervisor (sup-2)
------------------------
    Redundancy state:   Not present
This example shows how to copy the running configuration to the startup configuration:
vsg# configure
vsg(config)# copy running-config startup-config
[########################################] 100%
vsg(config)#
Verifying the Change to a Cisco VSG HA Pair
You can verify a change from a single Cisco VSG to a Cisco VSG HA pair.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged into the CLI in EXEC mode.
• You have already changed the single Cisco VSG role from standalone to primary. See the “Changing
the Standalone Cisco VSG to a Primary Cisco VSG” section on page 5-13.
SUMMARY STEPS
1. show system redundancy status
DETAILED STEPS
Step 1
Command: show system redundancy status
Purpose: Displays the current redundancy status for Cisco VSGs in the system.
Example:
vsg# show system redundancy status
EXAMPLES
This example shows how to display the current redundancy status for Cisco VSGs in the system. In this
example, the primary and secondary Cisco VSGs are shown following a change from a single Cisco VSG
system to a dual Cisco VSG system.
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   primary
         operational:   primary

Redundancy mode
---------------
      administrative:   HA
         operational:   HA

This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with HA standby

Other supervisor (sup-2)
------------------------
    Redundancy state:   Standby
    Supervisor state:   HA standby
      Internal state:   HA standby
Replacing the Standby Cisco VSG in an HA Pair
You can replace a standby/secondary Cisco VSG in an HA pair.
Note
Equipment Outage—This procedure requires that you power down and reinstall a Cisco VSG. During
this time, your system will be operating with a single Cisco VSG.
PROCEDURE
Step 1 Power off the standby Cisco VSG.
Step 2 Install the new Cisco VSG as a standby, with the same domain ID as the existing Cisco VSG.
After the new Cisco VSG is added to the system, it synchronizes with the existing Cisco VSG.
Replacing the Active Cisco VSG in an HA Pair
You can replace an active/primary Cisco VSG in an HA pair.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
• You are logged into the CLI in EXEC mode.
• You must configure the port groups so that the new primary Cisco VSG cannot communicate with
the secondary Cisco VSG or any of the VEMs during the setup. Cisco VSGs with a primary or
secondary redundancy role have built-in mechanisms for detecting and resolving the conflict
between two Cisco VSGs in the active state. In order to avoid these mechanisms during the
configuration of the new primary Cisco VSG, you must isolate the new primary Cisco VSG from the
secondary Cisco VSG.
Note
Equipment Outage—This procedure requires powering down and reinstalling a Cisco VSG. During this
time, your system will be operating with a single Cisco VSG.
PROCEDURE
Step 1 Power off the active Cisco VSG.
The secondary Cisco VSG becomes active.
Step 2 On a vSphere Client, change the port group configuration for the new primary Cisco VSG to prevent
communication with the secondary Cisco VSG and the VEMs during setup.
Step 3 Install the new Cisco VSG as the primary, with the same domain ID as the existing Cisco VSG.
Step 4 On the vSphere Client, change the port group configuration for the new primary Cisco VSG to permit
communication with the secondary Cisco VSG and the VEMs.
Step 5 Power up the new primary Cisco VSG.
The new primary Cisco VSG starts and automatically synchronizes all configuration data with the
secondary, which is currently the active Cisco VSG. Because the existing Cisco VSG is active, the new
primary Cisco VSG becomes the standby Cisco VSG and receives all configuration data from the
existing active Cisco VSG.
Verifying the HA Status
You can display and verify the HA status.
SUMMARY STEPS
1. show system redundancy status
DETAILED STEPS
        Command                               Purpose
Step 1  show system redundancy status         Displays the HA status of the system.
        Example:
        vsg# show system redundancy status
EXAMPLES
This example shows how to display the system redundancy status:
vsg# show system redundancy status
Redundancy role
---------------
      administrative:   primary
         operational:   primary
Redundancy mode
---------------
      administrative:   HA
         operational:   HA
This supervisor (sup-1)
-----------------------
    Redundancy state:   Active
    Supervisor state:   Active
      Internal state:   Active with HA standby
Other supervisor (sup-2)
------------------------
    Redundancy state:   Standby
    Supervisor state:   HA standby
      Internal state:   HA standby
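The status output above can be checked automatically after a replacement procedure. The following is an added example, not part of the Cisco guide: the function names and the DEGRADED sample are assumptions made here, and the checks cover only the fields shown in the example output.

```python
# Output reproduced from the page's example (healthy HA pair), whitespace normalised.
HEALTHY = """\
Redundancy role
---------------
administrative: primary
operational: primary
Redundancy mode
---------------
administrative: HA
operational: HA
This supervisor (sup-1)
-----------------------
Redundancy state: Active
Supervisor state: Active
Internal state: Active with HA standby
Other supervisor (sup-2)
------------------------
Redundancy state: Standby
Supervisor state: HA standby
Internal state: HA standby
"""
# Constructed sample, not from the page: only the peer section is changed.
DEGRADED = HEALTHY.split("Other supervisor")[0] + (
    "Other supervisor (sup-2)\nRedundancy state: Not present\n")

def parse_redundancy(text):
    """Return {section: {field: value}} for 'show system redundancy status'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()  # drops rules, even fused to a field
        if line and ":" not in line:  # section title, e.g. "This supervisor (sup-1)"
            current = line.split("(")[0].strip().lower()
            sections[current] = {}
        elif line and current is not None:
            key, value = (part.strip() for part in line.split(":", 1))
            sections[current][key.lower()] = value
    return sections

def ha_problems(text):
    """List reasons the pair is not one Active plus one Standby in HA mode."""
    s, problems = parse_redundancy(text), []
    if s.get("redundancy mode", {}).get("operational") != "HA":
        problems.append("operational redundancy mode is not HA")
    states = [s.get(k, {}).get("redundancy state")
              for k in ("this supervisor", "other supervisor")]
    if sorted(map(str, states)) != ["Active", "Standby"]:
        problems.append(f"expected Active + Standby, got {states}")
    return problems
```

An empty list from ha_problems means the pair reports one active and one standby Cisco VSG in HA mode; two Active states, the conflict the isolation step is meant to avoid, are reported as a problem.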
This example shows how to display the state and start count of all processes:
vsg# show processes