From: Tom Daniel (twdaniel@xxxxxxxxxxxxx)
Date: Fri Oct 26 2001 - 21:01:42 GMT-3
The CSS and the Nokias are both running OSPF. I need to do some testing to
determine which ones should be the DR/BDR. Do you have any recommendations?
The Firewalls or the CSS switch. Evidently the Secondary CSS does not
activate the ethernet interfaces until the primary CSS fails. Therefore, it
takes 10 seconds to form the adjacencies and learn the routes. In your
experience with the Foundry equipment, did you use a routing protocol or
static routes?? I would like to stay away from static routes but want the
failover to be seamless.
You are correct on the spanning tree. We have it disabled.
I really appreciate the help......
Tom
-----Original Message-----
From: Brant Stevens [mailto:branto@myrealbox.com]
Sent: Friday, October 26, 2001 6:38 PM
To: twdaniel@bellsouth.net; ccielab@groupstudy.com
Subject: Re: Cisco CSS Firewall LoadBalancing
I've done similar networks with Foundry ServerIrons, not the CSS switches.
In that configuration, the FSI was a layer 2/4 device, that was also
active/passive... The failover was undetectable, to both me and our load
testing software...
Are the CSS's blocking LSAs on the passive box, or are they acting as OSPF
routers themselves... What are the DR/BDRs on your network? The Nokias, or
the CSS, if they are in fact running OSPF natively...
Also, try turning off spanning tree on the redundant (failover)
interfaces... Depending on your infrastructure, you may be able to disable
it completely...
HTH,
Brant
----- Original Message -----
From: <twdaniel@bellsouth.net>
To: <ccielab@groupstudy.com>
Sent: Friday, October 26, 2001 3:41 PM
Subject: OT: Cisco CSS Firewall LoadBalancing
> I have configured firewall loadbalancing using the Cisco CSS 11000 series
> switches. Loadbalancing works perfectly with the CSS switches working in a
> primary and backup mode using VRRP and static routes. I am trying to use OSPF
> throughout the backbone. This also works correctly with the primary/backup
> CSS configuration as shown. However, the convergence time can be over 20
> secs. The backup CSS does not initialize the FastEthernet interfaces until it
> sees that the primary CSS's interface has gone down. This delays the
> building of OSPF adjacencies and increases the convergence time. I would like
> to decrease this time by having the CSS operate in an ACTIVE/ACTIVE mode
> instead of an ACTIVE/PASSIVE mode. This would allow both CSS switches to
> learn the OSPF routes and eliminate convergence time altogether. Is this
> feasible??? Anyone else have any other ideas or comments? The firewalls are
> Nokia IP600 running Checkpoint. Thanks for your assistance.
>
> http://www.cisco.com/warp/public/117/fw_load_balancing.html