Re: Cisco CSS Firewall LoadBalancing

From: Brant Stevens (branto@xxxxxxxxxxxxx)
Date: Sat Oct 27 2001 - 14:19:25 GMT-3


The Foundry Boxes do not run OSPF... part of their FW feature set blocks the
LSAs on the secondary box, making the failover so quick.

I am saddled with CSSs right now, and I gotta tell you, I kinda hate them...
lol... Too much trouble with the Gigabit... anyway...

The only thing I can think of is to fiddle with the hello/dead timers to
shorten failover, short of taking the OSPF off of the CSS machines...

I had a sandwich of FSI and Nokias, with Cisco MSFCs and 7200s at the bottom
and top of the infrastructure. The Cisco Equipment was set as the DR/BDR.
I'm leaning towards having the Firewalls as the DR/BDRs... I think that
might help with the DR/BDR election process, and adjacency forming...

How about looking at the failover timeout?

HTH,
Brant
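As an added illustration (not part of Brant's or Tom's messages), this is what the two suggestions above, shortening the hello/dead timers and pinning the DR/BDR role onto the Cisco routers, look like in Cisco IOS syntax on the MSFC/7200 routers Brant mentions. The interface name, addresses, OSPF process ID, area and priority values are assumptions; the CSS and Nokia IPSO command syntax differs and is not shown here.

```cisco
! Added example in Cisco IOS syntax, not taken from the thread.
! Interface name, addressing, process ID, area and priority are assumptions.
router ospf 1
 ! The segment shared with the CSS pair and the firewalls.
 network 10.1.1.0 0.0.0.255 area 0
!
interface FastEthernet0/0
 description Segment shared with CSS pair and Nokia firewalls (assumed)
 ip address 10.1.1.1 255.255.255.0
 ! Highest priority wins the DR election, so a CSS failover does not
 ! force a new DR/BDR election. A priority of 0 makes a router ineligible.
 ip ospf priority 255
 ! Defaults on broadcast media are hello 10 / dead 40 seconds. Shorter
 ! timers detect a dead neighbor sooner, but they must match on every
 ! router on the segment or adjacencies will not form at all.
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
! Verify the timers and the DR/BDR outcome after the change:
! show ip ospf interface FastEthernet0/0
! show ip ospf neighbor
```

Two caveats worth keeping in mind: the dead interval should stay a multiple of the hello interval (3x or 4x is the usual choice), and shorter timers only speed up detection of the failed primary. The delay Tom describes, the backup CSS not initializing its interfaces until it sees the primary go down and then having to form adjacencies and learn routes, is not touched by the timers at all.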

----- Original Message -----
From: "Tom Daniel" <twdaniel@bellsouth.net>
To: "Brant Stevens" <branto@myrealbox.com>; <ccielab@groupstudy.com>
Sent: Friday, October 26, 2001 8:01 PM
Subject: RE: Cisco CSS Firewall LoadBalancing

> The CSS and the Nokias are both running OSPF. I need to do some testing to
> determine which ones should be the DR/BDR. Do you have any recommendations?
> The Firewalls or the CSS switch. Evidently the Secondary CSS does not
> activate the ethernet interfaces until the primary CSS fails. Therefore, it
> takes 10 seconds to form the adjacencies and learn the routes. In your
> experience with the Foundry equipment, did you use a routing protocol or
> static routes?? I would like to stay away from static routes but want the
> failover to be seamless.
>
> You are correct on the spanning tree. We have it disabled.
>
> I really appreciate the help......
>
> Tom
>
> -----Original Message-----
> From: Brant Stevens [mailto:branto@myrealbox.com]
> Sent: Friday, October 26, 2001 6:38 PM
> To: twdaniel@bellsouth.net; ccielab@groupstudy.com
> Subject: Re: Cisco CSS Firewall LoadBalancing
>
>
> I've done similar networks with Foundry ServerIrons, not the CSS switches.
> In that configuration, the FSI was a layer 2/4 device, that was also
> active/passive... The failover was undetectable, to both me and our load
> testing software...
>
> Are the CSS's blocking LSAs on the passive box, or are they acting as OSPF
> routers themselves... What are the DR/BDRs on your network? The Nokias, or
> the CSS, if they are in fact running OSPF natively...
>
> Also, try turning off spanning tree on the redundant (failover)
> interfaces... Depending on your infrastructure, you may be able to disable
> it completely...
>
> HTH,
> Brant
>
>
> ----- Original Message -----
> From: <twdaniel@bellsouth.net>
> To: <ccielab@groupstudy.com>
> Sent: Friday, October 26, 2001 3:41 PM
> Subject: OT: Cisco CSS Firewall LoadBalancing
>
>
> > I have configured firewall loadbalancing using the Cisco CSS 11000 series
> > switches. Loadbalancing works perfectly with the CSS switches working in a
> > primary and backup mode using VRRP and static routes. I am trying to use OSPF
> > throughout the backbone. This also works correctly with the primary/backup
> > CSS configuration as shown. However, the convergence time can be over 20
> > secs. The backup CSS does not initialize the Fastethernet Interfaces until it
> > sees that the primary CSS's interface has gone down. This delays the
> > building of OSPF adjacencies and increases the convergence time. I would like
> > to decrease this time by having the CSS operate in an ACTIVE/ACTIVE mode
> > instead of an ACTIVE/PASSIVE mode. This would allow both CSS switches to
> > learn the OSPF routes and eliminate convergence time altogether. Is this
> > feasible??? Anyone else have any other ideas or comments? The firewalls are
> > Nokia IP600 running Checkpoint. Thanks for your assistance.
> >
> > http://www.cisco.com/warp/public/117/fw_load_balancing.html



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:26 GMT-3