Small to Medium-Sized Network Using Catalyst 3560 Switches

Figure 1-1 shows a configuration for a network of up to 500 employees. This network uses Catalyst 3560 Layer 3 switches with high-speed connections to two routers. For network reliability and load balancing, this network has HSRP enabled on the routers and on the switches. This ensures connectivity to the Internet, WAN, and mission-critical network resources in case one of the routers or switches fails. The switches are using routed uplinks for faster failover. They are also configured with equal-cost routing for load sharing and redundancy.

The switches are connected to workstations, local servers, and IEEE 802.3af-compliant and noncompliant powered devices (such as Cisco IP Phones). The server farm includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and IP phone features and configuration. The switches are interconnected through Gigabit interfaces.

This network uses VLANs to logically segment the network into well-defined broadcast groups and for security management. Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate voice VLAN IDs (VVIDs). If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.

When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the appropriate destination VLAN. In this network, the switches are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switches provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network.

In addition to inter-VLAN routing, the multilayer switches provide QoS mechanisms such as DSCP priorities to prioritize the different types of network traffic and to deliver high-priority traffic in a predictable manner. If congestion occurs, QoS drops low-priority traffic to allow delivery of high-priority traffic.

For pre-standard and IEEE 802.3af-compliant powered devices connected to Catalyst Power over Ethernet (PoE) switches, 802.1p/Q QoS gives voice traffic forwarding priority over data traffic. Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power. A powered device, such as an IP phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.

Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.

With the multilayer switches providing inter-VLAN routing and other network services, the routers focus on firewall services, Network Address Translation (NAT) services, voice-over-IP (VoIP) gateway services, and WAN and Internet access.
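The following configuration is an added example, not taken from the original page or from Cisco's design guide. It shows, on a single Catalyst 3560 running IOS, the pieces the text describes: routed uplinks with two equal-cost default routes, an HSRP gateway on the data VLAN, an access port carrying a data VLAN and a voice VVID with QoS trust tied to phone detection, and a VLAN map that filters traffic inside the data VLAN. All interface numbers, VLAN IDs, addresses, ACL and map names are assumptions.

```cisco
! Added example (not from the original page). Interface numbers, VLAN IDs,
! addresses and names are assumptions.
ip routing
mls qos

! Routed (no switchport) uplinks to the two routers, plus two equal-cost
! default routes so traffic load-shares and survives a router failure.
interface GigabitEthernet0/1
 description Routed uplink to Router-1
 no switchport
 ip address 10.0.1.2 255.255.255.252
interface GigabitEthernet0/2
 description Routed uplink to Router-2
 no switchport
 ip address 10.0.2.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1

! Data VLAN 10 and voice VLAN 110. HSRP on the data SVI gives hosts a
! gateway address that survives the failure of this switch; the peer
! switch carries the same "standby 10" group with a lower priority.
vlan 10
 name DATA
vlan 110
 name VOICE
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt

! Access port for a PC daisy-chained behind a Cisco IP Phone: data on the
! access VLAN, voice on the VVID. CoS is trusted only while a Cisco phone
! is detected by CDP, so a PC plugged in directly cannot mark its own
! traffic as voice priority.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
 power inline auto
 spanning-tree portfast

! Intra-VLAN filtering with a VLAN map: hosts on VLAN 10 may not reach the
! SSH/Telnet ports of the server 10.1.10.50 even though they share its
! VLAN. The ACL only selects packets for the clause; a packet that matches
! no clause is dropped, so the last clause must forward everything else.
ip access-list extended BLOCK-SERVER-MGMT
 permit tcp any host 10.1.10.50 eq 22
 permit tcp any host 10.1.10.50 eq 23
vlan access-map DATA-MAP 10
 match ip address BLOCK-SERVER-MGMT
 action drop
vlan access-map DATA-MAP 20
 action forward
vlan filter DATA-MAP vlan-list 10
```

Verify with `show standby brief` (one switch Active, the other Standby for group 10), `show ip route` (two next hops listed for 0.0.0.0/0), and `show vlan filter` together with `show vlan access-map` to confirm the map is attached to VLAN 10. The trailing `action forward` clause is the check most often missed: without it the map's implicit drop silently blackholes all remaining traffic in the VLAN.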

Figure 1-1 Catalyst 3560 Switches in a Collapsed Backbone Configuration

Switch Failover

Failover Overview

The failover feature lets you use a standby FWSM to take over the functionality of a failed FWSM. Failover is compatible with both routed and transparent firewall modes, and with single and multiple context modes. When the active module fails, it changes to the standby state, while the standby module changes to the active state.

The module that becomes active takes over the active module IP addresses (or, for transparent firewall, the management IP address) and MAC address, and it begins passing traffic. The FWSM has one MAC address for all interfaces. The module that was active and is now in standby state takes over the standby IP addresses and MAC address.

Because network devices see no change in the MAC to IP address pairing, failover is unnoticed by the rest of the network. However, the host switch needs to reassociate the new active and standby chassis slots with their corresponding MAC addresses. The FWSM helps this process by sending out gratuitous ARPs on all its VLAN interfaces.

The standby module can effectively take over as the active module because it has the same configuration, and it is assigned the same VLANs from the switch.

Regular and Stateful Failover

The FWSM supports two types of failover:

• Regular failover—When a failover occurs, all active connections are dropped and clients need to reestablish connections when the new active module takes over.
• Stateful failover—During normal operation, the active module continually passes per-connection stateful information (for each context) to the standby module. The interval between stateful information updates is 10 seconds, but if you set the module polltime to be greater than 10 seconds, then that interval is used.

After a failover occurs, the same connection information is available at the new active module. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby module includes the following data:

– NAT translation table
– TCP connection states
– UDP connection states (for connections lasting at least 15 seconds)
– HTTP connection states (optional; only if HTTP replication is enabled)
– H.323, SIP, and MGCP UDP media connections
– ARP table
– (Transparent firewall mode only) MAC address table

Failover and State Links

This section describes the failover link and, for stateful failover, the state link, and it includes the following topics:

• Failover Link
• State Link

Failover Link

The two modules constantly communicate over a failover link to determine the operating status of each module. Communications over the failover link include the following data:

• The module state (active or standby).
• Hello messages (also sent on all other interfaces).
• Configuration synchronization between the two modules.

The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). For multiple context mode, the failover link resides in the system configuration. This interface (and the state link, if used) is the only configurable interface in the system configuration.

State Link

To use stateful failover, configure a state link to pass all state information. This link can be the same as the failover link, but we recommend that you assign a separate VLAN and IP address for the state link. The state traffic can be large, and performance is improved with separate links. In multiple context mode, the state link resides in the system configuration. This interface and the failover interface are the only interfaces in the system configuration.
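The configuration below is an added example, not from the original page or Cisco's FWSM documentation, showing the failover link and a separate state link described in the two sections above for an active/standby pair of FWSMs in one Catalyst 6500 chassis, single context, routed mode. Slot numbers, VLAN IDs, interface names, addresses and the shared key are assumptions.

```cisco
! Added example (not from the original page). Slots, VLAN IDs, names and
! addresses are assumptions.
!
! --- Catalyst 6500 supervisor: both modules must be assigned the same
! VLANs. VLAN 100 (failover link) and VLAN 101 (state link) carry nothing
! else: no SVI, no access ports, not trunked to other switches.
vlan 100
 name FWSM-FAILOVER
vlan 101
 name FWSM-STATE
firewall vlan-group 1 10,20,100,101
firewall module 3 vlan-group 1
firewall module 4 vlan-group 1
!
! --- Primary FWSM (slot 3). The secondary (slot 4) needs only the
! "failover lan unit secondary", "failover lan interface",
! "failover interface ip" and "failover" commands; everything else reaches
! it through configuration synchronization over the failover link.
failover lan unit primary
! Failover link: module state, hellos and config sync.
failover lan interface fover vlan 100
failover interface ip fover 10.0.100.1 255.255.255.0 standby 10.0.100.2
! Separate state link on its own VLAN and subnet, as recommended above.
failover link flink vlan 101
failover interface ip flink 10.0.101.1 255.255.255.0 standby 10.0.101.2
! Hello every second, declare the peer failed after 3 seconds of silence.
failover polltime unit 1 holdtime 3
! Config sync carries the whole running configuration (including
! credentials) and the state link carries connection tables; the key
! authenticates and encrypts both. Replace the placeholder with a real
! shared secret before use.
failover key REPLACE-WITH-SHARED-SECRET
! Optional: also replicate HTTP connection states (off by default).
failover replication http
! Data interfaces carry an active and a standby address; the standby
! address moves to whichever module is currently standby.
interface vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.5 255.255.255.0 standby 10.1.10.6
interface vlan 20
 nameif outside
 security-level 0
 ip address 192.0.2.5 255.255.255.0 standby 192.0.2.6
! Enable failover last, after both links and the key are in place.
failover
```

Check the result with `show failover` on either module: the primary should report "Active" and the secondary "Standby Ready", with both the failover and state interfaces listed as up. If the state link were omitted, the stateful table listed above would be carried over VLAN 100 alongside hellos and config sync, which is exactly the contention the text warns about.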

This entry was posted on Sunday, January 17th, 2010 at 10:27 pm and is filed under Cisco.

4 Responses to “Small to Medium-Sized Network Using Catalyst 3560 Switches”

  1. Roy Noury Says:

    I really enjoy this site, but I appear to possess some difficulties finding the RSS feed. Please enable me to come across your RSS feed so I can subscribe to your web site. I will verify back later to determine what you've written :)

  2. Demetria Capdeville Says:

    Super-duper web site! I am loving it!! Will appear to come back again, taking your feeds also. Gives thanks.

  3. Zenobia Allessi Says:

    I love your site.

  4. Gaylord Dearmas Says:

    I value the post. Thanks again. Great.