CSS Redundancy Design

Unanswered Question
Jan 7th, 2009

I am currently writing LLD for a Data Center project and planning for the CSS redundancy design. The BoQ of CSS is given below:

Content Switches/Load Balancers: CSS11503 (qty 2)
Cisco 11503 Content Services Switch SCM-2GE HD AC (qty 2)
WebNS 8.1X Enhanced Feature Set for CSS 11500 Platforms (qty 2)
WebNS Secure Management License: Enables Strong Encryption (qty 2)
CSS11500 SSL Module w/ Compression (qty 2)
WebNS License Claim Certificate: for V8.XX or higher (qty 2)
CSS11500 System Control Module 2GE HD, Order 0-2 CSS5-GBIC (qty 2)
CSS11500 Gigabit Ethernet IOM: 2 Port, Order 0-2 SFP (qty 2)
GE SFP, LC connector SX transceiver (qty 12)

The customer has not given any specific requirement, but looking at the BoQ it seems that the two CSS are populated with the SSL Module w/ Compression, so they might need SSL and Compression to be configured in future.

The best scenario is to configure these two CSS in load-balanced mode with stateful failover. We have three redundancy options in CSS:

1. VIP and Virtual Interface Redundancy - Can be configured in load-balanced mode, but with no stateful failover.

2. ASR Redundancy - Can be configured in load-balanced mode with stateful failover. It sounds OK, but the main disadvantage is that ASR & an SSL Module, and ASR & HTTP Compression, cannot be configured on the same Service.

3. Box-to-Box Redundancy - Cannot be configured in load-balanced mode, and I have no idea whether it supports stateful or stateless failover.

There are only two options left: one is VIP and Virtual Interface Redundancy and the second is Box-to-Box Redundancy. What do you recommend in such a scenario? Please note that I have two extra Gig ports available on the CSS.

Gilles Dufour Wed, 01/07/2009 - 03:51

ASR only works with vip/interface redundancy.

Vip/Interface redundancy is the preferred choice if you are looking for fast failover/recovery.

Box-2-box is slower to detect the failure and failover.

But this solution is easier to implement so some people prefer to go this way.


Ahmed Shahzad Wed, 01/07/2009 - 04:35

Dear Gilles,

Thank you for your reply. May I know the answers to the following queries:

1. Is Box-2-Box failover stateful or stateless?

2. Is there any limitation on SSL or Compression configuration in case of Box-2-Box failover?

3. Does ASR Redundancy support ASR & an SSL Module, and ASR & HTTP Compression on the same Service?

Gilles Dufour Wed, 01/07/2009 - 07:42

ASR is the stateful side of vip/interface redundancy.

You can't use ASR alone.

You first need vip/interface redundancy and then you can add ASR if you need stateful redundancy.

Box-to-Box is therefore not stateful.

There is no stateful failover for SSL traffic - this is true for every type of load balancer.

This is just not possible as of today.

Not just a Cisco limitation.

So, if you have this module, the traffic going through the module can't be replicated.

The rest of the traffic still can be replicated to the standby.


Ahmed Shahzad Wed, 01/07/2009 - 08:02

Thanks Gilles for your quick reply.

May I ask two more queries:

1. Does Box-2-Box Redundancy support ASR & an SSL Module, and ASR & HTTP Compression on the same Service?

2. Both Box-2-Box Redundancy and VIP/Interface are not stateful. But we are using an extra cable for Box-2-Box redundancy, so what extra advantage do we get in Box-2-Box redundancy over VIP/Interface Redundancy?



Gilles Dufour Wed, 01/07/2009 - 08:34

1/ Box-to-Box redundancy does not support ASR.

2/ The only advantage of box-to-box redundancy is that the config is easier to implement. You don't need to configure 'redundant-index' for every content rule, group, serverfarm, ...


Ahmed Shahzad Wed, 01/07/2009 - 10:07

I am sorry, there was a typo in question 1. Does Box-2-Box Redundancy support SSL Module, and HTTP Compression?

It is very difficult to believe the answer to question 2, that the only difference is the ease of configuration.....

Looking at the BoQ, I am concluding to use VIP/Interface Redundancy. Please comment in case you disagree...

k.abillama Wed, 04/15/2009 - 22:19

Hi Guys,

I was reading your post and understood that in my case, where I have ACE being used as an SSL offloader in an HA setup, the SSL sessions will not be statefully replicated. Is that right?

