Home » Cisco Manuals » Desktops » Cisco NAC3350-PROF-K9 » Manual Viewer

Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 134

Primary] Heartbeat IP Address on interface 3

View all Cisco NAC3350-PROF-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 134 highlights

Installing a Clean Access Manager High Availability Pair Chapter 4 Configuring High Availability (HA) Step 8 (Recommended) Specify parameters to enable failover based on eth0 link failure detection for the HA-Secondary CAM: a. Enter IP addresses for the interfaces the HA pair uses to failover from the primary to the secondary CAM in the Link-detect IP Address for eth0 field. b. Specify the duration (in seconds) the CAM continues to ping the Link-detect IP address before determining that the eth0 interface may have gone down, thus initiating a failover to the secondary CAM, in the Link-detect Timeout field. The minimum value for this setting is 10 seconds, but Cisco recommends at least a 25-second timeout interval. Note Link-detect settings on the CAM (Release 4.1(3) and later) are needed to allow the active CAM to failover to the standby CAM in case of a switch port failure or a link failure on the switch port connected to eth0 of the active CAM. In the event a failover must take place, the Link detect setting allows the standby CAM to ensure that the secondary CAM eth0 interface is up and able to take on the active role. Step 9 Step 10 Set the [Primary] Peer Host Name value to the HA-Primary CAM's host name. If you are using the default setting for the mandatory eth1 UDP heartbeat interface, leave the Auto eth1 Setup checkbox enabled (checked). If you want to specify a different [Primary] Heartbeat eth1 Address, uncheck the Auto eth1 Setup checkbox and enter the new IP address in the (peer IP on heartbeat udp interface on eth1) field. Note The Auto eth1 Setup option automatically assigns 192.168.0.254 as the primary CAM's eth1 (heartbeat) interface and assumes the IP address for the peer (secondary) eth1 interface is 192.168.0.253. Warning To specify redundant failover links as described in Step 12, you must first configure the appropriate Ethernet interfaces on the CAM before you try to set up HA. If you attempt to configure these interfaces, however, and the NICs on which the Ethernet interfaces reside are not configured correctly, the CAM will enter maintenance mode (will not boot properly) when you reboot. Step 11 Step 12 (Optional) If you enabled the HA-Primary CAM's Heartbeat UDP Interface 2 function that sets up a redundant failover heartbeat via the CAM eth0 interface on the HA-Primary CAM, enable the eth0 checkbox and specify the same peer IP address in the [Primary] Heartbeat IP Address on eth0 field as on the HA-Primary CAM. (Optional) If you enabled the HA-Primary CAM's Heartbeat UDP Interface 3 function on the HA-Primary CAM, select eth2 or eth3 from the dropdown menu and the same associated peer IP address in the [Primary] Heartbeat IP Address on interface 3 field as on the HA-Primary CAM. Note Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat Timeout value remains a valid configuration point, however, for deployments using optional Heartbeat UDP interfaces 2 and 3.) Step 13 Specify the Heartbeat Timeout value for the HA secondary CAM to set the duration the CAM should wait before declaring that it has lost communication with its HA peer, thus assuming the role of the active CAM in the HA pair. The default Heartbeat Timeout value is 30 seconds. 4-14 Cisco NAC Appliance Hardware Installation Guide OL-20326-01

Section	Page
Cisco NAC Appliance Hardware Installation Guide	1
Contents	3
About This Guide	9
Cisco NAC Appliance Hardware Platforms	15
About Cisco NAC Appliance	15
FIPS 140-2 Compliant and Non-FIPS Hardware Platforms	15
NAC-3315, NAC-3355, and NAC-3395	17
NAC-3315 Serial Number Location	19
Cisco NAC-3315 Front and Rear Panels	19
Front Panel Features	19
Rear Panel Features	20
NAC-3355 Serial Number Location	22
Cisco NAC-3355 Front and Rear Panels	22
Front Panel Features	22
Rear Panel Features	24
NAC-3395 Serial Number Location	26
Cisco NAC-3395 Front and Rear Panels	26
Front Panel Features	26
Rear Panel Features	28
NAC-3310, NAC-3350, and NAC-3390	30
Cisco NAC-3310 Front and Rear Panels	32
Front Panel Features	32
Rear Panel Features	34
Cisco NAC-3350 Front and Rear Panels	35
Front Panel Features	35
Rear Panel Features	37
Cisco NAC-3390 Front and Rear Panels	38
Front Panel Features	39
Rear Panel Features	40
Cisco Product Identification Tool	41
Preparing for Installation	43
Safety Guidelines	44
General Precautions	44
Safety with Equipment	45
Safety with Electricity	45
Preventing Electrostatic Discharge Damage	47
Lifting Guidelines	47
Preparing Your Site for Installation	48
Site Planning	48
Rack Installation Safety Guidelines	49
Four-Post (Partially-Enclosed) Rack	49
Four-Post (Open) Rack	49
Site Environment	50
Airflow Guidelines	51
Temperature and Humidity Guidelines	51
Power Considerations	51
Method of Procedure	52
Shipping Package Contents	52
Failover Bundles	53
Required Equipment	53
Configuration Worksheets	53
Clean Access Manager (CAM) Configuration Worksheet	54
Clean Access Server (CAS) Configuration Worksheet	54
CAS Mode IP Addressing Considerations	55
Rack-Mounting Your Cisco NAC Appliance CAM/CAS	56
Mounting the NAC-3315 Appliance in a 4-Post Rack	57
NAC-3315 4-Post Rack-Mount Hardware Kit	57
Installing the NAC-3315 Slide Rails into a Rack	58
Installing the NAC-3315 Appliance into the Slide Rails	61
Mounting the NAC-3355/3395 Appliance in a Four-Post Rack	63
NAC-3355/3395 4-Post Rack-Mount Hardware Kit	64
Installing the NAC-3355/3395 Slide Rails Into the 4-Post Rack	64
Installing the NAC-3355/3395 Appliance Into the Slide Rails	67
Cisco NAC Appliance Licensing	68
Upgrading Cisco NAC Appliance Software	69
Downloading Cisco NAC Appliance Software	70
Upgrading Firmware	70
Installing the Clean Access Manager and Clean Access Server	71
Overview	71
Important Release Information	72
Installing the Clean Access Manager	72
Overview	72
Summary of Steps For New Installation	73
Connect the Clean Access Manager	74
Install the Clean Access Manager (CAM) Software from CD-ROM	75
Perform the Initial CAM Configuration	76
Configuration Utility Script	76
Access the CAM Web Console	81
Install CAM License	83
Add Additional Licenses	85
Important Notes for SSL Certificates	87
Installing the Clean Access Server	88
Overview	88
Switch/Router Configuration	88
Virtual Gateway Mode Connection Requirements	89
Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)	90
Determining VLANs For Virtual Gateway	90
Summary of Steps For New Installation	91
Connect the Clean Access Server	92
Install the Clean Access Server (CAS) Software from CD-ROM	92
Perform the Initial CAS Configuration	94
Configuration Utility Script	94
Important Notes for SSL Certificates	103
Cisco NAC Appliance Connectivity Across a Firewall	104
Configuring the CAS Behind a NAT Firewall	106
Connectivity Across a Wide Area Network	107
Configuring Additional NIC Cards	107
Serial Connection to the CAM and CAS	109
Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS	110
Useful CLI Commands for the CAM/CAS	112
CAM CLI Commands	112
CAS CLI Commands	113
CAS CLI Commands for Cisco NAC Appliance	113
CAS CLI Commands for Cisco NAC Profiler	114
Manually Restarting the CAM/CAS Configuration Utility	116
Troubleshooting the Installation	117
Verify/Change Current Master Secret on CAM/CAS	118
Recover From Corrupted Master Secret	118
Network Interface Card (NIC) Driver Not Supported	119
Resetting and Restoring an Unreachable Clean Access Server	119
Enabling TLSv1 on Internet Explorer Version 6	119
Powering Down the NAC Appliance	120
Configuring High Availability (HA)	121
Adding High Availability Cisco NAC Appliance To Your Network	121
Installing a Clean Access Manager High Availability Pair	123
CAM High Availability Overview	124
Before Starting	127
Connect the Clean Access Manager Machines	128
Serial Connection	129
Configure the HA-Primary CAM	129
Configure the HA-Secondary CAM	132
Complete the Configuration	136
Upgrading an Existing Failover Pair	136
Failing Over an HA-CAM Pair	136
Accessing High Availability Pair CAM Web Consoles	137
Determining Active and Standby CAM	137
Determining Primary and Secondary CAM	137
Installing a Clean Access Server High Availability Pair	137
CAS High Availability Overview	138
Failover Events	141
Choosing External IPs for Link-Based Failover	142
CAS High Availability Requirements	142
Physical Connection	142
Switch Interfaces for OOB Deployment	143
Service IP Addresses	143
Host Names	143
DHCP Synchronization	143
SSL Certificates	143
Before Starting	144
Selecting and Configuring the Heartbeat UDP Interface	145
Serial Port High-Availability Connection	146
Configure High Availability	146
Configure the HA-Primary Clean Access Server	147
a. Access the HA-Primary CAS Directly	147
b. Configure the Host Information for the HA-Primary CAS	147
c. Configure HA-Primary Mode and Update	148
d. Configure the SSL Certificate	152
e. Reboot the HA-Primary CAS	153
f. Add the CAS to the CAM Using the Service IP	153
Configure the HA-Secondary Clean Access Server	154
a. Access the HA-Secondary CAS Directly	154
b. Configure the Host Information for the HA-Secondary CAS	154
c. Configure HA-Secondary Mode and Update	154
d. Configure the SSL Certificate	158
e. Reboot the HA-Secondary CAS	158
Connect the Clean Access Servers and Complete the Configuration	158
Failing Over an HA-CAS Pair	159
Modifying CAS High Availability Settings	160
To Change IP Settings for an HA-CAS	160
Upgrading an Existing Failover Pair	161
Configuring High Availability for Virtual Gateway Mode	162
Useful CLI Commands for HA	163
Clean Access Manager	163
Verifying Active/Standby Runtime Status on the HA CAM	163
Clean Access Server	164
HA CAS Configuration Status	164
Heartbeat/Link-Based Connections	164
Link-Detect Interfaces	165
Active/Standby Status	165
Accessing High Availability Pair CAS Web Consoles	166
Determining Active and Standby CAS	166
Determining Primary and Secondary CAS	166
Password Recovery	167
Recovering Root Password for CAM/CAS	167
Recovering Root Password for CAM/CAS (Release 3.5.x or Below)	167
Open Source License Acknowledgements	169
Notices	169
OpenSSL/Open SSL Project	169
License Issues	169

Match case Limit results 1 per page

4-14

Cisco NAC Appliance Hardware Installation Guide

OL-20326-01

Chapter 4

Configuring High Availability (HA)

Installing a Clean Access Manager High Availability Pair

Step 8

(Recommended) Specify parameters to enable failover based on eth0 link failure detection for the

HA-Secondary CAM:

Enter IP addresses for the interfaces the HA pair uses to failover from the primary to the secondary

CAM in the

Link-detect IP Address for eth0

field.

Specify the duration (in seconds) the CAM continues to ping the Link-detect IP address before

determining that the eth0 interface may have gone down, thus initiating a failover to the secondary

CAM, in the

Link-detect Timeout

field. The minimum value for this setting is 10 seconds, but

Cisco recommends at least a 25-second timeout interval.

Note

Link-detect settings on the CAM (Release 4.1(3) and later) are needed to allow the active

CAM to failover to the standby CAM in case of a switch port failure or a link failure on the

switch port connected to eth0 of the active CAM. In the event a failover must take place, the

Link detect setting allows the standby CAM to ensure that the secondary CAM eth0 interface

is up and able to take on the active role.

Step 9

Set the

[Primary] Peer Host Name

value to the HA-Primary CAM’s host name.

Step 10

If you are using the default setting for the mandatory eth1 UDP heartbeat interface, leave the

Auto eth1

Setup

checkbox enabled (checked). If you want to specify a different

[Primary] Heartbeat eth1

Address

, uncheck the

Auto eth1 Setup

checkbox and enter the new IP address in the

(peer IP on

heartbeat udp interface on eth1)

field.

Note

The

Auto eth1 Setup

option automatically assigns 192.168.0.254 as the primary CAM's eth1

(heartbeat) interface and assumes the IP address for the peer (secondary) eth1 interface is

192.168.0.253.

Warning

To specify redundant failover links as described in

Step 12

, you must first configure the appropriate

Ethernet interfaces on the CAM before you try to set up HA. If you attempt to configure these

interfaces, however, and the NICs on which the Ethernet interfaces reside are not configured

correctly, the CAM will enter maintenance mode (will not boot properly) when you reboot.

Step 11

(Optional) If you enabled the HA-Primary CAM’s

Heartbeat UDP Interface 2

function that sets up a

redundant failover heartbeat via the CAM eth0 interface on the HA-Primary CAM, enable the

eth0

checkbox and specify the same peer IP address in the

[Primary] Heartbeat IP Address on eth0

field

as on the HA-Primary CAM.

Step 12

(Optional) If you enabled the HA-Primary CAM’s

Heartbeat UDP Interface 3

function on the

HA-Primary CAM, select

eth2

eth3

from the dropdown menu and the same associated peer IP address

in the

[Primary] Heartbeat IP Address on interface 3

field as on the HA-Primary CAM.

Note

Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA

heartbeat function. Although this element still appears in the CAM web console, the

Heartbeat Serial

Interface

feature is being deprecated in a future Cisco NAC Appliance release. (The associated

Heartbeat Timeout

value remains a valid configuration point, however, for deployments using optional

Heartbeat UDP interfaces 2 and 3.)

Step 13

Specify the

Heartbeat Timeout

value for the HA secondary CAM to set the duration the CAM should

wait before declaring that it has lost communication with its HA peer, thus assuming the role of the active

CAM in the HA pair. The default

Heartbeat Timeout

value is 30 seconds.