Configuring Dedicated Trunks for the CSM
Did you catch the article on setting up fault tolerance on the CSM? In that article, I mentioned that Cisco recommends a dedicated trunk for the FT VLAN if you have two HA CSMs in two chassis. Discuss amongst yourselves while I drone on.
Why should you set up a dedicated trunk for this stuff? The most obvious reason is to be sure that normal traffic doesn’t step on the syncing traffic. Since we’re syncing state information as well as configuration, the frames need to arrive in a timely manner. Any errors could potentially disrupt the FT process, which is bad. You surely don’t want the primary to fail only to find out that the standby doesn’t have the complete or current config.
Another reason is to keep the syncing traffic from stepping on normal traffic. The CSM is a pretty robust box and can handle a pretty good chunk of data. If you had a 100Mbps trunk between your chassis, there is the potential for the link to get flooded if the CSM ever starts sending some real data. All things being equal, though, your trunks are probably sized properly for your network, and the addition of the syncing traffic probably won’t affect much.
Let’s review our configuration from the other article.
vlan 83
 name CSM-Sync
!
module csm 3
 ft group 1 vlan 83
  priority 100 alt 90
  preempt
This snippet creates VLAN 83 and tells the CSM to use it for syncing, but how do we dedicate a trunk for that VLAN? We use the switchport trunk allowed vlan directive. We’ll assume that G1/1 on your primary switch is connected to G1/1 on your standby.
interface GigabitEthernet1/1
 description CSM Syncing
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 83
 switchport mode trunk
This sets G1/1 up to only allow VLAN 83 across it. If you do a show int G1/1 trunk, you’ll see that this VLAN is the only one allowed, the only one active, and the only one forwarding on that link. Of course, you’ll need to do the same on the other side to keep traffic flow sane, but it’s fairly easy.
What if G1/1 goes down, though? You’d lose sync, so you probably want to look at a solution for that little problem. You could put in multiple links and let Spanning Tree do the work. You could even turn those links into an EtherChannel for redundancy and throughput. If you have more than two chassis, you could full mesh them with trunks dedicated to VLAN 83. There are a number of ways around the problem. Be creative.
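To check that the allowed-VLAN restriction is actually in place on each chassis, here is an added example (not from the original article) that audits a saved running-config. It assumes the FT VLAN should be permitted only on the dedicated link or links; the function names and the G1/2 and G1/3 interfaces are made up for illustration, and only plain VLAN lists and "add" lines are parsed.

```python
import re

# Constructed sample config: G1/1 is the article's dedicated trunk; G1/2 and G1/3 are invented.
SAMPLE = """\
interface GigabitEthernet1/1
 switchport trunk allowed vlan 83
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport trunk allowed vlan 10,20-22
 switchport trunk allowed vlan add 80-90
 switchport mode trunk
!
interface GigabitEthernet1/3
 switchport mode trunk
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    pairs = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def trunk_vlans(config):
    """Map each trunk interface to its allowed VLAN set (None = every VLAN)."""
    trunks = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.split("\n!")[0].splitlines()]
        allowed = None
        for l in lines:
            m = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", l)
            if m:  # only plain lists and 'add' lines are handled here
                vl = expand_vlans(m.group(2))
                allowed = (allowed or set()) | vl if m.group(1) else vl
        if "switchport mode trunk" in lines:
            trunks[lines[0].split()[1]] = allowed
    return trunks

def audit_ft_vlan(config, ft_vlan, ft_ports):
    """List trunks that break the 'FT VLAN only on its dedicated links' rule."""
    findings, trunks = [], trunk_vlans(config)
    for port in sorted(set(trunks) | set(ft_ports)):
        allowed = trunks.get(port, "not a trunk")
        if port in ft_ports and allowed != {ft_vlan}:
            findings.append(f"{port}: dedicated trunk must allow only VLAN {ft_vlan}")
        elif port not in ft_ports and (allowed is None or ft_vlan in allowed):
            findings.append(f"{port}: VLAN {ft_vlan} can cross this non-dedicated trunk")
    return findings

print("\n".join(audit_ft_vlan(SAMPLE, 83, {"GigabitEthernet1/1"})))
```

Because ft_ports is a set, the same check covers the multi-link layouts mentioned above; run it against the config from both chassis.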
Be sure to send turkey questions my way.
Hello. Thank you for this article, it’s brill.
My question is, do you need to configure IP addresses for the active and standby CSMs on the fault-tolerant VLAN? There’s no reference to this in the article, or on the Cisco PDFs….? If not, how do they communicate with each other on that VLAN please?
Hi, Mohammed. Thanks for the comment and compliment.
Actually, you don’t need an IP address on the FT VLAN. It uses multicasting to announce itself…just as HSRP, VRRP, and GLBP do. You can find more information on that at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/3.2/configuration/guide/redun.html#wp1037240
Hope that helps. Let me know if you have any more questions.
[…] need to make sure you have only the proper VLANs running across this port (like we did with the CSM VLAN). If a box were to be compromised, the bad guy could simply start adding VLANs to the server and […]
Hi Aaron,
Excellent description. I have one question. You mention setting the priority above. If the priority is manually changed on the standby CSM to be higher, will it become the active CSM immediately?
Many thanks
Thanks for the comment, Steve.
If you have the preempt command configured and change the priority of the secondary unit higher than the primary, then the secondary should become active immediately. The same should hold true if you take the primary unit’s priority down.
Here’s where to look.
I hope that helps.
Hi Aaron,
Perfect answer. Thanks very much.
Hi Aaron, good job with CSM.
I have a strange behavior with sync of 3 pairs of CSMs:
2 of them work fine in two different chassis in the same site
2 of them remain out-of-sync in the same chassis
2 of them remain out-of-sync in two different sites (DWDM 10G connection)
All of them have the same supervisor and CSM microcode
The failing CSM messages are:
Nov 5 16:17:37.086: %CSM_SLB-6-REDUNDANCY_INFO: Module 5 FT info: Active: Bulk sync started
Nov 5 16:17:37.094: %CSM_SLB-6-REDUNDANCY_INFO: Module 5 FT info: Active: Sending configurations to Standby CSM, this may take several minutes!
Nov 5 16:17:37.098: %CSM_SLB-6-REDUNDANCY_INFO: Module 5 FT info: Active: Sending configuration to Standby CSM
Nov 5 16:18:37.142: %CSM_SLB-3-REDUNDANCY: Module 5 FT error: Active: Manual bulk sync timed out
Nov 5 16:18:37.142: %CSM_SLB-3-REDUNDANCY: Module 5 FT error:
FT CONFIG SYNC: Failed config sync entity send
but no timeout appears on local link and on DWDM link
Thanks for coop
Hey, Nicola. Thanks for stopping by the site.
Do both out-of-sync CSM pairs throw the same error? Are you using the same FT VLAN? Errors on interfaces?
Thanks for your coop…both out-of-sync with the same error..
If I add the CFG manually on the standby CSM, after 1 minute the config goes in sync!!!
If I add a new line on the active CSM cfg, the CSM in standby “senses” the action. Then I start the sync with command “HW…and soon”; the routing immediately starts on the secondary CSM but fails after 2-3 minutes with the log you saw in previous comments.
The CSM in active state works fine; the show run on the backup CSM was erased…
I tried to resync the scenario manually (copy and paste the cfg lines on the backup CSM) and after 1 minute the CSMs are back in SYNC!!
I tried to swap the role (by priority) and even the backup CSM (become active with new priority) fails with the same behavior!!
3 different FT VL for the 3 pairs of CSM!! No error on Physical Interface..seems to be a problem of late but CSM HW routine..What do you think about ??
Ciao from Italy
Nicola: Can you email me your configs? I’ll look over them and see what I can find. Make sure you remove any sensitive data. Send them to csmproblems at aconaway dot com.
I’m sending you the doc you asked me for..please, to be sure..repeat your mail
Thanks for big help
For posterity, Nicola found bug CSCtd09117 that seems to be causing his problem.