Solved: ESAv can do 4 clustering

jewfcb001 · ‎02-21-2022

Hi All ,

I try to find document about ESAv clustering but cannot find . I'm not sure Can I do 4 Clustering for ESAv ?

Thank you .

Ken Stieers · ‎02-21-2022

As in have 4 vms in a cluster? Yes. The limit is 20.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117921-technote-esa-00.html

View solution in original post

SriramV · ‎02-21-2022

you can join ESA in Cluster without SMA

View solution in original post

Ken Stieers · ‎02-21-2022

As in have 4 vms in a cluster? Yes. The limit is 20.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117921-technote-esa-00.html

jewfcb001 · ‎02-21-2022

@Ken Stieers

Thank you the answer. Do I want purchase Cisco SMA Centralized Email Management ? Or I can directly join cluster without centralized management.

SriramV · ‎02-21-2022

you can join ESA in Cluster without SMA

jewfcb001 · ‎02-21-2022

@SriramV

Thank you for help. Your answer help me a lot .

Ken Stieers · ‎02-21-2022

Yes, as Sriram said, you don't have to have an SMA to cluster ESAs.

There are a couple things to keep in mind. Esa clustering is really "multi level configuration replication". Any failover/high availability features actually happen outside of the ESAs.

Without an SMA, you'll have 4 spam quarantines and 4 sets of logs, so when you're troubleshooting things it can become more difficult.

jewfcb001 · ‎02-21-2022

@Ken Stieers

Thank you for more information. I don't have the experience for implement ESA. You can more explain "multi level configuration replication". You mean If I join 4 ESA to 1 Cluster . If I want manage and configure the device. Can I access to only 1 primary node it can replicate to all node in cluster am i correct ?

Ken Stieers · ‎02-23-2022

Multi-level in that there is machine specific configuration, group level configuration and cluster level configuration.
All settings can be set at the machine level (eg. not replicated). Other than a few, all others can be set at the group level or cluster level.
Group settings are replicated within a group of ESAs, cluster level are set across the whole cluster.
Things you might set for the group might be mail routes, if you have data centers the US and Europe, with mail servers on each continent, you might set the ones in Europe to send mail into the European mail servers, and the US ones to the US mail servers, but the Spam/anti-virus/content filtering would be at the cluster level... so they all use the same rules.
You can connect to any box in the cluster to manage the cluster... you can also pick the group or machine for most settings, from the box you're currently connected to.

jewfcb001 · ‎02-23-2022

@Ken Stieers

Thank you for information . My Understand if I would like to implement the new 4 nodes and would like to join cluster all . I can configure policy .... etc. at the first one machine If I done the the first one machine I will configure other node to join cluster with the first one . Am I correct ? If I correct . In the future If I would like to modify some configuration. Can I configure only 1 node for change something?

If my understand wrong. Please suggest me.

Ken Stieers · ‎02-24-2022

You are correct...

You can join machines to the cluster before or after, and the config will come over.

You can make the change on one box, and it will replicate.

There are a few settings that are always per machine, and most of them will force you to be in machine mode, things like IP config, routing config, SAML, etc.

The two that I remember that that don't are:

Security Services/File Reputation and Analysis connecting the box to AMP

Security Services/Cisco IronPort Email Encryption provisioning is per box

jewfcb001 · ‎02-24-2022

@Ken Stieers

Thank you so much for information . I think information from you will be help me in the future if I have implement project .