Cisco Employee

NSO Clustering support for SL1 -> SL2 -> DL1-n

Hi Team,

It is known that NSO Clustering can support an SL to DL NSO deployment, but can we make this hierarchy deeper than these two levels and make it 3 levels?

Something like SL1 -> SL2 -> DL1-n?

If yes, what would be the limitations to worry about? Transaction commit queues? Notifications?

If no, I thought maybe leverage the HA capabilities and make SL1 and SL2 HA nodes (Active/Active); is that a working design?

The idea for this is to meet customer security regulation and achieve separation in a multi-customer environment, so for each customer/DMZ we would have a dedicated DL, all DLs would be controlled by SL2, and SL2 would be connected to the wider SL1 NSO.

Btw, another option to consider is to have SL1 and SL2 as separate deployments and integrate between them (out of the clustering/HA scope).

Thanks

Noam

Accepted Solutions
Cisco Employee

Re: NSO Clustering support for SL1 -> SL2 -> DL1-n

Noam,

> It is known that NSO Clustering can support an SL to DL NSO deployment, but can we make this hierarchy deeper than these two levels and make it 3 levels?
>
> Something like SL1 -> SL2 -> DL1-n?

No, this is not currently supported, unfortunately. We would like something like this one day, but it's not there now. Multiple levels of DL nodes could work, but in most use cases I don't think that would bring any benefits.

> If no, I thought maybe leverage the HA capabilities and make SL1 and SL2 HA nodes (Active/Active); is that a working design?

Only one node in an HA cluster may be active in the sense that it accepts writes. All HA nodes would be active/active in the sense that applications can run there, operators can log in, actions may be invoked. Only configuration changes must always come from the HA master.

There's no current plan to change that, as that would imply either an eventual-consistency system (suboptimal), a design where there would still be a particular node that would become a bottleneck (no point), or something very complicated.

> The idea for this is to meet customer security regulation and achieve separation in a multi-customer environment, so for each customer/DMZ we would have a dedicated DL, all DLs would be controlled by SL2, and SL2 would be connected to the wider SL1 NSO.
>
> Btw, another option to consider is to have SL1 and SL2 as separate deployments and integrate between them (out of the clustering/HA scope).

Yes, this is in principle possible. There might be a couple snags that we'd have to fix for this.

Best Regards,

/jan

3 REPLIES
Cisco Employee

Re: NSO Clustering support for SL1 -> SL2 -> DL1-n

Adding simple drawing of what is required and questioning if such can be supported with Clustering capabilities:

[Attachment: NSO Clustering.PNG]

Cisco Employee

Re: NSO Clustering support for SL1 -> SL2 -> DL1-n

Jan, as always thanks for your notes, very helpful

Noam
