Ironport Cluster Setup and Configuration

IronPort clustering allows you to configure a single IronPort and automatically replicate that configuration in real time to the remaining IronPorts.  For IronPort fail-over in the absence of a load balancer, review your Internet-facing DNS MX records: give the primary IronPort the MX record with the lowest preference value, and add MX records with higher preference values for the secondary IronPorts (a lower preference value means mail is tried there first).
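As an added example that is not part of the original post, the following Python check reads MX records in the form `dig +noall +answer example.com MX` prints them and confirms that the primary IronPort is the unique lowest-preference MX and that at least one higher-preference secondary exists. The sample output is constructed: the hostnames reuse the newyork/losangeles example.com names from this post, and the preference values and the extra chicago host are assumptions.

```python
# Added example (not from the original post): verify that the published MX
# records give the primary IronPort the lowest preference value, so that without
# a load balancer mail goes to it first and only falls back to the secondaries.
import re
from typing import List, Tuple

# Constructed sample of `dig +noall +answer example.com MX` output.  The
# hostnames follow the post's example.com naming; preferences are assumptions.
SAMPLE_DIG_OUTPUT = """\
example.com.\t3600\tIN\tMX\t10 newyork.example.com.
example.com.\t3600\tIN\tMX\t20 losangeles.example.com.
example.com.\t3600\tIN\tMX\t20 chicago.example.com.
"""

# <owner> <ttl> IN MX <preference> <exchange>
MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Return (preference, exchange) pairs, lowest preference first.

    Lines that are not MX answers (comments, other record types) are ignored;
    the trailing dot of the exchange name is stripped and the name lowercased.
    """
    records = []
    for line in dig_output.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records)


def check_primary(dig_output: str, primary: str) -> Tuple[bool, str]:
    """Check that `primary` is the unique lowest-preference MX with secondaries."""
    records = parse_mx(dig_output)
    if not records:
        return False, "no MX records found"
    lowest_pref = records[0][0]
    lowest_hosts = [host for pref, host in records if pref == lowest_pref]
    primary = primary.lower()
    if primary not in lowest_hosts:
        return False, f"{primary} is not the lowest-preference MX ({lowest_hosts})"
    if len(lowest_hosts) > 1:
        # A tie means senders round-robin between the hosts instead of
        # treating one as primary.
        return False, f"primary shares preference {lowest_pref} with {lowest_hosts}"
    secondaries = [host for pref, host in records if pref > lowest_pref]
    if not secondaries:
        return False, "no higher-preference MX records exist for fail-over"
    return True, f"primary {primary} (pref {lowest_pref}), secondaries {secondaries}"


if __name__ == "__main__":
    ok, detail = check_primary(SAMPLE_DIG_OUTPUT, "newyork.example.com")
    print("OK" if ok else "PROBLEM", "-", detail)
```

To run it against a live zone, replace SAMPLE_DIG_OUTPUT with the captured output of dig; the check deliberately refuses a tied lowest preference because a tie makes senders alternate between the hosts rather than fail over.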

Setting up clustering:

Whichever IronPort the cluster is created on becomes the master, and its standalone-mode settings are migrated to the cluster settings.  Any IronPorts that subsequently join the cluster inherit their settings from the cluster, replacing their standalone settings; machine-specific settings such as IP addresses are retained.

– A machine can create or join a cluster only via the clusterconfig command line command.

– Be sure to enable your centralized management feature key before you attempt to create a cluster (feature keys under system administration).

– When a new cluster is created, all of that cluster’s initial settings will be inherited from the machine that creates the cluster. If a machine was previously configured in “standalone” mode, its standalone settings are used when creating the cluster.

– When a machine joins an existing cluster, all of that machine’s clusterable settings will be inherited from the cluster level. In other words, everything except certain machine-specific settings (IP addresses, etc.) will be lost and will be replaced with the settings from the cluster and/or the group selected for that machine to join.

If the current machine is not already part of a cluster, issuing the clusterconfig command presents the option to join an existing cluster or create a new one.

Creating a new cluster:

Connect to your primary IronPort using telnet or SSH

newyork.example.com> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 2

Enter the name of the new cluster.
[]> americas

Should all machines in the cluster communicate with each other by hostname or by IP address?
1. Communicate by IP address.
2. Communicate by hostname.
[2]> 2

You can change this by using the COMMUNICATION
subcommand of the clusterconfig command

New cluster committed: Tue Dec 18 21:57:43 2012 PST
Creating a cluster takes effect immediately, there is no need to commit.

Cluster americas

Choose the operation you want to perform:
– ADDGROUP – Add a cluster group.
– SETGROUP – Set the group that machines are a member of.
– RENAMEGROUP – Rename a cluster group.
– DELETEGROUP – Remove a cluster group.
– REMOVEMACHINE – Remove a machine from the cluster.
– SETNAME – Set the cluster name.
– LIST – List the machines in the cluster.
– CONNSTATUS – Show the status of connections between machines in the cluster.
– COMMUNICATION – Configure how machines communicate within the cluster.
– DISCONNECT – Temporarily detach machines from the cluster.
– RECONNECT – Restore connections with machines that were previously detached.
– PREPJOIN – Prepare the addition of a new machine over CCS.
[]>

At this point you can add machines to the new cluster. Those machines can communicate via SSH or CCS.

Notes regarding Joining an Existing Cluster
From the host you want to add to the cluster, issue the clusterconfig command to join the existing cluster. You can choose to join the cluster over SSH or over CCS (cluster communication service).
In order to join a host to an existing cluster, you must:

– be able to validate the SSH host key of a machine in the cluster

– know the IP address of a machine in the cluster and be able to connect to this machine in the cluster (for example, via SSH or CCS)

– know the administrator password for the admin user on a machine belonging to the cluster

Note: All machines you intend to add to the cluster must have the centralized management feature key installed on them before they can be added to the cluster. It is also possible to join an existing cluster from within the systemsetup command, provided the feature key for centralized management has been installed on the system before running the CLI system setup wizard and a cluster already exists. After changing the administrator password, setting the hostname of the appliance, and configuring network interfaces and IP addresses, systemsetup will prompt you to create or join a cluster.

Joining an Existing Cluster over SSH:

The following session demonstrates adding the machine losangeles.example.com to the cluster using the SSH option.
losangeles.example.com> clusterconfig

Do you want to join or create a cluster?
1. No, configure as standalone.
2. Create a new cluster.
3. Join an existing cluster over SSH.
4. Join an existing cluster over CCS.
[1]> 3

Alternatively you can join the Cluster via CCS (Cluster Communication Service port 2222), see instructions further below.

While joining a cluster, you will need to validate the SSH host key of the remote machine you are joining through. To get the public host key fingerprint of that machine ahead of time, connect to a machine already in the cluster and run: logconfig -> hostkeyconfig -> fingerprint. Compare that value with the fingerprint shown at the prompt below before answering yes.

WARNING: All non-network settings will be lost. System will inherit the values set at the group or cluster mode for the non-network settings. Ensure that the cluster settings are compatible with your network settings (e.g. dnsconfig settings)

Do you want to enable the Cluster Communication Service on
losangeles.example.com? [N]> n

Enter the IP address of a machine in the cluster.
[]> {IP address of the IronPort on which the cluster was created}

Enter the remote port to connect to. This must be the normal admin ssh
port, not the CCS port.
[22]> 22

Enter the name of an administrator present on the remote machine
[admin]> admin

Enter the admin password for the cluster.
{the administrator password for the clustered machine is entered here}

Please verify the SSH host key for IP address:
Public host key fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Is this a valid key for this host? [Y]> y

Joining cluster group Main_Group. – NOTE: this may take a while.
Joining a cluster takes effect immediately, there is no need to commit.
Cluster americas

Joining an Existing Cluster over CCS (Port 2222) rather than SSH (Port 22)
Use CCS instead of SSH if you cannot use SSH. The only advantage of CCS is that only cluster communication happens over that port (no user logins, SCP, etc). To add another machine to an existing cluster via CCS, use the prepjoin subcommand of clusterconfig to prepare the machine to be added to the cluster. In this example, the prepjoin command is issued on the cluster machine newyork to prepare the machine losangeles to be added to the cluster.
The prepjoin command involves obtaining the user key of the host you want to add to the cluster by typing clusterconfig prepjoin print in the CLI of that host, and then copying the key into the command line of the host that is currently in the cluster.

From the clusterconfig command line menu:

[]> prepjoin
Prepare Cluster Join Over CCS
No host entries waiting to be added to the cluster.
Choose the operation you want to perform:
– NEW – Add a new host that will join the cluster.
[]> new
Enter the hostname of the system you want to add.
[]> losangeles.example.com
Enter the serial number of the host losangeles.example.com (needs to be full serial not partial).
[]> {unique serial number is added}
Enter the user key of the host losangeles.example.com.
This can be obtained by typing “clusterconfig prepjoin print” in the CLI on losangeles.example.com.  Note: you will have to copy the user key from the console into Notepad to clean up the line breaks and get it all onto a single line.

{the user key from the output of prepjoin print is pasted here}

Once you have pasted the user key, press Enter on a blank line to finish.

Host losangeles.example.com added.

Prepare Cluster Join Over CCS
1. losangeles.example.com (serial-number)
Choose the operation you want to perform:
– NEW – Add a new host that will join the cluster.
– DELETE – Remove a host from the pending join list.
[]>
(Cluster americas)> commit

Once a machine is already part of a cluster, the clusterconfig command allows you to configure various settings for the cluster; note that the prompt now shows the cluster name.

(Cluster americas)> clusterconfig
Cluster americas

Now log on to losangeles.example.com and join it to the cluster using clusterconfig, choosing option 4 (join an existing cluster over CCS).
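Two steps above leave you handling SSH key material by hand: validating the host key fingerprint (the xx:xx:…:xx value at the "Please verify the SSH host key" prompt in the SSH join) and rejoining a user key that the console wrapped across several lines before pasting it into prepjoin. The following Python helpers are an added example, not code from this post or from the appliance: fingerprint() computes the colon-separated MD5 fingerprint (and OpenSSH's newer SHA256 form) of an OpenSSH public key line so you can compare it with the value read via logconfig -> hostkeyconfig -> fingerprint, and normalize_key() collapses a wrapped key back onto one line and checks that it still decodes. The sample key is constructed with filler numbers and is not a real key; the admin@losangeles.example.com comment reuses the post's hostname, and the 72-column wrapping is an assumption about the console.

```python
# Added example (not from the post or the appliance): helpers for the SSH key
# material that clusterconfig makes you handle by hand.
#   fingerprint()   - MD5 xx:xx:...:xx (as the appliance prompt shows it) or
#                     SHA256:<base64> fingerprint of an OpenSSH public key line
#   normalize_key() - rejoin a key the console wrapped over several lines
import base64
import hashlib
import textwrap

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "abcdefghijklmnopqrstuvwxyz0123456789+/=")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: the blob has the ssh-rsa wire layout (type, exponent,
# modulus) but the numbers are filler, so it is NOT a usable key.  The comment
# reuses the losangeles.example.com hostname from the post.
_SAMPLE_BLOB = (_ssh_string(b"ssh-rsa")
                + _ssh_string(b"\x01\x00\x01")
                + _ssh_string(b"\x00" + bytes(range(1, 129))))
SAMPLE_KEY_LINE = ("ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode()
                   + " admin@losangeles.example.com")

# The same key as it looks when copied out of a 72-column console session
# (assumed width): the base64 blob is wrapped over several lines.
WRAPPED_KEY = textwrap.fill(SAMPLE_KEY_LINE, width=72, break_on_hyphens=False)


def normalize_key(text: str) -> str:
    """Rejoin a public key that was wrapped across console lines into one line.

    The base64 blob is the run of whitespace-separated tokens made only of
    base64 characters; the first token containing anything else (such as the
    '@' in a user@host comment) starts the comment.  The joined blob is
    decoded to make sure nothing was lost or mangled in the copy and paste.
    """
    tokens = text.split()
    if len(tokens) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    key_type, blob_parts, comment_parts = tokens[0], [], []
    for tok in tokens[1:]:
        if not comment_parts and set(tok) <= BASE64_ALPHABET:
            blob_parts.append(tok)
        else:
            comment_parts.append(tok)
    if not blob_parts:
        raise ValueError("no base64 key material found")
    blob = "".join(blob_parts)
    try:
        base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    line = f"{key_type} {blob}"
    if comment_parts:
        line += " " + " ".join(comment_parts)
    return line


def fingerprint(key_line: str, algo: str = "md5") -> str:
    """Fingerprint of an OpenSSH public key line.

    'md5' gives the 16 colon-separated hex pairs the appliance prompt shows;
    'sha256' gives OpenSSH's SHA256:<unpadded base64> form.  The key type
    embedded in the blob must match the declared type on the line.
    """
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    key_type, raw = parts[0], base64.b64decode(parts[1], validate=True)
    type_len = int.from_bytes(raw[:4], "big")
    embedded = raw[4:4 + type_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"blob says {embedded!r}, line says {key_type!r}")
    if algo == "md5":
        hexdigest = hashlib.md5(raw).hexdigest()
        return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    if algo == "sha256":
        digest = hashlib.sha256(raw).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"unsupported algorithm {algo!r}")


if __name__ == "__main__":
    single = normalize_key(WRAPPED_KEY)
    print("Rejoined key line :", single)
    print("MD5 fingerprint   :", fingerprint(single))
    print("SHA256 fingerprint:", fingerprint(single, "sha256"))
```

For the SSH join, paste the host key line obtained out of band into fingerprint() and compare the result character for character with the value shown at the prompt before answering yes; a mismatch means you are not talking to the machine you think you are. For prepjoin, feed normalize_key() the wrapped text copied from the console and paste its single-line result at the "Enter the user key" prompt.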

Conclusion: At this point you have created a cluster and joined a secondary IronPort to your new cluster via either CCS or SSH.

Resources:
List of all cluster config commands:

Choose the operation you want to perform:
– ADDGROUP – Add a cluster group.
– SETGROUP – Set the group that machines are a member of.
– RENAMEGROUP – Rename a cluster group.
– DELETEGROUP – Remove a cluster group.
– REMOVEMACHINE – Remove a machine from the cluster.
– SETNAME – Set the cluster name.
– LIST – List the machines in the cluster.
– LISTDETAIL – List the machines in the cluster with detail.
– DISCONNECT – Temporarily detach machines from the cluster.
– RECONNECT – Restore connections with machines that were previously detached.
– PREPJOIN – Prepare the addition of a new machine over CCS.

See my other helpful Ironport related posts:

How to Setup SSL Certificate on IronPort

Ironport Encryption Provisioning issue: “Unable to provision profile for reason: Cannot find account.”
