10-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 10 Managing the Security Manager Server
To learn more about the things you can do with Common Services, browse the Common Services online
help.
Managing a Cluster of Security Manager Servers
A Security Manager server cluster is two or more Security Manager servers used to manage a network.
Typically, you want to maintain some relationship between the servers. Although there is no systematic
relationship between the servers in the cluster, there are some techniques that you can use to maintain a
cluster-like relationship. The topics in this section explain how you can manage a group of Security
Manager servers as a cluster.
This section contains the following topics:
- Overview of Security Manager Server Cluster Management, page 10-2
- Exporting the Device Inventory, page 10-5
- Exporting Shared Policies, page 10-11
- Importing Policies or Devices, page 10-13

Overview of Security Manager Server Cluster Management

You can manage a large number of devices with a single Security Manager server. There are, however,
a variety of reasons for managing your network with more than one Security Manager server. For
example:
- If you have a very large network with thousands of devices to manage, you might find performance
  to be unacceptable when trying to manage all devices from a single server.
- For geographic reasons, you might find it better to have servers that are closer to managed devices.
  For example, if you have major sites on different sides of the globe, having separate servers at each
  major site might simplify management and improve performance. For example, when deploying
  configurations to managed devices, a Security Manager server located in Bangalore should be able
  to deploy configurations to a device in Bangalore much faster than a Security Manager server
  located in San Francisco simply due to the much shorter physical network distance.
- You might want to segment device management based on the technology managed. For example, you
  might want to use one server to manage your site-to-site VPNs, another server to manage ASA
  firewall and remote access VPN policies, and a third server to manage IPS.
- Separate IT organizations might be managing different parts of your network. Although you can set
  up ACS to fine-tune access control to the device level, you might instead find it simpler to have
  distinct Security Manager servers for each IT organization.
If you decide to install more than one Security Manager server, the main challenges are the following:
- Splitting a single server into two or more servers—You might currently have a single Security
  Manager server, and decide that you need multiple servers. For information on how to split a
  Security Manager server into two or more servers, see Splitting a Security Manager Server,
  page 10-3.
- Maintaining the same set of shared policies—If you use multiple servers to manage the same device
  types, you might want to ensure that the shared policies assigned to the devices are identical. For
  example, you might want to have the same set of mandatory and default access rules inherited by all
  ASA devices.