Friday, February 1, 2013

Chapter 13 - High Availability

In Junos Pulse:
A cluster pair is two units.
A multi-unit cluster is more than two, which means 4.

A cluster can be Active/Active or Active/Passive.

Active/Passive
Always uses a VIP.
The nodes sync the state.
The Active device sends ARP to the VIP.
When it fails, the Passive device will send ARP to the VIP.


Active/Active
Can be done with:
1. Load balancer
2. DNS round robin - the downside is that in case of failure you lose 50% of traffic.

This also gives you more throughput, but with the same licensing.

The nodes must be on the same LAN IP subnet for that to work.
State synchronization is done using the internal NIC.
The nodes must be the same hardware and the same OS version.
All of the resources must be accessible to all of the devices.


Alright.
When to use a VIP (Virtual IP).

Pulse and Odyssey download a list of cluster members and will switch to the next one.
Agentless access must use the VIP.


This is another case for using a VIP, this time for the Enforcer.
You can either use the VIP address for it,
or create many instances of the MAG for it. Because they are all in sync, it does not matter.



Synchronizing the information from device to device.
Information is synced using the internal interface.
There is a cluster password.
A new member will send a message to the existing server asking for synchronization.
After that you must reconfigure node-specific settings.

Transient information can be synced using
unicast, broadcast or multicast.
Session data and Enforcer status

Nodes will have the service pack, so when you update one it will update the others.

Doing this:
A cluster license is not required on the first node,
only on the nodes that join the cluster.

So:
System > Clustering > Join Cluster, then add a cluster name, a password and the name of the member.

You can click PROPERTIES on the cluster and switch it from Active/Active to Active/Passive.
You can also set up an EXTERNAL VIP and an INTERNAL VIP.

For ACTIVE/ACTIVE to have a VIP you must use a load balancer.

You can set up synchronization:
{} Logs
{} User sessions
{} Last access time for the user sessions

You can change the number of ARP ping failures before the interface is disabled (from 3).
{} Disable the external interface when the internal one fails.

{} Advanced settings will change the number of timeouts for the underlying cluster.


OK.

Adding cluster members and checking the status.


You can add a load balancer from
System > Network > Load Balancer.

You can go to the next device:
System > Clustering > Join Cluster


On
System > Status
you can see a member status window,
or you can go to the CLUSTER tab to see their status.



Configuring the cluster on the firewalls.
For the firewalls you can have Active/Active or Active/Passive.
Active/Active does not support IPsec.


In the Infranet Enforcer
you can add two serial numbers to the Platform.

In the firewall you simply replace the AC1 with the VIP address,
or you create a number of infranet-controller instances.

Ok.
So Active/Active does NOT need a VIP; it will use the load balancer.

Active/Passive: if you have an internal IP, use the internal VIP.
If you have an external IP too, then you need to create an external VIP too.

Synchronizing the users is an option.
So is synchronizing the log messages.

{} Disable external when internal fails: this is for Active/Passive.

Clustering STATUS
will show you who is set.

System > Clustering > Load Balancer
is where you define the load balancer and whether it is between endpoints or the Enforcer.


