Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0,
Last Updated: 9th of Febrauary 2016
Applies to Platform: UTM 2.4, UTM 2.5, 4i Edge >2.5
Last Updated: 23rd April 2014
This lesson will illustrate the necessary steps to configure a high availability cluster (active-standby) between two Endian appliances. This will allow a seamless failover transition to a secondary Endian appliance, in the event of a hardware failure on the primary appliance. This provides unparalleled hardware availability and redundancy for critical network operations and security.
The Endian high availability system is supported on both Endian hardware and software. Whether choosing hardware or software, the high availability module requires completely identical hardware platforms (e.g. 2 Minis, 2 Macros, 2 identical x86 systems, etc.). Something else important to note when deploying high availability is that you must provide a duplication method for each and every connection to the Endian appliance. Every connection the primary unit has (WAN, LAN, etc.) must be replicated across the standby unit to ensure complete replication capabilities exist (see example below).
In the scenario used as example, each network on the Master (WAN, LAN, etc.) is connected to an external managed switch, and the corresponding ports on the Slave must be able to communicate with those on the master, i.e., they must lay in the same network. Although not necessary, it is suggested to change the default GREEN IP Address from 192.168.0.15 to a different one, this would help in case of migration of a node.
Another option is to replace a single managed (VLAN capable) switch with smaller, separate switches for each Endian zone (WAN, LAN, etc.). This may not be cost-effective and could be less reliable since the failure of any switch could break failover partially or completely.
Configure HA Primary Unit
The first thing that needs to be done is to put the MAC address of the interface that is currently associated to the main uplink into the Advanced settings -> Use custom MAC address section (in the example above, you would need then to write the MAC address of eth0 interface into the custom MAC address field). If you have more than one uplink, you will need to do the same for all the other uplink, by filling the custom MAC address field with the MAC address of the related associated interface.
This is needed because, during the Endian HA failover, the RED interface MAC address does not automatically get replicated during failover onto the standby unit. Due to this, in order to maintain network connectivity there is the need for next hop ISP device to continue to see the same MAC address associated to the uplink IP in order to correctly send packets. This will ensure that when the HA is activated the MAC address will carry over to the standby unit and will not require manual intervention.
The next thing is to configure the HA settings on the primary HA unit which can be found under Services > High Availability. Here we'll configure this device to run as "Master" and then be sure to fill out all of the fields including the notification options so you know when / if you have an HA failure.
Note the default HA management network of 192.168.177.0 /24. This can be configured for any non-existing private network address space (RFC 1918).
The Spanning Tree Protocol (STP) is a dedicated solution for the configuration of High Availability in gateway mode. While choosing to enable the STP option, a port on the slave side will be closed when necessary, to avoid loops.
In order to configure the STP bridge priority, you will have to select 1 on the Master side, and 2 or higher on the Slave side.
Click on Save and Apply to continue.
Configure the HA Slave Unit
Next, we'll configure the HA settings on the slave HA unit. Here we'll configure the side as "Slave" and then just point it to the Master IP address we just previously configured and provide the root (SSH) password for the HA primary unit.
Click Save and Apply to continue and begin the HA active-standby process.
Once you have configured the service correctly and applied the change, you should see a confirmation dialog on the master unit (see above).
If you click on Go to Management GUI, you should see the GUI of the slave appliance, which has only a limited set of functions.
If this web interface cannot be visualized, it might be necessary that you add an iptables rule on tour local workstation, to allow you to reach the HA management network using the Master's GREEN IP as gateway.
The diagram is misleading because the direct cable is not needed any more and there is no need to set up VLANs on Endian.
If i need two zones (WAN and LAN) i need two NIC cards and 1 switch L3?
The network diagram isn't helpful so much, you should to upload a new diagram with better explanation.
Thanks from Chile.