advertisement
Chapter 14: High Availability Deployments
Chapter 14: High Availability Deployments
HA feature overview
This chapter includes the following topics: l l l l l l l l l
Updating firmware for an HA cluster
Deploying an active-passive cluster
Deploying an active-active cluster
Deploying an active-active-VRRP cluster
HA feature overview
FortiADC appliances can be deployed as standalone units or as high availability (HA) clusters.
A cluster is two or more nodes. A node is an instance of the appliance/system. In a cluster, one node is the
primary node, also called the master node. The other members of the cluster are secondary nodes, also called
slave nodes.
The primary node has a special role. It has a one-to-many relationship with member nodes. Both configuration updates and software updates are initiated by the primary node and pushed to member nodes.
The system selects the primary node based on the following criteria: l l l l l l l
Link health (if monitor ports links are down, the node is considered down)
Remote IP monitor health check results
Override setting (prefers priority to uptime)
Most available ports
Highest uptime value
Lowest device priority number (1 has greater priority than 2)
Highest-sorting serial number—Serial numbers are sorted by comparing each character from left to right, where 9 and z are the greatest values. The system gives preference to higher values over lower values.
HA solutions depend on two types of communication among cluster members: l l
Synchronization—During initialization, the primary node pushes its configuration (with noted exceptions) to member nodes. After initialization has completed, the nodes synchronize their session tables.
Heartbeats—A cluster node indicates to other nodes in the cluster that it is up and available. The absence of heartbeat traffic indicates the node is not up and is unavailable.
There are three types of HA clusters: l
Active-Passive—Only the primary node is active, so it is the only node that receives traffic from adjacent routers.
Typically, there is one other node that is in standby mode. It assumes active status if the primary node undergoes
335 FortiADC D-Series Handbook
Fortinet Technologies, Inc.
HA feature overview Chapter 14: High Availability Deployments l l maintenance or otherwise becomes unavailable.
Active-Active—All nodes receive traffic. Active-Active deployments support load balancing and failover among up to eight cluster members.
Active-Active-VRRP —FortiADC's Active-Active-VRRP mode uses a VRRP-like protocol, and can function in both
HA Active-Passive mode and HA Active-Active mode, depending on the number of traffic groups used in the configuration. When only one traffic group is used, it actually functions in Active-Passive mode; when two or more traffic groups are used, it works in Active-Active mode.
In an Active-Passive cluster, only the management IP address for the primary node is active. In an active-passive cluster, you can log into a node only when it has primary node status and its IP address is active. To access the user interface of an appliance in standby status (the active-passive slave), you must use a console port connection.
In an Active-Active cluster, the IP addresses for all interfaces are unique, including the management interface.
When the appliance is in standalone mode, the physical port IP address is active; when it is in HA mode, the address assigned to it in the HA node IP list address is active. You can log into any node using the active IP address for its management port.
In an Active-Active-VRRP cluster, FortiADC uses hbdev for members status communication. It also allows you to configure sync+session, persistence sync, and image sync functions via hbdev and dataport, which is essentially the same as the HA-AA/AP mode. Note that FortiADC is unable to communicate with third-party VRRP devices because it actually doesn't use the VRRP protocol at all.
Tip: You can use the execute ha manage command to log into the console of a member node. See the CLI reference.
shows an active-passive cluster in a single network path. In an active-passive cluster, the primary node is the active node that handles all traffic. In the event that the primary node experiences hardware failure or system maintenance, failover takes place. In failover, the standby node becomes the primary node and processes the traffic that is forwarded along the network path. The new primary node sends gratuitous ARP to notify the network to direct traffic for the virtual MAC addresses (vMAC) to its network interfaces. It takes the IP addresses of the unresponsive node.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
336
Chapter 14: High Availability Deployments
Figure 59: Basic active-passive cluster
HA feature overview
337
shows an active-passive cluster in a redundant path. A topology like this is a best practice because it is fully redundant, with no single point of failure. If the gateway, load balancer, or switch were to fail, the failover path is chosen.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
HA feature overview
Figure 60: Redundant path active-passive cluster
Chapter 14: High Availability Deployments
shows an active-active cluster. An active-active cluster supports load-balancing and failover among up to eight member nodes. The routers on either side of the cluster must be configured to use equal cost multipath
(ECMP) to distribute traffic to the FortiADC cluster nodes. All nodes actively receive and forward traffic.
The primary node has a special role. It handles all FTP and firewall traffic, and it acts as the failover node for all of the other nodes in the cluster.
The failover mechanism is the same as an active-passive deployment, with the primary node acting as the standby node for all other cluster members. If a member node fails, the primary node takes the IP addresses of the unresponsive node and notifies the network via ARP to redirect traffic for that vMAC to its own network interfaces. For example, in
Figure 61 , node1 is the primary node. If node2 were to fail, its traffic would failover to
node1. If node3 were to fail, its traffic would also failover to node1. If the primary node were to fail, a new primary node would be elected, and it would function as the master in all respects, including its role as the new standby node for failover from all other cluster members.
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
338
advertisement
advertisement