Lack of port redundancy for the HA VIP

Expert
Posts: 292

Hi, I'm just wondering something...

In an HA pair, the HA VIP is bound to the HA port of the active node in the pair, so the HA MAC/IP address will appear on whatever switch port it's plugged into.

If I use port redundancy, I can connect LAN1 into the primary switch and LAN2 into the secondary switch for both appliances in the pair.... but I can't do this for the HA port, I can only connect that to a single switch.

So I'm thinking that if I connect the HA port to the primary switch then I don't really have any port resilience, if the primary switch fails then an HA failover will occur... assuming I have the HA port of the passive node connected to the secondary switch.... if that is also connected to the primary switch then I will lose both nodes. Well, technically they will still both be connected to the grid via the LAN2 port to the secondary switch, but I will have lost connectivity to the HA VIP and will now have a service outage.

So, I do recommend to customers that the passive node HA port is connected to the secondary switch precisely to avoid this scenario, but it seems that there is a flaw with the Infoblox product as a switch failure can cause an HA failover when in an ideal world all that should happen is the connection to the secondary switch should take over without the need for an HA failover to occur.

It feels like configuring port redundancy doesn't really offer me any protection from switch failure if I am using HA.

Maybe Infoblox need to add an extra port so that the HA port can be dual connected?

It's a concern that has been bugging me lately, does it concern anyone else, or have I missed something?

Cheers,

Paul

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Lack of port redundancy for the HA VIP

Community Manager
Posts: 356

The Infoblox HA feature is designed to provide easy-to-configure resiliency under multiple scenarios. The intention behind HA is that you have two appliances that are connected to two different switches so in the event of a localized failure, the alternate node can take over and because a virtual interface is used for the VIP, managing that through multiple physical interfaces while maintaining state between two different appliances would make things overly complex without providing any extra real benefit.

Regards,

Tony

Re: Lack of port redundancy for the HA VIP

Expert
Posts: 292

Hmmm, I wonder if it's actually necessary to have a separate HA port, you could put the VIP on LAN1 (which is dual connected) and run all the HA traffic through that, and not actually have a separate HA port - it seems a bit overkill to me. I guess the requirement for the HA port was decided a long time ago back in DDI pre-history, so not a lot we can do about it now.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Lack of port redundancy for the HA VIP

Member
Posts: 4

It's an artifact of the hardware used at the time, is my understanding.  The hardware didn't support multiple MAC/IP combinations at the same time on a single interface.
