11-12-2015 11:27 AM
So I was building a grid today and tried to add the passive node into an HA pair and it all went a bit FUBAR. Using 'show interface' I could see the counters on the HA port were at 0, so I started quizzing the network guys and they told me they had cabled the HA ports together with a direct connection, no switches involved.
"Okaaaaaaaay", I said, "we don't work like that, I need them to be cabled up to a port in the same VLAN as LAN1 etc." Then they start grilling me about why? Every other product they use where HA is involved uses a heartbeat over a separate unrouted VLAN, and I must admit I have also seen this with other products.
I explained that the VIP is presented by the HA interfaces, so if they are not connected into the network then we won't be able to get to the VIP, but even that is unusual as normally the VIP would be on one of the main service interfaces and the HA port is used purely for the heartbeat.
So it made me wonder why Infoblox do things this way, did someone get the design wrong back in the early days and we have been stuck with it ever since, or is there a valid reason why Infoblox takes this approach (which seems to be different to most other vendors, even Alcatel-Lucent and Bluecat use heartbeat VLANs).
Just curious and will give me something to go back to the customer with.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
11-14-2015 01:38 AM - edited 11-14-2015 01:54 AM
Here is my 2 cents.
Actualy I think this way of doing things offers much more flexibility over the usual unrouted vlan / direct link.
The Infoblox HA is using the VRRP protocol. The virtual IP is tight to a virtual MAC which never changes. Meaning, you don't have to bother with "stall" arp resolutions from crashed appliances. Usually, when a fail over occurs, the newly activated device wil start sending gratuitous ARPs to update router's ARP table with the nec MAC. Some router can be configured to ignore this, breaking up the failover.
Since VRRP uses multicast for heartbeat announcement you can span your HA clusters over remote sites as long as you have some L3 connectivity (i.e. GRE). A nice use case for this is to provide DRP between your local datacenter and an EC2 vNIOS instance now that this is supported.
If you really feel adventurous, you could do this HA over entirely different networks with some multicast and anycast routing :-)
One last point, you could also have more than 2 appliances clustered using this technique, although this is not supported I think.