Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles


Support Central: KB #4469: How to Configure DDI HA Pair

We've seen a number of calls recently regarding configuring DDI HA pair. Let us know what questions you may have and we'll look into the "vault" and publish answers to your questions.


Problem Summary

How to configure Infoblox DDI (Secure DNS, DHCP, and IPAM) High Availability(HA) Pairs.

Customer Environment

Infoblox Grid with HA


NIOS 6.x and NIOS 7.x


Step 1: Planning for your DDI HA Pair

  • You will need 5 IP addresses, to configure your HA pair
  • All 5 IP addresses must be in the 'same' subnet
  • Node 1 will be considered the 'active' node
  • Node 2 will be considered the 'passive' node

VIP: Once the HA pair is active, use this IP to manage both devices

Node 1 HA: Source IP for the VIP and the VRRP advertisements

Node 2 HA: Listens for VRRP advertisements

Node 1: LAN 1: SSH management of Node 1(also used to listen for VRRP advertisements from the HA port)

Node 2: LAN 1: Source IP for SSL VPN to the VIP of the 'active' node (also receives bloxSYNC from the VIP)



Step 2: Select HA

  • Grid > Grid Manager > Member and select Member > Edit Grid Member Properties > Network > Basic
  • Select High Availability Pair
  • Provide a VRID (Virtual Router ID) for the HA pair (this number must be between 1 and 255)

Reminder: DDI HA pair utilizes VRRP for the peering relationship

Step 3: Ports and IP Addresses

  • By default, the LAN1 address of the 'active' node will become the VIP
  • This is not required and is configurable, however in an existing deployment, the reason the node 1: LAN1 IP is moved to the VIP is to accommodate instances where the customer's end host population is pointing to a specific IP address for functions such as DHCP.

Node 1 HA

Node 2 HA

Node 1: LAN 1

NOTE: As mentioned above, by default, the LAN1 address of the active node will become the VIP.  It is necessary to select a new address for the Node 1: 1 LAN 1 port.

 Node 2: LAN 1

Assuming you already have Node 2 up and running, with an IP, enter that data here.

IMPORTANT:  Remember all IPs must be in the same subnet

Port Settings: From the drop-down list, choose the speed and duplex settings. Select automatic to instruct the NIOS appliance to negotiate the optimum speed and duplex with the connecting switch. Automatic is the default setting.

NOTE: You cannot configure port settings for vNIOS appliances.

Save and Close your Grid Member Property Editor

NOTE:  If you encounter a Duplicate IP error message, be sure that your NODE 2 device is NOT already joined to the GRID where it is to become an HA member

Step 4: Join Passive Node 2 to the Grid

From the CLI of Node 2:

set membership


From the UI of Node 2

Grid > Grid Manager > Select your member > Toolbar > Join Grid

From the Join Grid menu enter:

  • VIP of the Grid Master
  • Grid Name: Infoblox
  • Grid Shared Secret: test



  • The key exchange is done over port 2114 and that is NOT configurable
  • The VPN tunnel uses a default port of 1194 and IS configurable
  • For information about VRRP, refer to RFC3768, Virtual Router Redundancy Protocol (VRRP) and VRRP Advertisements in the NIOS Admin Guide.

Showing results for 
Search instead for 
Did you mean: