How Rapid Failover Is Accomplished; Shared Ip Addresses And Failover; Cluster Heartbeats - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

11.2. How rapid failover is accomplished

This section will detail the outward-visible characteristics of the failover mechanism, and how the two firewalls work together to create a high availability cluster with very low failover times.

For each cluster interface, there are three IP addresses:

Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and monitoring. They should not be associated in any way with traffic flowing through the cluster; if either firewall is inoperative, the associated IP address will simply be unreachable.

One "virtual" IP address; shared between the firewalls. This is the IP address to use when configuring default firewalls and other routing related matters. It is also the address used by dynamic address translation, unless the configuration explicitly specifies another address.

There is not much to say about the real IP addresses; they will act just like firewall interfaces normally do. You can ping them or remote control the firewalls through them if your configuration allows it. ARP queries for the respective addresses are answered by the firewall that owns the IP address, using the normal hardware address, just like normal IP units do.

11.2.1. Shared IP addresses and Failover

Both firewalls in the cluster know about the shared IP address. ARP queries for the shared IP address, or any other IP address published via the ARP configuration section or through Proxy ARP, will be answered by the active firewall.

The hardware address of the shared IP address, and other published addresses for that matter, is not related to the hardware addresses of the firewall interfaces. Rather, it is constructed from the cluster ID, in the following form: 10-00-00-C1-4A-nn, where nn is the Cluster ID configured in the Settings section.

As the shared IP address always has the same hardware address, there will be no latency time in updating the ARP caches of units attached to the same LAN as the cluster when failover occurs.

When a firewall discovers that its peer is no longer operational, it will broadcast a number of ARP queries, using the shared hardware address as sender address, on all interfaces. This causes switches and bridges to re-learn where to send packets destined for the shared hardware address in a matter of milliseconds.

Hence, the only real delay in the failover mechanism is detecting that a firewall is no longer operational.

The activation messages (ARP queries) described above are also broadcast periodically to ensure that switches won't forget where to send packets destined for the shared hardware address.
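The following is an added example, not code from the D-Link manual or from NetDefendOS: it derives the shared hardware address from a Cluster ID using the 10-00-00-C1-4A-nn form described above, and checks a set of constructed ARP replies so that an answer for the shared IP from any other hardware address is flagged for investigation. It assumes nn is the Cluster ID written as one octet in hexadecimal; the manual does not state the encoding.

```python
# Added example (not from the NetDefend manual). Constructed sample data.
import re

VMAC_PREFIX = "10-00-00-C1-4A"  # prefix of the cluster's shared hardware address


def shared_mac(cluster_id: int) -> str:
    """Return the shared hardware address 10-00-00-C1-4A-nn for a Cluster ID.
    Assumption: nn is the Cluster ID as one octet in hexadecimal (0-255)."""
    if not 0 <= cluster_id <= 255:
        raise ValueError("Cluster ID must fit in one octet")
    return f"{VMAC_PREFIX}-{cluster_id:02X}"


def cluster_id_from_mac(mac: str):
    """Return the Cluster ID if mac is a NetDefend shared address, else None.
    Accepts both '-' and ':' separators and either letter case."""
    m = re.fullmatch(r"10[-:]00[-:]00[-:]C1[-:]4A[-:]([0-9A-F]{2})", mac.upper())
    return int(m.group(1), 16) if m else None


def check_arp_replies(replies, shared_ip, cluster_id):
    """replies: iterable of (sender_ip, sender_mac) taken from ARP replies.
    Returns a list of (ip, observed_mac, expected_mac) for every reply that
    claims the shared IP with a hardware address other than the cluster's.
    Such a reply is either a misconfigured second cluster or ARP poisoning."""
    expected = shared_mac(cluster_id)
    findings = []
    for ip, mac in replies:
        if ip != shared_ip:
            continue  # real interface addresses use their own hardware address
        if mac.upper().replace(":", "-") != expected:
            findings.append((ip, mac, expected))
    return findings


# Constructed sample: shared IP 192.0.2.1, Cluster ID 3, four observed replies.
SAMPLE_REPLIES = [
    ("192.0.2.1", "10:00:00:c1:4a:03"),  # active firewall, correct shared MAC
    ("192.0.2.2", "00:11:22:33:44:55"),  # real IP of firewall A, own hardware address
    ("192.0.2.3", "00:11:22:33:44:66"),  # real IP of firewall B, own hardware address
    ("192.0.2.1", "de:ad:be:ef:00:01"),  # shared IP answered by an unexpected MAC
]

if __name__ == "__main__":
    print("expected shared MAC:", shared_mac(3))
    for finding in check_arp_replies(SAMPLE_REPLIES, "192.0.2.1", 3):
        print("unexpected hardware address for shared IP:", finding)
```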

11.2.2. Cluster heartbeats

NetDefendOS detects that the peer system is no longer operational when it can no longer detect "cluster heartbeats" from its peer.

Currently, NetDefendOS will send five cluster heartbeats per second.

Note

The shared IP address should not be used for remote management or monitoring purposes. When using, for example, SNMP for remote management of the D-Link Firewalls in an HA configuration, the individual IP addresses of the firewalls should be used.
Chapter 11. High Availability
