Enabling Automatic Cluster Synchronization - D-Link NetDefendOS User Manual

Network security firewall
Chapter 11: High Availability
HA Requires Similar Hardware
The master and slave in an HA cluster will normally have identical D-Link hardware
configurations. An HA cluster made up of two dissimilar hardware models is not supported
by D-Link.
The Master and Active Units
When reading this section on HA, it should be kept in mind that the master unit in a cluster is not
always the same as the active unit in a cluster.
The active unit is the NetDefend Firewall that is actually processing all traffic at a given point in
time. This could be the slave unit if a failover has occurred because the master is no longer
operational.
Interconnection of Cluster Units
In a cluster, the master and slave units must be directly connected to each other by a
synchronization connection which is known to NetDefendOS as the sync interface. One of the
normal interfaces on the master and one on the slave is dedicated to this purpose, and the two
are connected together with a crossover cable.
Special packets, known as heartbeats, are continually sent by NetDefendOS from one cluster unit
to the other across Ethernet interfaces which have been configured as sync interfaces. These are
also sent on all other Ethernet interfaces unless an interface is explicitly configured not to send
them. These special packets allow the health of both units to be monitored. Heartbeat packets
are sent in both directions so that the passive unit knows about the health of the active unit and
the active unit knows about the health of the passive.
The heartbeat mechanism is discussed in more detail below in Section 11.2, "HA Mechanisms".
Cluster Management
When managing the cluster through the Web Interface or CLI, the configuration on one cluster
unit can be changed and this will then be automatically copied to the other unit, provided that
automatic synchronization is enabled for both cluster units (by default, it is). Turning off
automatic synchronization and changing the cluster units separately is not recommended.
Automatic synchronization involves a process of one unit failing over to the other when a
configuration change is saved. For example, if a change is made to the inactive unit and saved,
the inactive unit will become the active unit so the other cluster unit can be updated. It does not
matter if the changes are made to the active or inactive unit although it is usual practice to
change the inactive unit.
When the active unit is changed, two failovers occur. The active unit first goes inactive so it can
update, then becomes active again as the other unit updates. This method leaves the originally
active unit as the active unit, which can be desirable in some circumstances. For example, where a
feature does not support HA, such as L2TP, connections will not be lost.
Example 11.1. Enabling Automatic Cluster Synchronization
This example enables automatic cluster synchronization on a NetDefend Firewall which is
already part of an HA cluster. This setting is enabled by default when HA is enabled but this
example is provided for completeness. This setting should always be set to the same value on