High Availability Checklist
Switch Ports, Server Rack Space and UPS
Switch Ports
Ensure you have enough free network ports for the intended setup. You will need at least one additional switch port, or more if you configure dedicated network interfaces for heartbeat or DRBD and cannot connect the two appliances directly with network cables.
Server Rack Space
A 1U rackmount is required for each physical appliance. If you go from one to two physical appliances, ensure that at least 1U of rack space is available.
UPS
It is strongly recommended to connect all AXS Guard appliances and critical servers to a UPS, including hypervisors hosting virtual AXS Guard.
Network Interfaces
Number of Reserved Network Interfaces
High Availability relies on two services: heartbeat and DRBD. Both services can make use of a secure network connection that is also used for data transfers between different network segments. This setup has some serious disadvantages, which is why we strongly recommend using dedicated interfaces for heartbeat and DRBD if possible.
Heartbeat
Each node in a HA cluster uses heartbeat to verify whether the other node is still up and running. If the HA nodes are within close proximity of each other, i.e. in the same server rack, a serial cable can be used to connect both AXS Guard appliances to facilitate heartbeat communications between them.
If the distance between the HA nodes is too large, a dedicated network interface is recommended for heartbeat communications. To qualify as a dedicated network interface, the switch, fiber link or fiber convertors connected to a dedicated interface should not be shared with any of the other AXS Guard interfaces.
Sharing heartbeat communications over a secure LAN network interface is supported, but this is not the best option.
At least 2 or 3 fully separate Heartbeat channels should be available, e.g. primary secure LAN + serial connection + DRBD.
DRBD
AXS Guard HA nodes use DRBD to send data from the running master unit to the slave unit to keep it up-to-date.
If possible, we recommend the use of a dedicated network interface for DRBD communications. If this is not possible, you should consider sharing the heartbeat network interface for DRBD.
Important
Only transmit DRBD communications over a secure LAN interface as a last resort!
The Primary Secure Device configured under Network > General is used for the synchronization of appliances in a High Availability configuration.
Configuration Examples
Possible configurations by order of preference:
Scenario | Secure LAN | Heartbeat | DRBD | Preference |
---|---|---|---|---|
1 | Eth0 | Eth0 + Eth3 + PSTN | Eth3 | Highly recommended |
2 | Eth0 | Eth0 + PSTN | Eth0 | OK |
3 | Eth0 | Eth0 + Eth2 | Eth2 | OK. Eth2 over dedicated link, not over the same switch. |
4 | Eth0 | Eth0 | Eth0 | Supported, but not recommended |
Public IP Addresses
Number of IP Addresses
The next step in setting up a high availability cluster is determining how you are going to configure the Internet interface(s) of the nodes. Depending on how many public IP addresses your ISP has assigned to you, there are several options.
One or Two Public IP Addresses
If you have only one or two public IP addresses, the configuration is pretty straightforward. The public IP address(es) is (are) to be used as the virtual IP address (and aliases) of the HA cluster. In this setup only the running master will be directly accessible from the Internet. The Internet interfaces of each HA node are assigned private IP addresses that cannot be linked to any existing LAN subnet.
System | Master Node | Slave Node | HA Cluster | HA Cluster Aliases |
---|---|---|---|---|
INT IP Address | 10.10.10.10 | 10.10.10.11 | 81.82.83.84 | 81.82.83.85 |
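An added example, not part of the AXS Guard documentation or tooling: a Python check of an Internet-interface address plan against the rules in this section (node addresses private and outside every existing LAN subnet, cluster address and aliases public, no address used twice). The function name and the LAN subnet 192.168.1.0/24 are assumptions; the other addresses are the sample values from the table above.

```python
import ipaddress


def check_internet_plan(master, slave, cluster_ip, aliases, lan_subnets):
    """Return a list of problems found in an Internet-interface address plan.

    Models the layout where the public addresses are reserved for the HA
    cluster and the nodes themselves receive private addresses.
    """
    problems = []
    nodes = {"master": ipaddress.ip_address(master),
             "slave": ipaddress.ip_address(slave)}
    virtual = {"cluster": ipaddress.ip_address(cluster_ip)}
    for i, alias in enumerate(aliases, 1):
        virtual[f"alias{i}"] = ipaddress.ip_address(alias)
    lans = [ipaddress.ip_network(n) for n in lan_subnets]

    # Node addresses: private, and not inside any existing LAN subnet.
    for name, addr in nodes.items():
        if not addr.is_private:
            problems.append(f"{name} node address {addr} is not private")
        for lan in lans:
            if addr in lan:
                problems.append(
                    f"{name} node address {addr} falls inside LAN subnet {lan}")

    # Cluster virtual IP and aliases: must be reachable from the Internet.
    for name, addr in virtual.items():
        if not addr.is_global:
            problems.append(f"{name} address {addr} is not publicly routable")

    # No address may be assigned to two roles.
    seen = {}
    for name, addr in {**nodes, **virtual}.items():
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} share address {addr}")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    # Constructed input: table values from this page plus an assumed LAN subnet.
    issues = check_internet_plan("10.10.10.10", "10.10.10.11", "81.82.83.84",
                                 ["81.82.83.85"], ["192.168.1.0/24"])
    print(issues or "address plan is consistent")
```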
Three or More Public IP Addresses
When you have three or more public IP addresses, there are two possibilities.
Option 1
You can use the same configuration as in the previous scenario: assign private IP addresses to the master and the slave node and use all public IP addresses for the HA cluster and its IP aliases. Reserve enough IP addresses to build the cluster. This means 3 IP addresses for each redundant device: one for the slave node, one for the master node and one for the HA cluster (Virtual IP).
System | Master Node | Slave Node | HA Cluster | HA Cluster Aliases |
---|---|---|---|---|
INT IP Address | 10.10.10.10 | 10.10.10.11 | 81.82.83.84 | 81.82.83.85, 81.82.83.86 |
Option 2
You can use one IP address for the master node, one for the slave node and one or more for the HA cluster.
System | Master Node | Slave Node | HA Cluster | HA Cluster Aliases |
---|---|---|---|---|
INT IP Address | 81.82.83.84 | 81.82.83.85 | 81.82.83.86 | 81.82.83.87 |
Private IP Addresses
Secure Interfaces
Since the HA cluster needs to be accessible via a single IP address, you need to use the same methods as explained in the previous section. The difference with IP addresses in a private range is that you are in complete control of the IP address space you will be using. At least one IP address needs to be assigned to the HA cluster since that is the IP address that will be used by any AXS Guard service in your network, e.g. the DNS server, gateway, proxy, MTA, etc.
System | Master Node | Slave Node | HA Cluster | HA Cluster Aliases |
---|---|---|---|---|
SEC IP Address | 192.168.1.2 | 192.168.1.3 | 192.168.1.1 | 192.168.1.4 |
Other Recommendations
- It is recommended to disable automated software updates on both nodes and automatic system reboots on the master node.
- If you upgrade or replace an HA cluster, make sure to create a backup of all system logs and local mailboxes (if applicable). Log files can be copied with SFTP or backed up on a network share. Mailboxes can only be backed up on a network share.
- Make sure you have a KVM with VGA and USB support or a VGA monitor and USB keyboard for troubleshooting and monitoring.
Pre-installation Checklist
Ports and Rack Space
Enough network ports on core switch | Yes / No |
Enough rack space available | Yes / No |
Heartbeat and DRBD
Heartbeat via interface | Eth ….. |
Heartbeat via serial link (PSTN) | Yes / No |
DRBD via interface | Eth ….. |
Network Configuration
Interface | Description | Master Node | Slave Node | HA Cluster IP | HA Cluster Alias |
---|---|---|---|---|---|
Eth0 | Primary secure LAN device | | | | |
Eth1 | | | | | |
Eth2 | | | | | |
Eth3 | DRBD | | | | |
Eth4 | | | | | |
Eth5 | | | | | |
Eth6 | | | | | |
Eth7 | | | | | |
System Update and Reboot Settings
Automatic updates on nodes | On / Off |
Automatic reboots on nodes | On / Off |
Important
It is recommended to disable automated system updates and reboots.
System Backup Settings
Migration of log files necessary? | Yes / No |
Migration of emails necessary? | Yes / No |
Backup of spam database required? | Yes / No |
Troubleshooting and Monitoring
KVM with VGA support or VGA monitor present? | Yes / No |
KVM with USB or USB keyboard present? | Yes / No |