Skip to content

High Availability Checklist

Switch Ports, Server Rack Space and UPS

Switch Ports

Ensure you have enough free network ports for the intended setup. You will need at least one additional switch port or more if you decide to configure dedicated network interfaces for heartbeat or DRBD in case you can’t connect the two appliances directly with network cables.

Server Rack Space

A 1U rackmount is required for each physical appliance. If you go from one to two physical appliances, ensure that at least 1U rackmount is available.

UPS

It is strongly recommended to connect all AXS Guard appliances and critical servers to a UPS, including hypervisors hosting virtual AXS Guard.

Network Interfaces

Number of Reserved Network Interfaces

High Availability relies on two services: heartbeat and DRBD. Both services can make use of a secure network connection that is also used for data transfers between different network segments. This setup has some serious disadvantages, which is why we strongly recommend using dedicated interfaces for heartbeat and DRBD if possible.

Heartbeat

Each node in a HA cluster uses heartbeat to verify whether the other node is still up and running. If the HA nodes are within close proximity of each other, e.g. 3 feet, a serial cable can be used to connect both AXS Guard appliances to facilitate heartbeat communications between them.

If the distance between the HA nodes is too large, a dedicated network interface is recommended for heartbeat communications. Sharing heartbeat communications over a secure LAN network interface is possible, but not recommended.

DRBD

AXS Guard HA nodes use DRBD to send data from the running master unit to the slave unit to keep it up-to-date.

If possible, we recommended the use of a dedicated network interface for DRBD communications. If this is not possible, you should consider sharing the heartbeat network interface to allow DRBD.

Important

Only transmit DRBD communications over a secure LAN interface as a last resort!

Configuration Examples

Possible configurations in order of preference:

Scenario

Secure LAN

Heartbeat

DRBD

Preference

1

Eth0

Eth2+PSTN

Eth3

Highly recommended

2

Eth0

Eth2+PSTN

Eth2

Recommended

3

Eth0

Eth2

Eth2

OK

4

Eth0

Eth0

Eth0

To be avoided!

Public IP Addresses

Number of IP Addresses

The next step in setting up a high availability cluster is determining how you are going to configure the Internet interface(s) of the nodes. Depending on how many public IP addresses your ISP has assigned to you, there are several options.

One or Two Public IP Addresses

If you have only one or two public IP addresses, the configuration is pretty straightforward. The public IP address(es) is (are) to be used as the virtual IP address (and aliases) of the HA cluster. In this setup only the running master will be directly accessible from the Internet. The Internet interfaces of each HA node are assigned private IP addresses that cannot be linked to any existing LAN subnet.

System

Master Node

Slave Node

HA Cluster

HA Cluster Aliases

INT IP Address

10.10.10.10

10.10.10.11

81.82.83.84

81.82.83.85

Three or More Public IP Addresses

When you have three or more pubic IP addresses, there are two possibilities.

Option 1

Either you use the same configuration as in the previous scenario: you assign private IP addresses to the master and the slave node and you use all public IP addresses for the HA cluster and its IP aliases. Reserve enough IP addresses necessary to build the cluster. This means 3 IP addresses for each redundant device; one for the slave node, one for the master node and one for the HA cluster (Virtual IP).

System

Master Node

Slave Node

HA Cluster

HA Cluster Aliases

INT IP Address

10.10.10.10

10.10.10.11

81.82.83.84

81.82.83.85, 81.82.83.86

Option 2

You can use one IP address for the master node, one for the slave node and one or more for the HA cluster.

System

Master Node

Slave Node

HA Cluster

HA Cluster Aliases

INT IP Address

81.82.83.84

81.82.83.85

81.82.83.86

81.82.83.87

Private IP Addresses

Secure Interfaces

Since the HA cluster needs to be accessible via a single IP address, you need to use the same methods as explained in the previous section. The difference with IP addresses in a private range is that you are in complete control of the IP address space you will be using. At least one IP address needs to be assigned to the HA cluster since that is the IP address that will be used by any AXS Guard service in your network, e.g. the DNS server, gateway, proxy, MTA, etc.

System

Master Node

Slave Node

HA Cluster

HA Cluster Aliases

SEC IP Address

192.168.1.2

192.168.1.3

192.168.1.1

192.168.1.4

Other Recommendations

  • It is recommended to disable automated software updates on both nodes and automatic system reboots on the master node.

  • If you upgrade or replace an HA cluster, ensure to create a backup of all system logs and local mailboxes (if applicable). Log files can be copied with SFTP or backed up on a network share. Mailboxes can only be backed up on a network share.

  • Make sure you have a KVM with VGA and USB support or a VGA monitor and USB keyboard for troubleshooting and monitoring.

Pre-installation Checklist

Ports and Rack Space

Enough network ports on core switch

Yes / No

Enough rack space available

Yes / No

Heartbeat and DRBD

Heartbeat via interface

Eth …..

Hearbeat via serial cable

Yes / No

DRBD via interface

Eth …..

Network Configuration

Interface

Master Node

Slave Node

HA Primary

HA Secondary

Eth0

Eth1

Eth2

Eth3

Eth4

Eth5

Eth6

Eth7

System Update and Reboot Settings

Automatic updates on nodes

On / Off

Automatic reboots on nodes

On / Off

System Backup Settings

Migration of log files necessary?

Yes / No

Migration of emails necessary?

Yes / No

Backup of spam database required?

Yes / No

Troubleshooting and Monitoring

KVM with VGA support or VGA monitor present?

Yes / No

KVM with USB or USB keyboard present?

Yes / No

Back to top