Implementing Planning Considerations

High Availability or Load Sharing

Whether to choose a Load Sharing (Active / Active) or a High Availability (Active / Standby) mode depends on the needs and requirements of the organization.

A High Availability cluster mode ensures fail-safe connectivity for the organization.

A Load Sharing cluster mode provides the additional benefit of increased performance.

See Mode Comparison Table.

Choosing the Load Sharing Mode

Load Sharing Multicast mode is an efficient way to handle a high traffic load, because the load is distributed optimally between all Active Cluster Members.

However, not all switches can be used for Load Sharing Multicast mode. Load Sharing Multicast mode associates multicast Cluster MAC addresses with unicast Cluster Virtual IP addresses. This ensures that traffic destined for the cluster is received by all Cluster Members.

In response to ARP Request packets for a Cluster Virtual IP address, Cluster Members send ARP Replies that contain a unicast Cluster Virtual IP address and a multicast MAC address. Some switches do not accept such ARP Replies. For some switches, adding a static ARP entry for the unicast Cluster Virtual IP address and the multicast MAC address solves the issue. Other switches do not accept this type of static ARP entry.
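To check a packet capture for the ARP Replies described above, the following added example (not part of the original documentation) parses an Ethernet frame and flags ARP Replies that pair a unicast sender IP address with a multicast sender MAC address. The function names are hypothetical, and the frames and addresses are constructed sample values from documentation ranges.

```python
import ipaddress
import struct

ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def is_multicast_mac(mac: bytes) -> bool:
    """The I/G bit (lowest bit of the first octet) marks a group address."""
    return bool(mac[0] & 0x01)

def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP Reply frame (sample input only)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: ipaddress.ip_address(s).packed
    eth = to_mac(target_mac) + to_mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, to_mac(sender_mac),
                      to_ip(sender_ip), to_mac(target_mac), to_ip(target_ip))
    return eth + arp

def inspect_arp(frame: bytes):
    """Return ARP details for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 46:  # skip one 802.1Q VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, frame[offset:offset + 28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ipaddress.ip_address(spa)
    return {
        "is_reply": oper == ARP_REPLY,
        "sender_ip": str(sender_ip),
        "sender_mac": sha.hex(":"),
        # The combination some switches refuse to learn from an ARP Reply.
        "unicast_ip_multicast_mac": (oper == ARP_REPLY
                                     and not sender_ip.is_multicast
                                     and is_multicast_mac(sha)),
    }

# Constructed samples: 192.0.2.1 stands in for a Cluster Virtual IP address.
SAMPLE_MULTICAST = build_arp_reply("00:00:5e:00:53:01", "01:00:5e:00:02:01",
                                   "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10")
SAMPLE_UNICAST = build_arp_reply("00:00:5e:00:53:01", "00:00:5e:00:53:01",
                                 "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10")
```

Frames for which `unicast_ip_multicast_mac` is true are the replies to compare against the switch's ARP table when troubleshooting connectivity to the Cluster Virtual IP address.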

Another consideration is whether your deployment includes networking devices with interfaces operating in promiscuous mode. If two such networking devices and a ClusterXL in Load Sharing Multicast mode exist on the same network segment, traffic destined for the cluster that is generated by one of the networking devices could also be processed by the other networking device.

For these cases, use Load Sharing Unicast mode, which does not require multicast MAC addresses for the Cluster Virtual IP addresses.

IP Address Migration

If you wish to provide High Availability or Load Sharing to an existing Security Gateway configuration, we recommend taking the existing IP addresses from the Active Security Gateway and making these the Cluster Virtual IP addresses, when feasible. Doing so avoids altering current IPsec endpoint identities and, in many cases, keeps Hide NAT configurations the same.