Limitations of Cluster Addresses on Different Subnets

This new feature does not yet support all the capabilities of ClusterXL.

Some features require additional configuration to work properly, while others are not supported.

Connectivity Between Cluster Members

Since ARP requests issued by Cluster Members are hidden behind the cluster IP and MAC addresses, requests sent by one Cluster Member to the other may be ignored by the destination computer.

To allow Cluster Members to communicate with each other, configure static ARP entries on each Cluster Member that state the MAC addresses of all other Cluster Members. IP packets sent between Cluster Members are not altered, and therefore no changes should be made to the routing table.

Note - Static ARP is not required in order for the Cluster Members to work properly as a cluster, since the cluster synchronization protocol does not rely on ARP.

Load Sharing Multicast Mode with "Semi-Supporting" Hardware

Although not all types of network hardware work with multicast MAC addresses, some routers can pass such packets, even though they are unable to handle ARP Replies containing a multicast MAC address. Where a router semi-supports Load Sharing Multicast mode, it is possible to configure the cluster MAC address as a static ARP entry in the router internal tables, and thus allow it to communicate with the cluster.

When different subnets are used for the cluster IP addresses, static ARP entries containing the router MAC address need to be configured on each Cluster Member. This is done because this kind of router will not respond to ARP Requests containing a multicast source MAC address. These special procedures are not required when using routers that fully support multicast MAC addresses.

Manual Proxy ARP

When using Static NAT, the cluster can be configured to automatically recognize the hosts hidden behind it, and issue ARP replies with the cluster MAC address, on their behalf. This process is known as Automatic Proxy ARP.

However, if you use the ClusterXL VMAC mode or different subnets for the cluster IP addresses, this mechanism will not work, and you must configure the proxy ARP manually. To do so, in SmartConsole, click Menu > Global properties > NAT - Network Address Translation, and disable Automatic ARP Configuration. Then create the $FWDIR/conf/local.arp file.

For instructions, see sk30197.

Connecting to the Cluster Members from the Cluster Network

Because the unique IP addresses may be chosen arbitrarily, there is no guarantee that these addresses are accessible from the subnet of the cluster IP address.

To access the Cluster Members through their unique IP addresses, you must configure routes on the accessing Cluster Member, such that the cluster IP is the Default Gateway for the subnet of the unique IP addresses.

Configuring Anti-Spoofing

  1. Connect with SmartConsole to the Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Create a Group object, which contains the objects of both the external network and the internal network.

    In the Example of Cluster IP Addresses on Different Subnets, suppose Side "A" is the external network, and Side "B" is the internal network.

    You must configure the Group object to contain both the network 172.16.4.0 / 24 and the network 192.168.2.0 / 24.

  4. Open the cluster object.

  5. From the left tree, click Network Management.

  6. Select the cluster interface and click Edit.

  7. On the General page, in the Topology section, click Modify.

  8. Select Override.

  9. Select This Network (Internal).

  10. Select Specific.

  11. Select the Group object that contains the objects of both the external network and the internal network.

  12. Click OK.

  13. Install the Access Control Policy on this cluster object.
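The effect of steps 3 through 11 can be checked offline before installing policy. The following is an added example, not Check Point code: a simplified model of the anti-spoofing decision on the interface, using the two networks named in step 3. The function names, the sample groups and the source addresses are assumptions constructed for illustration.

```python
import ipaddress

# Networks the page says the Group object must contain (step 3).
REQUIRED = ["172.16.4.0/24", "192.168.2.0/24"]

def _nets(cidrs):
    # strict=True rejects entries with host bits set (e.g. 172.16.4.1/24).
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def audit_group(configured, required=REQUIRED):
    """Compare the Group object's networks with the required ones.

    Returns (missing, extra): required networks the group does not fully
    cover, and group entries that reach beyond every required network
    (each such entry widens what anti-spoofing accepts on the interface).
    """
    # Merge adjacent entries first, so two /25 objects count as one /24.
    cfg = list(ipaddress.collapse_addresses(_nets(configured)))
    req = _nets(required)
    missing = [str(r) for r in req if not any(r.subnet_of(c) for c in cfg)]
    extra = [str(c) for c in cfg if not any(c.subnet_of(r) for r in req)]
    return missing, extra

def verdict(src_ip, configured):
    """Simplified model: a source outside the group is treated as spoofed."""
    src = ipaddress.ip_address(src_ip)
    return "accept" if any(src in n for n in _nets(configured)) else "spoofed"

if __name__ == "__main__":
    # Constructed sample groups and packet source addresses.
    groups = {
        "both networks": REQUIRED,
        "external only": ["172.16.4.0/24"],
        "too broad": ["172.16.0.0/12", "192.168.2.0/24"],
    }
    for name, group in groups.items():
        print(name, audit_group(group))
        for src in ("172.16.4.25", "192.168.2.40", "10.9.9.9"):
            print("   ", src, verdict(src, group))
```

A group that lists only one of the two networks makes the model classify traffic from the other network as spoofed, while an over-broad entry is reported in the second list because it accepts sources the procedure never intended.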