DataPower

  • 1.  Conditions for standby control

    Posted Thu April 29, 2021 09:12 AM
    Edited by Stephanie Wilkerson Fri June 25, 2021 09:41 AM
    A customer just asked me the following question: What are the conditions which IP addresses must meet to be able to be used in a common standby group? Do they have to belong to a common LAN or VLAN? Which layer of the OSI model (2 or 3) is necessary?
    Can you please help me?

    ------------------------------
    Patrick Marie
    ------------------------------


  • 2.  RE: Conditions for standby control

    Posted Thu April 29, 2021 10:18 AM
    The DP standby-control extends Hot Standby Routing Protocol(HSRP) which has a dependency on multicast address 224.0. 0.2.  All members of the DP front side cluster must be able to send/receive HSRP to/from each other.

    The self-balance, which you did not ask about and I include for completeness, has separate requirements.  All transactions enter the cluster through the "active" leader.  The active leader responds to arp requests, and send gratuitous arp for, for the VIP address.  The leader uses linux ip_vs to forward packets from the "active" cluster leader to the cluster members.  The cluster members send responses back to the requester directly from the cluster member, not routed back through active leader, using VIP source IP. 

    Hope this help, will watch for followup questions.

    ------------------------------
    Ivan Heninger
    ------------------------------



  • 3.  RE: Conditions for standby control

    Posted Tue May 04, 2021 05:20 AM
    Thanks for your detailed answer!

    ------------------------------
    Patrick Marie
    ------------------------------



  • 4.  RE: Conditions for standby control

    Posted Fri June 25, 2021 09:42 AM

    Hi Ivan,

    Thanks for this very clear answer.
    I am interested about this topic/answer, hope you don´t mind if I ask you to clarify the control standby mechanism for a specific configuration directly in this forum thread.

    One of my datapower customer need to understand the behavior of the standby control when DP devices are part of 2 standby groups.
    If we have 2 datapowers (DP1 : ETH0 -> Standby group 280 - ETH1 -> Standby group 281) and DP2 with the same standby configuration than D1 on the same interfaces.
    The interfaces ETH0 and ETH1 are connected to different switches on each DP.

    What happens if a link goes down on an active member of the standby group (Switch down connected to ETH0 on DP1)?
    Does a fail over take place and the VIP owned by ETH0 on DP1 move to the other device (ETH0 DP2) ?

    We have been told that with standby controller, only way to failover to the other device is when it is marked "Down".
    If the other standby configuration (on ETH1) does not have any issues, the multicast communication is not interrupted and no device is marked "Down".
    Customer does not expect this behavior.

    Is it really the case ? If yes, can you explain it with more details ?

    Thanks and regards

    Armand

    ------------------------------
    armand anglade
    IT splecialis
    ibm
    madrid
    699353930
    ------------------------------



  • 5.  RE: Conditions for standby control

    Posted Mon June 28, 2021 06:55 PM
    Hi Armand,

    although related to the original post, this probably should be a separate thread, which could give it a title that describes the question.

    Anyway, the datapower standby group capability operates at the network interface level, not for the entire appliance.

    If an interface goes down (eth0 on DP1 in your scenario) the other members of the standby group 280 will stop receiving multi-cast status packets from the leader. They will recognise this as a failure, demote the leader and elect a new leader, which then issues an unsolicited ARP request to notify all other stations that there is a new MAC address corresponding to the VIP. The new leader then starts receiving traffic for the VIP and sending multi-cast status packets to identify itself as the group leader.

    eth1 is not impacted on either DP1 or DP2 and whichever appliance currently hosts the interface which is the leader for the 281 standby group remains the leader.

    Note: this is based on the description of the feature in the knowledge center and my experience from many years ago. I haven't had time to set up an environment to check that the DataPower networking code is implementing this correctly, but I have no reason to think that it wouldn't. The DataPower networking stack has generally been very reliable in my experience.

    Regards,


    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------



  • 6.  RE: Conditions for standby control

    Posted Fri July 02, 2021 11:13 AM
    Hi Neil,
    Thank you so much for this very clear and detailed explanation.
    It really help! I don´t have further question regarding this topic.
    Best regards
    Armand

    ------------------------------
    armand anglade
    IT splecialis
    ibm
    madrid
    699353930
    ------------------------------



  • 7.  RE: Conditions for standby control

    Posted Sun July 04, 2021 07:44 PM
    Hi Armand

    you're very welcome. 

    Over the weekend I had a chance to set up a pair of virtual appliances and try out HSRP failover on two independent pairs network interfaces. Everything worked as expected and the virtual addresses failed over separately.

    All the best

    Neil

    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------