
SonicOS Enhanced

Active/Active Clustering Full-Mesh Deployment

Introduction
The SonicOS 5.6.5 feature release introduces the Active/Active Clustering feature. Active/Active Clustering allows you to group multiple firewalls or High Availability pairs into a cluster and pass traffic through them in parallel for load-sharing along with Stateful Failover support, thus providing very high levels of redundancy and performance. SonicOS 5.6.5 also introduces port redundancy. This feature enables redundancy at the port level, allowing a backup port to take over in case the primary port encounters a failure.

With the introduction of Active/Active Clustering, the following High Availability (HA) configuration options are now supported by SonicOS:

Active/Passive Hardware Failover (Stateless HA): In this basic configuration option, two units form an HA pair with one unit in the Active role and the other unit in the Passive/Idle role. Only the Active unit processes the network traffic. When the Active unit encounters a fault condition, failover occurs as the Idle firewall takes over the Active role. Existing network connections need to be re-built after a failover.

Active/Passive Stateful HA: In this configuration option, dynamic state is continuously synchronized between the Active and Idle units. When the Active unit encounters a fault condition, stateful failover occurs as the Passive/Idle firewall takes over the Active role with no interruption to existing network connections.

Active/Active DPI: The Active/Active Deep Packet Inspection (DPI) configuration option can be used along with Active/Passive Stateful HA. When it is enabled, the processor-intensive DPI services, such as Intrusion Prevention (IPS), Gateway Anti-Virus (GAV) and Anti-Spyware, are processed on the Idle firewall of an HA pair while the Active firewall concurrently processes firewall, NAT, and other traffic.

Active/Active Clustering: In this configuration option, multiple firewalls can be grouped together as Cluster Nodes (CN), with multiple Active units processing traffic (as multiple gateways), doing DPI and sharing the network load. Each CN consists of two units acting as a Stateful HA pair. Active/Active Clustering provides Stateful Failover support in addition to load-sharing. Active/Active DPI can be enabled for additional performance gain, utilizing the Idle units in each CN. Optionally, each CN can also consist of a single unit, in which case Stateful Failover and Active/Active DPI will not be available.

Active/Active Clustering Full-Mesh: The Active/Active Clustering Full-Mesh configuration is an enhancement to the Active/Active Clustering configuration option and prevents any single point of failure in the network. All firewalls and other network devices are partnered for complete redundancy. Full-Mesh ensures that there is no single point of failure in your deployment, whether it is a device (firewall/switch/router) or a link. Every device is wired twice to the connected devices. Active/Active Clustering with Full-Mesh provides the highest level of availability possible with high performance.

This document describes how to configure a typical Active/Active Clustering Full-Mesh deployment.

Supported Platforms
Active/Active Clustering Full-Mesh deployment is supported on the following SonicWALL E-Class NSA appliances:
NSA E8500
NSA E7500
NSA E6500
NSA E5500

Key Benefits
The following are the key benefits of Active/Active Clustering:

High Throughput: Multiple Active firewalls in the cluster acting as multiple gateways doing DPI enable very high throughput and performance.

Stateful Failover Support: When one of the Active units in the cluster encounters a fault condition, the Idle unit will take over in a transparent manner with no interruption to existing network connections.

Multiple Levels of Redundancy: In an Active/Active Cluster, each CN provides redundancy to all other CNs. This is in addition to the redundancy provided by the Idle unit within each CN. Thus, Active/Active Clustering provides multiple levels of redundancy. In a hypothetical situation where all the firewalls in the cluster go down except one, the traffic is still processed (up to the capacity of the single unit), which is an indication of the high level of redundancy available.

Effective Resource Utilization: Active/Active Clustering utilizes multiple firewalls in the cluster for actively forwarding traffic. When Active/Active DPI is enabled with Active/Active Clustering, the Idle firewalls in the Cluster Nodes are also utilized for DPI processing. This combination allows all the firewalls in the cluster to be utilized for maximum performance gain.

The following are the additional key benefits of the Active/Active Clustering Full-Mesh configuration option:

No Single Point of Failure in the Core Network: In an Active/Active Clustering Full-Mesh deployment, there is no single point of failure in the entire core network, not just for the firewalls. An alternative path for a traffic flow is always available even in case of simultaneous failures of a switch, a router and a firewall on a path, thus providing the highest levels of availability.

Port Redundancy: Active/Active Clustering Full-Mesh utilizes port redundancy in addition to HA redundancy within each Cluster Node and node-level redundancy within the cluster. With port redundancy, a backup link will take over in a transparent manner if the primary port fails. This prevents the need for device-level failover.

Deployment Prerequisites
All firewalls in the cluster must be of the same model and loaded with the same SonicOS 5.6.5 firmware. The routers in the firewalls' upstream network should be pre-configured for Virtual Router Redundancy Protocol (VRRP).

Deployment Restrictions
When Active/Active Clustering is enabled, only static IPs can be used on the WAN. The following features are not supported with Active/Active Clustering:
DHCP Server
L2 Bridging / L2 Transparent Mode
L3 Transparent Mode
Please refer to the Active/Active Clustering Feature Module for information about additional feature dependencies.

Procedure
This section describes the procedure for setting up an Active/Active Cluster Full-Mesh deployment. It describes a 4-unit Active/Active Clustering Full-Mesh setup. We will go over the following aspects of the deployment:
Cabling for Active/Active Full-Mesh
Configuring the Active/Active Cluster Firewalls
Testing for No Single Point of Failure

Note: The deployments described in this document are examples. Your actual deployment might differ based on the following factors:
a) Topology/design of your network and the types of network devices you use (switches, routers, load balancers, etc.)
b) Level of availability desired
c) Resource constraints

Active/Active Clustering Full-Mesh 4-Unit Deployment:

Cabling for Active/Active Full-Mesh


This procedure describes the cabling for the deployment illustrated in the above diagram. To physically connect your network devices for a full-mesh deployment, perform the following steps:

1. Connect all the HA links of all the firewalls into a port-based VLAN on Switch E.

2. In the setup described above, X2 is the redundant port of X0. Connect the cables as follows for the X0, X2 ports:
a. Connect CN1-Primary Firewall's X0 to Switch A and X2 to Switch B.
b. Connect CN1-Backup Firewall's X0 to Switch A and X2 to Switch B.
c. Connect CN2-Primary Firewall's X0 to Switch B and X2 to Switch A.
d. Connect CN2-Backup Firewall's X0 to Switch B and X2 to Switch A.

3. On Switch A and Switch B:
a. Configure all the switch ports connected to the X0, X2 interfaces to be in the same port-based VLAN.
b. Enable Spanning Tree, but also enable Port Fast (or equivalent command) on the ports connected to the firewalls.

4. In the setup described above, X3 is the redundant port of X1. Connect the cables as follows for the X1, X3 ports:
a. Connect CN1-Primary Firewall's X1 to Switch C and X3 to Switch D.
b. Connect CN1-Backup Firewall's X1 to Switch C and X3 to Switch D.
c. Connect CN2-Primary Firewall's X1 to Switch D and X3 to Switch C.
d. Connect CN2-Backup Firewall's X1 to Switch D and X3 to Switch C.

5. On Switch C and Switch D:
a. Configure all the switch ports connected to the X1, X3 interfaces to be in the same port-based VLAN.
b. Enable Spanning Tree, but also enable Port Fast (or equivalent command) on the ports connected to the firewalls.

6. Cable Switch A and Switch B together.

7. Cable Switch C and Switch D together.

8. If Router A and Router B have redundant port support, then connect the Routers to the Switches in the same way as we connected the Firewall ports to the Switches. That is, connect the primary port on Router A to Switch C and the backup port on Router A to Switch D. Connect the ports in the same way for Router B.

9. If the Routers do not have redundant port support but have switching support, then create two ports in the same VLAN on Router A and assign an IP address to the VLAN instead of the port. Then connect one port to Switch C and the other port to Switch D. Do a similar configuration for Router B. (This is the setup shown in the diagram.)

10. In the setup described above, we also use Active/Active DPI along with Active/Active Clustering. Ports X6 and X7 are the two HA data ports for redundancy and load-sharing of offloaded traffic from Active to Idle firewalls. Perform the following cabling (the X6, X7 ports and cabling have not been shown in the above diagram for brevity):
a. Connect X6 of CN1-Primary to X6 of CN1-Backup with a cross-over cable.
b. Connect X7 of CN1-Primary to X7 of CN1-Backup with a cross-over cable.
c. Connect X6 of CN2-Primary to X6 of CN2-Backup with a cross-over cable.
d. Connect X7 of CN2-Primary to X7 of CN2-Backup with a cross-over cable.

Configuring the Active/Active Cluster Firewalls


This section describes the steps to configure the Active/Active Cluster firewalls. Refer to the Active/Active Clustering Feature Module for details and screenshots for each of the following steps:

1. Shut down all firewalls except the CN1-Primary unit.

2. On the High Availability > Settings page:
a. Choose Active/Active Clustering mode.
b. Enter the Cluster Node serial numbers.
c. Select CN1 as Owner for Virtual Group 1 and Standby for Virtual Group 2.
d. Select CN2 as Owner for Virtual Group 2 and Standby for Virtual Group 1.
e. Enable Stateful Synchronization.
f. Enable Active/Active DPI with X6 and X7 as the two HA data ports.
g. Click Submit.

3. On the Network > Interfaces page:
a. Add the Virtual Group (VG) IP addresses for both the X0 and X1 interfaces.
b. Add the redundant port configuration (X2 as redundant port of X0, X3 as redundant port of X1).

4. On the High Availability > Monitoring page, add the monitoring/management IP addresses either on X0 or X1 for each unit in the cluster.

5. Turn on all the other firewalls. A complete synchronization of the configuration is made from the CN1-Primary to all other firewalls.

6. Log in to each firewall unit using the dedicated monitoring/management address and do the following:
a. Register the firewall on MySonicWALL.
b. Synchronize the licenses with MySonicWALL.

Testing for No Single Point of Failure


After the above deployment is connected and configured, CN1 will own Virtual Group 1 (VG1), and CN2 will own Virtual Group 2 (VG2). Configure the VG1 IP address on X0 as the gateway for a certain set of traffic flows and the VG2 IP address on X0 as the gateway for other sets of traffic flows. The network administrator can use different methods to accomplish this. One way is to use a smart DHCP server which distributes the gateway allocation to the PCs on the directly connected client network. Another method is to use policy-based routes on a downstream router. When the traffic setup is done, both Cluster Nodes will actively process network traffic. Now we can test for no single point of failure on all devices and links with the following steps:

1. Device Failures: Traffic should continue to flow through both Cluster Nodes in each of the following device failures:
a. Power down Switch A while Switch B is up and ready.
b. Power down Switch B while Switch A is up and ready.
c. Restart the Active unit in CN1 from the SonicOS management interface while the Idle unit in CN1 is up and ready (this scenario is similar to a software failure on the CN1-Active unit). Note that there will be a Stateful HA failover in this case.
d. Shut down the CN1-Active unit while the CN1-Idle unit is up and ready (this scenario is similar to a hardware failure on the CN1-Active unit). Note that there will be a Stateful HA failover in this case.
e. Repeat steps c) and d) for CN2.
f. Shut down Router A while Router B is up and ready.
g. Shut down Router B while Router A is up and ready.

2. Link Failures: Traffic should continue to flow in each of the following link failures:
a. On each of the Active firewalls in the Cluster Node, disconnect the X0 cable while X2 is connected.
b. On each of the Active firewalls in the Cluster Node, disconnect the X1 cable while X3 is connected.
c. Disconnect the primary link from the upstream switches to the router which is the Active virtual router.
d. Disconnect X6, the Active/Active DPI HA data interface.

Active/Active Cluster Full-Mesh 2 Unit Deployment


In previous sections we discussed the Active/Active Cluster Full-Mesh with 4 firewall units. Optionally, you can deploy Active/Active Cluster Full-Mesh with 2 firewall units where each CN consists of only one firewall (no HA backup). However, such a setup has the following limitations:
1. Failover will not be stateful and existing connections will need to be re-built.
2. If the traffic on each unit is greater than 50% of the capacity of the single unit at the time of failover, then after the failover the traffic in excess of 50% will be dropped.

The following diagram can be used as a reference for setting up the 2-unit Full-Mesh deployment.

Active/Active Clustering Full-Mesh 2-Unit Deployment:

The procedure for the 2-unit Full-Mesh is similar to the procedure for the 4-unit Full-Mesh, with the following exceptions:
1. The steps involving the Backup unit in each node do not apply.
2. The steps for configuring Stateful Sync and Active/Active DPI do not apply.
3. There is no switch required for connecting the HA ports (since there are only two, they can be directly connected with a cross-over cable).
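The failure tests in "Testing for No Single Point of Failure", and the 2-unit limitation that a unit failure moves all traffic to the other Cluster Node, can be rehearsed on paper before any cable is pulled. The following Python script is an added example, not part of this document or of SonicOS: it records the data-path cabling from steps 2 through 8 as a graph and removes each device and each link in turn, reporting any failure that cuts the client side off from the routers and any failure that leaves only one Cluster Node forwarding. The "LAN" and "WAN" end points, and the assumption that clients can reach both Switch A and Switch B, are not stated in the document; the HA links on Switch E and the X6/X7 DPI data ports carry no forwarded traffic and are left out, and which unit of a node is Active is not modelled, only whether the node still has a unit on a working path.

```python
"""Connectivity model for the Active/Active Clustering Full-Mesh cabling.

Added example, not part of the SonicWALL document. Device and port names
follow the cabling procedure (Switch A-D, Router A/B, CN1/CN2 units, X0-X3).
Assumed, not stated on the page: a "LAN" end point wired to both Switch A and
Switch B, and a "WAN" end point behind both routers.
"""
from collections import deque

# unit -> cluster node; the 2-unit deployment simply drops the Backup units
FOUR_UNIT = {
    "CN1-Primary": "CN1", "CN1-Backup": "CN1",
    "CN2-Primary": "CN2", "CN2-Backup": "CN2",
}
TWO_UNIT = {"CN1-Primary": "CN1", "CN2-Primary": "CN2"}


def full_mesh_links(units):
    """Return the cabling as (device, device, label) triples."""
    links = [
        ("LAN", "Switch A", "client uplink"),      # assumed
        ("LAN", "Switch B", "client uplink"),      # assumed
        ("Switch A", "Switch B", "inter-switch"),  # cabling step 6
        ("Switch C", "Switch D", "inter-switch"),  # cabling step 7
        ("Router A", "Switch C", "primary port"),  # cabling step 8
        ("Router A", "Switch D", "backup port"),
        ("Router B", "Switch C", "primary port"),
        ("Router B", "Switch D", "backup port"),
        ("Router A", "WAN", "upstream"),           # assumed
        ("Router B", "WAN", "upstream"),           # assumed
    ]
    for unit, cn in units.items():
        # Cabling steps 2 and 4: CN1 units go X0 -> Switch A, X2 -> Switch B,
        # X1 -> Switch C, X3 -> Switch D; CN2 units are wired the other way
        # round so that the two nodes' primary ports land on different switches.
        if cn == "CN1":
            x0, x2, x1, x3 = "Switch A", "Switch B", "Switch C", "Switch D"
        else:
            x0, x2, x1, x3 = "Switch B", "Switch A", "Switch D", "Switch C"
        links += [(unit, x0, "X0"), (unit, x2, "X2"),
                  (unit, x1, "X1"), (unit, x3, "X3")]
    return links


def reachable(start, links, down_devices=(), down_link=None):
    """Breadth-first search over the links that survive the given failure."""
    adj = {}
    for a, b, label in links:
        if (a, b, label) == down_link or a in down_devices or b in down_devices:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def forwarding_cluster_nodes(units, links, down_devices=(), down_link=None):
    """Cluster nodes that still have a unit sitting on a LAN <-> WAN path."""
    from_lan = reachable("LAN", links, down_devices, down_link)
    from_wan = reachable("WAN", links, down_devices, down_link)
    return {cn for unit, cn in units.items()
            if unit in from_lan and unit in from_wan}


def single_failure_report(units):
    """Try every single device failure and every single link failure.

    Returns (isolated, degraded): failures after which no cluster node can
    forward (a true single point of failure), and failures after which only
    one cluster node is left, i.e. a node-level failover rather than a
    stateful HA failover inside the node.
    """
    links = full_mesh_links(units)
    all_cns = set(units.values())
    devices = {d for a, b, _ in links for d in (a, b)} - {"LAN", "WAN"}
    failures = [(d, (d,), None) for d in sorted(devices)]
    failures += [(f"{a} <-> {b} ({lbl})", (), (a, b, lbl))
                 for a, b, lbl in links if "LAN" not in (a, b) and "WAN" not in (a, b)]
    isolated, degraded = [], []
    for name, down_devices, down_link in failures:
        up = forwarding_cluster_nodes(units, links, down_devices, down_link)
        if not up:
            isolated.append(name)
        elif up != all_cns:
            degraded.append(name)
    return isolated, degraded


if __name__ == "__main__":
    for label, units in (("4-unit", FOUR_UNIT), ("2-unit", TWO_UNIT)):
        isolated, degraded = single_failure_report(units)
        print(f"{label}: single points of failure: {isolated or 'none'}")
        print(f"{label}: failures leaving one cluster node: {degraded or 'none'}")
```

For the 4-unit cabling the script finds no single point of failure and no failure that leaves only one Cluster Node, matching the test list above. For the 2-unit cabling it still finds no single point of failure, but it reports the failure of either firewall as leaving a single node, which is exactly the case the two limitations in this section describe. To check a different cabling plan, edit the link list and re-run; the script says nothing about HA state synchronization, only about whether a working path still exists.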

PN 232-001995-00 Rev B
