Introduction
The SonicOS 5.6.5 feature release introduces the Active/Active Clustering feature. Active/Active Clustering allows you to group multiple firewalls or High Availability pairs into a cluster and pass traffic through them in parallel for load-sharing, along with Stateful Failover support, thus providing very high levels of redundancy and performance.

SonicOS 5.6.5 also introduces port redundancy. This feature provides redundancy at the port level, allowing a backup port to take over if the primary port fails.

With the introduction of Active/Active Clustering, the following High Availability (HA) configuration options are supported by SonicOS:

Active/Passive Hardware Failover (Stateless HA): In this basic configuration option, two units form an HA pair with one unit in the Active role and the other unit in the Passive/Idle role. Only the Active unit processes network traffic. When the Active unit encounters a fault condition, failover occurs as the Idle firewall takes over the Active role. Existing network connections must be re-established after a failover.

Active/Passive Stateful HA: In this configuration option, dynamic state is continuously synchronized between the Active and Idle units. When the Active unit encounters a fault condition, stateful failover occurs as the Passive/Idle firewall takes over the Active role with no interruption to existing network connections.

Active/Active DPI: The Active/Active Deep Packet Inspection (DPI) configuration option can be used together with Active/Passive Stateful HA. When it is enabled, the processor-intensive DPI services, such as Intrusion Prevention (IPS), Gateway Anti-Virus (GAV) and Anti-Spyware, are processed on the Idle firewall of an HA pair while the Active firewall concurrently processes firewall, NAT and other traffic.

Active/Active Clustering: In this configuration option, multiple firewalls are grouped together as Cluster Nodes (CN), with multiple Active units processing traffic (as multiple gateways), performing DPI and sharing the network load. Each CN consists of two units acting as a Stateful HA pair. Active/Active Clustering provides Stateful Failover support in addition to load-sharing. Active/Active DPI can be enabled for an additional performance gain, utilizing the Idle unit in each CN. Optionally, a CN can consist of a single unit, in which case Stateful Failover and Active/Active DPI are not available for that node.

Active/Active Clustering Full-Mesh: The Full-Mesh configuration is an enhancement to the Active/Active Clustering configuration option that removes every single point of failure from the network. All firewalls and other network devices are partnered for complete redundancy, and every device is wired twice to the devices it connects to, so no single device (firewall, switch or router) or single link can take down the deployment. Active/Active Clustering with Full-Mesh provides the highest level of availability possible together with high performance.

This document describes how to configure a typical Active/Active Clustering Full-Mesh deployment.
Supported Platforms
Active/Active Clustering Full-Mesh deployment is supported on the following SonicWALL E-Class NSA appliances:
NSA E8500
NSA E7500
NSA E6500
NSA E5500
Key Benefits
The following are the key benefits of Active/Active Clustering:

High Throughput: Multiple Active firewalls in the cluster, acting as multiple gateways and performing DPI, enable very high throughput and performance.

Stateful Failover Support: When one of the Active units in the cluster encounters a fault condition, the Idle unit of that node takes over transparently, with no interruption to existing network connections.

Multiple Levels of Redundancy: In an Active/Active Cluster, each CN provides redundancy to all other CNs. This is in addition to the redundancy provided by the Idle unit within each CN, so Active/Active Clustering provides multiple levels of redundancy. In the hypothetical case where every firewall in the cluster fails except one, traffic is still processed (up to the capacity of that single unit), which illustrates the degree of redundancy available.

Effective Resource Utilization: Active/Active Clustering uses multiple firewalls in the cluster to actively forward traffic. When Active/Active DPI is enabled with Active/Active Clustering, the Idle firewalls in the Cluster Nodes are also used for DPI processing. This combination allows every firewall in the cluster to contribute to the overall performance.

The following are the additional key benefits of the Active/Active Clustering Full-Mesh configuration option:

No Single Point of Failure in the Core Network: In an Active/Active Clustering Full-Mesh deployment, there is no single point of failure anywhere in the core network, not just among the firewalls. An alternative path for a traffic flow is always available, even if a switch, router and firewall on one path fail simultaneously, thus providing the highest levels of availability.

Port Redundancy: Active/Active Clustering Full-Mesh uses port redundancy in addition to the HA redundancy within each Cluster Node and the node-level redundancy within the cluster. With port redundancy, a backup link takes over transparently if the primary port fails, so a port failure does not require a device-level failover.
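The "no single point of failure" claim above can be checked mechanically before any cable is pulled. The following is an added example, not part of the SonicWALL document and not SonicOS code: it models a cabling plan as a graph of devices and cables, removes one element at a time and reports every device or cable whose loss alone cuts the LAN side off from the upstream routers. The two plans it evaluates are constructed for illustration (the document's diagram is not reproduced here): a Full-Mesh plan in which each firewall is wired to two LAN switches (X0/X2) and two WAN switches (X1/X3) and two VRRP routers are each wired to both WAN switches, and a single-wired plan that keeps the HA pairs but has only one switch per side and one router.

```python
"""Single-point-of-failure check for a cluster cabling plan.

Added example, not part of the SonicWALL document and not SonicOS code.
A cabling plan is modelled as an undirected graph (vertices = devices,
edges = cables). The checker removes one device or one cable at a time
and reports every element whose loss alone cuts the LAN side off from
the WAN side. A plan that meets the Full-Mesh goal reports nothing.

Assumptions (constructed for illustration, not taken from the document's
diagram): two LAN switches and two WAN switches, each firewall wired to
both switches on each side (X0/X2 on the LAN side, X1/X3 on the WAN
side), and two upstream VRRP routers each wired to both WAN switches.
"""
from collections import deque


def adjacency(cables):
    """Build an undirected adjacency map from (device_a, device_b) cables."""
    adj = {}
    for a, b in cables:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, blocked_device=None, blocked_cable=None):
    """Breadth-first search from the start devices, ignoring one failed element."""
    seen = {d for d in start if d in adj and d != blocked_device}
    queue = deque(seen)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt == blocked_device or nxt in seen:
                continue
            if blocked_cable is not None and frozenset((cur, nxt)) == blocked_cable:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def single_points_of_failure(cables, lan_side, wan_side):
    """Return the devices and cables whose single failure disconnects LAN from WAN."""
    adj = adjacency(cables)
    if not (reachable(adj, lan_side) & wan_side):
        raise ValueError("plan is disconnected even with no failure")
    devices = [d for d in sorted(adj)
               if not (reachable(adj, lan_side, blocked_device=d) & wan_side)]
    links = []
    for a, b in sorted(tuple(sorted(c)) for c in cables):
        if not (reachable(adj, lan_side, blocked_cable=frozenset((a, b))) & wan_side):
            links.append((a, b))
    return {"devices": devices, "cables": links}


LAN_SIDE = {"LAN-SW1", "LAN-SW2"}
WAN_SIDE = {"Router1", "Router2"}

# Constructed Full-Mesh plan: every firewall is wired twice on each side and
# every WAN switch reaches both routers.
FULL_MESH = [
    ("LAN-SW1", "CN1-Primary"), ("LAN-SW2", "CN1-Primary"),  # X0, X2
    ("LAN-SW1", "CN1-Backup"), ("LAN-SW2", "CN1-Backup"),
    ("LAN-SW1", "CN2-Primary"), ("LAN-SW2", "CN2-Primary"),
    ("LAN-SW1", "CN2-Backup"), ("LAN-SW2", "CN2-Backup"),
    ("CN1-Primary", "WAN-SW1"), ("CN1-Primary", "WAN-SW2"),  # X1, X3
    ("CN1-Backup", "WAN-SW1"), ("CN1-Backup", "WAN-SW2"),
    ("CN2-Primary", "WAN-SW1"), ("CN2-Primary", "WAN-SW2"),
    ("CN2-Backup", "WAN-SW1"), ("CN2-Backup", "WAN-SW2"),
    ("WAN-SW1", "Router1"), ("WAN-SW1", "Router2"),
    ("WAN-SW2", "Router1"), ("WAN-SW2", "Router2"),
]

# Constructed plan with HA pairs but no port, switch or router redundancy.
SINGLE_WIRED = [
    ("LAN-SW1", "CN1-Primary"), ("LAN-SW1", "CN1-Backup"),
    ("LAN-SW1", "CN2-Primary"), ("LAN-SW1", "CN2-Backup"),
    ("CN1-Primary", "WAN-SW1"), ("CN1-Backup", "WAN-SW1"),
    ("CN2-Primary", "WAN-SW1"), ("CN2-Backup", "WAN-SW1"),
    ("WAN-SW1", "Router1"),
]

if __name__ == "__main__":
    for name, plan, lan, wan in (("full-mesh", FULL_MESH, LAN_SIDE, WAN_SIDE),
                                 ("single-wired", SINGLE_WIRED, {"LAN-SW1"}, {"Router1"})):
        print(name, single_points_of_failure(plan, lan, wan))
```

For the single-wired plan the report names the LAN switch, the WAN switch, the router and the switch-to-router cable as single points of failure, while no individual firewall or firewall cable appears, because the other cluster nodes still carry traffic. That is exactly the gap Full-Mesh closes: HA pairs protect against a firewall failure, but only the second switch on each side, the second router and the redundant ports remove the remaining single points.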
Deployment Prerequisites
All firewalls in the cluster must be the same model and must run the same SonicOS 5.6.5 firmware. The routers in the firewalls' upstream network must be pre-configured for Virtual Router Redundancy Protocol (VRRP).
Deployment Restrictions
When Active/Active Clustering is enabled, only static IP addresses can be used on the WAN. The following features are not supported with Active/Active Clustering:
DHCP Server
L2 Bridging / L2 Transparent Mode
L3 Transparent Mode
Refer to the Active/Active Clustering Feature Module for information about additional feature dependencies.
Procedure
This section describes the procedure for setting up an Active/Active Clustering Full-Mesh deployment, using a 4-unit setup as the example. It covers the following aspects of the deployment:
Cabling for Active/Active Full-Mesh
Configuring the Active/Active Cluster firewalls
Testing for no single point of failure
Note: The deployments described in this document are examples. Your actual deployment might differ based on the following factors:
a) Topology/design of your network and the types of network devices you use (switches, routers, load balancers, etc.)
b) Level of availability desired
c) Resource constraints
10. In the setup described above, Active/Active DPI is also used along with Active/Active Clustering. Ports X6 and X7 are the two HA data ports used for redundancy and load-sharing of the traffic offloaded from the Active to the Idle firewalls. Perform the following cabling (the X6/X7 ports and their cabling are not shown in the diagram above, for brevity):
a. Connect X6 of CN1-Primary to X6 of CN1-Backup with a cross-over cable.
b. Connect X7 of CN1-Primary to X7 of CN1-Backup with a cross-over cable.
c. Connect X6 of CN2-Primary to X6 of CN2-Backup with a cross-over cable.
d. Connect X7 of CN2-Primary to X7 of CN2-Backup with a cross-over cable.
3. On the Network > Interfaces page:
a. Add the Virtual Group (VG) IP addresses for both the X0 and X1 interfaces.
b. Add the redundant port configuration (X2 as the redundant port of X0, X3 as the redundant port of X1).
4. On the High Availability > Monitoring page, add the monitoring/management IP addresses on either X0 or X1 for each unit in the cluster.
5. Turn on all the other firewalls. A complete synchronization of the configuration is made from CN1-Primary to all other firewalls.
6. Log in to each firewall unit using its dedicated monitoring/management address and do the following:
a. Register the firewall on MySonicWALL.
b. Synchronize the licenses with MySonicWALL.
The procedure for the 2-unit Full-Mesh deployment is similar to the procedure for the 4-unit Full-Mesh, with the following exceptions:
1. The steps involving the Backup unit in each node do not apply.
2. The steps for configuring Stateful Synchronization and Active/Active DPI do not apply.
3. No switch is required for connecting the HA ports (since there are only two units, they can be connected directly with a cross-over cable).
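The testing aspect of the procedure, verifying that no single point of failure remains, comes down to watching traffic through the cluster while you remove one element at a time: pull one X0 or X1 cable to exercise port redundancy, power off an Active unit to exercise Stateful Failover, and take down one router or switch. The following probe is an added example, not part of the SonicWALL document and not a SonicOS tool. Pointed at a Virtual Group IP or at a host on the far side of the cluster, it sends a timestamped ICMP echo at a fixed interval and collapses missed probes into outage windows, so each failure you induce is measured rather than eyeballed. The target host, interval and duration are the caller's choice; it assumes a Unix-like host whose ping accepts -c; the sample run embedded at the bottom is constructed, not captured from real equipment.

```python
"""Timestamped reachability probe for failover testing.

Added example, not part of the SonicWALL document and not a SonicOS tool.
Point it at the Virtual Group IP of X0 or X1, or at a host on the far
side of the cluster, then pull a cable, power off a unit or fail an
upstream router while it runs. It reports each outage window as
(first missed probe, first recovered probe, probes missed). Port
redundancy and Stateful Failover should produce no window, or only a
sub-second one; a stateless failover produces a window that spans
failure detection plus re-convergence, and the client connections must
be rebuilt afterwards.

Assumptions: a Unix-like host whose `ping` accepts `-c`; the target,
interval and duration are arguments; SAMPLE_RUN is constructed data.
"""
import subprocess
import sys
import time


def probe_once(host, timeout_s):
    """Send one ICMP echo; True if answered within timeout_s, else False."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def run_probe(host, duration_s, interval_s=0.2):
    """Probe host every interval_s for duration_s; return [(t_offset, ok), ...]."""
    samples = []
    t0 = time.monotonic()
    while True:
        t = time.monotonic() - t0
        if t >= duration_s:
            break
        samples.append((round(t, 3), probe_once(host, interval_s)))
        # Sleep only for what is left of the slot, so the cadence stays fixed
        # even when a probe used the whole interval before timing out.
        elapsed = time.monotonic() - t0 - t
        time.sleep(max(0.0, interval_s - elapsed))
    return samples


def outage_windows(samples, interval_s):
    """Collapse consecutive failed probes into (start, end, missed) windows."""
    windows = []
    start, missed = None, 0
    for t, ok in samples:
        if not ok:
            if start is None:
                start = t
            missed += 1
        elif start is not None:
            windows.append((start, t, missed))
            start, missed = None, 0
    if start is not None:  # outage still in progress when the run ended
        windows.append((start, samples[-1][0] + interval_s, missed))
    return windows


def longest_outage_s(windows):
    """Longest outage in seconds (0.0 when there was none)."""
    return max((end - start for start, end, _ in windows), default=0.0)


# Constructed sample: probes every 0.2 s, three misses starting at t=1.0 s
# and a miss on the final probe, roughly what a stateless failover looks like.
SAMPLE_RUN = [(0.0, True), (0.2, True), (0.4, True), (0.6, True), (0.8, True),
              (1.0, False), (1.2, False), (1.4, False), (1.6, True), (1.8, True),
              (2.0, False)]

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        samples = run_probe(sys.argv[1], float(sys.argv[2]))
    else:
        samples = SAMPLE_RUN
    windows = outage_windows(samples, 0.2)
    for start, end, missed in windows:
        print(f"outage {start:.1f}s -> {end:.1f}s ({missed} probes missed)")
    print(f"longest outage: {longest_outage_s(windows):.1f}s")
```

Run it as `python probe.py 10.0.0.1 60` (host and duration are assumptions) from a LAN host and from a WAN host at the same time, and repeat the run once per element you fail. A run with an empty report after pulling an X0 cable confirms port redundancy; a report of several seconds after powering off an Active unit means Stateful Synchronization is not in effect between that node's units. ICMP shows reachability only; to confirm that existing sessions survive a failover, keep a long-lived TCP session (an SSH or file transfer) open through the cluster during the same test.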
PN 232-001995-00 Rev B