
How To Integrate A HA Cluster Into A Network

This article is specifically about Highly Available (HA) clusters. If you are deploying a single server, please click here.

HA Cluster

A HA cluster consists of two servers, connected together by two network cables to form a Highly Available (HA) cluster. The two servers in a cluster share a single WAN IP address and share a single LAN IP address. However, each server needs a unique IP address for its iLO port.

Both LAN ports need to be patched into the same LAN network device (typically a LAN switch).

Both WAN ports need to be patched into the same WAN network device (typically a router, firewall or WAN switch).


Each server has the following network ports:

  • Wide Area Network (WAN) port which connects it to the Internet
    This needs a direct connection to the Internet, and can be a public or private IP address. If it’s a private IP because it’s behind a firewall, you need to ensure that there is full outbound access to the Internet (all ports open), and inbound you need port UDP 1194 open. If you are using a private IP address, it must be on a different subnet to the LAN IP address. The IP address is shared between the two servers in the cluster.

  • Local Area Network (LAN) port which connects it to the LAN
    This needs a connection to the local area network, and needs a private IP address. The IP address is shared between the two servers in the cluster.

  • an iLO (integrated Lights Out) port which connects it to the Internet and enables the Support Team to access the server in the event of a serious hardware failure (if the WAN connection is unusable).
    This needs a direct connection to the Internet, and can be a public or private IP address. If it’s a private IP because it’s behind a firewall, you need to ensure that there is full outbound access to the Internet (all ports open), and inbound you need these ports open: TCP 20022, TCP 20080, TCP 20443, TCP 20988, TCP 20990. You need a unique IP address for each of the two servers in the cluster.

  • two cluster interconnect ports (CL1 and CL2), which are used for connecting the two servers together to create a cluster. (We recommend using a 0.25 metre cable to connect these ports together on each server.)

You can view detailed information on the network interface and IP address requirements in the article Network Interface And IP Address Requirements.

It is important to note that the Virtual Machines on the server have their own unique subnet, which is different to the LAN and is allocated automatically. This means that all Virtual Machines will have an IP address in a different range to the devices on the LAN.

The virtual router inside the server will route traffic between the LAN and Virtual Machine ranges, and will route, and NAT, any traffic from the LAN and Virtual Machine ranges going to the WAN. For further information please read the article Network Internals.


Now let's consider the approaches available for network integration:

The most common arrangement of a customer’s LAN and its connection to the Internet before the introduction of the server is shown below.  The customer has a router (often supplied by their ISP) and they have one or more static public IPs available to them from their ISP. They have a firewall which has a private IP address of 192.168.1.1. Often the firewall and the router are combined into a single device. The firewall is the default gateway for all client devices on the LAN.  The firewall connects to the devices on the LAN through a switch.

The 3 most common options for integrating the server into your network are explained below:

Option 1. Behind existing firewall

Below is a diagram of a common network configuration with a router/firewall device with 1 WAN IP address, and a private IP range of 192.168.1.x. 

A new 'private WAN' subnet is created for the WAN and iLO ports (the WAN and iLO ports must be in a different subnet to the LAN port). You assign the server WAN port the IP 192.168.10.2, and the iLO port 192.168.10.3. The LAN (private) port of the existing firewall needs to change from 192.168.1.1 to 192.168.10.1.

The server LAN port IP address is given the address 192.168.1.1. This becomes the default gateway for all client devices, replacing the existing firewall that was previously on this IP. This way, the client LAN does not change and statically configured devices do not need their default gateway or other settings updated.

DHCP is running on the server and gives out the range 192.168.1.100 to 192.168.1.200 for the client devices.

With the above approach, you specify the following network details:

Local Network
     LAN IP address: 192.168.1.1 (this IP address is shared between the two servers)
     Subnet Mask: 255.255.255.0

     DHCP Enabled: yes
     DHCP Range Start: 192.168.1.100
     DHCP Range End: 192.168.1.200

iLO
     iLO 1 IP address: 192.168.10.4
     iLO 2 IP address: 192.168.10.3
     Subnet Mask: 255.255.255.0
     Gateway: 192.168.10.1

WAN

     WAN IP address: 192.168.10.2 (this IP address is shared between the two servers)
     Subnet Mask: 255.255.255.0
     Gateway: 192.168.10.1

Existing Firewall
On your existing firewall, you will need to create a new 'private WAN' subnet for the LAN (private) side of the firewall - the LAN of the existing firewall and the WAN of the server are in this new network. The LAN (private) port of the existing firewall needs to change from 192.168.1.1 to 192.168.10.1.

On the existing firewall, you will also need to configure it to allow some ports through to the server WAN IP of 192.168.10.2.

Please also view the article How to install your server behind a firewall.


Option 2. Remove existing firewall

With this approach, the server replaces the existing firewall and connects on the WAN side directly into the existing router, and on the LAN side into a LAN switch. Two additional static public IP addresses are required for this approach, one for the WAN port and one for the iLO port.

With the above approach, you specify the following network details:

Local Network
     LAN IP Address: 192.168.1.1
     Subnet Mask: 255.255.255.0

     DHCP Enabled: yes
     DHCP Range Start: 192.168.1.100
     DHCP Range End: 192.168.1.200

iLO
     iLO 1 IP Address: 54.229.16.180
     iLO 2 IP Address: 54.229.16.179
     Subnet Netmask: 255.255.255.248
     Gateway: 54.229.16.177

WAN

     WAN IP Address: 54.229.16.178
     Subnet Netmask: 255.255.255.248
     Gateway: 54.229.16.177

Existing Firewall
There are no changes to be made to the existing firewall, as you are removing it and the server has been configured with matching LAN and WAN settings as a 'drop-in' replacement. Any inbound port forwards on the existing firewall can also be replicated on the server, using the Gateway Control Console.

Option 3. Parallel to Existing Firewall

If you wish to retain an existing firewall, the server can be deployed parallel to it. Two additional public IP addresses are required for this approach. If the default gateway for clients will continue to be the existing firewall, then a static route needs to be added to the existing firewall to allow traffic destined for the Virtual Machines on the server to be correctly routed.

With the above approach, you specify the following network details:

Local Network
     LAN IP Address: 192.168.1.2
     Subnet Mask: 255.255.255.0

     DHCP Enabled: No
     DHCP Range Start: 192.168.1.100
     DHCP Range End: 192.168.1.200

iLO
     iLO 1 IP Address: 54.229.16.180
     iLO 2 IP Address: 54.229.16.181
     Subnet Mask: 255.255.255.248
     Gateway: 54.229.16.177


WAN

     WAN IP Address: 54.229.16.179
     Subnet Mask: 255.255.255.248
     Gateway: 54.229.16.177


Existing Firewall
On your existing firewall you will need to add a static route.

Assuming the Virtual Machine IP range (inside the server) is 10.10.0.128/25, then the LAN-side static route on the firewall would be:

route add 10.10.0.128 mask 255.255.255.128 192.168.1.2

The exact syntax will depend on your firewall, but this rule will ensure that traffic destined for the virtual machines (in 10.10.0.128/25) is sent to 192.168.1.2 as the next hop (the LAN IP of the server), which will then route the traffic internally to reach the VMs. The return route already exists, since the server has an IP on the local LAN.
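As an added illustration, not part of the original article, the script below encodes the addressing rules stated above (WAN and iLO in a different subnet to the LAN, a unique iLO address per server, a reachable WAN gateway, a VM range separate from the LAN) and derives the Option 3 static route. The plans are constructed from this article's sample addresses, and the VM range is the one assumed in the Option 3 example.

```python
import ipaddress
from typing import Dict, List

# Constructed addressing plans mirroring the article's options (sample values, not live config).
PLANS: Dict[str, dict] = {
    "option1_behind_firewall": {
        "lan": "192.168.1.1/24", "wan": "192.168.10.2/24", "wan_gw": "192.168.10.1",
        "ilo": ["192.168.10.4/24", "192.168.10.3/24"],
    },
    "option2_replace_firewall": {
        "lan": "192.168.1.1/24", "wan": "54.229.16.178/29", "wan_gw": "54.229.16.177",
        "ilo": ["54.229.16.180/29", "54.229.16.179/29"],
    },
    "option3_parallel": {
        "lan": "192.168.1.2/24", "wan": "54.229.16.179/29", "wan_gw": "54.229.16.177",
        "ilo": ["54.229.16.180/29", "54.229.16.181/29"],
    },
}
VM_RANGE = "10.10.0.128/25"  # VM subnet assumed in the article's Option 3 example


def check_plan(plan: dict, vm_range: str = VM_RANGE) -> List[str]:
    """Return the article's addressing rules that this plan violates (empty list means OK)."""
    problems: List[str] = []
    lan = ipaddress.ip_interface(plan["lan"])
    wan = ipaddress.ip_interface(plan["wan"])
    ilos = [ipaddress.ip_interface(a) for a in plan["ilo"]]
    vms = ipaddress.ip_network(vm_range)
    # WAN and iLO ports must be in a different subnet from the LAN port.
    for name, iface in [("WAN", wan)] + [(f"iLO {i}", x) for i, x in enumerate(ilos, 1)]:
        if iface.network.overlaps(lan.network):
            problems.append(f"{name} {iface.ip} is inside the LAN subnet {lan.network}")
    # Each server needs its own iLO address; neither may reuse a shared cluster address.
    if len({x.ip for x in ilos}) != len(ilos):
        problems.append("iLO addresses are not unique")
    if any(x.ip in (wan.ip, lan.ip) for x in ilos):
        problems.append("an iLO address collides with the shared WAN or LAN address")
    # The WAN gateway must lie in the WAN subnet, or the cluster has no route out.
    if ipaddress.ip_address(plan["wan_gw"]) not in wan.network:
        problems.append(f"WAN gateway {plan['wan_gw']} is outside {wan.network}")
    # The VM subnet is separate from the LAN, so it must not overlap the LAN range.
    if vms.overlaps(lan.network):
        problems.append(f"VM range {vms} overlaps the LAN subnet {lan.network}")
    return problems


def option3_static_route(plan: dict, vm_range: str = VM_RANGE) -> str:
    """LAN-side static route the retained firewall needs in Option 3 (Windows 'route add' syntax)."""
    vms = ipaddress.ip_network(vm_range)
    return f"route add {vms.network_address} mask {vms.netmask} {ipaddress.ip_interface(plan['lan']).ip}"
```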

After the initial deployment, it is possible to move the DHCP service onto the server. The existing DHCP service on the existing firewall, or the DHCP server on the LAN, would be disabled, and the DHCP service enabled on the server in authoritative mode with matching scope options.


Now please read the article Determine Approach To Deploying Active Directory.
