HA SYNC Question
xlameee last edited by xlameee
I've wondering how to configure dedicated link for HA SYNC
I have a few 10G and 1G adapters and I also have 2 more expatiation slots available What if I put 2 adapters 1 to each server and direct attach them to dedicate this link for HA SYNC only
any suggestions how to configure it or just plug them and give that link a static IP with the same subnet
My HA SYNC is currently on the VLAN there is not much traffic yet because is still in the LAB environment, but when I plug it into production it might consume some traffic witch I thing won't be much of problem because I have 2x40G in LACP but still for security dedicated link to HA can be useful
dotdash last edited by
I agree, a dedicated physical link is best for HA. The traffic is minimal, just put matching adapters in each box, put them on the same subnet (you could use a /30), and add rules to allow traffic.
teamits last edited by teamits
We just plug them together with a patch cable also.
Plus that way if the switch in the middle fails the backup router won't try to become masterHaving a switch in the middle is an unnecessary point of failure.
Plus that way if the switch in the middle fails the backup router won't try to become master.
The SYNC interface has no bearing on who is master and who isn't. There aren't CARP VIPs on it so it doesn't factor into that decision.
See the sticky I wrote on all of this up there in the category ^.
teamits last edited by
he SYNC interface has no bearing on who is master
d'oh! of course not sure what I was thinking. Still, we just use a patch cable as it is still one less thing to fail. :)
So do I. ;)
xlameee last edited by
@derelict it is not about failing it more about security Of what I know HA is syncing with none encrypted traffic and all of that traffic flowing around my core switch it is not a good idea
teamits last edited by
@xlameee In general even an unmanaged switch should only be sending traffic to the correct ports so unless someone's spoofing IPs (while guessing your sync subnet) or spoofing the routers' MAC addresses I'm not sure it's really much of an issue...and if they are doing that then there are other issues on your network . A direct patch cable connection would remove any concern.
I might be foolish but I trust VLANs.
The states that are represented by the pfsync traffic are running around in your switch already.