VSG High Availability clusters, Promiscuous Mode


Post by Tomas » 01 Dec 2010, 14:58

This FAQ applies to:

Clavister CorePlus™ 9.x (VSG)
VMware ESX / ESXi / etc


Question:

My HA cluster does not synchronize properly in my virtual environment.
My HA cluster has problems: the active node does not work properly, but the inactive one does.
My HA cluster has problems: the shared IP is not accessible.

Answer:

The virtual switch connecting the interfaces must be set in "Promiscuous Mode".
It's a setting for the entire switch's behaviour, not per port.


Follow-up Question:

Well, if I set the vSwitch to Promiscuous mode, it's a big security issue, as that turns it into a hub; all computers connected to the vSwitch can see all traffic passing through it.

Follow-up Answer:

You are right, but there is a way of solving this, at least in ESXi:

Create the vSwitch which is supposed to connect e.g. the LAN ports of the Master and Slave and the Workstations on your LAN. It will automatically add a "Virtual Machine Port Group" which will inherit the settings from the vSwitch.

Set the vSwitch to Promiscuous Mode:
- Select the vSwitch, click Edit, go to the Security tab, set Promiscuous mode to Accept.

Connect the Clavister Master and Slave devices directly to the vSwitch.

Add one more Virtual Machine Port Group to the vSwitch:
- Give it a unique Network Label and finish the guide
- Select the new VM Port Group and click Edit...
- On the Security Tab, enable the Promiscuous mode checkbox and set it to Reject mode.

Connect all workstations to the newly added VM Port Group instead of directly to the switch.

The end result is that the HA members can work in Promiscuous mode and the workstations are working in switched mode. It will look something like this:
Edu1_CP = Master node, there is no slave node at this stage.
Edu1_XP and Edu2_XP are the workstations.
LAN1 is the VM Port Group leading to the HA node(s).
VM Network is the VM Port Group leading to the workstation(s).
[Figure: vSwitch and two VM Port Groups]
Of course it's equivalent if you enable Promiscuous mode on "LAN1" above and leave it off on the switch.
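
The inheritance between the vSwitch and its VM Port Groups described above, as an added example that is not part of the original post or Clavister/VMware code: a small Python model that computes each port group's effective Promiscuous mode and flags layouts where a workstation port group still accepts it. The switch name `vSwitch1`, the class and the function names are assumptions; `LAN1` and `VM Network` are the labels from the figure.

```python
# Added example: models how a port group's Promiscuous mode setting overrides
# or inherits the vSwitch setting, then audits a layout against the FAQ's goal.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VSwitch:
    name: str
    promiscuous: bool  # True = Accept, False = Reject
    # Port group label -> None (checkbox off, inherit) or explicit True/False
    port_groups: Dict[str, Optional[bool]] = field(default_factory=dict)

    def effective(self, port_group: str) -> bool:
        """Explicit port group setting wins; otherwise the vSwitch value applies."""
        override = self.port_groups[port_group]
        return self.promiscuous if override is None else override


def audit(vswitch: VSwitch, ha_port_groups: Set[str]) -> List[str]:
    """Return findings; an empty list means the layout matches the FAQ."""
    findings = []
    for pg in sorted(vswitch.port_groups):
        accept = vswitch.effective(pg)
        if pg in ha_port_groups and not accept:
            findings.append(f"{pg}: HA port group rejects promiscuous mode")
        elif pg not in ha_port_groups and accept:
            findings.append(f"{pg}: non-HA port group can see all traffic")
    return findings


HA = {"LAN1"}  # port group leading to the HA node(s), as in the FAQ

# Constructed layouts; "vSwitch1" is an assumed name.
# Switch set to Accept, nothing overridden: workstations inherit Accept.
NAIVE = VSwitch("vSwitch1", True, {"LAN1": None, "VM Network": None})
# The FAQ's layout: switch Accept, workstation port group explicitly Reject.
FAQ_LAYOUT = VSwitch("vSwitch1", True, {"LAN1": None, "VM Network": False})
# The equivalent layout: switch Reject, only LAN1 explicitly Accept.
EQUIVALENT = VSwitch("vSwitch1", False, {"LAN1": True, "VM Network": None})

if __name__ == "__main__":
    for label, layout in [("naive", NAIVE), ("faq", FAQ_LAYOUT),
                          ("equivalent", EQUIVALENT)]:
        print(label, audit(layout, HA) or "OK")
```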
