D-Link DFL-2500 User Guide - Page 323
The shared IP address and the failover mechanism
Chapter 29. High Availability

This section will detail the outward-visible characteristics of the failover mechanism, and how the two firewalls work together to create a high availability cluster with very low failover times.

For each cluster interface, there are three IP addresses:

• Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and monitoring. They should not be associated in any way with traffic flowing through the cluster; if either firewall is inoperative, the associated IP address will simply be unreachable.

• One "virtual" IP address; shared between the firewalls. This is the IP address to use when configuring default gateways and other routing related matters. It is also the address used by dynamic address translation, unless the configuration explicitly specifies another address.

There is not much to say about the real IP addresses; they will act just like firewall interfaces normally do. You can ping them or remote control the firewalls through them if your configuration allows it. ARP queries for the respective addresses are answered by the firewall that owns the IP address, using the normal hardware address, just like normal IP units do.

29.2.1 The shared IP address and the failover mechanism

Both firewalls in the cluster know about the shared IP address. ARP queries for the shared IP address, or any other IP address published via the ARP configuration section or through Proxy ARP, will be answered by the active firewall.

The hardware address of the shared IP address, and other published addresses for that matter, is not related to the hardware addresses of the firewall interfaces. Rather, it is constructed from the cluster ID, in the following form: 10-00-00-C1-4A-nn, where nn is the Cluster ID configured in the Settings section.
As the shared IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when failover occurs.

D-Link Firewalls User's Guide
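Because the shared address always resolves to 10-00-00-C1-4A-nn, a host on the cluster's LAN can verify that its gateway entry carries that hardware address and flag any other answer (for example a misconfigured or spoofing host). The following Python check is an added example, not part of the D-Link guide. Assumptions: nn is the Cluster ID written as two hexadecimal digits, the neighbour table is in Linux `ip neigh show` format, and all IP and MAC values in the sample are constructed.

```python
import re

CLUSTER_MAC_PREFIX = "10:00:00:c1:4a"  # from the guide: 10-00-00-C1-4A-nn

def cluster_mac(cluster_id: int) -> str:
    """Shared hardware address (assumption: nn = Cluster ID as two hex digits)."""
    if not 0 <= cluster_id <= 0xFF:
        raise ValueError("cluster ID must fit in one octet")
    return f"{CLUSTER_MAC_PREFIX}:{cluster_id:02x}"

def normalize(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:-]+)")

def parse_neigh(text: str) -> dict:
    """Map IP -> MAC; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = normalize(m.group(3))
    return table

def audit(table: dict, shared_ip: str, real_ips: list, cluster_id: int) -> list:
    """Return findings where the ARP view contradicts the documented behaviour."""
    expected = cluster_mac(cluster_id)
    findings = []
    seen = table.get(shared_ip)
    if seen is None:
        findings.append(f"{shared_ip}: no ARP entry for shared address")
    elif seen != expected:
        findings.append(f"{shared_ip}: answered by {seen}, expected {expected}")
    for ip in real_ips:  # real addresses should use the normal interface MAC
        if table.get(ip, "").startswith(CLUSTER_MAC_PREFIX):
            findings.append(f"{ip}: real address uses cluster MAC {table[ip]}")
    return findings

# Constructed sample: shared IP .1 (cluster ID 5), real IPs .2 and .3.
SAMPLE = """\
192.168.1.1 dev eth0 lladdr 10:00:00:c1:4a:05 REACHABLE
192.168.1.2 dev eth0 lladdr 00:0d:88:aa:bb:01 STALE
192.168.1.3 dev eth0 lladdr 00:0d:88:aa:bb:02 STALE
192.168.1.9 dev eth0  FAILED
"""
MISMATCH = SAMPLE.replace("10:00:00:c1:4a:05", "00:11:22:33:44:55")

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE), ("mismatch", MISMATCH)):
        print(name, audit(parse_neigh(text), "192.168.1.1", ["192.168.1.2", "192.168.1.3"], 5))
```

Since the shared hardware address does not change on failover, a changed entry for the shared IP on a monitored host is worth investigating rather than an expected side effect of a failover.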