HA routing with firewalls


  • #49378
    John Hamilton
    Participant

      I’m running AIX 5.3 with Cloverleaf 5.5.Rev1.

      The remote vendor restricts access based on address.

      In HA we have multiple cards, each up and running with some TCP/IP association. You have one persistent address, and a failed-to address.

      How do I tell the system to route all outbound traffic over the failed-to address? In the case of this host file it would be the clfit1 address.

      I know I’m not using all the right words but I hope you understand what I’m asking.

      10.99.4.6 clfit1

      10.99.4.7 clft1

      10.99.4.8 clft2

      172.17.41.11 clft1boota

      172.17.41.12 clft2boota

      • #61709
        Kevan Riley
        Participant

          We have the same issue here at AHS. What we do is, we use the “LOCAL_IP” setting in the NetConfig (I am not sure what it is called in the GUI, and I don’t have access to one right now to check). Here is how it works. We have a virtual IP (probably not the right name) that is part of the HA resource group that “moves” with the resource group move (i.e. fail over). This address is the one we specify in the LOCAL_IP field. This is also the IP our vendor would point to. For TCP/IP clients they will always have that as their source IP address. Since the IP address goes with the resource group, which physical hardware it is running on matters not. This allows us to have the one IP address/port combination that will work no matter which box is running the Prod sites. This feature was not available until 5.4.1 though.

          Hope this helps a little.

        • #61710
          John Hamilton
          Participant

            Now it all makes sense. Some time ago I posted a question about the second Host name / IP address. I got some vague answers. Even being pointed to the documentation was less than helpful. But now I know, and more importantly, I understand it.

            The second setting in “Thread_properties -> Protocol -> tcp/ip -> Host name or IP address” is used to tell the engine, when communicating, to use this address as the source for this connection. This allows you to force communication out of one address to allow for proper security.
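            The two replies above describe the same mechanism: pin the outbound TCP client to the virtual IP that moves with the HA resource group, so the vendor's address-based filter always sees the same source address no matter which node is active. The following is an added illustration of that mechanism in plain Python sockets; it is not Cloverleaf's code and not the poster's configuration. The allowlist and the address 10.99.4.6 (clfit1) are taken from the host file in the original post and stand in for the vendor's filter; the loopback listener is a constructed test peer that reports back which source address it saw.

```python
import socket
import threading

# Constructed model of the vendor's address-based restriction: only the
# persistent/virtual address from the thread's host file is permitted.
VENDOR_ALLOWLIST = {"10.99.4.6"}  # clfit1 in the original post


def vendor_accepts(source_ip, allowlist=VENDOR_ALLOWLIST):
    """Vendor-side check: an unpinned client that happens to leave via a
    physical card address (e.g. 10.99.4.7 or 10.99.4.8) would be rejected."""
    return source_ip in allowlist


def connect_from(local_ip, remote_host, remote_port, payload=b"ping"):
    """Open an outbound TCP connection whose source address is local_ip.

    This is the socket-level equivalent of the LOCAL_IP / 'Host name or IP
    address' setting discussed above: bind() fixes the source IP before
    connect(); port 0 lets the OS pick an ephemeral source port."""
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.bind((local_ip, 0))
        client.connect((remote_host, remote_port))
        client.sendall(payload)
        return client.recv(64)
    finally:
        client.close()


def observed_source_ip(local_ip, listen_host="127.0.0.1"):
    """Start a one-shot listener, connect to it from local_ip, and return the
    source address the listener saw on the accepted connection (as text)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((listen_host, 0))  # ephemeral port, avoids clashes
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, addr = server.accept()
        try:
            conn.recv(64)
            # Echo the peer's source IP so the client can verify what the
            # remote side actually observed.
            conn.sendall(addr[0].encode())
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        reply = connect_from(local_ip, listen_host, port)
    finally:
        worker.join(timeout=5)
        server.close()
    return reply.decode()


if __name__ == "__main__":
    # On a real HA pair local_ip would be the virtual address (10.99.4.6);
    # here the loopback address is used so the example runs anywhere.
    seen = observed_source_ip("127.0.0.1")
    print("listener saw source", seen)
    for candidate in ("10.99.4.6", "10.99.4.7", "10.99.4.8"):
        print(candidate, "accepted" if vendor_accepts(candidate) else "rejected")
```

            Without the bind() step the kernel picks the source address from the routing table, which on a two-node HA pair is typically one of the per-card boot addresses; after a failover the vendor would then see a different source IP and the connection would be filtered, exactly the intermittent behaviour the original question is about.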

          • #61711
            Kevan Riley
            Participant

              Correct!
