Chapter 7: High Availability Setup

This section provides the extra information needed to correctly set up a high availability (HA) cOS Core cluster under KVM. An HA cluster consists of two firewalls. One is designated as the master node in the cluster and the other is designated as the slave node. Each of these firewalls will run in its own separate virtual machine. The interfaces of the two systems in a cluster need to be connected together in matching pairs through switches. It is the creation and connection of virtual switches for the cluster that is described in this section.

[Important] Important: Interface pairs should have matching bus, slot, port

In an HA cluster made up of two virtual firewalls, the bus, slot and port numbers of the two virtual interfaces in each HA interface pairing should be the same. If they are not, unexpected behavior could occur.

Open vSwitch Installation

HA setup with KVM requires that Open vSwitch is installed on the Linux system. Open vSwitch will be used to provide virtual switches so that matching interfaces of the master and slave in the cluster can be connected together. The installation of Open vSwitch itself will not be discussed further here. Refer to the software's own documentation for help with installation.

Open vSwitch is open source software that can be used in situations other than high availability to implement various networking solutions with KVM.

[Note] Note: The bridge-utils package must be removed

Before installing Open vSwitch, the package bridge-utils must be removed from the Linux system.

A Single Physical Server is Assumed

This section assumes that both of the virtual firewalls in the HA cluster are installed on the same hardware server. In practice, two servers will probably be used for hardware redundancy and both will have KVM and Open vSwitch installed on them.

The configuration of the connections between two separate servers will not be discussed in this section and it is up to the administrator to choose the most appropriate way of doing this. One approach is to use VLAN tagging with Open vSwitch so internal bridge traffic can pass between the physical servers that make up the HA cluster.

Setup of cOS Core

The initial setup of the two separate virtual firewalls is done as normal so they are initially working as separate gateways. Before running the HA Setup Wizard on each unit to create the HA cluster, it is necessary to first correctly configure the virtual networking to emulate the hardware connections that would normally be present between the master and slave units.

Configuring Open vSwitch for HA

Assuming Open vSwitch has been installed, it is necessary to create separate virtual switches in KVM so that each pair of matching interfaces from the firewalls in the cluster is connected together on its own switch.

This is done in two steps, A and B, which are described next.

A. Define an Open vSwitch bridge for each interface pair.

Assuming that all three of the default virtual interfaces (If1, If2 and If3) on each firewall are to be connected together, three Open vSwitch bridges must be created. In this chapter they are named br1-internal, br2-external and br3-internal.

B. Connect interface pairs to the relevant bridge.

It is assumed that virt-manager will be used to configure each of the two virtual machines in the HA cluster.

Assume that the interface If1 is to be associated with the Open vSwitch bridge br1-internal on both the master and slave gateways. The intuitive approach is to select the NIC entry in the navigation menu that corresponds to the If1 interface and enter the Bridge name.

However, if this is applied and the virtual machine is started, it will give an error message.

To get around this issue, allocate the Open vSwitch bridge using the following steps:

  1. Open the properties of the HA cluster's master firewall in virt-manager. Change the Source device to be something using macvtap so that the Type of the Virtual port can be set.

  2. Set the Type to be openvswitch.

  3. Save this setting by selecting the Apply button.

  4. Now, change the Source device setting back to Specify shared device name and set it to be the Open vSwitch bridge connected to the interface, in this case br1-internal.

  5. Now, press the Apply button and repeat the process with the remaining interfaces If2 and If3, connecting them to the bridges br2-external and br3-internal.

  6. Repeat the process for the slave firewall.
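
The following POSIX shell script is an added example and is not part of the cOS Core documentation. It creates the three bridges from step A with ovs-vsctl, and then checks, from the libvirt domain XML of the two virtual machines (virsh dumpxml), that every cluster NIC carries the openvswitch virtual port set in step B and that each interface pair has the same PCI address (bus, slot and function in libvirt terms) on master and slave, as the Important note above requires. The domain names ha-master and ha-slave and the sample XML are assumptions.

```shell
#!/bin/sh
# Added example, not part of the cOS Core documentation. Creates the three
# bridges from step A, then checks from libvirt domain XML that each NIC uses
# <virtualport type='openvswitch'/> (step B) and that the interface pairs have
# identical PCI addresses on master and slave (the "Important" note above).
# Assumed domain names ha-master/ha-slave. Live use on the KVM host:
#   virsh dumpxml ha-master > m.xml; virsh dumpxml ha-slave > s.xml; create_bridges && check_pairs m.xml s.xml
BRIDGES="br1-internal br2-external br3-internal"

create_bridges() {   # idempotent; needs Open vSwitch on the host
  for br in $BRIDGES; do ovs-vsctl --may-exist add-br "$br" || return 1; done
}
# Print one "bridge vport bus slot function" line per NIC from domain XML on stdin.
iface_map() {
  tr "'" '"' | awk -F'"' '
    /<interface /         { br = ""; vp = "none" }
    /<source bridge=/     { for (i = 1; i < NF; i++) if ($i ~ /source bridge=$/) br = $(i+1) }
    /<virtualport type=/  { for (i = 1; i < NF; i++) if ($i ~ /virtualport type=$/) vp = $(i+1) }
    /<address type="pci"/ && br != "" {
      for (i = 1; i < NF; i++) { if ($i ~ /bus=$/) b = $(i+1); if ($i ~ /slot=$/) s = $(i+1); if ($i ~ /function=$/) f = $(i+1) }
      print br, vp, b, s, f; br = ""
    }'
}
# Succeed only if both NIC maps exist, are identical, and every NIC is on OVS.
check_pairs() {      # $1 = master XML file, $2 = slave XML file
  m=$(iface_map < "$1") && s=$(iface_map < "$2") || return 1
  [ -n "$m" ] && [ "$m" = "$s" ] || return 1
  printf '%s\n' "$m" | grep -qv ' openvswitch ' && return 1
  return 0
}
# Constructed domain XML with two NICs (not real virsh output); $1 = PCI slot of the If1 NIC.
sample_xml() {
  cat <<EOF
<domain type='kvm'><name>sample</name><devices>
  <disk type='file'><address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/></disk>
  <interface type='bridge'><source bridge='br1-internal'/><virtualport type='openvswitch'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='$1' function='0x0'/></interface>
  <interface type='bridge'><source bridge='br2-external'/><virtualport type='openvswitch'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/></interface>
</devices></domain>
EOF
}

TMP=$(mktemp -d)
# Same If1 slot on both nodes passes; a different slot on the slave fails the check.
demo_matching()   { sample_xml 0x03 > "$TMP/m.xml"; sample_xml 0x03 > "$TMP/s.xml"; check_pairs "$TMP/m.xml" "$TMP/s.xml"; }
demo_mismatched() { sample_xml 0x03 > "$TMP/m.xml"; sample_xml 0x06 > "$TMP/s.xml"; check_pairs "$TMP/m.xml" "$TMP/s.xml"; }
```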

The networking for an HA cluster on a single hardware server is now complete. When the firewalls are on different servers, the procedure is similar. However, the administrator should then decide how they want to connect the Open vSwitch bridges on each server together. VLAN tagging can be used to separate the internal bridges on each server. Each pair of cluster interfaces uses a different VLAN ID to separate its traffic from the other pairs of interfaces.