Manual vCNS / vShield Edge HA Little Gem!

Recently, I have been doing lots with vCNS and the manual creation / manipulation of vShield Edge devices (posts coming soon). One tiny thing drove me crazy and prompted me to write this quick Little Gem: 'Edge HA' sat on my to-do list and gloated at me.

When creating a manual vShield Edge device in vCNS, there is the usual opportunity to create a pair of appliances so that the Edge runs in High Availability mode. Trouble is, the deployment options are limited and not very clear. (This might be clear and obvious to some, but it wasn't to me!)

When creating an HA pair, editing the Edge device in question in the vShield Manager console under Settings, the HA Configuration gives few options: essentially 'Enabled' or 'Disabled', vNIC, Declared Dead Time and Management IPs. Here's where my confusion was based: Management IPs. So many questions!

The option for Management IPs is even outlined: two IP entry boxes, and note text: 'You can specify pair of IPs (in CIDR format with /30 subnet. Management IPs must not overlap with any vnic subnets'.

OK, so I need Management IPs to manually create an HA pair. What /30 address range do I need to specify? Can the IP range share an existing vNIC, or does the Edge device need another interface or uplink? Where do I define the /30 addresses? Do they need their own VLANs? Must I create a whole new private address range specifically for the HA heartbeat? Like I said, so many questions. Scouring the documentation and Googling 'vShield Edge Management IPs' produced no helpful results. So, to the LAB!

Turns out you don't need Management IPs at all. Simply change the HA Status to 'Enabled', select a vNIC to carry the HA heartbeat, and add a second Edge appliance via the green plus symbol (it will prompt for the deployment parameters) to deploy the HA pair. When both appliances report as 'Deployed', HA is configured and your Edge device is protected. If you do fill in Management IPs, they must be a /30 pair that does not overlap any vNIC subnet, exactly as the note text says; left blank, the pair is addressed automatically.
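As an added example (not from the original post and not VMware's code), here is a small Python helper that enforces the two rules the Management IPs note states, a /30 pair that must not overlap any vNIC subnet, and builds the `<highAvailability>` body you would PUT to the Edge HA REST endpoint instead of clicking through vShield Manager. The vNIC subnets are constructed sample values; the element names (`enabled`, `vnic`, `ipAddresses`/`ipAddress`, `declareDeadTime`) are my recollection of the vCNS 5.x Edge API and are an assumption to check against your own API reference. No HTTP call is made.

```python
import ipaddress
import xml.etree.ElementTree as ET


def validate_ha_management_ips(ip_pair, vnic_subnets):
    """Return a list of problems with an Edge HA Management IP pair.

    ip_pair      -- two CIDR strings, e.g. ("169.254.1.1/30", "169.254.1.2/30"),
                    or an empty tuple meaning "left blank" (vShield Manager then
                    picks link-local addresses itself).
    vnic_subnets -- CIDR strings of every configured vNIC, uplink and internal.
    An empty result means the pair satisfies the UI's stated rules.
    """
    problems = []
    if not ip_pair:
        return problems  # blank is fine: addresses are auto-assigned
    if len(ip_pair) != 2:
        return ["exactly two Management IPs are required (or none)"]

    try:
        ifaces = [ipaddress.ip_interface(ip) for ip in ip_pair]
    except ValueError as exc:
        return ["not a valid CIDR address: %s" % exc]

    # Rule 1: each address is a usable host in a /30.
    for iface in ifaces:
        if iface.network.prefixlen != 30:
            problems.append("%s is not a /30" % iface)
        if iface.ip in (iface.network.network_address,
                        iface.network.broadcast_address):
            problems.append("%s is the network or broadcast address of its /30" % iface)

    a, b = ifaces
    if a.network != b.network:
        problems.append("%s and %s are not in the same /30" % (a, b))
    elif a.ip == b.ip:
        problems.append("both Management IPs are the same address")

    # Rule 2: the heartbeat /30 must not overlap any vNIC subnet.
    vnics = [ipaddress.ip_network(s, strict=False) for s in vnic_subnets]
    for net in sorted({a.network, b.network}):
        for vnic in vnics:
            if net.overlaps(vnic):
                problems.append("%s overlaps vNIC subnet %s" % (net, vnic))
    return problems


def build_ha_config_xml(vnic_index, ip_pair=(), declare_dead_time=6, enabled=True):
    """Build the <highAvailability> request body for the Edge HA config call.

    Element names are an assumption based on the vCNS 5.x API reference;
    verify them before sending. Omitting <ipAddresses> leaves the field blank.
    """
    root = ET.Element("highAvailability")
    ET.SubElement(root, "enabled").text = "true" if enabled else "false"
    ET.SubElement(root, "vnic").text = str(vnic_index)
    if ip_pair:
        ips = ET.SubElement(root, "ipAddresses")
        for ip in ip_pair:
            ET.SubElement(ips, "ipAddress").text = ip
    ET.SubElement(root, "declareDeadTime").text = str(declare_dead_time)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed lab values: one uplink and one internal vNIC.
    vnics = ["192.168.100.5/24", "10.10.10.1/24"]
    cases = {
        "blank (auto-assigned)": (),
        "link-local /30": ("169.254.1.1/30", "169.254.1.2/30"),
        "carved from a vNIC subnet": ("10.10.10.253/30", "10.10.10.254/30"),
        "split across two /30s": ("169.254.1.1/30", "169.254.1.5/30"),
    }
    for label, pair in cases.items():
        issues = validate_ha_management_ips(pair, vnics)
        print("%-28s %s" % (label, "OK" if not issues else "; ".join(issues)))
    print(build_ha_config_xml(1, cases["link-local /30"], declare_dead_time=6))
```

The check is worth running before a REST deployment because vShield Manager's note only tells you the rule after you have typed a bad pair; the overlap test uses the /30 network rather than the bare address, so a pair carved out of an existing vNIC subnet is rejected even when the two host addresses themselves are unused.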

Sigh. Like I said, this might seem obvious to some, but it wasn't to me. 'Edge HA' is no longer on my to-do list!

Jeremy loves all things technology! He has been in IT for years, loves Macs (but doesn't preach to others about their virtues), loves virtualization (and does shout about its virtues), and sometimes skis, bikes and directs amateur plays!

Comments

  1. Gabe@networkdojo.net says

    "What /30 address range do I need to specify?"
    – Like you mentioned, it's not absolutely required that you specify. If you leave the field blank (which works perfectly fine), the system will automatically assign a link-local RFC3927/APIPA address to its HA interface. You're free to specify any IPs of your choice if you'd like to track your usage; in particular, special-use IP space mentioned in RFC5735, excluding RFC1918 space, can be used so as not to eat into your internally assigned IP ranges.

    "Can the IP range share an existing vNIC, or does the Edge device need another interface or uplink?"
    – The gray text in your screenshot answers this question. You don't want to overlap your selection with the vNIC subnets.

    "Where do I define the /30 addresses? Do they need their own VLANs?"
    – You only need to define them in the HA feature configuration section (or via the REST API). They don't require their own port group/VLAN, though it doesn't hurt to add that extra layer of isolation, especially in a lab environment where VLAN consumption is cheap.

    "Must I create a whole new private address range specifically for the HA heartbeat?"
    – You have the option to, but this is not necessary. These will be link-local; the ARP mapping will prevent HA heartbeats from bleeding over from one Edge HA pair to the next.
