I have one SA 2500 that has been running for a while in stand alone mode. We have a second one we want to use and set these up in an Active/Passive cluster.
I've read through the documentation on how to configure the SA cluster, my confusion comes from a lack of knowledge in how the VIPs work. Our primary firewalls are in a cluster/HA setup but use a physical interface for heartbeats so we only deal with physical IPs.
Currently our active SA uses an internal IP address of 10.128.0.6. I want all of our traffic and DNS records to point to this IP address (basically so it seems as if nothing changed). Is this the internal VIP I should use? Should I then give both the units' internal physical NICs two separate IPs on the same subnet? So, in a nutshell, I'm thinking I would re-IP the currently active unit, configure the standby with another IP, and configure the internal VIP with 10.128.0.6. Does that sound right?
How about the external VIP? Again, I want to use the same public IP I am currently using for our DNS records so we don't have to change that and it's as if nothing changed.
Any help would be appreciated. Thanks!
Yes, that is correct.
10.128.0.6 will be the internal VIP and the current external physical IP will be your external VIP so that the DNS records stay the same.
Change the physical IP of the current SA2500 to a different IP, for example 10.128.0.5.
Thanks! So it sounds like I'll need three internal IPs. Two for physical and one for VIP. Will I need three externals as well?
Yes, you will need 3 external IPs as well, as the external VIP is the IP users will need to connect to the cluster.
Hold on... if you just want to map the internal VIP to the outside there is no need to have 3 external IPs as well - mapping the VIP is enough. It will be always the same. The physical internal IPs are for the clustering and to get access to the nodes individually (if necessary), the VIP always belongs to the active leader in the cluster. And this is the guy you want to see on the outside. You don't want to access each node selectively from the outside, do you?
Tell me if I misunderstand the initial issue.