infoblox_nios:high_availability

Differences

This shows you the differences between two versions of the page.

infoblox_nios:high_availability [2024/09/10 21:41] – [High Availability] bstaffordinfoblox_nios:high_availability [2025/12/15 15:30] (current) bstafford
Line 4: Line 4:
 [[https://www.edge-cloud.net/2013/05/21/infoblox-vnios-ha-pair-vip-unreachable-when-deployed-on-vsphere|more data here]]. [[https://www.edge-cloud.net/2013/05/21/infoblox-vnios-ha-pair-vip-unreachable-when-deployed-on-vsphere|more data here]].
  
 +General blog article [[https://blogs.infoblox.com/company/power-of-three-for-low-cost-ha-business-continuity/|here]] on using a standalone appliance and a HA pair.
 +
 +===== Changing HA Pair Types =====
 +Cutting over from HA physical to HA virtual. When I cut the passive to vNIOS, it did not change the Member Type to Virtual NIOS. After I cut the second member of the HA pair, the Member Type changed to Virtual NIOS without intervention.
 +===== DFP =====
 +When using DFP, NIOS uses the LAN1 port to establish DoT on TCP-443 to Infoblox Anycast. This is true EVEN IF THE NIOS is HA. NIOS will not use the HA VIP for TCP-443. However, any plaintext queries will come from the HA VIP.
 ===== LACP ===== ===== LACP =====
 NIOS does not support LACP. In addition, for the bonding of LAN1/LAN2, NIOS only supports mode 1 (active-backup) bonding. Only one NIC will be "active" at a time.  No protocols are communicated for achieving this - NIOS just speaks on one interface and the CAM table gets updated on the switch to the active port. NIOS does not support LACP. In addition, for the bonding of LAN1/LAN2, NIOS only supports mode 1 (active-backup) bonding. Only one NIC will be "active" at a time.  No protocols are communicated for achieving this - NIOS just speaks on one interface and the CAM table gets updated on the switch to the active port.
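Review bot: In the added DFP section, the statement that DoT leaves from LAN1 rather than the HA VIP stops short of the operational consequence: egress rules for TCP-443 to Infoblox Anycast need to cover the LAN1 address of each HA member, not only the VIP, otherwise the member that becomes active after a failover may be blocked. Suggest adding that sentence. Since DoT normally runs on TCP 853, a word confirming that "TCP-443" is intentional would also help, and a blank line before "===== DFP =====" would match the other added headings.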
Line 11: Line 17:
   * HA is not supported on only Azure TE-926 appliance because the underlying Azure VM doesn't have enough network interfaces.   * HA is not supported on only Azure TE-926 appliance because the underlying Azure VM doesn't have enough network interfaces.
   * HA is not supported on Azure/GCP TE-825 appliance because the underlying Azure/GCP VM doesn't have enough network interfaces.   * HA is not supported on Azure/GCP TE-825 appliance because the underlying Azure/GCP VM doesn't have enough network interfaces.
 +
 +Documentation on [[https://docs.infoblox.com/space/vniosazure/636026896/Deploying+the+vNIOS+Instance+with+High+Availability|Azure HA]].
 ===== Change IP Settings ===== ===== Change IP Settings =====
 If you edit the subnet mask or default gateway of the VIP or either of the HA ports or either of the LAN ports of a HA pair, both members will do a product restart (not full reboot) at the same time when you save your changes. If you edit the subnet mask or default gateway of the VIP or either of the HA ports or either of the LAN ports of a HA pair, both members will do a product restart (not full reboot) at the same time when you save your changes.
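Review bot: The added Azure HA documentation link follows directly after two bullets saying HA is not supported on the Azure TE-926 and Azure/GCP TE-825 appliances, with nothing saying which appliances the linked guide does apply to. Suggest a short lead-in that ties the link to the supported case, and a blank line before "===== Change IP Settings =====" so the heading is not glued to the link.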
Line 20: Line 28:
  
 The other device will keep its LAN1 and MGMT IP address and also its DNS name and also its local admin accounts but will be made into a standalone device. The other device will keep its LAN1 and MGMT IP address and also its DNS name and also its local admin accounts but will be made into a standalone device.
 +
 +===== Proximity =====
 +NIOS HA pairs are designed to be deployed next to each other in adjacent racks. Deploying a HA pair over two separate sites (i.e. between two DC/data centers) connected with dark fibre is not supported. It may well work but it is bad practice because of the risk of split-brain should anything happen to the fibre.
 +
 +e.g. examples of fibre cuts.
 +  * 2025-09-21 [[https://www.nbcdfw.com/news/local/dfw-love-field-airport-delays-cancellations-cable-lines-friday-american-southwest/3921370/|Texas Airports Impacted]]
 +
 +As per [[https://docs.infoblox.com/space/nios90/1432819381/Planning+for+an+HA+Pair|Infoblox Documentation]] ... Infoblox uses VRRP advertisements for the active and passive HA design. Therefore, all HA pairs must be located **in the same location** connected to the highly available switching infrastructure. Any other deployment is not supported without a written agreement with Infoblox. Contact Infoblox Technical Support for more information about other deployment support.
 ===== HA Failover on DNS Nameservers ===== ===== HA Failover on DNS Nameservers =====
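Review bot: The first paragraph of the new Proximity section says a HA pair across two sites is "not supported", while the Infoblox text quoted at the end says it is "not supported without a written agreement with Infoblox"; the two should say the same thing. Suggest moving the VRRP quotation up so the reason comes before the fibre-cut examples, and stating that the split-brain risk comes from the members losing each other's VRRP advertisements when the link is cut. "e.g. examples of fibre cuts." is redundant and introduces a list with a single entry.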
  
Line 33: Line 49:
  
 e.g. If LAN1 is for production and LAN2 is for OOB network, if LAN2 on the active node fails, there is no failover and the OOB network looses access to services on LAN2. e.g. If LAN1 is for production and LAN2 is for OOB network, if LAN2 on the active node fails, there is no failover and the OOB network looses access to services on LAN2.
 +===== NSX =====
 +The only time I saw a customer deploy NIOS HA on NSX, they had to bypass NSX and expose the VM to ESXi directly because they couldn't get "Forged Transmits" enabled on NSX 4.11.
 +  * port group is on NSX "Segment" and that doesn't have option for forgesd transits.
 +  * "MAC address changes" are allowed in NSX but called "MAC address learning"
 +  * "Forged transmits" not allowed on NSX so the customer had to get the VM's working directly with ESXi.
 +
 +Without "Forged Transmits", everything would work for a minute and then stop for four hours
 +
 ===== KB Article ===== ===== KB Article =====
   * When does an HA failover occur? [[https://support.infoblox.com/s/article/6589|KB Article]]   * When does an HA failover occur? [[https://support.infoblox.com/s/article/6589|KB Article]]
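Review bot: The first bullet of the new NSX section has a typo, "forgesd transits" for "Forged Transmits", and it repeats the third bullet; merging them would leave one statement that the NSX Segment has no Forged Transmits option. The closing sentence "everything would work for a minute and then stop for four hours" lacks a full stop and does not say what stopped (the VIP, DNS service, or Grid communication), which is the detail a reader troubleshooting this would need. "VM's" should be "VMs", and the version string "NSX 4.11" is worth confirming.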
infoblox_nios/high_availability.1726004496.txt.gz · Last modified: by bstafford