Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 Designing Disaster Tolerant High Availability Clusters: > Chapter 3 Building a Metropolitan Cluster Using MetroCluster/CA

Designing a Disaster Tolerant Architecture for use with MetroCluster/CA
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

MetroCluster/CA is designed for use in an extended distance cluster or metropolitan cluster environment within the 100 km limit of the FDDI network.

All nodes must be members of a single MC/ServiceGuard cluster. Two configurations are supported:

Following are the disaster tolerant architecture requirements:

  • In the disaster tolerant cluster architecture, it is expected that each data center is self-contained such that the loss of one data center does not cause the entire cluster to fail. It is important that all single points of failure (SPOF) be eliminated so that surviving systems continue to run in the event that one or more systems fail.

  • It is also expected that the networks between the data centers are redundant and routed in such a way that the loss of any one data center does not cause the network between surviving data centers to fail.

  • Exclusive volume group activation must be used for all VGs associated with packages that use the XP Series disk array. The design of the MetroCluster/CA script assumes that only one system in the cluster will have a VG activated at any time.

Single Data Center

A single data center architecture is supported, but it is not a true disaster tolerant architecture. If the entire data center fails, there will be no automated failover. This architecture is only valid for protecting data through data replication, and for protecting against multiple node failures.

Three Data Centers with Arbitrator(s)

This is the recommended and supported disaster tolerant architecture for use with MetroCluster/CA. The three data center architecture consists of two data centers with an equal number of nodes and a third data center with one or more arbitrator nodes; see Figure 3-1 “Three Data Centers with Arbitrators”.

Figure 3-1 Three Data Centers with Arbitrators

Three Data Centers with Arbitrators

The local XP Series disk array is called the Main Control Unit (MCU) for all nodes and packages in a given data center. The remote XP Series disk array, where the data is replicated, is called the Remote Control Unit (RCU). Note that main and remote are relative terms. An XP Series disk array can be the main disk array for one set of packages and the remote disk array for another. In Figure 3-1 “Three Data Centers with Arbitrators”, the XP disk array in data center A is the main or primary disk array for packages A and B, and the remote or secondary disk array for packages C and D in data center B. For packages A and B, data is written to PVOLs on the the array in Data Center A and replicated to SVOLs on the array in Data Center B. Likewise the XP disk array in Data Center B is the primary or main disk array for packages C and D, and the secondary or remote for packages A and B. For packages C and D, data is written to PVOLs on the disk array in Data Center B and replicated to SVOLs in Data Center A.

Arbitrators provide functionality like that of the cluster lock disk, and act as tie-breakers for a cluster quorum in case all of the nodes in one data center go down at the same time. Cluster lock devices are not used in the three-data-center architecture because cluster locks cannot be maintained across the CA link.

Arbitrators are fully functioning systems that are members of the cluster, and are not usually physically connected to the XP disk arrays. Table 3-2 “Supported System and Data Center Combinations” lists the allowable number of nodes at each data center in a three data center configuration, up to a 16-node maximum cluster size. (Note that the maximum cluster size for MC/ServiceGuard A.10.10 and A.10.11 is 8 nodes.)

Table 3-2 Supported System and Data Center Combinations

Data Center AData Center BData Center C (Arbitrators)
111
221
222*

2

1

2

331
332*

4

41

4

42*

5

51

5

52*

6

61

6

62*

7

71

7

72*

 

* Configurations with two arbitrators are preferred because they provide a greater degree of availability, especially in cases when a node is down due to a failure or planned maintenance.

NOTE: In the campus or metropolitan environment, the same number of systems must be present in each of the two data centers (Data Center A and Data Center B) whose systems are connected to the XP disk arrays. There must be either one or two arbitrators in Data Center C.

Arbitrator Node Configuration Rules

Although you can use one arbitrator, having two arbitrators provides greater flexibility in taking systems down for planned outages as well as providing better protection against multiple points of failure. Using two arbitrators:

  • Provides local failover capability to applications running on the arbitrator.

  • Protects against multiple points of failure (MPOF).

  • Provides for planned downtime on a single system anywhere in the cluster.

If you use a single arbitrator system, special procedures must be followed during planned downtime to remain protected. Systems must be taken down in pairs, one from each of the data centers, so that the MC/ServiceGuard quorum is maintained after a node failure. If the arbitrator itself must be taken down, disaster recovery capability is at risk if one of the other systems fails.

Arbitrator systems can be used to perform important and useful work such as:

  • Hosting mission-critical applications not protected by disaster recovery software

  • Running monitoring and management tools such as IT/Operations or Network Node Manager

  • Running backup applications such as Omniback

  • Acting as application servers

XP Series Disk Array Configuration Rules

Each XP Series disk array must be configured with redundant CA links, each of which is connected to a different LCP or RCP card. To prevent a single point of failure (SPOF), there must be at least two physical boards in each XP for the CA links. Each board usually has multiple ports. However, a redundant CA link must be connected to a port on a different physical board from the board that has the primary CA link. When using bi-directional configurations, where data center A backs up data center B and data center B backs up data center A, you must have at least four CA links, two in each direction. Four CA links are also required in uni-directional configurations in which you want to allow failback.

Calculating a Cluster Quorum

When a cluster initially forms, all systems must be available to form the cluster (100% Quorum requirement).

A quorum is dynamic and is recomputed after each system failure. For instance, if you start out with an 8-node cluster and two systems fail, that leaves 6 out 8 surviving nodes, or a 75% quorum. The cluster size is reset to 6 nodes. If two more nodes fail, leaving 4 out of 6, quorum is 67%.

Each time a cluster forms, there must be more than 50% quorum to reform the cluster. A cluster lock disk is normally used as the tie-breaker when quorum is exactly 50%. However, a cluster lock disk is not supported with MetroCluster with Continuous Access XP. Therefore, a quorum of 50% or less will cause the remaining nodes to halt.

Example Failover Scenarios with One Arbitrator

Taking a node off-line for planned maintenance is treated the same as a node failure in these scenarios. Study these scenarios to make sure you do not put your cluster at risk during planned maintenance.

Figure 3-2 Failover Scenario with a Single Arbitrator

Failover Scenario with a Single Arbitrator

The scenarios in Table 3-3 “Node Failure Scenarios with One Arbitrator Fm Variable:Table Continuation”, based on Figure 3-2 “Failover Scenario with a Single Arbitrator”, illustrate possible results if one or more nodes fail in a configuration with a single arbitrator.

Table 3-3 Node Failure Scenarios with One Arbitrator Fm Variable:Table Continuation

FailureQuorumResult
arbitrator 14 of 5 (80%)no change
node 14 of 5 (80%)pkg A switches
node 1, then node 23 of 4 (75%)pkg A and B switch
node 1, 2, then arbitrator 12 of 3 (67%)pkg A and B switch
nodes 1, 2, arbitrator 1, then node 31 of 2 (50%)cluster halts*
arbitrator 1, then node 13 of 4 (75%)pkg A switches

 

* Cluster can be manually started with the remaining node.

Table 3-4 “Data Center Failure Scenarios with One Arbitrator” illustrates possible results if a data center fails in a configuration with a single arbitrator.

Table 3-4 Data Center Failure Scenarios with One Arbitrator

FailureQuorumResult
data center A (nodes 1 and 2)3 of 5 (60%)pkg A and B switch to data center B
data center A, then arbitrator 12 of 3 (67%)pkg A and B switch, then no change
data center A and arbitrator 12 of 5 (40%)cluster halts*
data center A, then arbitrator 1, then node 31 of 2 (50%)cluster halts*
arbitrator 1, then data center A2 of 4 (50%)cluster halts*
node 3, then data center A2 of 4 (50%)cluster halts*
data center B3 of 5 (60%)pkg C and D switch to data center A
data center C4 of 5 (80%)no change

 

* Cluster can be manually started with the remaining node.

With a single arbitrator node, the cluster is at risk each time a node fails or comes down for planned maintenance.

Example Failover Scenarios with Two Arbitrators

Having two arbitrator nodes adds extra protection during node failures and allows you to do planned maintenance on arbitrator nodes without losing the cluster should a disaster occur.

Figure 3-3 Failover Scenario with Two Arbitrators

Failover Scenario with Two Arbitrators

The scenarios in Table 3-5 “Failure Scenarios with Two Arbitrators” illustrate possible results if a data center or one or more nodes fail in a configuration with two arbitrators. Note that 3 of the 4 scenarios that caused a cluster halt with a single arbitrator, do not cause a cluster halt with two arbitrators.

Table 3-5 Failure Scenarios with Two Arbitrators

FailureQuorumResult
data center A (nodes 1 and 2)4 of 6 (67%)pkg A and B switch to data center B
data center A, then arbitrator 13 of 4 (75%)pkg A and B switch, then no change
data center A and arbitrator 13 of 6 (50%)cluster halts*
data center A, then arbitrator 1, then node 32 of 3 (67%)pkg A, B, and C switch
arbitrator 1, then data center A3 of 5 (60%)pkg A and B switch to data center B
node 3, then data center A3 of 5 (60%)pkg A and B switch to data center B
data center B4 of 6 (67%)pkg C and D switch to data center A
data center C4 of 6 (67%)no change

 

* Cluster can be manually started with the remaining node.

Disaster Tolerant Checklist

Use the this checklist to make sure you have adhered to the disaster tolerant architecture guidelines for a three-data-center configuration.

Figure 3-4  Disaster Tolerant Checklist

Disaster Tolerant Checklist

Cluster Configuration Worksheet

Use this cluster configuration worksheet either in place of, or in addition to the worksheet provided in the Managing MC/ServiceGuard manual. If you have already completed an MC/ServiceGuard cluster configuration worksheet, you only need to complete the first part of this worksheet.

Figure 3-5  Cluster Configuration Worksheet

Cluster Configuration Worksheet

Package Configuration Worksheet

Use this package configuration worksheet either in place of, or in addition to the worksheet provided in the Managing MC/ServiceGuard manual. If you have already completed an MC/ServiceGuard package configuration worksheet, you only need to complete the first part of this worksheet.

Figure 3-6  Package Configuration Worksheet

Package Configuration Worksheet

Figure 3-7  Package Control Script Worksheet

Package Control Script Worksheet


Overview of MetroCluster/CA
  		 


Preparing an MC/ServiceGuard Cluster for MetroCluster /CA  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© Hewlett-Packard Development Company, L.P.