|
|
United States-English | |
|
|
 |
|
Designing Disaster Tolerant High Availability Clusters: > Chapter 4 Building
a Metropolitan Cluster Using MetroCluster/SRDF
Designing a Disaster Tolerant Architecture for use with MetroCluster/SRDF |
|
|
MetroCluster with Symmetrix SRDF is designed for use metropolitan cluster environment within the 100 km loop limit of the FDDI network. All nodes must be members of a single MC/ServiceGuard cluster. Two configurations are supported:
Following are the disaster tolerant architecture requirements:
A single data center architecture is supported, but it is not a true disaster tolerant architecture. If the entire data center fails, there will be no automated failover. This architecture is only valid for protecting data through data replication, and for protecting against multiple node failures. This is the recommended and supported disaster tolerant architecture for use with MetroCluster with Symmetrix SRDF. This architecture consists of two main data centers with an equal number of nodes and a third location with one or more arbitrator nodes; see Figure 4-1 “Two Data Centers and Third Location with Arbitrators”. The local EMC Symmetrix disk array is called the R1 disk for all nodes and packages in a given data center. The remote EMC Symmetrix disk array, where the data is replicated is called the R2 disk. In Figure 4-1 “Two Data Centers and Third Location with Arbitrators” the EMC Symmetrix disk array in data center A is the R1 disk for packages A and B, and the R2 disk for packages C and D in data center B. Likewise the EMC Symmetrix disk array in data center B is the R1 for packages C and D, and the R2 for packages A and B. Arbitrators provide similar functionality to the cluster lock disk, and act as tie-breakers for a cluster quorum in case all of the nodes in one data center go down at the same time. Cluster lock devices are not supported in MetroCluster configuration because cluster locks cannot be maintained across the SRDF link. Arbitrators are fully-functioning systems that are members of the cluster and are not usually physically connected to the Symmetrix units. Figure 4-1 “Two Data Centers and Third Location with Arbitrators” lists the allowable number of nodes at each main data center and the third location, assuming a 16-node maximum cluster size. Figure 4-1 “Two Data Centers and Third Location with Arbitrators” shows a two data center and third location configuration with two nodes at each site, and two arbitrator nodes Table 4-2 Possible Number of Nodes in a Three Data Center Configuration
* Configurations with two arbitrators are preferred because they provide a greater degree of availability, especially in cases when a node is down due to a failure or planned maintenance.
Although you can use one arbitrator, having two arbitrators provides greater flexibility in taking systems down for planned outages as well as providing better protection against multiple points of failure:
If you use a single arbitrator system, special procedures must be followed during planned downtime to remain protected. Systems must be taken down in pairs, one from each of the data centers, so that the MC/ServiceGuard quorum is maintained after a node failure. If the arbitrator itself must be taken down, disaster recovery capability is at risk if one of the other systems fails. Arbitrator systems can be used to perform important and useful work such as:
When a cluster initially forms, all systems must be available to form the cluster (100% Quorum requirement). A quorum is dynamic and is recomputed after each system failure. For instance, if you start out with an 8-node cluster and two systems fail, that leaves 6 out 8 surviving nodes, or a 75% quorum. The cluster size is reset to 6 nodes. If two more nodes fail, leaving 4 out of 6, quorum is 67%. Each time a cluster forms, there must be more than 50% quorum to reform the cluster. Cluster lock disks are normally used as the tie-breaker when quorum is exactly 50%. However, cluster lock disks are not supported with MetroCluster with Symmetrix SRDF. Therefore, a quorum of 50% or less will cause the remaining nodes to halt. Taking a node off-line for planned maintenance is treated the same as a node failure in these scenarios. Study these scenarios to make sure you do not put your cluster at risk during planned maintenance. The scenarios in Table 4-3 “Node Failure Scenarios with One Arbitrator” are based on Figure 4-2 “Failover Scenario with a Single Arbitrator” and illustrate possible results if one or more nodes fail in a configuration with a single arbitrator. Table 4-3 Node Failure Scenarios with One Arbitrator
* Cluster can be manually started with the remaining node. Table 4-4 “Data Center Failure Scenarios with One Arbitrator” illustrates possible results if a data center fails in a configuration with a single arbitrator. Table 4-4 Data Center Failure Scenarios with One Arbitrator
* Cluster can be manually started with the remaining node. With a single arbitrator node, the cluster is at risk each time a node fails or you take one node down for planned maintenance. Having two arbitrator nodes adds extra protection during nodes failures and allows you to do planned maintenance on arbitrator nodes without losing the cluster should a disaster occur. The scenarios in Table 4-5 “Data Center Failure Scenarios with Two Arbitrators” illustrate possible results if a data center or one or more nodes fail in a configuration with two arbitrators. Note that 3 of the 4 scenarios that caused a cluster halt with a single arbitrator, do not cause a cluster halt with two arbitrators. Table 4-5 Data Center Failure Scenarios with Two Arbitrators
* Cluster can be manually started with the remaining node. Use this checklist to make sure you have adhered to the disaster tolerant architecture guidelines for a two main data center and third location configuration. Use this cluster configuration worksheet either in place of, or in addition to the worksheet provided in the Managing MC/ServiceGuard manual. If you have already completed an MC/ServiceGuard cluster configuration worksheet, you only need to complete the first part of this worksheet. Use this package configuration worksheet either in place of, or in addition to the worksheet provided in the Managing MC/ServiceGuard manual. If you have already completed an MC/ServiceGuard cluster configuration worksheet, you only need to complete the first part of this worksheet.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Printable version |
|
|
|
|
|
|||||||||||||||
|
|||||||||||||||
