Pulse Secure’s PSA7000 appliance provides link redundancy in both the copper (PSA7000c) and fiber (PSA7000f) appliance models. While these models have four physical interfaces, they are divided into two sets:
- two (2) interfaces for internal
- two (2) interfaces for external
For Pulse Connect Secure 8.2 and above / Pulse Policy Secure 5.3 and above:
- One interface per set will be in active mode while the other interface will be in backup mode
For Pulse Connect Secure 8.1 and below / Pulse Policy Secure 5.2 and below:
- Only the left ports are operational. Fail-over functionality is not supported.
Figure: PSA7000c (Copper) shown.
The admin console will present a single internal and external interface. The redundancy does not need to be configured and is enabled automatically.
How does link redundancy work?
Link redundancy on the PSA7000 appliance is based on Linux network bonding (mode 1 active-backup). The backup becomes active if, the active interface fails. The bonded set of interfaces will present the switch with a single MAC address which provide fault tolerance and minimizes traffic lose and eliminates confusion on the switch.
When the active interface fails, bonding will issue one or more gratuitous ARPs on the newly active slave. One gratuitous ARP is issued for the bonding master interface and each VLAN interfaces configured above it, provided that the interface has at least one IP address configured. Gratuitous ARPs issued for VLAN interfaces are tagged with the appropriate VLAN id.
No specific switch configuration is needed other than ensuring that interfaces which connect to interfaces in a bonded set are configured the same. Multiple switch topologies with the active and backup connections going to different switches is preferred. The switches should have an inter-switch link (ISL).
