Designing Disaster Tolerant High Availability Clusters, 10th Edition, March 2003 (B7660-90013)

Disaster Tolerance and Recovery in an MC/ServiceGuard Cluster
Disaster Tolerant Architecture Guidelines
Each data center that houses part of a disaster tolerant cluster should be
supplied with power from a different circuit. In addition to a standard
UPS (uninterruptible power supply), each node in a disaster tolerant
cluster should be on a separate power circuit; see Figure 1-9.
Figure 1-9 Alternative Power Sources
Housing remote nodes in another building often implies they are
powered by a different circuit, so it is especially important to make sure
all nodes are powered from a different source if the disaster tolerant
cluster is located in two data centers in the same building. Some disaster
tolerant designs go as far as making sure that their redundant power
source is supplied by a different power substation on the grid. This adds
protection against large-scale power failures, such as brown-outs,
sabotage, or electrical storms.
Creating Highly Available Networking
Standard high-availability guidelines require redundant networks.
Redundant networks may be highly available, but they are not disaster
tolerant if a single accident can interrupt both network connections. For
example, if you use the same trench to lay cables for both networks, you
do not have a disaster tolerant architecture because a single accident,
such as a backhoe digging in the wrong place, can sever both cables at
once, making automated failover during a disaster impossible.
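The power and cabling rules above can be checked against a site inventory. The following is an added example, not part of the original guide: it flags power circuits shared by nodes, substations shared by sites, and physical cable segments shared by redundant links. Node, site and circuit names follow Figure 1-9; the substation, link and segment names are hypothetical, and the inventory is constructed with deliberate faults.

```python
from collections import defaultdict

# Constructed inventory: names follow Figure 1-9, except that node 4 is
# deliberately put on Power Circuit 3; substation names are hypothetical.
NODES = {
    "node 1": {"site": "Data Center A", "circuit": "Power Circuit 1", "substation": "sub-east"},
    "node 2": {"site": "Data Center A", "circuit": "Power Circuit 2", "substation": "sub-east"},
    "node 3": {"site": "Data Center B", "circuit": "Power Circuit 3", "substation": "sub-east"},
    "node 4": {"site": "Data Center B", "circuit": "Power Circuit 3", "substation": "sub-east"},
}
# Each redundant link lists the physical segments its cable runs through (hypothetical).
LINKS = {
    "net-a": ["riser-A1", "trench-north", "riser-B1"],
    "net-b": ["riser-A2", "trench-north", "riser-B2"],  # same trench: the backhoe case
}

def shared_circuits(nodes):
    """Circuits feeding more than one node (each node should have its own)."""
    by_circuit = defaultdict(list)
    for name, attrs in nodes.items():
        by_circuit[attrs["circuit"]].append(name)
    return {c: sorted(n) for c, n in by_circuit.items() if len(n) > 1}

def shared_substations(nodes):
    """Substations feeding more than one site (the stricter, optional rule)."""
    by_sub = defaultdict(set)
    for attrs in nodes.values():
        by_sub[attrs["substation"]].add(attrs["site"])
    return {s: sorted(sites) for s, sites in by_sub.items() if len(sites) > 1}

def shared_segments(links):
    """Segments used by more than one link: one cut there severs several networks."""
    users = defaultdict(list)
    for link, path in links.items():
        for seg in set(path):
            users[seg].append(link)
    return {seg: sorted(l) for seg, l in users.items() if len(l) > 1}

def audit(nodes, links):
    """Run all three checks; empty dicts mean no shared element was found."""
    return {"circuits": shared_circuits(nodes), "substations": shared_substations(nodes),
            "segments": shared_segments(links)}

if __name__ == "__main__":
    for check, findings in audit(NODES, LINKS).items():
        for element, affected in findings.items():
            print(f"{check}: {element} is shared by {', '.join(affected)}")
```

A clean result only covers what the inventory records, so the segment lists need to come from the actual cable routes rather than from the logical network diagram.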
In a disaster tolerant architecture, the reliability of the network is
paramount. To reduce the likelihood of a single accident causing both
networks to fail, redundant network cables should be installed so that
[Figure 1-9 labels: Data Center A (node 1, node 2, Power Circuit 1, Power Circuit 2); Data Center B (node 3, node 4, Power Circuit 3, Power Circuit 4)]