functionality the operations can be shifted to the third site and continue unaffected by the disaster.

Allows for additional staff at the remote data center outside the disaster area. A wide-area disaster affects people located within the disaster area, both professionally and personally. By moving operations out of the main data centers to a remotely located recovery data center, operational responsibilities shift to people not directly affected by the disaster.

3DC DR Solution Configuration

A Three Data Center configuration uses a disaster tolerant architecture made up of two sites that are located locally in a Metrocluster and a third site that is located remotely. These form separate Serviceguard clusters, which are configured in a Continentalclusters configuration. This solution is designed to work only with the HP StorageWorks P9000 Disk Array family or HP StorageWorks XP Disk Array series.

The first site (Site 1) contains one or more HP-UX servers that are connected to one P9000 or XP Disk Array located in the primary site. The second site (Site 2) contains an equal number of HP-UX servers connected to a second P9000 or XP Disk Array. Continuous Access Synchronous or Continuous Access Journal data replication must be established to replicate data between Site 1 and Site 2. The distance between Site 1 and Site 2 is limited by:

Serviceguard heartbeat latency requirements or

Continuous Access Synchronous or Continuous Access Journal distance requirements, whichever is configured between Site 1 and Site 2

When Site 1 and Site 2 form a Metrocluster, a third location is required to host the Quorum Server. In a Continentalclusters environment, the Metrocluster is the source disk site for packages configured in a 3DC DR solution.

The third site, which is normally located at a long distance from the Metrocluster sites, contains one or more HP-UX servers connected to a third P9000 or XP Disk Array. These HP-UX servers form a separate Serviceguard cluster and require a quorum server or cluster lock disk. In a Continentalclusters environment, Site 3 is the recovery cluster for packages configured in a 3DC DR solution. It is recommended to maintain a consistent copy of the volume at Site 3, using HP StorageWorks Business Copy XP or P9000 (BC-XP). This is particularly useful in case of a rolling disaster, which is a disaster that occurs before the cluster is able to recover from a non-disastrous failure.

An example is a data replication link that fails and then, while it is being restored and the data is being resynchronized, a disaster causes the primary data center to fail, resulting in an incomplete resynchronization and inconsistent data at the remote data center. In case of a rolling disaster, Metrocluster with Continuous Access for P9000 and XP and the P9000/XP Continuous Access software are able to detect that the data is inconsistent and do not allow the application package to start. A good copy of the data must be restored before restarting the application.

The following are additional disaster tolerant architecture requirements for a 3DC DR solution:

In the disaster tolerant cluster architecture, it is expected that each Metrocluster data center is self-contained such that the loss of one data center does not cause the entire cluster to fail. It is important that all single points of failure (SPOF) be eliminated so that surviving systems continue to run in the event that one or more systems fail.

It is also expected that the IP network and SAN equipment between and within the data centers are redundant and routed in such a way that the loss of any one component does not cause the IP network or SAN to fail.

Figure 75 (page 425) shows a typical configuration of the Three Data Center Disaster Recovery architecture when all three links are configured.

424 Designing a Three Data Center Disaster Recovery Solution