
Two internet breakouts on single MPLS VPN Service Provider

Hi All,

 

I would like advice from the community on how best to provide a redundant internet breakout for one of our VPN customers. The customer has a VPN with one internet breakout, but now the customer requires redundant internet access at our second internet breakout point.

 

The customer has a number of hosted services in our data centre, so they want redundant internet access for their users to browse the internet, and they also want services like their web server to be reachable at the second internet breakout point.

 

My thoughts initially were that they need a second proxy server at the second internet breakout. The user PCs can be configured to look for more than one proxy, so when the first proxy is unavailable the browser will direct all requests to the second proxy. I'm happy with that. But my problem is when the ISP internet fails, the proxy would still be available even though the internet access is unavailable.

 

So I'm trying to come up with a solution on this but I cannot figure it out at the moment. Can the community kindly assist please?

 

Kind Regards

Lungelo 

5 Replies

Dennis Mink
VIP Alumni

You would need to make internet redundant, using dynamic routing, in front of your proxies, so say if your network no longer has/advertises a 0.0.0.0/0 route through provider A, the 0.0.0.0/0 through provider B takes over. Most times this is achieved by using BGP. Also, have you got different public IP address ranges through each provider? Have you got any internet facing content that needs to be made redundant as well?

Please remember to rate useful posts, by clicking on the stars below.

Thanks for the reply Dennis,

 

We already peer with the Internet SP on two breakout points using BGP for dynamic routing. That part I'm comfortable with. Also MPLS VPN users do not necessarily depend on the default-route for internet traffic but rather they use a Proxy-server. To advertise two default-routes within the MPLS VPN is quite straightforward. Each breakout point advertises a default-route, with the secondary breakout point advertising a worse route through AS-Path prepending.

 

My main concern is when users depend on a Proxy-server for internet access. What happens when the primary Proxy-server is available when the primary internet link is down? I have uploaded three diagrams to depict what I'm talking about.

 

Once again thank you for your assistance

[Attached diagrams: Normal conditions; Failure Scenario 1; Failure scenario 2]

 


>>>My main concern is when users depend on a Proxy-server for internet access. What happens when the primary Proxy-server is available when the primary internet link is down? I have uploaded three diagrams to depict what I'm talking about.

It depends on the Proxy-server itself. How can it detect such a failure and react upon it?

Hi a.alekseev,

I agree with you 100%, and the reason I posted this was to get a view of how most MPLS Service Providers implement redundant internet service, especially for a centralized breakout point.

I have come to a conclusion that this cannot be automated since there are numerous components before you get to the internet like MPLS (Routing), Firewall, Proxy and the internet router. As you said, the switchover would depend on the Proxy server itself.

 

If the proxy server was a Cisco router, for example, I would implement something like IP SLA to track the internet link, but unfortunately the proxy is under a different administrative domain and I doubt it has any such features.

 

Anyway, thanks for the engagement. It means this can only be done with manual intervention by shutting the port that terminates the VPN in the Pretoria DC and also making sure that the public IP address range is no longer advertised through the primary internet breakout.
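
The link tracking that the thread compares to IP SLA, sketched as an added example that is not part of any post above: a reachability tracker with down/up hysteresis that could run beside a proxy and decide whether it should stay in service. The class and function names, the thresholds and the probe targets (documentation-range addresses) are all assumptions made for illustration.

```python
import socket
from dataclasses import dataclass

# Placeholder targets (TEST-NET ranges). Assumption: in practice these would be
# stable destinations reachable only through this breakout's internet link.
PROBE_TARGETS = [("192.0.2.10", 443), ("198.51.100.20", 443), ("203.0.113.30", 443)]

def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_round(targets=PROBE_TARGETS, probe=tcp_probe):
    """Probe every target once; one round is one list of booleans."""
    return [probe(host, port) for host, port in targets]

@dataclass
class UpstreamTracker:
    """Upstream state with hysteresis, similar in spirit to a tracked object
    with separate down and up delays."""
    min_ok: int = 1       # targets that must answer for a round to count as good
    down_after: int = 3   # consecutive bad rounds before leaving service
    up_after: int = 5     # consecutive good rounds before returning to service
    in_service: bool = True
    _streak: int = 0      # rounds in a row that disagree with the current state

    def record_round(self, results):
        good = sum(1 for r in results if r) >= self.min_ok
        if good == self.in_service:
            self._streak = 0          # state confirmed, forget earlier flaps
            return self.in_service
        self._streak += 1
        if self._streak >= (self.up_after if good else self.down_after):
            self.in_service = good
            self._streak = 0
        return self.in_service

def replay(tracker, rounds):
    """Feed recorded probe rounds; return the in_service state after each."""
    return [tracker.record_round(r) for r in rounds]

if __name__ == "__main__":
    # Constructed sample: a single flap, a sustained outage, then recovery.
    T, F = True, False
    sample = [[T, T, T], [F, F, F], [F, T, F], [F, F, F], [F, F, F], [F, F, F], [T, T, T]]
    print(replay(UpstreamTracker(down_after=3, up_after=1), sample))
```

A caller would poll `probe_round()` on a timer and use `in_service` to answer a health check or stop the proxy listener, so that browsers configured with two proxies fall through to the second one.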
