Thread: Hot-Standby?

  1. #21
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 26,553

    You'd have to use the Cisco's for VPN termination on the cluster side, Untangle would only be providing egress filtering. Else if Untangle goes down, your VPNs go with it.

    I haven't a clue how to do this Cisco stuff either, that's not my thing. The project I mentioned the customer provided their own Cisco expert, I just did the Untangle side.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #22
    dmor (Master Untangler)
    Join Date: Jun 2009
    Posts: 687

    Originally posted by sky-knight:
    "Storage Replication isn't a feature of Hyper-V but a feature of Server 2012"

    True. Storage Replication isn't a Hyper-V feature. I was actually referring to "Hyper-V Replica", which indeed is a feature of Hyper-V. And according to various sources, it definitely is agnostic to the storage environment of the replica VM's host server. Here's one such answer on the topic from an MVP (see the comments below, or just search for the term "totally different"):
    http://www.aidanfinn.com/?p=12147

  3. #23
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 26,553

    Yeah, but it's not automatic on the flip over. Again, shadow protect does the same thing, but in a more visible way.

    Still, handy arrow for the quiver.

  4. #24
    Untanglit
    Join Date: Jan 2014
    Posts: 17

    Sorry for the intrusion, but I just couldn't keep away from what seems to be an interesting discussion about an interesting solution.

    Here's a bit on my experience with a somewhat similar requirement/setup.

    Since Untangle doesn't do standby/redundancy very well (as you may have noticed), I'm placing them in a classical "sandwich", or "behind-the-router" position, where there's a fast-converging routing protocol running between the WAN router(s) and the distribution/collapsed core multilayer switch(es). Two links, each featuring an Untangle appliance in bridging mode in between. You can run this using two WAN/ISP routers (if there are two WAN/ISP links - someone mentioned full redundancy?), but two routers using the same WAN/ISP link is also not unheard of (HSRP comes in very handy... or even GLBP for the really brave souls).

    Lame diagram (let me know if you need a more elaborate one, I'll chalk it up):

    ISP ----------- ROUTER --------- UNTANGLE --------- DISTRIBUTION/CORE SWITCH ------ ACCESS SWITCHES ---- CLIENTS/VMs
    | |||| X
    ISP2 ---------- ROUTER 2 -------- UNTANGLE 2 ------ DISTRIBUTION/CORE SWITCH 2 ---- ACCESS SWITCHES ---- CLIENTS/VMs

    Couldn't "draw" the connection between ROUTER 2 and UNTANGLE, as well as ROUTER <-> UNTANGLE 2. There are a few more redundancy options that can be put in place (switches in front of the routers, and routers running HSRP, etc.). Other topologies are also feasible, but all depends on the specific needs.

    Untangle terminates VPNs, and if you need these to be mapped to VLANs, brctl utils (a.k.a. Linux uml-tools) can bridge TAP VPN interface traffic to specific VLAN subinterfaces, with the interface running in 802.1q trunk mode.

    Have implemented #1 and it works great (except when the standby Untangle unit gets hit by 15,000+ sessions following the outage of the primary, so the stateful engine has no clue of what was the state of the connection, but this is still way better than having a serious outage). Convergence times are usually sub-second, but that depends on the selected routing protocol more than anything.

    Have implemented #2 on a separate Linux OpenVPN server, but not on an Untangle appliance, so your mileage may vary in terms of ingress policies/filtering/scanning/DPI you can apply to bridged VPN/VLAN traffic.

    I hope this gives you some ideas or tips :-)
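
The VPN-to-VLAN bridging mentioned in post #24 above, as an added example that is not part of the original post or of Untangle: a dry-run script that validates its inputs and prints the `ip`/`brctl` commands for bridging one TAP interface onto one 802.1q subinterface of a trunk port. The names `tap0` and `eth1`, VLAN 100, the `br<vlan>` bridge name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print, without executing, the commands
# that bridge one OpenVPN TAP interface onto one 802.1q VLAN subinterface.
# tap0, eth1 and VLAN 100 are constructed sample values.

valid_ifname() {
    # Allow only a conservative character set so a hostile or mistyped
    # name cannot smuggle shell metacharacters into the printed plan.
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]   # Linux interface names hold at most 15 characters
}

valid_vlan() {
    # Usable 802.1q IDs are 1..4094; reject leading zeros and non-digits.
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 4 ] && [ "$1" -le 4094 ]
}

plan_bridge() {
    tap=$1; trunk=$2; vlan=$3
    valid_ifname "$tap"   || { echo "bad TAP name: $tap" >&2; return 2; }
    valid_ifname "$trunk" || { echo "bad trunk name: $trunk" >&2; return 2; }
    valid_vlan "$vlan"    || { echo "bad VLAN id: $vlan" >&2; return 2; }
    sub="$trunk.$vlan"; br="br$vlan"
    valid_ifname "$sub"   || { echo "name too long: $sub" >&2; return 2; }
    cat <<EOF
ip link add link $trunk name $sub type vlan id $vlan
brctl addbr $br
brctl addif $br $sub
brctl addif $br $tap
ip link set $sub up
ip link set $tap up
ip link set $br up
EOF
}

# Print the plan for the sample values; review it before running it as root.
plan_bridge tap0 eth1 100
```

Traffic bridged this way enters the VLAN at layer 2, so whether the appliance's filtering still sees it depends on where the bridge sits, which is the caveat the post raises for #2.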

  5. #25
    jcoffin (Untangler)
    Join Date: Aug 2008
    Location: Lake Tahoe
    Posts: 9,762

    With the newly released 10.1 with the VRRP feature, two Untangles could replace all the equipment.

    http://wiki.untangle.com/index.php/N..._Basic_Example

    VrrpDouble.png
    Last edited by jcoffin; 01-29-2014 at 06:41 PM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #26
    Untanglit
    Join Date: Jan 2014
    Posts: 17

    That's awesome, thanks for sharing. Didn't see it in the release notes.
    So now you only need to do the VPN<->VLAN bridge + trunking :-)

  7. #27
    dmor (Master Untangler)
    Join Date: Jun 2009
    Posts: 687

    @Milen - Thanks for the great contribution to the discussion. I have seen Untangle 10.1 will bring HA, and am holding off until then. :-)

    -
    Doug

  8. #28
    Untanglit
    Join Date: Jan 2014
    Posts: 17

    Yeah, it's a big thumbs up, a giant leap in the right direction (even though some would say it's not proper high availability in the modern sense of session tracking, etc). Still, it is a must-have feature, especially since it's been available on Linux for a while, so the team at Untangle could step on the shoulders of giants, and have added a proper front-end to it. :-)

  9. #29
    dmorris (Untangle Junkie)
    Join Date: Nov 2006
    Location: San Carlos, CA
    Posts: 17,486

    Just for clarity: VRRP essentially provides hot-standby. Traffic is not load balanced.

    Additionally no state is shared.
    http://wiki.untangle.com/index.php/N...n_Untangles.3F

    If you want load balancing you need to do something like what milen has done.

  10. #30
    Newbie
    Join Date: Mar 2013
    Posts: 1

    Very excited about this, but I have one quick licensing question. To do this, would we need two Untangle licenses? Based on what I read in the wiki, it would appear so, but since the other box is just a failover (not doing anything actively until the failover hits), perhaps it wouldn't require a second license?
