Resilient Netsight

  • Question
  • Updated 2 years ago
  • Answered
Hi,

Have a scenario where I need a resilient NetSight, but not sure how best to do it, or even if this is the right course of action.

The scenario is that wireless external captive portal Guest Registration has been configured with sponsorship. There are resilient wireless controllers and NAC configured, one in each location.

The problem arises should NetSight go down: you lose the means to send the sponsorship email, which seems like a lot of effort for such a small thing, but it has the potential of grinding the whole process to a halt.

Believe it's the only thing that you would lose in this scenario that would stop this working?

So wondering if anyone knows what can be done about it?

Many thanks in advance.
Martin Flammia

Posted 2 years ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello Martin,

To my knowledge you should be able to get by any NetSight outage for captive portal by enabling survivable registration. NAC detects a problem with NetSight and puts them right through until NetSight comes back, then attempts to put them back through registration.

Thanks
-Ryan
Martin Flammia

Thanks for the quick response Ryan.

Guess that is the answer, but really did need something that is truly resilient, so there was no noticeable effect. Predominantly to give room to manoeuvre: should something physically break, the visibility to the customer is nil and it gives the time to fix it, say for example the hard disks completely crash, corrupt or fall over; it could take some time to get back into full service.

Assume this is the only option that you are aware of?

The other conundrum is the resilient creation of the web redirect in the wireless controller and access to the sponsorship page, which I can only see functioning with the inclusion of a load balancer, especially with EXOS not having the feature to do this inside the switch configuration, unless you know otherwise?

For example, you configure the web redirect in the wireless controller to go to ewcredirect.domain.com, which resolves to the first NAC 10.10.10.10. If the NAC fails you need ewcredirect.domain.com to resolve to the second NAC 10.10.10.20?

The other example is that the sponsorship email is sent with a URL for the sponsorship page, but if you have resilient NACs in two different locations you need that URL to resolve to one or the other should the other go offline, again requiring a load balancer.

Could be approaching this wrong, so interested to hear any other options.

Cheers.
James A, Embassador

In the NetSight about window, I see "High Availability" as an unlicensed feature, so it is perhaps available. Short of that, using VMware HA would be a pretty good solution in terms of hardware failure.

For resilient NACs, the URL for the sponsorship does go to the right NAC URL depending on which one the EWC is talking to.
Martin Flammia

Hi James,

Thanks for posting. Will look into the high availability and post back if anything turns up. Unfortunately the VMware HA isn't an option in this case.

Regarding the sponsorship URL and web redirect...

There are two sites, A and B. Each site has a wireless controller that is configured for high availability; at the moment there is just one NetSight, and a NAC at each site.

The scenario is just from the perspective of site A:

1. Site A NAC goes down, both wireless controllers use ewcredirect.domain.com as their web redirect. If this resolves to NAC A it would no longer be able to display the Guest Registration page unless it is now able to resolve to site B NAC.
2. Sponsorship email is sent by NetSight. In the sponsorship email there is the link to the sponsorship page to ewcredirect.domain.com which resolves to NAC A, but if NAC A fails you need to resolve to NAC B.

Think the only way to resolve this is by means of the introduction of a load balancer, but interested to hear what the community says.

Many thanks.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

We have seen customers have an Extreme Management server deployed as the primary, and then a backup separate server with the same IP address and kept up to date with database restore. In the case of a complete failure the primary would be shut down and the backup would be turned on, but this would result in a loss of data depending on how often the backup was kept up to date.

There is also a failover plan if using VMware ESX for the Extreme Management server. This utilizes VMware ESX high availability features.

In the NetSight help, search for "High Availability"; it's the article titled "Extreme Management Center Failover with VMware ESX".

As far as wireless redirect goes, you can configure a DNS name that resolves to two NACs and it should fail over if the primary NAC fails. I've tested this in the lab.

The sponsorship email part I haven't tested, but it may work.

Thanks
-Ryan
Martin Flammia

Thanks for posting again Ryan.

I'm interested in the DNS setup you mention, but wondered how you may have set this up. With a load balancer you have a means of testing the availability of a service that is no longer available, and can therefore send requests to the other NAC when one is down.

With DNS I'm only aware of a round robin approach, but that would mean 50% of the time the wrong IP address would be handed out.

The only other option that I've been told about is the use of a DNS SRV record, which apparently hasn't been standardised properly yet, but would hand out a list of IP addresses for that one record with a priority order. Is this what you used?

Many thanks.
Martin Flammia

So it just popped into my head that with regards to the wireless redirect I could possibly use NAC's DNS proxy facility instead!

If my understanding is correct, you would configure in the DHCP scope a primary, secondary and tertiary DNS address, with the primary address being the DNS server itself and the secondary and tertiary being the 2 NACs.

So when the end-system registers, access to the primary DNS server is blocked and the end-system sends its DNS request to the DNS proxy on the NAC, which then gives itself as the IP address.

If the first NAC goes down then the other NAC does the same and responds with its IP address?

Could anyone corroborate that this would work, or how I could (as explained above) get DNS to resolve the same name to 2 NAC addresses and choose one or the other if it's down, and reliably work, i.e. DNS is not configured to round robin, thereby only working 50% of the time?

Many thanks in advance.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello Martin,

I had set this up and tested it about 2 years ago now, but if I remember correctly all I needed to do was configure the URL in the EWC for External mode to a name and then have that name resolvable to two different addresses in DNS.

If DNS returns two different addresses, generally clients will attempt the first, and if there is no response will then attempt the second. I was able to unplug the primary NAC and clients would still see the page, as they would attempt the 2nd resolved address.

Your scenario with using a primary, secondary, and tertiary DNS address would work as a redundant captive portal configuration when in DNS proxy configuration.

DNS proxy and External mode redirect on the EWC are two different redirect methods; you shouldn't have to use both at the same time.

Also, I know it's not possible to configure a 3rd DNS server on a Windows box; I'm not sure if you are able to configure a 3rd through DHCP services or not.

Thanks
-Ryan
Martin Flammia

Hi Ryan,

Thanks for posting. After a lot of thought here is my plan:

1. Configure DNS proxy on both the NACs.
2. Configure DHCP to issue two different DNS server IP addresses; these will in fact be the first NAC and the second NAC IPs.
3. When the PC first boots and connects to wireless it will get an IP address and DNS settings as per above on the non-auth VLAN and resolve any web queries directly to the first NAC; this should return the NAC's own address and redirect to the portal.
4. If the first NAC goes down the PC will try its second DNS address; this resolves to the second NAC and follows the same process.
5. Once the PC is authenticated onto the network it will get its authenticated policy, which puts it onto another VLAN which has a scope that has the correct DNS in it, say 8.8.8.8.

This way I don't need a tertiary DNS address, an internal load balancer, or even to worry about trying to get a DNS server to send two different IP addresses.

The other method is to use load balancers as per below, which I will probably not need on the internal side but will definitely need externally to redirect the sponsor email. The plan is to use Kemp's free 20 Mb/s cloud service for this, see image below.



Once I get this setup, which might be a little way in the future I'll post the results.

Thanks.
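The two failover mechanisms discussed in this thread (Ryan's test of a name resolving to two NAC addresses, where the client tries the first and then the second, and Martin's final plan of handing out both NACs as DNS servers so the NAC DNS proxy answers with its own address) can be modelled offline. The following is an added example and is not code from Extreme Networks or from any poster. It builds real DNS wire-format messages, but the transport is an in-memory callback and the NAC addresses 10.10.10.10 and 10.10.10.20 are the constructed sample values used earlier in the thread. The behaviour of the stub resolver and of the proxy is an assumption about how such components act, not a description of the NAC product's implementation.

```python
"""Offline model of captive-portal DNS failover (constructed example).

Models two things: a NAC-style DNS proxy that answers every A query with
its own address, and the client-side fallback order (DNS servers tried in
order, then returned A records tried in order). Sample addresses are
constructed; nothing here talks to a real network.
"""
import random
import struct

# Constructed sample values matching the thread, not real hosts.
NAC_A = "10.10.10.10"
NAC_B = "10.10.10.20"


class DnsTimeout(Exception):
    """Raised by the transport when a DNS server does not answer."""


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Standard recursive A/IN query for `name` (RFC 1035 layout)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def proxy_answer(query, own_ip, ttl=5):
    """Assumed DNS-proxy behaviour: answer any A query with own_ip."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    question = query[12:qend + 4]
    flags = 0x8180                      # response, RD+RA, NOERROR
    if qtype != 1 or qclass != 1:       # only A/IN gets a redirect answer
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in own_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def parse_a_records(resp):
    """Return the A-record addresses of a response, in answer order."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name, dns_servers, send):
    """Stub-resolver fallback: try the DHCP-supplied servers in order."""
    query = build_query(name)
    for server in dns_servers:
        try:
            return parse_a_records(send(server, query))
        except DnsTimeout:
            continue
    raise DnsTimeout(f"no DNS server answered for {name}")


def first_reachable(addrs, probe):
    """Client fallback across returned addresses: first one that answers."""
    for ip in addrs:
        if probe(ip):
            return ip
    return None


def make_network(down=()):
    """Fake transport: every live NAC runs a DNS proxy answering with itself."""
    def send(server, query):
        if server in down:
            raise DnsTimeout(server)
        return proxy_answer(query, server)
    return send


def portal_for(name, down=()):
    """Which portal an unauthenticated client lands on, given failed NACs."""
    send = make_network(down)
    try:
        addrs = resolve(name, [NAC_A, NAC_B], send)
    except DnsTimeout:
        return None
    return first_reachable(addrs, lambda ip: ip not in down)


if __name__ == "__main__":
    print("all up:     ", portal_for("ewcredirect.domain.com"))
    print("NAC A down: ", portal_for("ewcredirect.domain.com", down={NAC_A}))
```

The point worth checking in a real deployment is the second step: a stub resolver only moves to the secondary server after a timeout, so the delay before the portal appears when the first NAC is down is governed by the client's resolver timeout, not by anything on the NAC side. The same applies to Ryan's two-A-record variant, where the wait is the browser's connection timeout to the first address.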