
Internet Redundancy

Introduction

About this Document

The AXS Guard Internet Redundancy How To serves as a reference source for technical personnel or system administrators. It explains the configuration of the AXS Guard Internet Redundancy Module.

Examples used in this Guide

All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log in as a full administrator or a user with lower access privileges.

As software development and documentation are ongoing processes, the screenshots shown in this guide may slightly deviate from the current user interface.

Internet Redundancy Concepts

Overview

The major goals of Internet Redundancy are:

  • Load Balancing: Distributing data across two or more Internet interfaces to ensure that a single Internet interface does not get overloaded with network traffic.

  • Internet Failover: The capability to switch over automatically to a redundant or standby Internet interface, upon the failure of the previously active interface.

  • Directing Traffic: The capability to dedicate an Internet interface to a certain type of traffic.

What is Internet Redundancy?

The Internet Redundancy Module has been designed for AXS Guard appliances with two or more Internet interfaces. It allows administrators to assign and prioritize specific network traffic by designating the Internet interface which must be used for that traffic. This is done through the use of filters.

As the role of Internet-driven businesses is constantly growing, reliable connections and constant availability of services are an absolute necessity for corporations. A corporate network can be subject to outages or disruptions if a network link, such as an ISP link, fails (in the case of a DoS attack or a temporary outage).

Internet Redundancy allows you to counter this via load balancing and Internet failover, which are explained in the following sections.

Load Balancing

In computer networking, load balancing is a technique to distribute the workload evenly across two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, minimize response time, and to avoid overload.

From the Internet side, using multiple components with load balancing, instead of a single component, may increase reliability through redundancy. The load balancing service is usually provided by a dedicated program or hardware device, such as a multilayer switch or a DNS server. On the AXS Guard, load balancing for DNS is configured on the Public DNS module. For more information, see the AXS Guard Public DNS How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Example 1: Web server with load balancing

Suppose you have a web server which provides real-time information to your customers, such as tracking information about shipments. The server receives a lot of hits per second and has to deal with a lot of network traffic. To ease the burden and to avoid network traffic bottlenecks on a single Internet Interface, the load can be distributed evenly over the available Internet Interfaces, by assigning priorities for incoming traffic. Your server’s name should of course resolve to two or more public IP addresses. This technique is also known as round robin DNS (illustrated below).

Example of Internet Redundancy – Round Robin DNS

Example 2: Load balancing from the LAN

Assume that you have two Internet lines and you want all outgoing HTTP requests to be divided equally over both Internet lines. The AXS Guard Internet Redundancy Module allows you to assign equal priorities to all outgoing HTTP requests, so that the HTTP network load is automatically and evenly balanced over the two Internet Interfaces.

Internet Failover

Internet failover is the capability to switch over automatically to a redundant or standby Internet interface upon the failure of the primary Internet interface. This ensures the availability of Internet services to the users and servers in your network.

Example: Failover

Assume that you have an Active Directory server in your network, which is configured to automatically download and distribute system updates or anti-virus updates. The Active Directory server downloads these updates from the Internet. The AXS Guard Internet Redundancy Module allows you to configure a scheme, so that the continuity of these downloads is ensured, even if one of the Internet interfaces were to fail (see the illustration below).

Example of Internet Failover - AD Updates

Directing Traffic

The AXS Guard allows you to dedicate an Internet line to a certain type of network traffic.

Example: Internet radio

Assume that your company policy allows the use of Internet radio and you want all outgoing audiostreaming requests to be routed over your second Internet line. The AXS Guard Internet Redundancy Module allows you to assign filters so that these requests are routed over the desired Internet interface. The result is that the other Internet interfaces remain available for other (more crucial) traffic.

Example of Traffic Redirection

Internet Redundancy Configuration

Feature Activation

  1. Log in to the AXS Guard appliance.

  2. Navigate to System > Feature Activation.

  3. Expand the Internet Redundancy option.

  4. Check the Do you use Internet Redundancy? option.

  5. Update your configuration.

    Feature Activation

Creating new Filters

  1. Log in to the AXS Guard appliance.

  2. Navigate to Network > Internet Redundancy.

  3. Click on + Add Filter.

  4. Enter the settings as explained in the table below.

  5. Save your configuration.

    Creating a new Filter

| Parameter | Description |
|---|---|
| Name | Enter a name for the filter (required). |
| Description | Provide a filter description (optional). |
| Enabled | Check to activate the filter. |
| Protocol | Select the desired protocol from the list. Leave empty to match any protocol. |
| Source | Enter the source IP address(es), using the CIDR notation, e.g. 192.168.1.0/24. Leave this field empty or enter 0.0.0.0/0 to match any IP address. |
| Source Ports | Enter the source ports (only if known and TCP or UDP traffic is being filtered). Leave empty to match any port. |
| Destination | Enter the destination IP address(es), using the CIDR notation, e.g. 192.168.1.0/24. Leave this field empty or enter 0.0.0.0/0 to match any IP address. |
| Destination Ports | Enter the destination ports (only if you have selected to filter TCP or UDP traffic). Leave empty to match any port. |

Modifying Existing Filters

  1. Log in to the AXS Guard appliance.

  2. Navigate to Network > Internet Redundancy.

  3. Select the appropriate filter.

  4. Edit the settings as needed.

  5. Update your configuration.

Default Route for Unfiltered Traffic

This is the AXS Guard default Filter for any unspecified traffic. You can select through which Internet device that traffic is going to be routed first, then specify a second Interface, a third, etc. This default Filter cannot be modified. More information is provided in the next section.

Default Route for Unfiltered Traffic

Setting the Device Priorities

  1. Log in to the AXS Guard appliance.

  2. Navigate to Network > Internet Redundancy.

  3. Set the Internet device priority for each filter from the drop-down list.

  4. Save your configuration.

    Setting Internet Device Priorities

Important

If no priority is specified for an Internet device, it simply is not used (for that Filter). Filters can also be enabled or disabled via this screen. The table below shows some examples of possible priorities.

| Type | Internet Device 1 | Internet Device 2 | Internet Device 3 |
|---|---|---|---|
| Load Balancing | 1 | 1 | 1 |
| Failover | 1 | 2 | 3 |
| Redirection | - | 1 | - |
| Load Balancing and Failover | 1 | 1 | 2 |
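The priority rows above can be read as a small selection rule. The following Python sketch is an added example, not AXS Guard code; it assumes that a filter uses every reachable device sharing the lowest priority number, and the device names inet1 to inet3 are invented.

```python
# Added illustration of the priority table; not AXS Guard code.
# Assumption: a filter uses every reachable device that shares the lowest
# priority number. None stands for "-" (device not used by this filter).

TABLE = {  # rows of the table above; device names are invented
    "Load Balancing":              {"inet1": 1,    "inet2": 1, "inet3": 1},
    "Failover":                    {"inet1": 1,    "inet2": 2, "inet3": 3},
    "Redirection":                 {"inet1": None, "inet2": 1, "inet3": None},
    "Load Balancing and Failover": {"inet1": 1,    "inet2": 1, "inet3": 2},
}

def active_devices(priorities, up):
    """Devices a filter would send traffic over, given the set of devices
    that currently pass their connectivity checks."""
    usable = {d: p for d, p in priorities.items() if p is not None and d in up}
    if not usable:
        return []                      # nothing eligible: no route for this filter
    best = min(usable.values())
    return sorted(d for d, p in usable.items() if p == best)

def classify(priorities):
    """Name the scheme a priority row expresses, in the table's terms."""
    levels = [p for p in priorities.values() if p is not None]
    shared = len(levels) != len(set(levels))    # some devices share a level
    tiered = len(set(levels)) > 1               # more than one level in use
    if shared and tiered:
        return "Load Balancing and Failover"
    if shared:
        return "Load Balancing"
    if tiered:
        return "Failover"
    return "Redirection" if levels else "Unused"

if __name__ == "__main__":
    all_up = {"inet1", "inet2", "inet3"}
    for name, row in TABLE.items():
        print(f"{name:28} all up: {active_devices(row, all_up)}  "
              f"inet1+inet2 down: {active_devices(row, {'inet3'})}")
```

In this model the Redirection row leaves the filter without any eligible device when Internet Device 2 is down, which is the availability cost of dedicating a single line to a traffic type.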

Changing the Filter Order

In this section, we explain how to set or change the order of traffic filters. This is critical if you have created two or more filters for the same type of traffic, where one filter contains specific options and the other filters are more generic. Specific filters must always precede generic filters.

Example 1: The order of Filters

Assume that you have created a traffic filter which routes all HTTP traffic over Internet line 2 (Filter 1) and another traffic filter which routes HTTP traffic to a specific server on the Internet via Internet line 1 (Filter 2). If Filter 1 appears first in the list, Filter 2 will be discarded, since Filter 1 matches all HTTP traffic. Make sure that Filter 2 precedes Filter 1.

  1. Log in to the AXS Guard appliance.

  2. Navigate to Network > Internet Redundancy.

  3. Check the filter to be shifted.

  4. Click the up or down button to move the filter up or down by one position.

    Changing the Filter Order

Configuration Examples

Routing all outgoing DMZ Traffic through the Secondary Internet Device

In this example, we explain how to route all outgoing DMZ traffic through the secondary Internet device.

When using public IP addresses in your DMZ, make sure you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped by the ISP. Contact your ISP for more information.

  1. Log on to the AXS Guard Administrator Tool, as explained in the AXS Guard System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.

  2. Create a new filter.

  3. Enter the settings as displayed in the image below. (Use the IP range which applies to your DMZ).

  4. Click on Save when finished.

    Routing outgoing DMZ Traffic through Secondary Internet Device

  5. Set the device priorities.

  6. Set the priority of the first Internet device to -, as shown below.

  7. Set the priority of the second Internet device to 1, as shown below.

  8. Click on Save when finished.

    Assigning DMZ Filter Priorities

Routing all HTTP Traffic through the Primary Internet Device with a Failover

In this example, we explain how to route all outgoing HTTP traffic through the primary Internet device and to use the second Internet device as a fallback.

  1. Log on to the AXS Guard Administrator Tool, as explained in the AXS Guard System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.

  2. Create a new filter.

  3. Enter the settings as displayed in the image below.

  4. Click on Save when finished.

    Routing all HTTP Traffic via Primary Internet Device

  5. Set the device priorities.

  6. Set the priority of the first Internet device to 1, as shown below.

  7. Set the priority of the second Internet device to 2, as shown below.

  8. Click on Save when finished.

    Assigning HTTP Filter Priorities

Routing all Traffic for Audio through the Secondary Internet Device

In this example, we explain how to exclusively route all outgoing audio streaming traffic on TCP port 8000 via the secondary Internet device.

  1. Log on to the AXS Guard Administrator Tool, as explained in the AXS Guard System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.

  2. Create a new filter.

  3. Enter the settings as displayed in the image below.

  4. Click on Save when finished.

    Routing all Audio Streaming via the Secondary Internet Device

  5. Set the device priorities.

  6. Set the priority of the first Internet device to -, as shown below.

  7. Set the priority of the second Internet device to 1, as shown below.

  8. Click on Save when finished.

    Assigning Audio Streaming Filter Priorities

HTTP Load Balancing

In this example, we explain how to create an HTTP load balancing filter for all outgoing HTTP traffic. The aim is to optimize the AXS Guard load for all outgoing HTTP traffic. The AXS Guard will automatically decide which Internet interface is used, depending on the weight in its routing tables or its routing cache.

  1. Log on to the AXS Guard Administrator Tool, as explained in the AXS Guard System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.

  2. Create a new filter.

  3. Enter the settings as displayed in the image below.

  4. Click on Save when finished.

    HTTP Load Balancing

  5. Set the device priorities.

  6. Set the priority of the first Internet device to 1.

  7. Set the priority of the second Internet device also to 1.

  8. Click on Save when finished.

    Assigning Priorities for HTTP Load Balancing

Using Load Balancing and Failover

In this example, we explain how to create a filter which combines two features: HTTP load balancing and HTTP failover (see Load Balancing and Internet Failover). This requires three Internet lines. The aim is to optimize the AXS Guard load for all outgoing HTTP traffic and to provide a failover system in case the two Internet devices that provide load balancing fail. The AXS Guard will automatically decide which Internet interface is used for load balancing, depending on the weight in its routing tables or its routing cache.

  1. Log on to the AXS Guard Administrator Tool, as explained in the AXS Guard System Administration How To, which can be accessed by clicking on the permanently available on-screen Documentation button.

  2. Create a new filter.

  3. Enter the settings as displayed in the image below.

  4. Click on Save when finished.

    HTTP Load Balancing and Failover

  5. Set the device priorities.

  6. Set the priority of the third Internet device to 1.

  7. Set the priority of the first Internet device also to 1.

  8. Set the priority of the second Internet device to 2.

  9. Click on Save when finished.

    Combining HTTP Load Balancing and Failover

Info

Use the Internet device permutations which apply to your situation and/or preferences.

Troubleshooting

Load balancing over two Internet devices: One of my Internet devices receives an IP address through DHCP.

In case one of your Internet devices has a dynamic IP address - assigned by a DHCP server - and load balancing is configured for the default gateway or DHCP traffic, you must make sure that all traffic towards the DHCP server is routed over the correct Internet device. Otherwise, DHCP problems may occur. Create a new Filter and enter the IP address of the DHCP server as the destination address. Assign the Internet device priority accordingly.

One of my Internet devices goes down undetected.

The AXS Guard verifies whether your Internet devices are up and running by periodically executing connectivity checks. The connectivity checks use the ICMP protocol (the protocol used by the ping command).

If an ICMP Filter is added without a destination IP address and assigned to the 1st Internet device, the Filter will precede any other routing rules. As a result, subsequent entries are overruled and all ICMP traffic is routed via the 1st Internet device. As a consequence, the 2nd Internet device (and any additional Internet devices) may go down undetected and the routing table cannot be updated (in other words, the connectivity check fails). If the 1st Internet device goes down, the 2nd will also be marked as down, even if it is still up. Administrators must always specify a destination IP address in ICMP Filters.
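The ordering rule from Changing the Filter Order and the ICMP rule above can both be checked mechanically on a filter list before it is entered. The Python sketch below is an added example, not AXS Guard code; the Filter model, the filter names and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Filter:                       # hypothetical model of one filter row
    name: str
    protocol: str = ""              # empty matches any protocol
    source: str = ""                # CIDR; empty matches any address
    destination: str = ""           # CIDR; empty matches any address
    dst_ports: frozenset = frozenset()   # empty matches any port
    # Source ports are not modelled here.

def net(cidr):
    return ip_network(cidr) if cidr else ANY

def covers(general, specific):
    """True if every packet matching `specific` also matches `general`."""
    proto_ok = not general.protocol or general.protocol == specific.protocol
    ports_ok = not general.dst_ports or (
        bool(specific.dst_ports) and specific.dst_ports <= general.dst_ports)
    return (proto_ok and ports_ok
            and net(specific.source).subnet_of(net(general.source))
            and net(specific.destination).subnet_of(net(general.destination)))

def audit(filters):
    """Check an ordered filter list (the first entry is evaluated first)."""
    findings = []
    for i, f in enumerate(filters):
        if f.protocol == "icmp" and net(f.destination) == ANY:
            findings.append((f.name, "icmp-without-destination", None))
        shadow = next((e for e in filters[:i] if covers(e, f)), None)
        if shadow is not None:
            findings.append((f.name, "shadowed-by", shadow.name))
    return findings

# Constructed sample data (documentation address ranges, invented names).
HTTP_ALL = Filter("http-all", "tcp", dst_ports=frozenset({80}))
HTTP_SRV = Filter("http-to-server", "tcp", destination="203.0.113.10/32",
                  dst_ports=frozenset({80}))
ICMP_ANY = Filter("icmp-any", "icmp")
ICMP_CHK = Filter("icmp-check-target", "icmp", destination="198.51.100.1/32")

if __name__ == "__main__":
    print(audit([HTTP_ALL, HTTP_SRV]))    # generic first: specific filter is dead
    print(audit([HTTP_SRV, HTTP_ALL]))    # specific first: no findings
    print(audit([ICMP_ANY, ICMP_CHK]))    # both problems from the ICMP item
```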

I cannot resolve any hostname with an Internet device (DNS problem).

If you decide to route all your DNS requests over a specific Internet interface (ISP), you might run into DNS problems.

Some Internet Service Providers (ISP) do not allow the use of third-party DNS servers on their network. If you encounter DNS problems, use the DNS servers provided by your ISP to solve the problem.

I cannot send any traffic from my DMZ.

When using public IP addresses in your DMZ, make sure that you assign the correct Internet interface (ISP) when creating a traffic filter. Traffic originating from these public IP addresses routed towards the wrong Internet interface (ISP) will be dropped.

I cannot set equal priorities in a custom filter.

Equal priorities in custom filters are needed for load balancing. This option is only available as of AXS Guard Version 7.6.0, Revision 1.

Support

If you encounter a problem

If you encounter a problem with AXS Guard, follow the steps below:

  1. Check the troubleshooting section of the feature-specific manual.

  2. Check the knowledge base on this site for information about special configurations.

  3. If no solution is available in any of the above sources, contact your AXS Guard vendor.

Contact Information

(+32) 15-504-400
support@axsguard.com