Cisco Support Community
Community Member

Proxying on P2 Interface

Hi,

To achieve some level of network layer redundancy, we would like to have at least two nics that are used to proxy on our s650 (other than the management port). Therefore, it would be logical to just patch another nic into P2 (however I am aware that the Ironport system does not recognise this configuration, as P2 is currently only used as an outbound port for passthrough proxying, I believe.)

I've just noticed this post on the thread announcing GA of 5.6.0;

To enhance the security of the WSA, we explicitly prevent the WSA from proxying requests on the P2 interface. Customers who need this functionality may want to wait for the 5.6.2 release, which will support this configuration. 


So, I take it then that under 5.6.2 (when it is released) I'll be able to set up the dual nic situation as I mentioned above; with both P1 and P2 patched in, so that if one nic / cable / etc dies, it will continue to run merrily on the other port?

Here's hoping ... :)

Cheers,

Shane

7 REPLIES
Community Member

Re: Proxying on P2 Interface

Shane,

It sounds like what you're looking for is dual homing. This is not what the functionality of 5.6 calls for.

Let me clarify what it is that you're asking for, before I file an enhancement. :D

Which are you looking to do:

1. Both P1 and P2 are plugged into your . Only one IP address is assigned to BOTH interfaces. P1 will be used unless it goes down, in which case P2 will take over.

or

2. Both P1 and P2 are plugged in and assigned their own IPs on their own respective subnets. Each able to accept client HTTP requests to proxy.

Community Member

Re: Proxying on P2 Interface

Hi Josh,

Thanks for the response. Yes, we are after option 1. I should've just mentioned dual-homing, and saved the confusion.

For us, it seems a bit of a waste to have the P2 port sitting there unused. We have already had an instance where a contractor knocked the cable that plugs into P1, and it disconnected. Obviously, this resulted in an outage of our internet. Had the P2 port been provisioned with dual homing, this would not have occurred.

It seems to be a logical step to me ... we do it with all our other servers in our environment. Any service that is even remotely important is set up with teamed nics, quite often with each nic patched into a different switch (but on the same subnet, with the same ip). This also prevents outages of the service if one switch fails. With all of the other redundancy in the s650 (power supplies, raid etc), the single proxying nic is the obvious possible point of failure for us.

Cheers ....

Shane

Community Member

Re: Proxying on P2 Interface

Shane,

I have filed the following enhancement request for proper dual homing: 45270.

It is in our database and will be tracked. Please communicate with your sales representative and inform them of your desire for this feature.

Community Member

Re: Proxying on P2 Interface

Shane, 

It sounds like what you're looking for is dual homing. This is not what the functionality of 5.6 calls for.

Let me clarify what it is that you're asking for, before I file an enhancement. :D

Which are you looking to do:

1. Both P1 and P2 are plugged into your . Only one IP address is assigned to BOTH interfaces. P1 will be used unless it goes down, in which case P2 will take over.

or

2. Both P1 and P2 are plugged in and assigned their own IPs on their own respective subnets. Each able to accept client HTTP requests to proxy.



What about option 2 listed above?

Community Member

Re: Proxying on P2 Interface

Wage,

You should be able to proxy using M1 and P1 without any problems. P2 does not listen for clients by default (to prevent having an open proxy - P2 is intended to be the "outside / public" interface).

Community Member

Re: Proxying on P2 Interface

I would like to connect one interface to a certain vlan and another interface to another vlan; is this possible?

Community Member

Re: Proxying on P2 Interface

Wage,

There is no reason why it wouldn't work, assuming proper routing. Be aware that certain services, like authentication traffic to an AD server, will use the M1 interface.
