Hello All
I hope you can help me with this:
I need PC users from both 1335s to use the http proxy located in one of them in order to access the Internet.
How can I make the proxy and users use one ISP and if it fails, send data through the other ISP?
Thank you
Thank you for asking this question in the Support Community. When designing a network for redundancy and scalability there are a vast array of variables that should be taken into consideration in the design. I will not go into how much redundancy and scalability you desire, because the options are nearly infinite. Based on my understanding of your network, I have recommended a design that provides a moderate amount of both redundancy and scalability. Further, this option will alleviate any manual manipulation, and should failover automatically. I will not go into the technical configurations, but instead describe the general concepts.
Below are the concepts I would employ in the design:
With this design, you can force one connection to be the primary (by being the VRRP Master), but it also provides failover and redundancy because if either Internet connection or NV1335 fails, the other will be used automatically.
I hope this makes sense, but this is just a suggestion that I believe provides a reasonable amount of automatic failover. However, there are multiple ways to achieve this, and you have to determine how much configuration, failover, redundancy, and scalability you desire and choose the proper design based on those requirements. Please, do not hesitate to reply with any questions or additional information. I will be happy to assist you in any way I can.
Levi
Levi
Thanks so much for replying so quickly.
I must mention that there is one TA924 for voice connected to each 1335. These 924s have public IP addresses. These IP addresses are provided by their respective ISPs.
I must keep the 924s away from the VRRP instance and I should be fine since they are on the default VLAN 1. If I lose voice "it's ok" because we have POTS for backup. It's data that I'm concerned about.
Would this affect the setup you suggested?
Thanks
The addition of the TA924s for voice traffic could change the network design requirements. If you would like to attach a network diagram, it may be helpful for an accurate recommendation. Will you also include how you would prefer the data network to reach the Internet, and how you would like the voice network to access the Internet, as well as the desired failover scenario for both voice and data?
Levi
- Before I offer my suggestions, I had one additional question regarding your setup. Assuming all connections are up and working, is it your intent that traffic only go through the ISP connected to 1335-1, or, would you like to load balance the traffic across both ISPs connected to 1335-1 and 1335-2?
Thanks,
Noor
Gee Noor,
Load balancing is not a bad idea. Could you suggest for both scenarios, please?
Thanks
- The information below, goes over 2 different scenarios or options you have to set your network up.
Scenario 1 - VRRP with Load Balancing and Failover
In this scenario, VRRP is used to load balance across the two 1335s in your network. Each 1335 will have 2 VRRP groups configured. There will be 2 VRRP IP addresses on each 1335. This setup requires that half the clients use one VRRP IP as their default gateway, while the other half use the other VRRP IP as their default gateway. Both 1335s will have ping probes set up to test the WAN connections terminating on their device. While both WANs are up and both ping probes are in a pass state, traffic will be shared across both 1335s and WANs. If one of the WAN connections goes down, that 1335 will decrement its VRRP priority so that the 1335 with the working WAN connection becomes the master router, thus becoming the only way out to the internet.
An example configuration of this exact scenario is given in the Configuring VRRP in AOS guide. Example #3 shows exactly how to set up for this scenario. This example starts on page 15. One thing you will want to keep in mind is that each 1335 will need its only default route to be out the internet connection that is terminating on it.
Scenario 2 - VRRP with Failover
In this scenario, only one WAN connection will be used as the primary internet connection. The second internet connection will only be used as a backup in case the primary internet connection goes down. In this case, only one VRRP group will need to be configured on each 1335. The 1335 connecting to the primary internet circuit will need to be setup as the master VRRP router. A ping probe will be configured on the primary 1335 to test to see whether its internet connection is up or not. Should the primary internet connection go down, the ping probe will fail causing the VRRP priority on the primary 1335 to decrement so that the secondary 1335 becomes the master router and its internet connection will be used.
What you have currently configured is closer to Scenario 1 than Scenario 2. The only things that need to be modified to complete Scenario 1 are the following:
- The priority statement needs to be modified on 1335-2. The statement "vrrp 1 priority 125" needs to be removed as it is currently set to the same priority as 1335-1, which will cause issues.
- Decrement statements need to be added to 1335-1 and 1335-2.
1335-1 needs to have the statement "vrrp 1 track probetogateway decrement 50"
1335-2 needs to have the statement "vrrp 2 track probetogateway decrement 50"
To modify your configuration to be setup for Scenario 2, the following changes will need to be made:
- VRRP 2 will need to be removed from both 1335s.
- The network probe and track will need to be removed from 1335-2
- Only 1335-1 will need the decrement statement inserted.
I hope this answers your question, but please do not hesitate to let us know if you have any followup questions.
Thanks,
Noor
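To make the election logic behind both scenarios concrete, below is an added Python model written for this edit; it is not code from the thread, from ADTRAN, or from the AOS guide. The router names 1335-1/1335-2, the 192.168.5.x addressing, priority 125 versus the default 100, and decrement 50 are taken from the thread; the interface addresses 192.168.5.1/.2, the event replay, and the tie-break by higher primary IP address (RFC 3768 section 6.4.2) are assumptions of the model, as is preempt being enabled. It shows why a decrement is required for failover, why the duplicate "vrrp 1 priority 125" on 1335-2 is a problem (the tie is settled by IP address, and group 1 then stays on 1335-2 even when its ISP is down), and the check that the decrement must drop the master strictly below the backup.

```python
"""Model of VRRP master election with a tracked probe decrementing priority.

Added example, not configuration from the original thread. Addresses
192.168.5.1/.2 and the event sequences are constructed. Election rule per
RFC 3768 6.4.2: highest priority wins; ties go to the higher primary IP.
Preempt is assumed enabled, so the election result is the current master.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Router:
    name: str
    ip: str                  # primary address on VLAN 5 (constructed)
    priority: int = 100      # "vrrp N priority <p>"; VRRP default is 100
    decrement: int = 0       # "vrrp N track <probe> decrement <d>"; 0 = none
    isp_up: bool = True      # state of the ping probe to this router's ISP

    def effective_priority(self) -> int:
        # The decrement only applies while the tracked probe is failing.
        pri = self.priority if self.isp_up else self.priority - self.decrement
        return max(pri, 1)   # 0 is reserved for an owner releasing the VIP


def elect_master(routers):
    """Name of the router that becomes MASTER for one VRRP group."""
    return max(
        routers,
        key=lambda r: (r.effective_priority(), int(ipaddress.ip_address(r.ip))),
    ).name


def run_group(group, events):
    """Replay (router_name, isp_up) events against one VRRP group and
    record who is master after each event."""
    by_name = {r.name: r for r in group}
    history = [("all_up", elect_master(group))]
    for name, up in events:
        by_name[name].isp_up = up
        label = f"{name}_isp_{'up' if up else 'down'}"
        history.append((label, elect_master(group)))
    return history


def scenario2(primary_decrement):
    """One group: 1335-1 primary (125) tracks its ISP, 1335-2 backup (100)."""
    group = [
        Router("1335-1", "192.168.5.1", priority=125, decrement=primary_decrement),
        Router("1335-2", "192.168.5.2"),
    ]
    return dict(run_group(group, [("1335-1", False), ("1335-1", True)]))


def scenario1(r2_group1_priority=100):
    """Two groups, half the clients on each VIP. Group 1 should prefer
    1335-1 and group 2 should prefer 1335-2; each master tracks its own
    ISP. Passing 125 reproduces the duplicate priority from the thread."""
    g1 = [
        Router("1335-1", "192.168.5.1", priority=125, decrement=50),
        Router("1335-2", "192.168.5.2", priority=r2_group1_priority),
    ]
    g2 = [
        Router("1335-1", "192.168.5.1"),
        Router("1335-2", "192.168.5.2", priority=125, decrement=50),
    ]
    events = [("1335-1", False), ("1335-1", True), ("1335-2", False)]
    return {"group1": dict(run_group(g1, events)),
            "group2": dict(run_group(g2, events))}


def decrement_is_sufficient(master_priority, backup_priority, decrement):
    """A probe failure only moves the group if the decremented master
    priority falls strictly below the backup's priority."""
    return master_priority - decrement < backup_priority


if __name__ == "__main__":
    print("scenario 2, no decrement:", scenario2(0))
    print("scenario 2, decrement 50:", scenario2(50))
    print("scenario 1, correct:", scenario1())
    print("scenario 1, duplicate priority 125:", scenario1(125))
```

With no decrement, `scenario2(0)` keeps 1335-1 as master through its own ISP outage, which is the failure mode the thread is fixing; with decrement 50 it drops to 75, loses to the backup's 100, and takes the group back when the probe passes again. With both routers at 125 in group 1, `scenario1(125)` shows 1335-2 winning the tie on IP address and keeping group 1 even while its own ISP is down, because the decrement on 1335-2 is only configured on group 2.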
- I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue to work with you on this - just let me know in a reply.
Thanks,
Noor
Thanks for the help Noor. I'm currently making the changes you suggest for scenario 1. I will update and let you know how it went.
Regards,
Gerardo
Hello Noor
I tried scenario number 2 because I'm trying to automate configuration as much as possible by using DHCP and avoiding having to configure machines individually.
Even though the master 1335 becomes the backup when I disconnect its internet, the computers are not able to reach the internet through the new master. I did a traceroute from a machine and it showed that the machine still tries to go out through the previous master 1335.
FYI, computers get their ip configuration from the dhcp server which is 1335-1. The gateway for all computers is 192.168.5.3 (Virtual Router's IP addr) Computers are not configured manually. FYI, no 1335 owns the VR ip addr.
I'm attaching configs. Please let me know what I'm missing.
I appreciate the help
- After looking over your configs, I noticed that VLAN 5 did not have an access-policy assigned to it on 1335-2. This would explain why internet access would not work going out the backup connection. Once you apply that access-policy to VLAN 5, try to have the network failover again. If it fails, try to gather the following information:
- Verify that 1335-1 has become the BACKUP and that 1335-2 has become the MASTER. This can be verified by issuing the "show vrrp" command on both 1335s while it is in a failover state.
- Enable "debug ip icmp" on 1335-2 and attempt to ping 192.168.5.3 from a machine. You should see pings being sent and received to that IP address on the 1335-2.
- Have a running ping going out to the internet from a machine. Issue the "show ip policy-session" command on 1335-2 and see if you see the ping session being NATted correctly.
Let us know if you have any further questions.
Thanks,
Noor