12 Replies Latest reply on May 2, 2012 9:56 AM by gerkhs

    Two 1335s, one ISP each, one http proxy server. Help please...

    gerkhs New Member

      Hello All

       

      I hope you can help me with this:

       

      I need PC users from both 1335s to use the http proxy located in one of them in order to access the Internet.

       

      •      I have one 1335 attached to an ISP and another 1335 attached to a different ISP
      •      I configured Vlan 5 for the users
      •      Port 0/9 is the trunking port between the 1335s
      •      Ports 10 to 15 are access ports for Vlan 5 on both 1335s
      •      Users and proxy server are talking to each other
      •      Server and users are also accessing the Internet

       

      How can I make the proxy and users use one ISP and if it fails, send data through the other ISP?


      Thank you

        • Re: Two 1335s, one ISP each, one http proxy server. Help please...
          levi Employee

          gerkhs:

           

          Thank you for asking this question in the Support Community.  When designing a network for redundancy and scalability there is a vast array of variables that should be taken into consideration in the design.  I will not go into how much redundancy and scalability you desire, because the options are nearly infinite.  Based on my understanding of your network, I have recommended a design that provides a moderate amount of both redundancy and scalability.  Further, this option will alleviate any manual manipulation, and should failover automatically.  I will not go into the technical configurations, but instead describe the general concepts.

           

          Below are the concepts I would employ in the design:

           

          • Establish a VRRP instance on the two NetVanta 1335s for the "LAN" facing devices to use as the default gateway (Configuring VRRP in AOS) and set NV1335_1 to be the VRRP Master.
          • NV1335_1 will have a default route to the Internet; this default route will be tracked with a Network Monitor ping probe (Configuring Network Monitor in AOS), which will remove this default route if the Internet connection fails; add a floating static route to NV1335_2 that will be added to the route-table when the ping probe fails.
          • NV1335_2 can essentially be configured the opposite of NV1335_1. 

           

          With this design, you can force one connection to be the primary (by being the VRRP Master), but it also provides failover and redundancy because if either Internet connection or NV1335 fails, the other will be used automatically.

           

          I hope this makes sense, but this is just a suggestion that I believe provides a reasonable amount of automatic failover.  However, there are multiple ways to achieve this, and you have to determine how much configuration, failover, redundancy, and scalability you desire and choose the proper design based on those requirements.  Please, do not hesitate to reply with any questions or additional information.  I will be happy to assist you in any way I can.

           

          Levi

          1 of 1 people found this helpful
            • Re: Two 1335s, one ISP each, one http proxy server. Help please...
              gerkhs New Member

              Levi

               

              Thanks so much for replying so quickly.

              I must mention that there is one TA924 for voice connected to each 1335. These 924s have public IP addresses. These IP addresses are provided by their respective ISPs.

              I must keep the 924s away from the VRRP instance and I should be fine since they are on the default vlan 1. If I lose Voice "it’s ok" because we have POTS for backup. It’s data that I’m concerned about.

              Would this affect the setup you suggested?

              Thanks

                • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                  levi Employee

                  gerkhs:

                   

                  The addition of the TA924s for voice traffic could change the network design requirements.  If you would like to attach a network diagram, it may be helpful for an accurate recommendation.  Will you also include how you would prefer the data network to reach the Internet, and how you would like the voice network to access the Internet, as well as the desired failover scenario for both voice and data?

                   

                  Levi

                    • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                      gerkhs New Member

                      Levi


                      Attached are the 1335 configs with the changes after your suggestions and the diagram.

                       

                      Please let me know if I'm getting close

                      Thanks

                        • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                          Employee

                          gerkhs - Before I offer my suggestions, I had one additional question regarding your setup. Assuming all connections are up and working, is it your intent that traffic only go through the ISP connected to 1335-1, or, would you like to load balance the traffic across both ISPs connected to 1335-1 and 1335-2?

                           

                          Thanks,

                          Noor

                            • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                              gerkhs New Member

                              Gee Noor,

                               

                              Load balancing is not a bad idea. Could you suggest for both scenarios, please?

                               

                              Thanks

                                • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                                  Employee

                                  gerkhs - The information below goes over 2 different scenarios or options you have to set your network up.

                                   

                                  Scenario 1 - VRRP with Load Balancing and Failover

                                   

                                  In this scenario, VRRP is used to load balance across the 2-1335s in your network. Each 1335 will have 2 VRRP groups configured. There will be 2 VRRP IP addresses on each 1335. This setup requires that half the clients use one VRRP IP as their default gateway, while the other half use the other VRRP IP as their default gateway. Both 1335s will have ping probes set up to test the WAN connections terminating on their device. While both WANs are up and both ping probes are in a pass state, then traffic will be shared across both 1335s and WANs. If one of the WAN connections goes down, that 1335 will decrement its VRRP priority so that the 1335 with the working WAN connection becomes the master router thus becoming the only way out to the internet.

                                   

                                  An example configuration of this exact scenario is given in the Configuring VRRP in AOS guide. Example #3 shows exactly how to set up for this scenario. This example starts on page 15. One thing you will want to keep in mind is that each 1335 will need its only default route to be out the internet connection that is terminating on it.

                                   

                                  Scenario 2 - VRRP with Failover

                                   

                                  In this scenario, only one WAN connection will be used as the primary internet connection. The second internet connection will only be used as a backup in case the primary internet connection goes down. In this case, only one VRRP group will need to be configured on each 1335. The 1335 connecting to the primary internet circuit will need to be set up as the master VRRP router. A ping probe will be configured on the primary 1335 to test to see whether its internet connection is up or not. Should the primary internet connection go down, the ping probe will fail causing the VRRP priority on the primary 1335 to decrement so that the secondary 1335 becomes the master router and its internet connection will be used.

                                   

                                  What you have currently configured is closer to Scenario 1 than Scenario 2. The only things that need to be modified to complete Scenario 1 are the following:

                                   

                                  - The priority statement needs to be modified on 1335-2. The statement "vrrp 1 priority 125" needs to be removed as it is currently set to the same priority as 1335-1 which will cause issues.

                                  - Decrement statements need to be added to 1335-1 and 1335-2.

                                       1335-1 needs to have the statement "vrrp 1 track probetogateway decrement 50"

                                       1335-2 needs to have the statement "vrrp 2 track probetogateway decrement 50"

                                   

                                  To modify your configuration to be set up for Scenario 2, the following changes will need to be made:

                                   

                                  - VRRP 2 will need to be removed from both 1335s.

                                  - The network probe and track will need to be removed from 1335-2

                                  - Only 1335-1 will need the decrement statement inserted.

                                   

                                  I hope this answers your question, but please do not hesitate to let us know if you have any followup questions.

                                   

                                  Thanks,

                                  Noor

                                  1 of 1 people found this helpful
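
Added example, not part of the thread or of ADTRAN's documentation: a small Python model of the priority arithmetic behind both scenarios, showing which 1335 ends up master per VRRP group when a tracked probe fails. Assumptions: the interface addresses are constructed, 1335-2 is given priority 125 for group 2 as the mirror of 1335-1, unset priorities use the VRRP default of 100, and preemption is enabled.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 100  # VRRP priority when none is configured (RFC 5798)

@dataclass
class Vrrp:
    router: str
    group: int
    ip: str                       # real interface address (constructed), tie-breaker
    priority: int = DEFAULT_PRIORITY
    decrement: int = 0            # from "vrrp <group> track probetogateway decrement <n>"

    def effective(self, probe_pass):
        # A failed tracked probe lowers the advertised priority (floor of 1).
        return self.priority if probe_pass else max(1, self.priority - self.decrement)

def masters(config, probes):
    """Map each VRRP group to its master router for the given probe states."""
    result = {}
    for group in sorted({v.group for v in config}):
        members = [v for v in config if v.group == group]
        # Highest effective priority wins; a tie goes to the higher interface IP.
        best = max(members, key=lambda v: (v.effective(probes[v.router]),
                                           tuple(int(o) for o in v.ip.split("."))))
        result[group] = best.router
    return result

R1, R2 = "1335-1", "1335-2"
IP1, IP2 = "192.168.5.1", "192.168.5.2"   # constructed addresses

# Scenario 1: two groups, each router preferred for one, both tracking their probe.
# Group 2 priority on 1335-2 is an assumption (mirror of group 1 on 1335-1).
SCENARIO_1 = [Vrrp(R1, 1, IP1, 125, 50), Vrrp(R2, 1, IP2),
              Vrrp(R1, 2, IP1), Vrrp(R2, 2, IP2, 125, 50)]
# Scenario 2: one group, only 1335-1 tracks its probe.
SCENARIO_2 = [Vrrp(R1, 1, IP1, 125, 50), Vrrp(R2, 1, IP2)]
# Group 1 as described before the fix: equal priority 125, no decrement statements.
BEFORE_FIX = [Vrrp(R1, 1, IP1, 125), Vrrp(R2, 1, IP2, 125)]

ALL_UP = {R1: True, R2: True}
WAN1_DOWN = {R1: False, R2: True}

if __name__ == "__main__":
    for name, cfg in [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                      ("before fix", BEFORE_FIX)]:
        print(name, masters(cfg, ALL_UP), masters(cfg, WAN1_DOWN))
```

With equal priorities and no decrement, mastership for group 1 is decided by the address tie-break alone and does not move when the probe on 1335-1 fails.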
                                    • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                                      Employee

                                      gerkhs - I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue to work with you on this - just let me know in a reply.

                                       

                                      Thanks,

                                      Noor

                                      • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                                        gerkhs New Member

                                        Hello Noor

                                        I tried scenario number 2 because I'm trying to automate configuration as much as possible by using DHCP and avoiding having to configure machines individually.

                                        Even though the master 1335 becomes the backup when I disconnect its internet, the computers are not able to reach the internet through the new master. I did a traceroute from a machine and it showed that the machine still tries to go out through the previous master 1335.

                                        FYI, computers get their ip configuration from the dhcp server which is 1335-1. The gateway for all computers is 192.168.5.3 (Virtual Router's IP addr). Computers are not configured manually. FYI, no 1335 owns the VR ip addr.

                                        I'm attaching configs. Please let me know what I'm missing.

                                        I appreciate the help

                                          • Re: Two 1335s, one ISP each, one http proxy server. Help please...
                                            Employee

                                            gerkhs - After looking over your configs, I noticed that VLAN 5 did not have an access-policy assigned to it on 1335-2. This would explain why internet access would not work going out the backup connection. Once you apply that access-policy to VLAN 5, try to have the network failover again. If it fails, try to gather the following information:

                                             

                                            - Verify that 1335-1 has become the BACKUP and that 1335-2 has become the MASTER. This can be verified by issuing the "show vrrp" command on both 1335s while it is in a failover state.

                                            - Enable "debug ip icmp" on 1335-2 and attempt to ping 192.168.5.3 from a machine. You should see pings being sent and received to that IP address on the 1335-2.

                                            - Have a running ping going out to the internet from a machine. Issue the "show ip policy-session" command on 1335-2 and see if you see the ping session being NATted correctly.

                                             

                                            Let us know if you have any further questions.

                                             

                                            Thanks,

                                            Noor