Techrunner
Internet Failover Inbound and Outbound

Hello Experts,

Please have a look at the attached diagram.

I have 2 parts, A & B. Part A already exists and is running. We are planning to add Part B as shown in the diagram.

Part A consists of an ASA 5540 and a 2921 as Edge Router, and Microsoft TMG as Web Proxy for internal users.

All other traffic is routed to the ASA. The ASA handles NAT and ACLs.

The objective of adding Part B is to have inbound and outbound redundancy. However, I first want to focus on outbound redundancy; then I will move to the inbound part.

After adding Part B, TMG will have 3 NICs: 2 NICs will be connected to the ASAs and 1 to the internal network.

For web proxy failover I will configure the TMG ISP-R feature. But my concern is the other traffic.

Therefore, can someone please help me with the best possible ways I can use for outbound failover?

Thanks in advance. I appreciate the help.
design.jpg
Craig Beck

If you put the TMG between the ASAs like you have in the diagram your routing will change and you'll need to run dynamic protocols between your ASAs and core switch.  It'll be really messy.

The way you have it at the moment is the best you'll get with what you've got for outbound redundancy as you actively want to send all web traffic via ISP2 by default.

As was mentioned in your first question (previous thread for other experts) if you want to achieve proper inbound redundancy you'll need to implement a BGP solution.  If you use two different ISPs you'll need to purchase your own AS number and associated PI address space, then provide routing updates to each ISP.  This will probably need different routers and will definitely require a redesign of your external network.  Ultimately that will mean you will have to go with the solution I mentioned a long while back which means you have a dedicated router on each circuit.
Techrunner

ASKER

Hi,

Thanks. For inbound, I just came across this thread:

https://www.experts-exchange.com/questions/23443125/Redundant-inbound-and-outbound-internet-connections-via-Cisco-hardware.html


Map public IPs (ISP1 and ISP2) to the same DNS record.

But I was just wondering how the DNS request identifies that ISP1 is down and that it should go to the ISP2 IP.
That's the problem - it won't.

With inbound mail it's fine as you can use MX priorities to set the preferred mail server.  If the preferred mail server is unreachable the second preference is tried.  All you would do is set one MX record to go down ISP1 link and the other to go down ISP2 link.

You can't do that with DNS though.  You can simply create multiple host (A) records for the server, using the different IPs you mapped, and let the DNS server return the results in a round-robin fashion.

This will mean clients might see 'Page cannot be displayed' if you're hosting a web server, for example, as they might be given the IP which is down.
Hi,

I was planning to do it this way:

- Decrease the TTL of the DNS record to 1 hour.
- Whenever our ISP1 line goes down for more than 1 hour, I will change the DNS record mapping to the ISP2 public IP.

Thanks
That makes this manual failover then though.  You want to automate this by adding all this complexity.

What will your users do for an hour while DNS records are still waiting to expire?
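The three behaviours discussed above (MX preference fallback for mail, A-record round robin handing some clients the dead address, and a cached record outliving a manual DNS change) as a runnable simulation. This is an added example, not code from the thread or from either participant; the zone contents, the two public IPs (taken from the RFC 5737 documentation ranges) and the link-up states are constructed, and `link_up` stands in for a real TCP connect.

```python
"""Simulation of the DNS failover behaviours discussed in this thread.

Added example, not from the thread or its participants. The zone data, the two
public IPs (RFC 5737 documentation ranges) and the link states are constructed;
nothing is queried on the network.
"""
import random
from typing import Dict, List, Optional, Tuple

ISP1_IP = "198.51.100.10"   # constructed: stands in for the public IP behind ISP1
ISP2_IP = "203.0.113.10"    # constructed: stands in for the public IP behind ISP2

# MX records carry a preference; senders try the lowest value first (RFC 5321 5.1).
MX_RECORDS: List[Tuple[int, str]] = [(10, "mx1.example.com"), (20, "mx2.example.com")]

# A records have no preference: the server returns all of them, rotating the order.
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.com": [ISP1_IP],
    "mx2.example.com": [ISP2_IP],
    "www.example.com": [ISP1_IP, ISP2_IP],
}


def resolve_a(name: str, rotation: int = 0) -> List[str]:
    """Authoritative answer for NAME; ROTATION emulates round-robin reordering."""
    addrs = A_RECORDS[name]
    shift = rotation % len(addrs)
    return addrs[shift:] + addrs[:shift]


def deliver_mail(mx_records: List[Tuple[int, str]], link_up: Dict[str, bool],
                 seed: int = 0) -> str:
    """SMTP sender: walk MX hosts by ascending preference, shuffle hosts that share
    a preference, and return the first IP that accepts a connection."""
    rng = random.Random(seed)
    by_pref: Dict[int, List[str]] = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        for host in hosts:
            for ip in resolve_a(host):
                if link_up.get(ip, False):   # link_up stands in for a TCP connect
                    return ip
    raise ConnectionError("no MX host reachable on any link")


def fetch_web(name: str, link_up: Dict[str, bool], rotation: int) -> Optional[str]:
    """Typical browser behaviour: connect to the first address in the answer."""
    ip = resolve_a(name, rotation)[0]
    return ip if link_up.get(ip, False) else None


def web_failure_rate(name: str, link_up: Dict[str, bool], requests: int = 1000) -> float:
    """Fraction of REQUESTS that land on a dead link under round-robin answers."""
    failed = sum(fetch_web(name, link_up, i) is None for i in range(requests))
    return failed / requests


class CachingResolver:
    """Stub resolver (or ISP recursor) that honours the record TTL."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self.cache: Dict[str, Tuple[str, int]] = {}   # name -> (ip, expiry time)

    def lookup(self, name: str, now: int, zone: Dict[str, str]) -> str:
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0]                 # still fresh: a zone change is invisible
        ip = zone[name]
        self.cache[name] = (ip, now + self.ttl)
        return ip


def manual_failover_outage(ttl_seconds: int, detect_seconds: int, outage_seconds: int) -> int:
    """Seconds a client that resolved one second before the failure keeps using the
    dead IP. ISP1 fails at t=0; the A record is repointed manually at DETECT_SECONDS."""
    resolver = CachingResolver(ttl_seconds)
    zone = {"www.example.com": ISP1_IP}
    resolver.lookup("www.example.com", now=-1, zone=zone)   # cached just before the failure
    dead_seconds = 0
    for t in range(outage_seconds):
        if t == detect_seconds:
            zone["www.example.com"] = ISP2_IP              # the manual DNS change
        if resolver.lookup("www.example.com", now=t, zone=zone) == ISP1_IP:
            dead_seconds += 1
    return dead_seconds
```

With ISP1 down, `deliver_mail` falls through to the second MX on ISP2, while `web_failure_rate` shows half of the web requests failing because round robin hands out the dead address as often as the live one. `manual_failover_outage(3600, 900, 7200)` shows that even with the record repointed 15 minutes in, a client that cached at the wrong moment stays on the dead IP for the full hour of TTL; a resolver that refreshes one second before the change costs another full TTL on top, which is the exposure window a shorter TTL is trading against.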
Sir,

Is there any other recommendation to achieve this redundancy without using BGP? Because BGP is expensive :)
You might be able to use a load-balancer, although this would require you to change things again and you probably wouldn't get the result you want.
Sorry for repeating this stuff again, but what if I decrease the TTL to 15 minutes and then manually update the DNS records?

But I was wondering about 1 more point: how will the server reply back to a request that came in through ISP2?

My current default route on the L3 switch is pointing to the ASA.

Thanks
ASKER CERTIFIED SOLUTION
Craig Beck
Hi craigbeck,

I agree with you and I'll consider having BGP.

What are the requirements for BGP?
How will the setup be in terms of NAT and IP addressing?

Thanks
If you go with a pair of lines from the same ISP there's no requirement other than the two ISP feeds come into the same switch on the same VLAN.  You don't really have to do anything.

The ISP's routers will talk BGP between each other and will use HSRP to automatically tell your router which link to use.  All you do on your router is configure a default gateway as normal.
Actually I have different ISPs.
I realise this.

Get a second link from ISP1 and do the BGP solution.  Leave ISP2 connected to your TMG.

Job done!
:) Not possible, we have already for ISP2 $3200.

I want to stick with the current ISPs.

Thanks
So as I said, you can't do what you want to achieve.  You'll only get a halfway-house solution unfortunately.
Thank you sir
I will keep in consideration this point and plan it accordingly.
Thanks once again for great support