
Cisco Dual Wan Fail-Over using SLA Tracking Daakeungs Weblog

http://daakeung.wordpress.com/2009/07/03/cisco-dual-wan-fail-over-usi...


Cisco Dual Wan Fail-Over using SLA Tracking

Posted by daakeung on July 3, 2009 in Cisco, IT. Tags: cisco dual wan, cisco ios, fail over cisco, fail over using ip, route tracking, sla tracking

Maintaining a high-availability connection is critical in any modern network infrastructure. Some sites have access to the internet via multiple ISPs. In most cases the ISPs will not peer with the customer via any routing protocol, so customers are left to set up fail-over with static routes. There are two types of failure:

1. Physical: the router detects that one of its interfaces is no longer connected, invalidates any next-hop routes through it, and in turn moves to another valid route with a higher metric.
2. Logical: the router's interface is online, but somewhere along the path it has to take to reach the destination the connection is unavailable.

Basic static routes with a higher metric will not fail over on a logical failure. Using SLA tracking, we can accomplish this. Consider the following diagram and configuration:


[Diagram: Cisco Dual WAN]

Cisco IOS used: c181x-adventerprisek9-mz.124-24.T

    ! Identify the SLA.
    ip sla 10
     ! The IP address to ping, in this case a yahoo.com address.
     icmp-echo 69.147.114.224
     ! How long, in milliseconds, to wait for a reply.
     timeout 1000
     ! Repeat rate, in seconds.
     frequency 3
    ! Start SLA 10 now and run it forever.
    ip sla schedule 10 life forever start-time now
    ! Track object 10 follows the reachability state of SLA 10.
    track 10 ip sla 10 reachability
    ! Host route so the probe is always sent via the primary link (gateway 10.0.0.1),
    ! even after the default route has moved to the backup link.
    ip route 69.147.114.224 255.255.255.255 10.0.0.1
    ! Primary default route, installed only while track 10 is up.
    ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10
    ! Fail-over default route with a higher administrative distance (20).
    ip route 0.0.0.0 0.0.0.0 192.168.0.1 20

Depending on your configuration, you will need to set up NAT on both interfaces.
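The configuration above watches only the primary ISP, and a single lost reply is enough to move the default route. The following is an added example (not the post's own configuration) that extends the same pattern: one probe per ISP, each sourced from its own interface and pinned to that link with a host route, track objects with delay dampening so a single timeout does not flip routing, and the backup route tracked as well. It assumes FastEthernet0 faces ISP1 (gateway 10.0.0.1, from the post) and FastEthernet1 faces ISP2 (gateway 192.168.0.1, from the post); the probe targets 192.0.2.1 and 198.51.100.1 are placeholders from the documentation address ranges and must be replaced with addresses each ISP is expected to keep reachable.

```cisco
! Added example, not the post's own configuration.
! Assumptions: FastEthernet0 faces ISP1 (gateway 10.0.0.1), FastEthernet1
! faces ISP2 (gateway 192.168.0.1); the probe targets 192.0.2.1 and
! 198.51.100.1 are placeholders from the documentation address ranges.
!
! One probe per ISP, each sourced from the interface it is meant to test.
ip sla 10
 icmp-echo 192.0.2.1 source-interface FastEthernet0
 timeout 1000
 frequency 3
ip sla schedule 10 life forever start-time now
!
ip sla 20
 icmp-echo 198.51.100.1 source-interface FastEthernet1
 timeout 1000
 frequency 3
ip sla schedule 20 life forever start-time now
!
! Dampening: 10 s of failed probes before a link is declared down and 30 s
! of success before it is brought back, so one lost reply does not flip
! the default route.
track 10 ip sla 10 reachability
 delay down 10 up 30
track 20 ip sla 20 reachability
 delay down 10 up 30
!
! Pin each probe target to its own link. Without these host routes the ISP1
! probe would be rerouted via ISP2 after fail-over, succeed, re-install the
! broken primary route, fail again, and the default route would flap.
ip route 192.0.2.1 255.255.255.255 10.0.0.1
ip route 198.51.100.1 255.255.255.255 192.168.0.1
!
! Primary default route lives while track 10 is up; the backup route
! (administrative distance 20) is installed only while track 20 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20 track 20
```

With both default routes tracked, a failure of both probes leaves no default route at all; if a last-resort path is preferred over a black hole, drop `track 20` from the backup route. `show track`, `show ip sla statistics` and `show ip route 0.0.0.0` show the probe state, the track state and which default route is currently installed.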

Comments
1. aleks - July 13, 2009

I tried it and didn't get it working. I've got NAT. Here is my setup: Fe0 is TimeWarner (nat outside); Fe1 is Verizon (nat outside). Vlan1 is my LAN (nat inside). I'm pinging my ISPs' gateways. I see that the tracker goes offline, I see the default route change, but I'm unable to access the internet. I've put NAT statements as:

    ip nat inside source route-map TimeWarner interface FastEthernet0 overload
    ip nat inside source route-map Verizon interface FastEthernet1 overload
    route-map TimeWarner deny 10
     match ip address 115
    !
    route-map TimeWarner permit 20
     match ip address 116
    !
    route-map Verizon deny 10
     match ip address 115
    !
    route-map Verizon permit 20
     match ip address 116

access-list 115 denies VPN routes out; access-list 116 permits any LAN IP to go out. Any ideas? Thanks

daakeung - July 13, 2009

You can try this config:

    route-map TimeWarner deny 10
     match ip address 115
     match interface fas 0
    !
    route-map TimeWarner permit 20
     match ip address 116
     match interface fas 0
    !
    route-map Verizon deny 10
     match ip address 115
     match interface fas 1
    !
    route-map Verizon permit 20
     match ip address 116
     match interface fas 1

2. aleks - July 14, 2009

Thanks for your help. I've added the following and got everything working:

    route-map TimeWarner permit 20
     match interface fa0
     match ip address 116
    route-map Verizon permit 20
     match interface fa1
     match ip address 116


Hope this will help someone as well.

3. ChrisC - July 23, 2009

You might want to use some other internet IP address like 4.2.2.2 as the tracked address instead of Yahoo, because once you fail over and someone tries to go to the exact Yahoo IP address it'll try to route you through the downed route, although there's a slim chance that'll happen since Yahoo has so many IPs. As a side note, I have a similar setup as well with Cisco ASA 5510s and everything works fine with a site-to-site VPN too. The only problem is that I can never ping the secondary WAN interface (from the outside) with anti-spoofing (reverse-path) turned on on the outside interfaces. The packets get dropped because the firewall thinks it's coming from an internal address (I'm guessing because of the VPN). And it's the same thing when you fail over to the secondary WAN: you cannot ping the primary WAN for the same reason. Does anyone know a way around this without disabling anti-spoofing?

4. daakeung - July 25, 2009

Nice tip, I guess another good destination would be one of the root hint servers. As for your question with the Cisco ASA, I think the reason you cannot ping the backup interface is because of the default route in the ASA. Say the first ISP is 1.1.1.2 and the second ISP is 2.2.2.2, and the ASA has a default route for 0.0.0.0 to 1.1.1.1. In a NAT scenario, packets coming in on ISP2 would try to leave via ISP1 for the return path. Since this would change the source IP in this case, the remote IP would see it as a spoof attack. I haven't much experience with the ASA, but I think you might have to set up a route map for traffic arriving on the second ISP to leave via the same interface it came in on. Let me know how that works out. I would be happy to assist you more with this. When I get back into the office, I will test this scenario on a Cisco router.
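The thread above resolves the NAT half of the setup: translation must follow the link a packet actually leaves on, which is what `match interface` in the route-maps achieves. As an added example (not the post's or the commenters' own configuration), here is that NAT configuration in one piece together with a step the thread does not cover: translations created before the fail-over remain bound to the old outside address, so flows that were open at the moment of failure keep leaving with the wrong source IP until they time out. An EEM applet that flushes the translation table whenever the track object changes state closes that gap. The example assumes the post's `ip sla 10` / `track 10` configuration is already present, that FastEthernet0 faces ISP1, FastEthernet1 faces ISP2 and Vlan1 is the LAN (interface roles taken from the comment thread), and uses 192.168.10.0/24 as a placeholder LAN prefix.

```cisco
! Added example, not the post's or the commenters' own configuration.
! Assumes the post's "ip sla 10" / "track 10" configuration is present,
! FastEthernet0 faces ISP1, FastEthernet1 faces ISP2, Vlan1 is the LAN
! (roles from the comment thread). LAN prefix 192.168.10.0/24 is a placeholder.
interface FastEthernet0
 ip nat outside
interface FastEthernet1
 ip nat outside
interface Vlan1
 ip nat inside
!
access-list 116 permit ip 192.168.10.0 0.0.0.255 any
!
! Each route-map matches the LAN source AND the interface the packet is
! leaving on, so a flow is translated to the address of the link it really
! uses. Without "match interface" either NAT rule can claim the flow.
route-map ISP1-NAT permit 10
 match ip address 116
 match interface FastEthernet0
route-map ISP2-NAT permit 10
 match ip address 116
 match interface FastEthernet1
!
ip nat inside source route-map ISP1-NAT interface FastEthernet0 overload
ip nat inside source route-map ISP2-NAT interface FastEthernet1 overload
!
! Translations created before the fail-over stay bound to the old outside
! address. Flush the table whenever track 10 changes state so existing
! flows are re-translated on the link that is now active.
event manager applet NAT-FLUSH-ON-FAILOVER
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 10 changed state, NAT translations cleared"
```

A `deny` clause for traffic that must not be translated (aleks's access-list 115 for VPN destinations) goes ahead of the `permit` in each route-map, exactly as in his posted configuration. After a forced fail-over, `show ip nat translations` should show only entries created against the newly active outside address, and the syslog message from the applet confirms the flush ran.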

