Cisco Dual Wan Fail-Over using SLA Tracking « Daakeung’s Weblog


Cisco Dual Wan Fail-Over using SLA Tracking July 3,2009

Posted by daakeung in Cisco, IT. Tags: cisco dual wan, cisco ios, fail over cisco, fail over using ip, route tracking, sla tracking

Maintaining a highly available connection is critical in any modern network infrastructure. Some sites have access to the Internet via multiple ISPs. In most cases the ISPs will not peer with the customer via any routing protocol, so customers are left to set up fail-over with static routes. There are two types of failures:

1. Physical: the router detects that one of its interfaces is not connected and invalidates any next-hop routes through it, in turn moving to another valid route with a higher administrative distance.

2. Logical: the router's interface is online, but somewhere along the path it has to take to reach the destination is unavailable.

A floating static route alone (the same destination with a higher administrative distance) will not fail over on a logical failure: the primary route stays in the routing table as long as its interface and next hop are up, so traffic keeps being sent into the broken path. Using IP SLA tracking, the router can withdraw the primary route as soon as a probe sent along that path stops getting answers. Consider the following diagram and configuration:


Cisco Dual Wan Fail-Over using SLA Tracking « Daakeung’s Weblog http://daakeung.wordpress.com/2009/07/03/cisco-dual-wan-fail-over-usi...

1 of 6 30/01/2013 12:22

Diagram: Cisco Dual WAN

Cisco IOS used: c181x-adventerprisek9-mz.124-24.T

! Identify the SLA.
ip sla 10
 ! Set up the IP address to ping, in this case a yahoo.com IP.
 icmp-echo 69.147.114.224
 ! How long, in milliseconds, to wait for a reply.
 timeout 1000
 ! How often, in seconds, to send the probe.
 frequency 3
! Start SLA 10 now and run it forever.
ip sla schedule 10 life forever start-time now
! Track object 10 follows the reachability state of SLA 10.
track 10 ip sla 10 reachability
! Host route that pins the probe target to the primary next hop, so the probe
! keeps testing the primary path even after the default route has failed over.
ip route 69.147.114.224 255.255.255.255 10.0.0.1
! Primary default route, installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10
! Fail-over default route with a higher administrative distance (20), used only
! while the primary default route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20

Depending on your configuration, you will need to set up NAT on both interfaces.

Comments

1. aleks - July 13, 2009
I tried it and didn't get it working. I've got nat. Here is my setup: Fe0 is TimeWarner (nat outside); Fe1 is Verizon (nat outside). Vlan1 is my lan (nat inside).

I'm pinging my ISP's gateways. I see that the tracker goes offline, I see the default route change, but I'm unable to access the internet.

I've put the nat statements as:
ip nat inside source route-map TimeWarner interface FastEthernet0 overload
ip nat inside source route-map Verizon interface FastEthernet1 overload


route-map TimeWarner deny 10
 match ip address 115
!
route-map TimeWarner permit 20
 match ip address 116
!
route-map Verizon deny 10
 match ip address 115
!
route-map Verizon permit 20
 match ip address 116

access-list 115 – denies vpn routes out
access-list 116 – permits any lan ip to go out.

any ideas?

thanks

daakeung - July 13, 2009
You can try this config:

route-map TimeWarner deny 10
 match ip address 115
 match interface fas 0
!
route-map TimeWarner permit 20
 match ip address 116
 match interface fas 0
!
route-map Verizon deny 10
 match ip address 115
 match interface fas 1
!
route-map Verizon permit 20
 match ip address 116
 match interface fas 1

2. aleks - July 14, 2009
Thanks for your help – I've added the following and got everything working:

route-map TimeWarner permit 20
 match interface fa0
 match ip address 116

route-map Verizon permit 20
 match interface fa1
 match ip address 116


Hope this will help someone as well.
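Putting the post's SLA and track configuration together with the per-interface NAT route-maps worked out in the comments above, here is a complete dual-WAN fail-over configuration. This is an added example, not the post's or the commenters' own configuration: the interface names, the router's addresses (10.0.0.2 and 192.168.0.2 toward the ISPs, 172.16.1.0/24 as the LAN), access-list 100, the route-map names, the `delay` dampening on the track object, the `source-interface` on the probe and the EEM applet that flushes NAT translations on a state change are all assumptions made for illustration; the probe target and the two next hops are the ones from the post.

```cisco
! Added example (not from the original post): complete dual-WAN fail-over with
! IP SLA tracking and per-interface NAT. Addresses, interface names, ACL and
! route-map names, and the EEM applet are assumptions for illustration.
!
interface FastEthernet0
 description ISP1 (primary)
 ip address 10.0.0.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 description ISP2 (backup)
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! Probe: ICMP echo to a stable public address, sent from the primary interface
! so it can never be answered over the backup link by accident.
ip sla 10
 icmp-echo 69.147.114.224 source-interface FastEthernet0
 timeout 1000
 frequency 3
ip sla schedule 10 life forever start-time now
!
! Track object with dampening: declare the path down after 10 s of failed
! probes, and only fail back after the probe has succeeded for 30 s, so a
! flapping upstream does not bounce the default route every 3 s.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Pin the probe target to ISP1 so the probe keeps testing the primary path
! after the default route has moved to ISP2.
ip route 69.147.114.224 255.255.255.255 10.0.0.1
! Primary default route (AD 1), installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10
! Floating default route (AD 20), used only while the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20
!
! NAT: translate LAN sources only to the address of the interface the packet
! actually leaves on. Matching the exit interface in each route-map is what
! makes the translation follow the fail-over.
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address 100
 match interface FastEthernet0
!
route-map NAT-ISP2 permit 10
 match ip address 100
 match interface FastEthernet1
!
ip nat inside source route-map NAT-ISP1 interface FastEthernet0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet1 overload
!
! Existing translations stay bound to the old outside address after a
! fail-over, so those flows keep failing until they age out. Flush them
! whenever the track changes state (requires EEM support in the image).
event manager applet TRACK10-STATE-CHANGE
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 10 changed state, NAT translations cleared"
!
! Verification:
!   show track 10               - state of the track object and its history
!   show ip sla statistics 10   - probe results
!   show ip route 0.0.0.0       - which default route is currently installed
!   show ip nat translations    - outside address in use for current flows
```

Two things to keep in mind when adapting this. First, the host route makes the probe target itself unreachable from the LAN while ISP1 is down, so pick a target nobody needs to reach and that you trust to answer reliably (one of the root name servers or a well-known anycast resolver is a common choice), rather than a busy web property whose address may change. Second, `clear ip nat translation *` drops every active translation, including ones that would have survived the fail-over, so expect all existing sessions to reset at each state change; that is usually preferable to leaving half the LAN with dead sessions until the entries expire.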

3. ChrisC - July 23, 2009
You might want to use some other internet IP address like 4.2.2.2 as the tracked address instead of yahoo, because once you fail over and someone tries to go to the exact yahoo IP address it'll try to route you through the downed route, although there's a slim chance that'll happen since yahoo has so many IPs.

As a side note, I have a similar setup as well with Cisco ASA 5510s and everything works fine with a site-to-site VPN too. The only problem is that I can never ping the secondary WAN interface (from the outside) with anti-spoofing (reverse-path) turned on on the outside interfaces. The packets get dropped because the firewall thinks it's coming from an "internal" address (I'm guessing because of the VPN). And it's the same thing when you fail over to the secondary WAN, you cannot ping the primary WAN for the same reason. Does anyone know a way around this without disabling anti-spoofing?

4. daakeung - July 25, 2009
Nice tip, I guess another good destination would be one of the root hint servers.

As for your question with the Cisco ASA, I think the reason you cannot ping the backup interface is because of the default route in the ASA.

Say first ISP is 1.1.1.2 and the second ISP is 2.2.2.2

And the ASA has a default route for 0.0.0.0 to 1.1.1.1

In a NAT scenario, packets coming in on ISP2 would try to leave via ISP1 for the return path. Since this would change the source IP in this case, the remote IP would see it as a spoof attack.

I haven't much experience with the ASA, but I think you might have to set up a route map for traffic arriving on the second ISP to leave via the same interface it came in on.

Let me know how that works out. I would be happy to assist you more with this. When I get back into the office, I will test this scenario on a Cisco router.

5. lemus9232.edublogs.org - October 30, 2012
Greetings, I am so delighted I found your blog page, I really found you by mistake, while I was browsing on Aol for something else. Regardless, I am here now and would just like to say thanks for a fantastic post and an all round enjoyable blog (I also love the theme/design). I don't have time to read it all at the minute but I have book-marked it and also added your RSS feeds, so when I have time I will be back to read a lot more. Please do keep up the superb work.

6. parking lotnisko - October 30, 2012
Thanks in support of sharing such a good thinking, the piece of writing is fastidious, that's why I have read it fully.

7. http://she0n179le.soup.io - January 4, 2013
I am genuinely grateful to the holder of this site who has shared this wonderful paragraph at this place.
