Cisco Dual WAN Fail-Over using SLA Tracking
July 3, 2009

Posted by daakeung in Cisco, IT.
Maintaining a highly available connection is critical in any modern network infrastructure. Some sites reach the internet via multiple ISPs.
In most cases the ISPs will not peer with the customer over any routing protocol, so customers are left to set up fail-over with static routes.
There are two types of failure:
  1. Physical: the router detects that one of its interfaces is down and invalidates any route whose next hop is through it, so it moves to another valid route with a higher metric.
  2. Logical: the router's interface is up, but somewhere along the path it has to take to reach the destination is unavailable.
A static route with a higher metric alone will not fail over on a logical failure, because the primary route stays valid for as long as the interface is up.
Using SLA tracking, we can accomplish this.
Consider the following diagram and configuration:
Figure: Cisco Dual WAN

Cisco IOS used: c181x-adventerprisek9-mz.124-24.T

! Identify the SLA.
ip sla 10
 ! Set up the IP address to ping, in this case a yahoo.com IP.
 icmp-echo 69.147.114.224
  ! How long in milliseconds to wait for a reply (must not exceed the probe frequency).
  timeout 1000
  ! How often in seconds to send a probe.
  frequency 3

! Start SLA 10 now and keep it running forever.
ip sla schedule 10 life forever start-time now

! Track object 10 follows the reachability state of SLA 10.
track 10 ip sla 10 reachability

! Host route for the probe target so the probe always leaves via the primary ISP.
! Without it the probe would succeed through the backup link after a fail-over
! and the track would flap between up and down.
ip route 69.147.114.224 255.255.255.255 10.0.0.1

! Primary default route; it is installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10

! Fail-over default route with a higher administrative distance (20), used only
! when the primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20
Depending on your configuration, you will also need to set up NAT on both WAN interfaces.
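The NAT half of the setup, as an added example that is not part of the original post: overload NAT on both WAN interfaces, with each route-map keyed on the egress interface so the translation follows whichever default route is currently active. Interface names, the LAN VLAN and all addresses other than the two next hops above are assumed for illustration.

```cisco
! Added example, not from the original post. Interface and LAN addresses are assumed.
interface FastEthernet0
 description ISP1 (primary), next hop 10.0.0.1
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
interface FastEthernet1
 description ISP2 (backup), next hop 192.168.0.1
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! LAN hosts allowed to be translated (assumed LAN prefix).
access-list 116 permit ip 172.16.1.0 0.0.0.255 any
!
! Each route-map only matches traffic that the route table is already sending
! out its own WAN interface, so a flow is never translated to the wrong address.
route-map ISP1 permit 10
 match ip address 116
 match interface FastEthernet0
!
route-map ISP2 permit 10
 match ip address 116
 match interface FastEthernet1
!
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source route-map ISP2 interface FastEthernet1 overload
!
! Checks after a fail-over test (e.g. pull the ISP1 uplink):
!   show track 10              -> Reachability is Down, state-change counter incremented
!   show ip sla statistics 10  -> recent probe results
!   show ip route 0.0.0.0      -> next hop should now be 192.168.0.1
!   show ip nat translations   -> flows created before the fail-over still point at
!                                 ISP1; "clear ip nat translation *" forces re-translation
```

The same route-maps work with the backup and primary swapped when the primary link returns, since the host route for the probe is pinned to 10.0.0.1 and the track comes back up on its own.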


Comments

1. aleks - July 13, 2009

I tried it and didn't get it working.
I've got NAT.
Here is my setup: Fe0 is TimeWarner (nat outside); Fe1 is Verizon (nat outside). Vlan1 is my LAN (nat inside).

I'm pinging my ISPs' gateways. I see that the tracker goes offline, I see the default route change, but I am unable to access the internet.

I've put the NAT statements as:
ip nat inside source route-map TimeWarner interface FastEthernet0 overload
ip nat inside source route-map Verizon interface FastEthernet1 overload

route-map TimeWarner deny 10
match ip address 115
!
route-map TimeWarner permit 20
match ip address 116
!
route-map Verizon deny 10
match ip address 115
!
route-map Verizon permit 20
match ip address 116

access-list 115 – denies VPN routes out
access-list 116 – permits any LAN IP to go out.

Any ideas?

thanks

daakeung - July 13, 2009

You can try this config:

route-map TimeWarner deny 10
match ip address 115
match interface fas 0
!
route-map TimeWarner permit 20
match ip address 116
match interface fas 0
!
route-map Verizon deny 10
match ip address 115
match interface fas 1
!
route-map Verizon permit 20
match ip address 116
match interface fas 1

2. aleks - July 14, 2009

Thanks for your help – I've added the following and got everything working:

route-map TimeWarner permit 20
match interface fa0
match ip address 116

route-map Verizon permit 20
match interface fa1
match ip address 116

Hope, this will help someone as well :-)

3. ChrisC - July 23, 2009

You might want to use some other internet IP address like 4.2.2.2 as the tracked address instead of yahoo, because once you fail over and someone tries to go to the exact yahoo IP address it'll try to route you through the downed route, although there is a slim chance that'll happen since yahoo has so many IPs.

As a side note, I have a similar setup as well with Cisco ASA 5510s and everything works fine with a site-to-site VPN too. The only problem is that I can never ping the secondary WAN interface (from the outside) with anti-spoofing (reverse-path) enabled on the outside interfaces. The packets get dropped because the firewall thinks it's coming from an "internal" address (I'm guessing because of the VPN). And it's the same thing when you fail over to the secondary WAN: you cannot ping the primary WAN for the same reason. Does anyone know a way around this without disabling anti-spoofing?

4. daakeung - July 25, 2009

Nice tip, I guess another good destination would be one of the root hint servers.

As for your question with the Cisco ASA, I think the reason you cannot ping the backup interface is because of the default route in the ASA.

Say first ISP is 1.1.1.2 and the second ISP is 2.2.2.2

And the ASA has a default route for 0.0.0.0 to 1.1.1.1

In a NAT scenario, packets coming in via ISP2 would try to leave via ISP1 for the return path. Since this would change the source IP in this case, the remote IP would see it as a spoof attack.

I don't have much experience with the ASA, but I think you might have to set up a route map for traffic arriving on the second ISP to leave via the same interface it came in on.

Let me know how that works out. I would be happy to assist you more with this. When I get back into the office, I will test this scenario on a Cisco router.
