Cisco Dual Wan Fail-Over using SLA Tracking July 3, 2009

Posted by daakeung in Cisco, IT.
Maintaining a high-availability connection is critical in any modern network infrastructure. Some sites have access to the internet via multiple ISPs.
In most cases the ISPs will not peer with the customer via any routing protocol, so customers are left to set up fail-over with static routes.
There are two types of failures:
  1. Physical: the router detects that one of its interfaces is not connected, invalidates any route whose next hop is through it, and moves to another valid route with a higher metric.
  2. Logical: the router's interface is online, but somewhere along the path it has to take to reach the destination a link is unavailable.
A basic backup static route with a higher metric will not fail over on a logical failure, because the primary route stays valid as long as the local interface is up.
Using SLA tracking, we can accomplish this.
Consider the following diagram and configuration:
Diagram: Cisco Dual WAN

Cisco IOS used: c181x-adventerprisek9-mz.124-24.T

! Identify the SLA operation.
ip sla 10

! Set up the IP address to ping, in this case a yahoo.com IP.
icmp-echo 69.147.114.224

! How long in milliseconds to wait for a reply (must not exceed the frequency).
timeout 1000

! Repeat rate, in seconds.
frequency 3

! Start SLA 10 from now and run it forever.
ip sla schedule 10 life forever start-time now

! Set up track 10 to follow SLA 10 for reachability.
track 10 ip sla 10 reachability

! Host route so the probe always leaves via the primary gateway; this is what makes
! track 10 reflect the health of the primary path. Note that it also pins this one
! address to the primary link even after fail-over.
ip route 69.147.114.224 255.255.255.255 10.0.0.1

! Primary default route, installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 10

! Fail-over default route with a higher administrative distance (20), so it is
! used only when the tracked primary route has been withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20
Depending on your configuration, you will need to set up NAT on both interfaces.
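To make the interaction of the track object, the conditional default route and the pinned /32 host route concrete, here is an added Python model of how the router picks a next hop. It is not IOS code and not from the original post; the route list and the probe results are constructed from the configuration above, and the track logic is a simplification (up while the latest probe was answered, down otherwise).

```python
import ipaddress

# Constructed model of the post's static routes (not IOS code):
# (prefix, next hop, administrative distance, track object the route depends on).
ROUTES = [
    ("69.147.114.224/32", "10.0.0.1", 1, None),   # pinned probe route, untracked
    ("0.0.0.0/0", "10.0.0.1", 1, "track10"),      # primary default, tied to track 10
    ("0.0.0.0/0", "192.168.0.1", 20, None),       # floating backup default, AD 20
]

def track_state(probe_results):
    """Simplified reachability tracking: up while the latest ICMP echo to the
    SLA target was answered within the timeout, down as soon as one is not."""
    return "up" if probe_results and probe_results[-1] else "down"

def lookup(dst, tracks):
    """Pick a next hop the way the router does: longest prefix wins, then the
    lowest administrative distance; routes whose track is down are skipped."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, next_hop, ad, track in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (track is None or tracks.get(track) == "up"):
            candidates.append((net.prefixlen, -ad, next_hop))
    if not candidates:
        return None           # no usable route: the packet would be dropped
    candidates.sort(reverse=True)
    return candidates[0][2]

def next_hop_after_probes(dst, probe_results):
    """Combine both steps: derive track 10 from the probe history, then route."""
    return lookup(dst, {"track10": track_state(probe_results)})

if __name__ == "__main__":
    healthy = [True, True, True]          # primary ISP answering the pings
    broken = [True, True, False]          # last probe timed out: logical failure
    for dst in ("8.8.8.8", "69.147.114.224"):
        print(dst, "healthy ->", next_hop_after_probes(dst, healthy),
              "| broken ->", next_hop_after_probes(dst, broken))
```

The last case shows the side effect of the pinned host route: after fail-over, ordinary traffic moves to 192.168.0.1, but packets for the tracked address itself still go to the downed primary gateway.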

Comments

1. aleks - July 13, 2009

I tried it and didn't get it working.
I've got NAT.
Here is my setup: Fe0 is TimeWarner (nat outside); Fe1 is Verizon (nat outside). Vlan1 is my LAN (nat inside).

I'm pinging my ISPs' gateways. I see that the tracker goes offline, I see the default route change, but I am unable to access the internet.

I've put the NAT statements as:
ip nat inside source route-map TimeWarner interface FastEthernet0 overload
ip nat inside source route-map Verizon interface FastEthernet1 overload

route-map TimeWarner deny 10
match ip address 115
!
route-map TimeWarner permit 20
match ip address 116
!
route-map Verizon deny 10
match ip address 115
!
route-map Verizon permit 20
match ip address 116

access-list 115 – denies vpn routes out
access-list 116 – permits any lan ip to go out.

Any ideas?

Thanks

daakeung - July 13, 2009

You can try this config:

route-map TimeWarner deny 10
match ip address 115
match interface fas 0
!
route-map TimeWarner permit 20
match ip address 116
match interface fas 0
!
route-map Verizon deny 10
match ip address 115
match interface fas 1
!
route-map Verizon permit 20
match ip address 116
match interface fas 1

2. aleks - July 14, 2009

Thanks for your help – I've added the following and got everything working:

route-map TimeWarner permit 20
match interface fa0
match ip address 116

route-map Verizon permit 20
match interface fa1
match ip address 116

Hope this will help someone as well 🙂

3. ChrisC - July 23, 2009

You might want to use some other internet IP address like 4.2.2.2 as the tracked address instead of yahoo, because once you fail over and someone tries to go to that exact yahoo IP address it'll try to route you through the downed route, although there is a slim chance of that happening since yahoo has so many IPs.

As a side note, I have a similar setup as well with Cisco ASA 5510s and everything works fine with a site-to-site VPN too. The only problem is that I can never ping the secondary WAN interface (from the outside) with anti-spoofing (reverse-path) turned on on the outside interfaces. The packets get dropped because the firewall thinks they're coming from an "internal" address (I'm guessing because of the VPN). And it's the same thing when you fail over to the secondary WAN: you cannot ping the primary WAN for the same reason. Does anyone know a way around this without disabling anti-spoofing?

4. daakeung - July 25, 2009

Nice tip. I guess another good destination would be one of the root hint servers.

As for your question with the Cisco ASA, I think the reason you cannot ping the backup interface is because of the default route in the ASA.

Say first ISP is 1.1.1.2 and the second ISP is 2.2.2.2

And the ASA has a default route for 0.0.0.0 to 1.1.1.1

In a NAT scenario, packets coming in ISP2 would try to leave via ISP1 for the return path. Since this would change the source ip in this case, the remote IP would see it as a spoof attack.

I haven't much experience with the ASA, but I think you might have to set up a route map for traffic arriving on the second ISP to leave via the same interface it came in on.

Let me know how that works out. I would be happy to assist you more with this. When I get back into the office, I will test this scenario on a Cisco router.

8. Rob - January 31, 2013

Hi, in the post you say: "In a NAT scenario, packets coming in ISP2 would try to leave via ISP1 for the return path. Since this would change the source ip in this case, the remote IP would see it as a spoof attack.

I haven’t much experience with the ASA, but I think you might have to setup a route map for traffic arriving on the second ISP to leave via the same interface it came in on.”

Could you help me? I don't know how to make that route map. I have tried many things but none of them work.

12. Sula - March 6, 2014

Good tip, experts.
I have an implementation in the coming weeks. This is a plus to my knowledge.
