SVI - Floating Static

Unanswered Question
Mar 12th, 2009

Hi Everyone,

I have 2 6509s configured with an SVI directly connected to a pair of ASAs in an active/standby failover configuration.

The design requires the use of 2 static routes, one floating for failover. The primary route is destined for the pair of ASAs and the secondary route is destined for another router in the event both firewalls are lost.

The problem is, as everyone knows, that the SVI will not go down unless the entire VLAN goes down, and the primary static route in the routing table will not be removed.

Using 2 static routes (one floating) I need to achieve this. Any ideas?

I could use a static route and track it with an SLA, but the 6509s do not support it.

I will look forward to your responses.

Cheers,

Chris

Jon Marshall Thu, 03/12/2009 - 13:19

Chris

My first thought was just make sure only the ASAs are allocated into that VLAN, but then of course there is the L2 trunk between the 6500 switches which will keep the SVIs up.

The only thing that springs to mind is to use a dynamic routing protocol between the 6500s, the ASAs and the other router, and weight the metric from the other router so the active ASA is preferred when it is up.

The ASAs run OSPF, and with version 8.0 they also support EIGRP.

Jon

Giuseppe Larosa Thu, 03/12/2009 - 13:52

Hello Chris,

I agree with Jon: you need to use a dynamic routing protocol in this case to be able to take advantage of the third device/router when needed (both ASAs failed).

Other colleagues have reported usage of OSPF with ASA.

There are some peculiar aspects, like the fact that they don't really support parallel paths (they choose to use only one), but they build regular OSPF adjacencies.

Hope to help

Giuseppe

christopher.clayden Thu, 03/12/2009 - 15:20

Hi Guys,

Thank you for the responses. Yes, I am currently running OSPF but have a requirement to move away from it, as dynamic routing protocols are not stateful during failover with the ASAs.

Any other ideas? Thanks again guys.

Cheers,

Chris

Jon Marshall Thu, 03/12/2009 - 16:01

Chris

Not sure what you mean by not stateful. I was talking about running OSPF between the inside interfaces of the ASA and the 6500s.

One of the key things with OSPF is to make sure that the DR is the 6500. If it turns out to be the ASA then there is a delay as a new election is kicked off.

You are limited in what you can do. What you could do as an alternative, although it is really messy, is to route all traffic to the router. On the router, send the traffic back to the ASA device. You could then run IP SLA on the router to ensure the ASA is up and running. But this really is a kludge.

That's really the only thing I can think of.

Jon

christopher.clayden Thu, 03/12/2009 - 16:18

Thanks again for the reply Jon.

I am running an active/standby stateful failover configuration between the 2 ASAs. OSPF, EIGRP, RIP, etc. are not stateful during the failover between the 2 firewalls. This is nothing to do with OSPF; the ASAs simply cannot support failover statefully with dynamic routing protocols.

Thanks for the idea with the rerouting "kludge"; unfortunately the other router is also a 6509 that does not support IP SLA. :-)

Thanks Again.

Chris

Jon Marshall Thu, 03/12/2009 - 16:24

Chris

"unfortunately the other router is also a 6509 that does not support IP SLA. :-)"

You are just plain unlucky :-)

Don't suppose you have any spare kit lying around such as spare routers :-).

Seriously though, because of the L2 trunk I know of no other way of achieving what you want. The SVIs will always stay up.

Jon

christopher.clayden Wed, 03/18/2009 - 07:58

Gents,

I just wanted to thank you for your responses and share some info with you.

I have found a solution to my problem - “SVI Autostate Exclude”.

Thanks again.

Cheers,

Chris

Jon Marshall Wed, 03/18/2009 - 09:10

Chris

Many thanks for getting back to us with the solution. I couldn't find info on it for 6500 but from the 3560 command reference -

"When you enter the switchport autostate exclude command on a port, the command applies to all VLANs that are enabled on the port."

So I'm assuming you are applying this command to the trunk link between the 2 6500 switches?

If so, just be aware that any other VLANs that don't have ports active and are not on other trunk links would also be down. This probably isn't an issue for you, but I have seen setups where 2 VLANs have been used on the 6500 switches purely for IGP neighborships and all the other VLAN interfaces have been made passive. Clearly applying the command to the trunk link in this scenario would stop the neighborships.

Once again many thanks. I have not come across that command before and I can see how useful it could be in certain scenarios.

Jon
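To tie the thread together, here is an added illustration of the arrangement it converges on (the floating static pair plus autostate exclude on the inter-switch trunk). It is not configuration from Chris's network or from the posts; the VLAN number, interface names and addresses are assumed placeholders, and the routes are shown as default routes only for brevity.

```cisco
! Added illustration, not from the thread. Assumed: VLAN 100 is the
! firewall VLAN, Gi1/1 faces the active/standby ASA pair, Gi1/2 is the
! L2 trunk to the second 6509, 10.1.100.1 is the ASA inside address and
! 10.1.200.1 is the third router, reached over a different VLAN.
!
! Primary static route via the ASA pair (default administrative distance 1).
ip route 0.0.0.0 0.0.0.0 10.1.100.1
! Floating static route via the backup router. AD 250 keeps it out of the
! routing table for as long as the primary route is valid.
ip route 0.0.0.0 0.0.0.0 10.1.200.1 250
!
! Without the exclude, the inter-switch trunk alone keeps VLAN 100 (and
! therefore interface Vlan100) up after both ASAs are gone, so the primary
! static route is never withdrawn. Excluding the trunk from the autostate
! calculation makes the SVI depend only on the remaining ports in VLAN 100,
! i.e. the ASA-facing port: when that goes down, the SVI goes down, the
! AD 1 route is removed and the AD 250 route is installed.
interface GigabitEthernet1/2
 description L2 trunk to second 6509
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport autostate exclude
!
interface GigabitEthernet1/1
 description ASA inside interface (active/standby pair)
 switchport
 switchport access vlan 100
 switchport mode access
!
interface Vlan100
 ip address 10.1.100.2 255.255.255.0
!
! Caveat from Jon's reply: the exclude applies to every VLAN carried on
! the trunk, so any other VLAN with no other active port on this switch
! would also see its SVI go down. Check with "show ip route" and
! "show interface vlan 100" after shutting the ASA-facing port in a
! maintenance window.
```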
