Resilient routing Links - please help!!

Unanswered Question
Mar 30th, 2009

Hello there,

I hope one of you techies can help me with this problem.

I need to put in additional resilience into our network due to a problem we recently experienced.

We currently have routes out our network via two pix's (in a failover config) which connect to our providers two devices. The provider routes unfortunately come into our network via a single duct so a jcb on that single duct will cause an outage on both routes, as has happened in the past.

In addition we have another route via a 1Gb LES to a sister site and I want to configure my devices to send outbound traffic via this connection in the unfortunate but not altogether unlikely event our dual provider links were taken out.

Our sister site also has a similar configuration to ours -

The core/edge devices send all outbound traffic (via a default route) to the firewalls which have been configured with a static default route out to the providers devices.

Please advice as to how I would configure my devices.

1. Would I configure a second default route on my edge switches with a different metric?

2. Presumably the Pix would inform the Edge devices that the provider link had gone down, how? There is no routing protocol on the Pix's although there is OSPF on the edge devices. Would I need any additional configuration on my Pix's?

3. What configuration do I need to add to my LES switches? At the moment there is no connection from either LES switch to the provider devices as they are simply in place for intersite traffic.

4. On the sister site, what would I need to configure? Would I need an additional static route on their Pix's sending the failover traffic back.

I'm sorry I've asked so many questions, I am a bit confused and as always know I can rely on some good answers from this forum.

Please let me know if you require any further clarification.

Cheers,

Martha.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mfawehin Mon, 03/30/2009 - 07:57

This is really urgent guys so any pointers in the right direction will be much appreciated.

Giuseppe Larosa Mon, 03/30/2009 - 12:40

Hello Martha,

if I remember correctly we had already talked about the double fault of the pix pair.

About your questions:

i), ii) without a routing protocol running pix can say nothing to edge switches.

However, new features include the association of object tracking to static routes:

so you can have a primary default static route pointing to the pix pair and tracking ip reachability of some well chosen ip address (ISP ip address for example) that can be a meaningful test of path health.

the secondary default route can point to the sister site

see

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

You should verify if this can be used on edge switches.

ASA can support OSPF but pix I don't know if they can.

iii) and iV)

routing configuration for inter-site shouild be fine.

NAT configuration has to be modified to provide translation for ip addresses of sister site if any.

So you may need to modify some ACLs that define NAttable aaddresses on both sites

Hope to help

Giuseppe

mfawehin Mon, 03/30/2009 - 23:46

Thanks Giuseppe as always for the great advice. I will read up on the link sent and see how I can apply it to our set up. How about traffic inbound at Site 2 destined for site 1?

Can I just assume that since Site 2 Pix's sent out the traffic , it will of course return to Site 2 Pix's and then use the LES to send it back to Site 1? Is there any config I need to add to the Site 2 Pix?

Cheers,

Martha.

mfawehin Tue, 03/31/2009 - 00:37

Hi Giuseppe,

Thanks I have read the document and I have created the config below and the questions and points I require clarification with follow:

Configure primary and secondary interfaces

int fa0/20

desc pix interface (primary)

ip address 10.17.1.250

int fa0/25

desc LES interface (backup)

ip address 10.20.1.250

Configuring Cisco IOS IP SLAs

conf t

rtr 1

type echo protocol ipIcmpEcho

timeout 1000

frequency 3

threshold 2

exit

rtr schedule 1 life forever start-time now

track 123 rtr 1 reachability

configuring policy routing for static routing (primary interface)

conf t

access-list 101 permit icmp any host echo

route-map MY-LOCAL-POLICY permit 10

match ip address 101

set interface

exit

ip local policy route-map MY-LOCAL-POLICY

Configure default route for pri int using static routing

conf t

ip route 0.0.0.0 0.0.0.0 10.17.1.254 track 123

Configure floating static default route on sec interface

conf t

ip route 0.0.0.0 0.0.0.0 10.20.1.254 254

Verify state of tracked object for reliable static routing backup using object tracking

show ip route track-table

I have pretty much copied the example given in the link you sent me but a bit of confusion has arisen in terms of the fact that the example seems to be pointing to a single host 172.16.23.7

and I'm not sure what address I should be using here.

I apologise if the question sounds silly, I just want to make sure I am doing the right thing.

To recap, the desire is for all outbound traffic to go via the LES to Site 2 in the event of the provider link failure.

The IP addresses are

Edge switch 1

fa0/20 - 10.17.1.250 (primary interface)

fa0/25 - 10.20.1.250 (secondary interface)

Pix

10.17.1.254

LES switch

10.20.1.254

In the example given, they used type echo protocol ipIcmpEcho 172.16.23.7

the address is also the destination address defined in the access list. What should I have here and also when I configure my set interface command in my route map, should I use the primary interface here.

I suppose asking all these questions show I have very little understanding of what is going on here but I really just have to get this working ASAP.

Thanks so much for all your assistance, it is much appreciated.

Cheers,

Martha.

Giuseppe Larosa Tue, 03/31/2009 - 01:41

Hello Martha,

>> the desire is for all outbound traffic to go via the LES to Site 2 in the event of the provider link failure.

So a possible choice for the ip address to be tracked is the ip address of the ISP router on the link to SiteA.

Or also an ip address inside the ISP network this can be useful when a BGP session is running to distinguish when the link is up but the BGP session is down.

I'm not sure the route-map is needed in your case I will review the document.

Edit:

I've given a look at the example at the end of the document.

The route-map is used to locally redirect the icmp packets of the SLA probe so the set interface has to be towards the primary interface (the one used by the primary default route) in your case interface to the pix.

Edit2:

>> Can I just assume that since Site 2 Pix's sent out the traffic , it will of course return to Site 2 Pix's and then use the LES to send it back to Site 1? Is there any config I need to add to the Site 2 Pix?

if we are speaking of internet facing links pix of site2 needs to perform NAT to send traffic to the internet. The public ip address block used by pix of site2 should be enough to have return traffic to come back on site2. (if the public address blocks are different)

Hope to help

Giuseppe

mfawehin Tue, 03/31/2009 - 02:47

Giuseppe, you are just too good, thanks for all your help in breaking it down for me, I have amended my config as appropriate.

I will test this when I have my downtime window on Thursday and let you know how I get on.

Again, many thanks.

Martha.

Actions

This Discussion