tracking my ISP gateway with SLA ... to choose alternate one in case of ...

Answered Question
Apr 30th, 2009
I want to enable SLA tracking on my outside interface to change the default route to an alternate one on a second ISP.

I understand I have to choose a host on the outside to be constantly PINGed to check service reliability.

What to choose?

The first thing that comes to my mind is the nearest object, i.e. my primary ISP gateway as shown in show ip route; however this address changes when my DHCP lease changes, so how do I know what my default gateway is at any given time?

Or should I use some other address? What would make sense? Any advice?


Giuseppe Larosa Thu, 04/30/2009 - 21:23
Hello Nacho,

The DNS server provided in the DHCP answer can be a good choice; it should be a stable IP address belonging to your ISP.

Hope to help

Giuseppe


nlariguet Fri, 05/01/2009 - 16:35
I tried it, but the assigned DNS server is not answering my ping command; and, by the way, neither do any of the DNS servers used by my ISP. (I can ping everything else and it is working, e.g. ping google.com or ping a.b.c.d.) Could the lack of response be intentional on the part of the ISP?

Correct Answer
karthikvish2000 Fri, 05/01/2009 - 21:26
This would be my suggestion:


I am assuming you are using two separate physical interfaces to either ISPs.


First, look for a public IP on the internet that is fairly stable (like a public NTP server or similar) that you or anybody on your network seldom use and that is pingable. Let's call it x.x.x.x


Configure a static route to x.x.x.x with a nexthop of your outside interface to ISP1.


Configure IP SLA monitor to ping x.x.x.x. This way you are forcing the pings to go through ISP1.


Configure a static DEFAULT ROUTE with a nexthop of your external interface to ISP1 and TRACK it using IP SLA monitor.


Configure another static DEFAULT ROUTE with a next hop of your external interface to ISP2 with an admin distance of 254. Essentially you are creating a floating route. [ip route 0.0.0.0 0.0.0.0 interface_to_ISP2 254]


That's it, you are done. The SLA monitor tracks the reachability of ISP1 and, should it fail, the floating route is preferred and traffic is rerouted through ISP2.


The exact config depends on how you plan to implement this design; for example, you could use Dialer interfaces, logical interfaces, and so on. But this is the general idea. We use this design in our network.


HTH

karthik


nlariguet Mon, 05/04/2009 - 11:34
Thanks for the reply; your proposed solution is crystal-clear. However, I am having problems pinging outside that are not directly related to this issue.

e.g.: ping 195.71.11.67 repeat 5 timeout 4 (i.e. from within the router) ... 0% success

e.g.: sh log (last entry shown)

... list aclFWoutsideIncoming denied icmp 195.71.11.67 -> a.b.c.d (0/0), 1 packet

... where a.b.c.d is the current IP address assigned to the outside interface

So the next question is: are my access-lists allowing outgoing traffic originating within the router, or must I place some specific entry related to the current IP address assigned by the DHCP server to the outside interface?

... say «permit ip host any reflect aclFWoutsideTemp»

... before the current «permit ip any any reflect aclFWoutsideTemp» entry?


ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark denying anyone using invalid addresses inbound:
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 remark denying anyone using my private addresses (anti-spoofing) inbound:
 deny ip 10.195.45.0 0.0.0.255 any log
 remark denying anyone using ICMP echo/redirect messages inbound:
 deny icmp any any echo log
 deny icmp any any redirect log
 deny icmp any any mask-request log
 permit icmp any 10.195.45.0 0.0.0.255
 remark allowing the cable modem (acting as DHCP server) inbound:
 permit udp any eq bootps any eq bootpc
 remark allowing specific NTP servers inbound:
 permit udp host 192.5.41.209 eq ntp any eq ntp
 permit udp host 192.5.41.40 eq ntp any eq ntp
 permit udp host 192.5.41.41 eq ntp any eq ntp
 evaluate aclFWoutsideTemp
 deny ip any any log

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 remark allowing valid ICMP messages outbound (for proper network operation):
 permit icmp 10.195.45.0 0.0.0.255 any echo
 permit icmp 10.195.45.0 0.0.0.255 any parameter-problem
 permit icmp 10.195.45.0 0.0.0.255 any packet-too-big
 permit icmp 10.195.45.0 0.0.0.255 any source-quench
 deny icmp any any log
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log

interface FastEthernet0/0
 description InterNet uplink
 ip address dhcp client-id FastEthernet0/0 hostname whatever
 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect cbacOutside out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled


Correct Answer
Edison Ortiz Mon, 05/04/2009 - 12:27

You can't filter traffic sourcing from the router, but the router can filter traffic destined to itself.


I suggest allowing the echo-reply on the incoming ACL in order to ping from the router.

ip access-list extended aclFWoutsideIncoming
 permit icmp any any echo-reply


HTH,


__


Edison.
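The design karthik describes (probe host pinned to ISP1, tracked default route, floating static route) combined with Edison's ACL fix, written out as an added Cisco IOS example that is not from any post in this thread. Assumed placeholders: 198.51.100.1 stands in for x.x.x.x, FastEthernet0/0 is the DHCP-addressed ISP1 uplink from the posted config, FastEthernet0/1 is the ISP2 uplink with next hop 203.0.113.1, and the "dhcp" next-hop keyword and the "ip dhcp client" interface commands are assumed available on the IOS release in use.

```cisco
! Added example, not from the thread. Assumed placeholders:
!   198.51.100.1    the stable, rarely used public host "x.x.x.x" (TEST-NET-2)
!   FastEthernet0/0 DHCP-addressed uplink to ISP1 (as in the posted config)
!   FastEthernet0/1 uplink to ISP2 with static next hop 203.0.113.1
!
! 1. Pin the probe target to ISP1. The "dhcp" keyword (assumed supported) makes
!    the DHCP-learned gateway the next hop, so the host route survives lease
!    renewals even though the gateway address itself may change.
ip route 198.51.100.1 255.255.255.255 dhcp
!
! 2. Probe it every 10 s, sourced from the ISP1 interface; one second without a
!    reply counts as a loss. (Older 12.4 images use "ip sla monitor" syntax.)
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! 3. Track reachability; dampen flaps so one lost probe does not fail over.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! 4. The DHCP client installs the ISP1 default route itself. Tie that route to
!    track 1 and give it a distance below the floating route (the DHCP default
!    is 254). Both lines must precede "ip address dhcp" on the interface.
interface FastEthernet0/0
 ip dhcp client default-router distance 10
 ip dhcp client route track 1
!
! 5. Floating default route via ISP2 (AD 254) is used only while track 1 is down.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 203.0.113.1 254
!
! 6. Router-originated probes never pass the outbound ACL, so no reflexive entry
!    is created for them and the reply dies at the inbound "deny ip any any log".
!    Admit replies from the probe host only (narrower than "any any echo-reply"),
!    with a sequence number that lands in front of that final deny; confirm the
!    numbering with "show ip access-lists aclFWoutsideIncoming".
ip access-list extended aclFWoutsideIncoming
 5 permit icmp host 198.51.100.1 any echo-reply
!
! Verify: show ip sla statistics 1 / show track 1 / show ip route 0.0.0.0
```

Watch "show track 1" while unplugging the ISP1 uplink: the tracked route should disappear after the 30 s down delay and the 254 route should take its place in "show ip route".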
