I want to enable SLA tracking on my outside interface to change the default route to an alternate one on a second ISP.
I understand I have to choose a host on the outside to be constantly PINGed to check service reliability.
What to choose?
The first thing that comes to my mind is the nearest object, i.e. my primary ISP gateway as shown in show ip route; however, this address changes when my DHCP lease changes, so how do I know what my default gateway is at any given time?
Or should I use some other address? What would make sense? Any advice?
You can't filter traffic sourcing from the router, but the router can filter traffic destined to itself.
I suggest on the incoming ACL, to allow the echo-reply in order to ping from the router.
ip access-list extended aclFWoutsideIncoming
permit icmp any any echo-reply
This would be my suggestion:
I am assuming you are using two separate physical interfaces to either ISPs.
Firstly, look for a public IP on the internet that is fairly stable (like a public NTP server or likewise) that you or anybody on your network seldom use and is pingable. Let's call it x.x.x.x
Configure a static route to x.x.x.x with a nexthop of your outside interface to ISP1.
Configure IP SLA monitor to ping x.x.x.x. By this way you are forcing the pings to go through ISP1.
Configure a static DEFAULT ROUTE with a nexthop of your external interface to ISP1 and TRACK it using IP SLA monitor.
Configure another static DEFAULT ROUTE with a next hop of your external interface to ISP2 with an admin distance of 254. Essentially you are creating a floating route. [ip route 0.0.0.0 0.0.0.0 interface_to_ISP2 254]
That's it, you are done. The SLA monitor tracks the reachability of ISP1 and should it fail the floating route is preferred and traffic is rerouted through ISP2.
The exact config depends on how you plan to implement this design, e.g. you could use Dialer interfaces, logical interfaces and so on. But this is the general idea. We use this design in our network.
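Putting the steps from the two replies above together, here is an added, complete IOS configuration for the design (example config written for this page, not posted by either responder). It assumes GigabitEthernet0/0 is the DHCP-addressed outside interface to ISP1, GigabitEthernet0/1 is the outside interface to ISP2, 192.0.2.1 stands in for the stable public host "x.x.x.x", and aclFWoutsideIncoming is the inbound ACL on the ISP1 interface. The echo-reply permit is narrowed to the probe host rather than "any any", since that is all the SLA probe needs.

```cisco
! --- Assumptions (not from the original posts) ---
!   GigabitEthernet0/0 : outside to ISP1, address via DHCP
!   GigabitEthernet0/1 : outside to ISP2
!   192.0.2.1          : stable, pingable public host ("x.x.x.x")
!
! 1. Host route for the probe target via the ISP1 interface, so the
!    SLA ping is always forced out ISP1 regardless of the default route.
ip route 192.0.2.1 255.255.255.255 GigabitEthernet0/0
!
! 2. ICMP echo probe sourced from the ISP1 interface.
!    frequency is in seconds; timeout and threshold are in milliseconds.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! 3. Track object that follows the probe's reachability state.
!    The delays dampen flapping: 15 s of failures before declaring
!    down, 30 s of successes before declaring up again.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 4. Primary default route via ISP1; it is removed from the routing
!    table whenever track 1 is down. No gateway IP is needed, which is
!    why the DHCP-assigned gateway address does not matter here.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
!
! 5. Floating default route via ISP2 with AD 254; only installed while
!    the tracked primary route is absent.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 254
!
! 6. Inbound ACL on the ISP1 interface: admit the probe's echo-reply
!    from the probe host only, then whatever else the policy allows.
ip access-list extended aclFWoutsideIncoming
 permit icmp host 192.0.2.1 any echo-reply
!
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group aclFWoutsideIncoming in
```

Verify with show track 1 (state should read Up, with the tracked route shown under "Tracked by") and show ip sla statistics 1 (return code OK, rising success count). Two caveats worth keeping in mind: a static route pointing at an Ethernet interface rather than a next-hop address depends on the ISP router answering proxy ARP for destinations, so confirm that works on ISP1 before relying on it; and the probe measures reachability of 192.0.2.1 through ISP1, not the link itself, so an outage of the probe host alone will also trigger failover, which is why the replies recommend a host that is very rarely down.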