tracking my ISP gateway with SLA ... to choose alternate one in case of ...

nlariguet
Level 1

I want to enable SLA tracking on my outside interface to change the default route to an alternate one on a second ISP.

I understand I have to choose a host on the outside to be constantly PINGed to check service reliability.

What to choose ?

First thing that comes to my mind is the nearest object, i.e. my primary ISP gateway as shown in show ip route; however this address changes when my DHCP lease changes, so how do I know what my default gateway is at any given time?

Or should I use some other address ? What would make sense ? Any advice ?


6 Replies

Giuseppe Larosa
Hall of Fame

Hello Nacho,

the DNS server provided in the DHCP answer can be a good choice; it should be a stable IP address belonging to your ISP.

Hope to help

Giuseppe

I tried it but the assigned DNS server is not answering my ping command; and by the way, neither do any of the DNS servers used by my ISP. (I can ping everything else and it is working, e.g. ping google.com or ping a.b.c.d). Could the lack of response be intentional by the ISP?

This would be my suggestion:

I am assuming you are using two separate physical interfaces to either ISPs.

Firstly look for a public IP on the internet that is fairly stable (like a public NTP server or likewise) that you or anybody on your network seldom use and is pingable. Let's call it x.x.x.x

Configure a static route to x.x.x.x with a nexthop of your outside interface to ISP1.

Configure IP SLA monitor to ping x.x.x.x. By this way you are forcing the pings to go through ISP1.

Configure a static DEFAULT ROUTE with a nexthop of your external interface to ISP1 and TRACK it using IP SLA monitor.

Configure another static DEFAULT ROUTE with a next hop of your external interface to ISP2 with an admin distance of 254. Essentially you are creating a floating route. [ip route 0.0.0.0 0.0.0.0 interface_to_ISP2 254]

That's it, you are done. The SLA monitor tracks the reachability of ISP1 and should it fail the floating route is preferred and traffic is rerouted through ISP2.

The exact config depends on how you plan to implement this design; you could use Dialer interfaces, logical interfaces, and so on and so forth. But this is the general idea. We use this design in our network.

HTH

karthik

thanks for the reply; your proposed solution is crystal-clear, however I am having problems pinging outside that are not directly related to this issue

eg: ping 195.71.11.67 repeat 5 timeout 4 (ie: within the router) ... 0% success

eg: sh log (last entry shown)

... list aclFWoutsideIncoming denied icmp 195.71.11.67 -> a.b.c.d (0/0), 1 packet

... where a.b.c.d is the current IP address assigned to the outside interface

so next question is: are my access-lists allowing outgoing traffic originating within the router, or must I place some specific entry related to the current IP address assigned by the DHCP server to the outside interface?

... say «permit ip host any reflect aclFWoutsideTemp»

... before current «permit ip any any reflect aclFWoutsideTemp» entry ?

ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark denying anyone using invalid addresses inbound:
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 remark denying anyone using my private addresses (anti-spoofing) inbound:
 deny ip 10.195.45.0 0.0.0.255 any log
 remark denying anyone using ICMP echo/redirect messages inbound:
 deny icmp any any echo log
 deny icmp any any redirect log
 deny icmp any any mask-request log
 permit icmp any 10.195.45.0 0.0.0.255
 remark allowing the cable modem (acting as DHCP server) inbound:
 permit udp any eq bootps any eq bootpc
 remark allowing specific NTP servers inbound:
 permit udp host 192.5.41.209 eq ntp any eq ntp
 permit udp host 192.5.41.40 eq ntp any eq ntp
 permit udp host 192.5.41.41 eq ntp any eq ntp
 evaluate aclFWoutsideTemp
 deny ip any any log

ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 remark allowing valid ICMP messages outbound (for proper network operation):
 permit icmp 10.195.45.0 0.0.0.255 any echo
 permit icmp 10.195.45.0 0.0.0.255 any parameter-problem
 permit icmp 10.195.45.0 0.0.0.255 any packet-too-big
 permit icmp 10.195.45.0 0.0.0.255 any source-quench
 deny icmp any any log
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log

interface FastEthernet0/0
 description InterNet uplink
 ip address dhcp client-id FastEthernet0/0 hostname whatever
 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect cbacOutside out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

You can't filter traffic sourcing from the router, but the router can filter traffic destined to itself.

I suggest on the incoming ACL, to allow the echo-reply in order to ping from the router.

ip access-list extended aclFWoutsideIncoming
 permit icmp any any echo-reply

HTH,

__

Edison.
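A worked version of karthik's design above, combined with Edison's echo-reply fix and adapted to the DHCP-addressed outside interface from the original question. This is an added example, not configuration posted in the thread: <PROBE_HOST_IP> and <ISP2_NEXT_HOP_IP> are placeholders, and the `dhcp` next-hop keyword on the host route is assumed to be accepted by the image (otherwise substitute the ISP1 gateway address).

```cisco
! IP SLA probe: ICMP echo to the stable public host, sourced from the ISP1
! (DHCP client) interface so replies are addressed to whatever lease is current
ip sla 1
 icmp-echo <PROBE_HOST_IP> source-interface FastEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delays damp a flapping uplink
! (older 12.4 images use "rtr 1" and "track 1 rtr 1 reachability" instead)
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Host route pins the probe to ISP1, so it cannot succeed via ISP2 after the
! default has moved there (that would bring the track back up and flap).
! Assumption: "dhcp" as next hop resolves to the gateway learned on Fa0/0;
! if the image rejects it, use the ISP1 gateway address instead.
ip route <PROBE_HOST_IP> 255.255.255.255 dhcp
!
interface FastEthernet0/0
 ! both "ip dhcp client" lines must precede "ip address dhcp" to take effect
 ! DHCP-installed default route is AD 254 by default; make it the primary...
 ip dhcp client default-router distance 1
 ! ...and have it withdrawn whenever track 1 goes down
 ip dhcp client route track 1
 ip address dhcp client-id FastEthernet0/0 hostname whatever
!
! Floating default via ISP2 (AD 254) only wins while the DHCP default is gone
ip route 0.0.0.0 0.0.0.0 <ISP2_NEXT_HOP_IP> 254
!
! Router-originated probes are not reflected into aclFWoutsideTemp, so the
! replies need an explicit inbound permit. Sequence 5 places it ahead of the
! existing entries; appended without a sequence number it would land behind
! the final "deny ip any any log" and never match. Scoped to the probe host
! rather than "any any"; destination stays "any" because the lease changes.
ip access-list extended aclFWoutsideIncoming
 5 permit icmp host <PROBE_HOST_IP> any echo-reply
!
! Verification after applying:
!   show track 1
!   show ip sla statistics 1
!   show ip route 0.0.0.0
```

Watch `show track 1` while unplugging ISP1: the state should go Down after the 15 s delay and `show ip route 0.0.0.0` should then show the AD 254 route via <ISP2_NEXT_HOP_IP>.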
