04-30-2009 06:49 PM - edited 03-06-2019 05:29 AM
I want to enable SLA tracking on my outside interface to change the default route to an alternate one on a second ISP.
I understand I have to choose a host on the outside to be constantly PINGed to check service reliability.
What to choose?
The first thing that comes to my mind is the nearest object, i.e. my primary ISP gateway as shown in show ip route; however this address changes when my DHCP lease changes, so how do I know what my default gateway is at any given time?
Or should I use some other address? What would make sense? Any advice?
05-01-2009 09:26 PM
This would be my suggestion:
I am assuming you are using two separate physical interfaces to either ISPs.
Firstly, look for a public IP on the internet that is fairly stable (like a public NTP server or likewise) that you or anybody on your network seldom use and is pingable. Let's call it x.x.x.x
Configure a static route to x.x.x.x with a next hop of your outside interface to ISP1.
Configure IP SLA monitor to ping x.x.x.x. This way you are forcing the pings to go through ISP1.
Configure a static DEFAULT ROUTE with a next hop of your external interface to ISP1 and TRACK it using IP SLA monitor.
Configure another static DEFAULT ROUTE with a next hop of your external interface to ISP2 with an admin distance of 254. Essentially you are creating a floating route. [ip route 0.0.0.0 0.0.0.0 interface_to_ISP2 254]
That's it, you are done. The SLA monitor tracks the reachability of ISP1 and should it fail the floating route is preferred and traffic is rerouted through ISP2.
The exact config depends on how you plan to implement this design; for example, you could use Dialer interfaces, logical interfaces, and so on and so forth. But this is the general idea. We use this design in our network.
HTH
karthik
05-04-2009 12:27 PM
You can't filter traffic sourced from the router, but the router can filter traffic destined to itself.
I suggest allowing the echo-reply on the incoming ACL in order to ping from the router.
ip access-list extended aclFWoutsideIncoming
permit icmp any any echo-reply
HTH,
__
Edison.
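Added example, not posted by anyone in the thread: karthik's design and Edison's ACL fix written out in IOS syntax against the configuration Nacho posted. It assumes FastEthernet0/0 is the DHCP-addressed uplink to ISP1, a second interface FastEthernet0/1 leads to ISP2, and x.x.x.x stands for the stable probe host; older IOS releases spell the probe and track stanzas `ip sla monitor` / `type echo protocol ipIcmpEcho` and `track 1 rtr 1 reachability` instead.

```cisco
! Added example (not posted in the thread). Interfaces, x.x.x.x and the
! timers are assumptions; adjust them to your own network.
!
! 1. Host route pins the probe to ISP1 so it cannot fail over to ISP2
!    and keep reporting "up" during an ISP1 outage. An Ethernet interface
!    as next hop (used here because the DHCP gateway address changes)
!    relies on the ISP gateway answering proxy ARP.
ip route x.x.x.x 255.255.255.255 FastEthernet0/0
!
! 2. ICMP echo probe sourced from the ISP1 interface, every 10 s.
ip sla 1
 icmp-echo x.x.x.x source-interface FastEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! 3. Track object; the delays stop a single lost echo from flapping routes.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! 4. Primary default route, withdrawn from the table while track 1 is down.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1
!
! 5. Floating default via ISP2, distance 254 as karthik suggested.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 254
!
! 6. Edison's fix: let the probe's echo-replies back in. Sequence 5 puts
!    the entry ahead of the existing deny lines; without a sequence number
!    it would be appended after 'deny ip any any log' and never match.
ip access-list extended aclFWoutsideIncoming
 5 permit icmp host x.x.x.x any echo-reply
```

Verify with show track 1 and show ip route; note that the default route IOS installs from the DHCP lease on FastEthernet0/0 itself carries distance 254, so while track 1 is down it ties with the ISP2 floating route and traffic is shared across both paths unless the ISP2 route is given a lower distance such as 253.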
04-30-2009 09:23 PM
Hello Nacho,
The DNS server provided in the DHCP answer can be a good choice; it should be a stable IP address belonging to your ISP.
Hope to help
Giuseppe
05-01-2009 04:35 PM
I tried it, but the assigned DNS server is not answering my ping command, and by the way neither do any of the DNS servers used by my ISP. (I can ping everything else and it is working, e.g. ping google.com or ping a.b.c.d.) Could the lack of response be intentional by the ISP?
05-04-2009 11:34 AM
Thanks for the reply; your proposed solution is crystal clear. However, I am having problems pinging outside that are not directly related to this issue:
e.g.: ping 195.71.11.67 repeat 5 timeout 4 (i.e. from within the router) ... 0% success
e.g.: sh log (last entry shown)
... list aclFWoutsideIncoming denied icmp 195.71.11.67 -> a.b.c.d (0/0), 1 packet
... where a.b.c.d is the current IP address assigned to the outside interface
So the next question is: are my access-lists allowing outgoing traffic originating within the router, or must I place some specific entry related to the current IP address assigned by the DHCP server to the outside interface?
... say «permit ip host
... before current «permit ip any any reflect aclFWoutsideTemp» entry ?
ip access-list extended aclFWoutsideIncoming
 remark firewall feature: outside interface inbound traffic filters; ie: InterNet initiated traffic
 remark denying anyone using invalid addresses inbound:
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 remark denying anyone using my private addresses (anti-spoofing) inbound:
 deny ip 10.195.45.0 0.0.0.255 any log
 remark denying anyone using ICMP echo/redirect messages inbound:
 deny icmp any any echo log
 deny icmp any any redirect log
 deny icmp any any mask-request log
 permit icmp any 10.195.45.0 0.0.0.255
 remark allowing the cable modem (acting as DHCP server) inbound:
 permit udp any eq bootps any eq bootpc
 remark allowing specific NTP servers inbound:
 permit udp host 192.5.41.209 eq ntp any eq ntp
 permit udp host 192.5.41.40 eq ntp any eq ntp
 permit udp host 192.5.41.41 eq ntp any eq ntp
 evaluate aclFWoutsideTemp
 deny ip any any log
ip access-list extended aclFWoutsideOutgoing
 remark firewall feature: outside interface outbound traffic filters; ie: IntraNet initiated traffic
 remark allowing valid ICMP messages outbound (for proper network operation):
 permit icmp 10.195.45.0 0.0.0.255 any echo
 permit icmp 10.195.45.0 0.0.0.255 any parameter-problem
 permit icmp 10.195.45.0 0.0.0.255 any packet-too-big
 permit icmp 10.195.45.0 0.0.0.255 any source-quench
 deny icmp any any log
 permit ip any any reflect aclFWoutsideTemp
 deny ip any any log
interface FastEthernet0/0
 description InterNet uplink
 ip address dhcp client-id FastEthernet0/0 hostname whatever
 ip access-group aclFWoutsideIncoming in
 ip access-group aclFWoutsideOutgoing out
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect cbacOutside out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled