04-21-2010 07:33 AM
Hello guys,
I have a private PPP link between two sites, connected to two L3 switches as routed ports. Traffic between these two LANs is sailing smoothly via the PPP link bidirectionally. I have also implemented an IPsec VPN tunnel between the same two sites via the Internet as a backup in case the private link fails. In this case, the tunnel is working great.
When the PPP link is restored on the L3 switch, the LAN traffic continues to pass through the tunnel.
How do I configure the firewall or the switch to drop the IPsec tunnel when the PPP link is restored?
The trick here is that my Internet ASA5520 firewall at both sites doesn't know this route because it is part of the LAN. Can SLA monitor and tracking with an ACL work? If so, any advice?
Site A:
PPP link address 10.10.10.1/30 on L3 switch
ASA 192.168.1.1 outside
192.168.2.1/24 inside
Site B:
PPP link address 10.10.10.2/30 on L3 switch
ASA 10.0.1.1/30
Inside 192.168.2.1/24
Thanks,
Eric
04-21-2010 07:57 AM
Hi,
You want to use the dedicated line as the primary link and the IPsec tunnel as a backup?
Are both connections using static routes (no dynamic routing protocol)?
If so, just use the IP SLA feature with tracking on the ASA.
For example:
The ASA can have a primary static route to the PPP link and if it fails, establish the IPsec tunnel through the Internet connection. The good thing is that if it fails, the ASA then starts routing back again through the PPP link when it comes back.
Federico.
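As an added example of the ASA-side approach Federico describes (this is not his config and not from the thread), the tracked primary route toward the remote LAN goes via the inside L3 switch, and a floating route out the outside interface only takes effect when the SLA probe to the far end of the PPP link stops answering. The thread's PPP addresses (10.10.10.1/30 and 10.10.10.2/30) are reused; the remote LAN 192.168.3.0/24, the inside switch address 192.168.2.254, the outside gateway 203.0.113.1 and the crypto ACL name are assumed placeholders.

```cisco
! Site A ASA. Route for the probe target itself is NOT tracked, otherwise
! the probe could never be sent once the tracked route is withdrawn.
route inside 10.10.10.0 255.255.255.252 192.168.2.254 1
!
! Probe the far end of the PPP link through the inside interface
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.2 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object goes down when the probe stops getting replies
track 1 rtr 10 reachability
!
! Primary: remote LAN via the L3 switch (assumed 192.168.2.254), installed only while track 1 is up
route inside 192.168.3.0 255.255.255.0 192.168.2.254 1 track 1
!
! Backup: same prefix out the outside interface with a worse metric, so it only
! wins when the tracked route is withdrawn; those packets then match the crypto
! ACL and bring the IPsec tunnel up. When the probe succeeds again the inside
! route is reinstalled and traffic leaves the tunnel on its own.
route outside 192.168.3.0 255.255.255.0 203.0.113.1 254
!
! Crypto ACL (assumed name) defining the tunnel traffic; site B mirrors it
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
```

Two checks worth doing after applying it: `show track 1` and `show sla monitor operational-state 10` should report the probe as reachable while the PPP link is up, and `show route` should list only the inside route for 192.168.3.0/24 at that time; pull the PPP link and the outside route should appear within a few probe intervals. The same config is needed on the site B ASA with the addresses swapped, and the usual NAT exemption for the LAN-to-LAN traffic must stay in place so the backup path is encrypted rather than translated.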
04-21-2010 12:22 PM
You are correct, Federico, and can you send me an example config? Or what do you think of the below link? Looking into that for possible resolution.
04-21-2010 12:25 PM
I only wanted to send inside traffic via the PPP link and internet traffic out via my asa firewall
04-21-2010 01:31 PM
Hey guys, I have tested various SLA tracking solutions in my lab and finally got the best solution based on the design. I will advise later.
Thx,
Eric
04-22-2010 08:20 PM
Hello Guys,
After testing various configs I came across my old references that I used to design the MPLS private link. This tracking SLA policy config works great on the L3 switch! Make sure the port that will be used on the L3 switch is set as a routed port instead of trunking between the two locations. Use an L3 subnet to create the PPP link.
! default route via the Internet side
ip route 0.0.0.0 0.0.0.0 5.5.5.2
! remote LAN via the private PPP link, installed only while track 50 is up
ip route 4.4.4.0 255.255.255.0 interface ethernet0/1 6.6.6.2 track 50
!
! ICMP probe to the far end of the PPP link
ip sla 1
 icmp-echo 6.6.6.2
 num 3
 freq 10
ip sla monitor schedule 1 life forever start-time now
!
! track object follows the probe; dampen flaps with a 10 s delay each way
track 50 rtr 1 reachability
 delay down 10 up 10
!
! policy-route the probe echoes toward the PPP next hop only while it is reachable
access-list 101 permit icmp any host 6.6.6.2 echo
route-map local permit 20
 match ip address 101
 set ip next-hop verify-availability 6.6.6.2 10 track 50
!
interface ethernet0/1
 ip policy route-map local
Thank you all for your input and I hope this helps others. Please rate this.
Thx,
Eric