
Need to configure automated failover over WAN links

mangesh.kamble (Level 1)

Dear All,

I have 2 ISP links coming in over 2 different WAN routers. Each router is connected to its respective L2 switch, and from there they connect to an ASA 5550. There is a trunk configured between the 2 L2 switches, and both firewalls are configured in HA mode; they have interconnectivity over a single link. From these firewalls there is connectivity to each core. The core switches are configured with VSS technology.

My requirement is that I need to configure IP SLA in order to achieve automated failover over the WAN links. What I have learned as the standard method to achieve this is: you configure an IP SLA monitor for icmp-echo, then create 2 track objects, one for state and one for reachability, and then configure HSRP where you call these particular track objects.

But I am getting confused about how I can implement the same in my scenario.

I need suggestions and valuable guidance please; thanks in advance.

Regards,

Mangesh.

          WAN 1                          WAN 2
     ----------------              ----------------
            |                             |
         Router 1                      Router 2
            |                             |
            |            Trunk            |
       L2 Switch 1 ------------------- L2 Switch 2
            |                             |
            |             H.A             |
        Firewall --------------------- Firewall
            |                             |
            |             VSS             |
         CORE1 ----------------------- CORE2


8 Replies

Nagaraja Thanthry (Cisco Employee)

Hello,

You can create HSRP only for the inside interface of both WAN routers. On the inside, you create a virtual IP as the default gateway and create the HSRP group between both routers. One will be the active device and the other will be the standby. On both routers, configure NAT rules to take the corresponding public IP (or interface IP) when going to the internet. Here is a sample configuration:

Router 1:

interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 254
 standby 1 preempt
 standby 1 mac-address 0020.2222.2222
!
! Each router NATs to its own ISP block, so traffic leaves through whichever router is HSRP active.
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255

Router 2:

interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 1
 standby 1 preempt
 standby 1 mac-address 0020.2222.2222
!
ip nat pool Cisco jjj.kkk.lll.xxx jjj.kkk.lll.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255

On the ASA failover devices:

route outside 0.0.0.0 0.0.0.0 192.168.2.1

Hope this helps.

Regards,

NT

mangesh.kamble (Level 1)

Dear Nagaraja,

Thanks for your reply. I agree with what you are trying to explain. Full marks for that, but my requirement says that I need to use IP SLA for this failover.

Can you please help me out with this with respect to the topology.

Thanks and Regards,

Mangesh.

Nagaraja Thanthry (Cisco Employee), accepted solution:

Hello,

If you would like to use tracking, you can add an additional line in the standby configuration:

Router 1:

interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 preempt
! SLA tracking: object 1 must be defined with "track 1 ..." against the IP SLA probe.
! The decrement must be larger than the priority gap to Router 2 (110 vs 100 here);
! with the default decrement of 10 and a wide gap, Router 2 would never win the election.
 standby 1 track 1 decrement 20
 standby 1 mac-address 0020.2222.2222
!
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255

Router 2:

interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 100
 standby 1 preempt
! SLA tracking against Router 2's own ISP probe
 standby 1 track 1 decrement 20
 standby 1 mac-address 0020.2222.2222

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml

Here is the configuration guide to configure the IP SLA feature:

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1079801

Hope this helps.

Regards,

NT

mangesh.kamble (Level 1)

OK, so basically the below config can be considered as the final configuration for my scenario:

Router 1:

interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 preempt
! SLA tracking: object 1 follows the probe state, object 2 its reachability.
! Each decrement must exceed the 10-point gap to Router 2, or no failover occurs.
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
 standby 1 mac-address 0020.2222.2222
!
! Probe the ISP next hop from the WAN interface. threshold is in milliseconds and must
! stay below timeout; a very low value such as 2 ms makes every normal reply return
! OverThreshold, which the "state" track counts as down.
ip sla 2
 icmp-echo (aaa.bbb.ccc.ddd+1) source-interface FastEthernet0/0
 timeout 1000
 frequency 3
 threshold 500
!
ip sla schedule 2 life forever start-time now
!
! state: up only on return code OK; reachability: up on OK or OverThreshold.
! Because track 1 also drops on OverThreshold, latency above the threshold alone
! triggers failover; keep only track 2 if that is not wanted.
track 1 rtr 2 state
track 2 rtr 2 reachability
!
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255

Router 2:

interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 100
 standby 1 preempt
! SLA tracking against Router 2's own ISP probe
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
 standby 1 mac-address 0020.2222.2222
!
ip sla 2
 icmp-echo (jjj.kkk.lll.mmmm+1) source-interface FastEthernet0/0
 timeout 1000
 frequency 3
 threshold 500
!
ip sla schedule 2 life forever start-time now
!
track 1 rtr 2 state
track 2 rtr 2 reachability
!
ip nat pool Cisco jjj.kkk.lll.xxx jjj.kkk.lll.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255

Please correct if I am doing anything wrong here.

Thanks and Regards,

Mangesh.

Nagaraja Thanthry (Cisco Employee)

Hello,

Why are you configuring two track statements? In HSRP, when you configure preempt, the primary device always takes over as soon as it gets the connectivity back to the tracked object. So, if the interface goes down or if the ISP network goes down, in both cases it will switch over to the standby device, and once the network comes back up, it will regain the active role.

Regards,

NT

mangesh.kamble (Level 1)

I just followed what I have seen regarding IP SLA; in one of the videos by Cisco they did a similar config, but in that they mapped the same IP SLA to 2 tracks, state and reachability.

Please correct me: in this case, do I even need to match either of state and reachability, or not?

Thanks and regards,

Mangesh.

Nagaraja Thanthry (Cisco Employee)

Hello,

You could certainly do that. I would say you can track the status of the interface and then connectivity:

 standby 1 track FastEthernet0/0
 standby 1 track 1

This way, if the WAN interface goes down or if the reachability to the remote device breaks, then the second device will take over. You can also use the "decrement" portion of tracking to lower the priority of the device so the other device can become the active device.

Hope this helps.

Regards,

NT

mangesh.kamble (Level 1)

Dear Nagaraja,

I agree with what you are saying, but as far as standard HSRP is concerned, as per that you can only track a serial interface.

And what we get on the WAN is usually RJ-45. So I will require your suggestions on that as well.

That was the main idea behind going for 2 track objects.

Thanks and Regards,

Mangesh.
