09-06-2010 12:02 AM - edited 03-04-2019 09:40 AM
Dear All,
I am having 2 ISP links coming over 2 different WAN routers. Each of the routers is connected to a respective L2 switch, and from there they are connected to an ASA 5550. There is a trunk configured between the 2 L2 switches, and both the firewalls are configured in HA mode; they have interconnectivity over a single link. And from these firewalls there is connectivity going to each Core. The Core switches are configured with VSS technology.
What my requirement is: I need to configure ip sla in order to achieve automated failover over the WAN links. Now what I have learned as a standard method to achieve the same is that you configure ip sla monitor for icmp-echo, then you create 2 track objects, for state and reachability each, and then configure HSRP where you call these particular track objects.
But I am getting confused how I can implement the same in my scenario.
Need suggestions and valuable guidance please, thanks in advance.
Regards,
Mangesh.
   WAN 1                                        WAN 2
-----------                                  -----------
     |                                            |
  Router 1                                     Router 2
     |                    Trunk                   |
 L2 Switch 1 ------------------------------- L2 Switch 2
     |                     H.A                    |
  Firewall --------------------------------- Firewall
     |                     VSS                    |
   CORE1 ----------------------------------- CORE2
09-06-2010 12:16 AM
Hello,
You can create HSRP only for the inside interface of both WAN routers. On the inside, you create a virtual IP as the default gateway and create the HSRP group between both routers. One will be the active device and the other will be the standby. On both routers, configure NAT rules to take the corresponding public IP (or interface IP) when going to the internet. Here is a sample configuration:
Router 1:
interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
 exit
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 254
 standby 1 preempt
 standby 1 mac-address 0020.2222.2222
 exit
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
Router 2:
interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
 exit
!
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 1
 standby 1 preempt
 standby 1 mac-address 0020.2222.2222
 exit
ip nat pool Cisco jjj.kkk.lll.xxx jjj.kkk.lll.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
On the ASA failover devices:
route outside 0.0.0.0 0.0.0.0 192.168.2.1
Hope this helps.
Regards,
NT
09-06-2010 12:48 AM
Dear Nagaraja,
Thanks for your reply. I agree with what you are trying to explain. Full marks for that, but my requirement says that I need to use ip sla for this failover.
Can you please help me out with this with respect to the topology?
Thanks and Regards,
Mangesh.
09-06-2010 01:09 AM
Hello,
If you would like to use tracking, you can add an additional line in the standby configuration:
Router 1:
interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
 exit
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 254
 standby 1 preempt
 ! SLA tracking
 standby 1 track 1
 standby 1 mac-address 0020.2222.2222
 exit
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
Router 2:
interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
 exit
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 1
 standby 1 preempt
 ! SLA tracking
 standby 1 track 1
 standby 1 mac-address 0020.2222.2222
 exit
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml
Here is the configuration guide to configure the IP SLA feature:
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1079801
Hope this helps.
Regards,
NT
09-06-2010 02:20 AM
OK, so basically the config below can be considered the final configuration for my scenario:
Router 1:
interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
 exit
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 254
 standby 1 preempt
 ! SLA tracking
 standby 1 track 1
 standby 1 track 2
 standby 1 mac-address 0020.2222.2222
 exit
ip sla 2
 icmp-echo (aaa.bbb.ccc.ddd+1) source-interface fa0/0
 timeout 1000
 frequency 3
 threshold 2
 exit
ip sla schedule 2 life forever start-time now
track 1 rtr 2 state
track 2 rtr 2 reachability
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
Router 2:
interface FastEthernet0/0
 ip address jjj.kkk.lll.mmmm 255.255.255.248
 ip nat outside
 exit
interface FastEthernet0/1
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 standby 1 priority 1
 standby 1 preempt
 ! SLA tracking
 standby 1 track 1
 standby 1 track 2
 standby 1 mac-address 0020.2222.2222
 exit
ip sla 2
 icmp-echo (jjj.kkk.lll.mmmm+1) source-interface fa0/0
 timeout 1000
 frequency 3
 threshold 2
 exit
ip sla schedule 2 life forever start-time now
track 1 rtr 2 state
track 2 rtr 2 reachability
ip nat pool Cisco jjj.kkk.lll.xxx jjj.kkk.lll.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
Please correct if I am doing anything wrong here.
Thanks and Regards,
Mangesh.
09-06-2010 06:02 AM
Hello,
Why are you configuring two track statements? In HSRP, when you configure preempt, the primary device always takes over as soon as it gets the connectivity back to the tracked object. So, if the interface goes down or if the ISP network goes down, in both cases it will switch over to the standby device, and once the network comes back up, it will regain the active role.
Regards,
NT
09-06-2010 09:57 AM
I just followed what I have seen regarding ip sla; in one of the videos by Cisco they did a similar config, but in that they mapped the same ip sla to 2 tracks, state and reachability.
Please correct me: in this case, do I need to match either of state and reachability or not?
Thanks and regards,
Mangesh.
09-06-2010 10:05 AM
Hello,
You could certainly do that. I would say you can track the status of the interface and then connectivity.
standby 1 track "wan interface"
standby 1 track 1
This way, if the WAN interface goes down or if the reachability to the remote device breaks, then the second device will take over. You can also use the "decrement" portion of tracking to lower the priority of the device so the other device can become the active device.
Hope this helps.
Regards,
NT
09-07-2010 01:03 AM
Dear Nagaraja,
I agree with what you are saying, but as far as standard HSRP is concerned, you can only track a serial interface.
And what we get on the WAN is usually RJ-45, so I will require your suggestions on that as well.
That was the main idea behind going for 2 track objects.
Thanks and Regards,
Mangesh.
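Pulling the thread's pieces together, here is an added example configuration for Router 1 (my own, not Nagaraja's or Mangesh's) that tracks ISP reachability through IP SLA and the Ethernet WAN port's line protocol, uses decrement-based HSRP tracking instead of two tracks on one probe, and authenticates the HSRP hellos. It assumes aaa.bbb.ccc.nnn is a probe target beyond the ISP hand-off and that Router 2 carries the mirror configuration with priority 100 and its own jjj.kkk.lll.* addresses; the key string is a placeholder.

```cisco
! Router 1 -- added example, not a config from the thread; Router 2 mirrors it
! with priority 100 and its own ISP addresses (jjj.kkk.lll.*)
!
! Probe a host beyond the ISP hand-off; aaa.bbb.ccc.nnn is a placeholder
ip sla 2
 icmp-echo aaa.bbb.ccc.nnn source-interface FastEthernet0/0
 timeout 1000
 frequency 3
 threshold 500
ip sla schedule 2 life forever start-time now
!
! One reachability track is enough; the delay keeps a single lost echo
! from flapping the gateway (older IOS spells this "track 1 rtr 2 reachability")
track 1 ip sla 2 reachability
 delay down 10 up 30
!
! The WAN port itself: an Ethernet (RJ-45) interface, not only serial, can be tracked
track 2 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/0
 description Internet_1
 ip address aaa.bbb.ccc.ddd 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description LAN_1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.2.1
 ! 110 - 20 = 90 drops below Router 2's 100, so Router 2 preempts on any failure
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! authenticate hellos so an unauthenticated host on the LAN cannot claim the VIP
 standby 1 authentication md5 key-string REPLACE_WITH_SHARED_KEY
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
!
ip nat pool Cisco aaa.bbb.ccc.xxx aaa.bbb.ccc.yyy netmask 255.255.255.248
ip nat inside source list 1 pool Cisco overload
access-list 1 permit 192.168.2.0 0.0.0.255
```

After a failover, NAT translations built on Router 1 are not known to Router 2, so established sessions through the old path are re-established by the hosts rather than migrated. Verify the tracking chain with "show track", "show ip sla statistics 2" and "show standby brief" on both routers.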