Internet Failover / IP SLA

Hi Support Community

Can somebody please advise me what is the best approach for the following:

I have used IP SLA in several implementations to track a static route, this is usually tracking an IP address in the MPLS cloud which when not reachable causes failover to a VPN tunnel. The source address is usually the core switch so when the MPLS fails the VPN takes over, this always works fine in situations where we cannot implement dynamic routing for various reasons.

I need to do similar except this time it won't be internet failing over to VPN, it will be internet traffic failing over to another internet link. Our DC has a default route to the firewall inside interface which connects via the external interface to the internet router, this default route is redistributed into OSPF so other sites can use this default route to the internet. Our secondary internet is located in another data centre, when the primary internet fails we should use this.

For security we cannot use dynamic routing on the firewall therefore use a static route, the plan is to use IP SLA to monitor this internet link:

My first question is, to detect downstream failure of internet, what would you monitor, the IP address of the internet router outside interface or something further downstream?

My second question is, say you monitored Google DNS so ( not going to do this, it's just an example and I'm curious as to how it would work ) with IP SLA and static routes with a source address of the core switch, if I couldn't get to my static route would be removed and I would then learn a redistributed default route to the secondary internet, at this stage is reachable and the source address used in the IP SLA is also routable so does this mean my original static route would be inserted again because the core switch IP address can now access through the secondary internet, therefore causing the original static route to be added back to the routing table? If that is the case I assume you would then just make the source address of the IP SLA an IP that is only reachable by the primary firewall?

Thanks, Carl
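As an added illustration of the mechanism discussed in the post (not configuration from the original poster or from Cisco), the following IOS fragment shows an IP SLA probe sourced from the core switch, a tracked static default route toward the primary firewall, and one common way to keep the probe pinned to the primary path so that a redistributed default route learned from the secondary site cannot make the probe succeed and re-install the primary route. All addresses and interface names are constructed placeholders (RFC 5737 documentation ranges; Vlan10 assumed to face the primary firewall).

```cisco
! Added example, not from the original post. Addresses and interface
! names are constructed placeholders.
!
! Probe an upstream target beyond the primary internet router, sourced
! from the core switch interface that faces the primary firewall.
ip sla 10
 icmp-echo 203.0.113.1 source-interface Vlan10
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! Track probe reachability. The delay timers dampen brief packet loss so
! the default route is not withdrawn and re-added on every missed echo.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Primary default route via the firewall inside interface, installed only
! while the track is up. When it is withdrawn, the OSPF default route
! redistributed from the secondary data centre takes over.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
!
! Pin the probe target to the primary path with a host route. After the
! primary route is withdrawn, probe traffic still follows this /32 toward
! the primary firewall and keeps failing, instead of following the new
! secondary default, succeeding, and re-installing the primary route.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
!
! If the primary-facing interface itself goes down, the host route above
! disappears with it. A floating host route to Null0 (higher AD) is then
! preferred over the secondary default because it is more specific, so the
! probe is black-holed rather than answered over the secondary path.
ip route 203.0.113.1 255.255.255.255 Null0 250
!
! Verification: "show track 10" shows the reachability state and the
! objects (here the default route) that depend on it; "show ip sla
! statistics 10" shows the latest probe result and failure counts.
```

The side effect to be aware of is that the probe target itself stays unreachable from this switch while the primary is down, which is intended here but means the target should be a host used only for monitoring.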