
Static Default Route - Is it possible to create a monitor to the internet?

darrenriley5
Level 1

We have two data centres, each with its own internet connection. Currently we have a simple set up in that any devices on the LAN which need to go out to the internet (bypassing the proxy) use the static default route at each data centre, which points to the internal LAN address of the firewalls (a firewall at each data centre). Obviously the problem with this set up is that there is no dynamic failover. What I would like to do is create a monitor which would be able to monitor things out on the internet. If the monitor couldn't reach these then the static default route would be removed from the routing table. Does anyone know if this is possible with Cisco 6500 switches?

Many Thanks

Darren

10 Replies

Jon Marshall
Hall of Fame

Darren

The way to do this is to use IP SLA and track the default route. So you basically set up a ping to test the reachability of a destination on the internet. If the ping is successful then the route stays in the routing table; if it fails the route is removed. By the way, if you do remove the route what will you replace it with? Can you reroute to the other data centre?

IP SLA with tracking of routes is supported on most routers, but switches are a different story. I'm assuming there are no routers in between the 6500 switches and the firewalls?

The 6500 does support tracking, or at least it seems to, but it does depend on your IOS version and supervisor. If you can provide me with those and they are okay I can provide you with the commands to try, but there are no guarantees as I don't have spare 6500 switches to test with and I've never done it on a 6500 before.

Jon

Hi Jon,

We redistribute the static routes into EIGRP.

Yes, we have no routers between the switches and the firewall. At one data centre we have Nexus 7K's using version 4.2.6; the other data centre has 6500's (WS-SUP720-BASE, Version 12.2(17d)SXB7), which we are hoping to replace with Nexus 7K's in the near future.

Any help much appreciated.

Many Thanks

Darren

Darren

Okay, I'm pretty sure Nexus will not support IP SLA. What devices are your firewalls, and if they are ASAs what code are they running?

Jon

N7k has IP SLA on the development roadmap (last timeframe I heard was for first quarter of 2011 calendar year).

As of right now, there is no way to track internet connectivity success on the n7k.

Rob

Jon,

We have two tiers, checkpoint and ASA's (8.2(2) 4.

Thanks

Darren

One thing you could consider is to run a routing protocol to the ASA, and let the ASA do the IP SLA/Object tracking, and redistribute those statics into the routing protocol (ospf).

In that scenario, ASA pings out to the internet, and when pings fail, he withdraws his static route from the routing table, and thus from redistribution.

robetayl wrote:

One thing you could consider is to run a routing protocol to the ASA, and let the ASA do the IP SLA/Object tracking, and redistribute those statics into the routing protocol (ospf).

In that scenario, ASA pings out to the internet, and when pings fail, he withdraws his static route from the routing table, and thus from redistribution.

My reply took so long to write you beat me to it.

darrenriley5 wrote:

Jon,

We have two tiers, checkpoint and ASA's (8.2(2) 4.

Thanks

Darren

Darren

If the ASAs are the internal firewalls, i.e. they connect to the 6500 switches, then what you could do is -

1) have a default static route on the ASA

2) run EIGRP on the ASA and peer with the 6500

3) redistribute the static route into EIGRP so the 6500 gets it. When the 6500 receives the route it will have an AD of 170

4) add a floating static default-route on the 6500 with an AD of > 170 pointing to the backup route you want to take

5) on the ASA track the default route you have configured. Tracking allows you to ping a destination on the internet, and if that ping fails then the route is removed.

If the route is removed it is no longer redistributed into EIGRP, and therefore the 6500 uses its floating static instead, pointing to the backup route. If the ping then later works, the ASA will restore the route, redistribute it into EIGRP, and the 6500 will then use the EIGRP-received route rather than the floating static.

ASA 8.x code supports both EIGRP and route tracking - see this doc for route tracking example -

ASA 8.2 configuration guide

Caveats -

1) you would need to allow ICMP through the outside Checkpoints to the internet and back, but you could tie it down to ICMP echo/echo-reply and you would know the src/dst IPs

2) The config guide for the ASA route tracking talks of installing a backup route when the primary route fails. You don't actually want this, instead you simply want it to remove the current route. I suspect it will work fine but you need to check.

Jon
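The five steps above written out as configuration, as an added example that is not from the thread or from Cisco's documentation. All IP addresses, interface names, the EIGRP AS number and the floating-static AD of 180 are made-up placeholders; adapt them to your own addressing.

```text
! ===== ASA (8.2) : steps 1, 2, 3 and 5 =====
! Step 1: the normal default route out to the internet, tied to track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Step 5: the reachability test behind track 1 (placeholder target 198.51.100.1)
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! Note: no second "route ... 254" backup entry is configured (Jon's caveat 2);
! when the probe fails the tracked default route is simply withdrawn.

! Steps 2 and 3: EIGRP peering with the 6500 and redistribution of the static
router eigrp 100
 network 10.1.1.0 255.255.255.0
 redistribute static

! ===== 6500 (IOS) : step 4 =====
router eigrp 100
 network 10.1.1.0 0.0.0.255
 no auto-summary

! Step 4: floating static toward the backup path (other data centre).
! AD 180 > 170 (EIGRP external), so it only wins once the ASA withdraws its route.
ip route 0.0.0.0 0.0.0.0 10.2.2.2 180
```

Caveat 1 still applies: the outside Checkpoint must permit the echo from the ASA's outside address to the probe target and the echo-reply back, and nothing else is needed for the probe.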

Jon,

Thanks very much for the response. One small problem in that the ASA is the external firewall, making it more difficult in that I can't run EIGRP on the Checkpoint.

Thanks

Darren

Darren

You could do as Robert suggested then and run OSPF instead of EIGRP, as the Checkpoints support OSPF and it is the same principle.

Jon
