10-08-2010 03:31 AM - edited 03-06-2019 01:23 PM
We have two data centres, each with its own internet connection. Currently we have a simple setup in that any devices on the LAN which need to go out to the internet (bypassing the proxy) use the static default route at each data centre, which points to the internal LAN address of the firewall (one firewall at each data centre). Obviously the problem with this setup is that there is no dynamic failover. What I would like to do is create a monitor which would be able to monitor things out on the internet. If the monitor couldn't reach these, then the static default route would be removed from the routing table. Does anyone know if this is possible with Cisco 6500 switches?
Many Thanks
Darren
10-08-2010 03:49 AM
Darren
The way to do this is to use IP SLA and track the default route. So you basically set up a ping to test the reachability of a destination on the internet. If the ping is successful then the route stays in the routing table; if it fails, the route is removed. By the way, if you do remove the route, what will you replace it with? Can you reroute to the other data centre?
IP SLA with tracking of routes is supported on most routers, but switches are a different story. I'm assuming there are no routers in between the 6500 switches and the firewalls?
The 6500 does support tracking, or at least it seems to, but it does depend on your IOS version and supervisor. If you can provide me with those and they are okay, I can provide you with the commands to try, but there are no guarantees as I don't have spare 6500 switches to test with and I've never done it on a 6500 before.
Jon
10-08-2010 06:11 AM
Hi Jon,
We redistribute the static routes into EIGRP.
Yes, we have no routers between the switches and the firewall. At one data centre we have Nexus 7Ks using version 4.2.6; the other data centre has 6500s (WS-SUP720-BASE, Version 12.2(17d)SXB7) which we are hoping to replace with Nexus 7Ks in the near future.
Any help much appreciated.
Many Thanks
Darren
10-08-2010 06:55 AM
Darren
Okay, I'm pretty sure Nexus will not support IP SLA. What devices are your firewalls, and if they are ASAs, what code are they running?
Jon
10-08-2010 07:07 AM
N7K has IP SLA on the development roadmap (the last timeframe I heard was the first quarter of the 2011 calendar year).
As of right now, there is no way to track internet connectivity success on the N7K.
Rob
10-08-2010 07:18 AM
Jon,
We have two tiers, Checkpoint and ASAs (8.2(2)4).
Thanks
Darren
10-08-2010 07:48 AM
One thing you could consider is to run a routing protocol to the ASA, let the ASA do the IP SLA/object tracking, and redistribute those statics into the routing protocol (OSPF).
In that scenario, the ASA pings out to the internet, and when the pings fail, it withdraws its static route from the routing table, and thus from redistribution.
10-08-2010 07:56 AM
robetayl wrote:
One thing you could consider is to run a routing protocol to the ASA, let the ASA do the IP SLA/object tracking, and redistribute those statics into the routing protocol (OSPF).
In that scenario, the ASA pings out to the internet, and when the pings fail, it withdraws its static route from the routing table, and thus from redistribution.
My reply took so long to write that you beat me to it.
10-08-2010 07:55 AM
darrenriley5 wrote:
Jon,
We have two tiers, Checkpoint and ASAs (8.2(2)4).
Thanks
Darren
Darren
If the ASAs are the internal firewalls, i.e. they connect to the 6500 switches, then what you could do is:
1) have a default static route on the ASA
2) run EIGRP on the ASA and peer with the 6500
3) redistribute the static route into EIGRP so the 6500 gets it. When the 6500 receives the route it will have an AD of 170
4) add a floating static default route on the 6500 with an AD of > 170 pointing to the backup route you want to take
5) on the ASA, track the default route you have configured. Tracking allows you to ping a destination on the internet, and if that ping fails then the route is removed.
If the route is removed it is no longer redistributed into EIGRP, and therefore the 6500 uses its floating static instead, pointing to the backup route. If the ping later works again, the ASA will restore the route, redistribute it into EIGRP, and then the 6500 will use the EIGRP-received route rather than the floating static.
ASA 8.x code supports both EIGRP and route tracking - see this doc for a route tracking example -
Caveats -
1) you would need to allow ICMP through the outside Checkpoints to the internet and back, but you could tie it down to ICMP echo/echo-reply, and you would know the src/dst IPs
2) The config guide for the ASA route tracking talks of installing a backup route when the primary route fails. You don't actually want this; instead you simply want it to remove the current route. I suspect it will work fine, but you need to check.
Jon
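The five steps above, written out as configuration, as an added example that is not part of the original post or any replier's own config. The interface addresses (10.1.1.0/24 between ASA and 6500), the ISP next hop 203.0.113.1, the probe target 198.51.100.1, the EIGRP AS 100 and the backup next hop 10.2.2.2 are all assumed placeholders; the AD of 200 on the floating static is chosen so it also loses to a redistributed OSPF route (AD 110) if the OSPF variant suggested later in the thread is used instead.

```text
! --- ASA (inside interface 10.1.1.2/24 faces the 6500; ISP next hop 203.0.113.1) ---
! Step 5: probe a stable Internet address from the outside interface.
! Addresses and AS number below are assumed placeholders.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the probe's reachability state
track 1 rtr 10 reachability
!
! Step 1 + 5: the default route stays installed only while track 1 is up;
! when the probe fails the route is withdrawn, no backup route is configured here
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Steps 2 + 3: peer EIGRP with the 6500 over the inside link and redistribute
! the (tracked) static so the 6500 learns the default as an EIGRP external (AD 170)
router eigrp 100
 network 10.1.1.0 255.255.255.0
 redistribute static
!
! --- Cisco 6500 (interface 10.1.1.1/24 faces the ASA) ---
! Step 2: EIGRP peering with the ASA
router eigrp 100
 network 10.1.1.0 0.0.0.255
 no auto-summary
!
! Step 4: floating static default. AD 200 loses to the EIGRP external (AD 170)
! while the ASA advertises it and takes over once that route is withdrawn.
! 10.2.2.2 stands in for the next hop toward the other data centre.
ip route 0.0.0.0 0.0.0.0 10.2.2.2 200
```

To check it, `show track 1` and `show route` on the ASA show the track state and whether the 0.0.0.0/0 entry is present, and `show ip route 0.0.0.0` on the 6500 should flip between the D EX default and the S* floating static when the probe target is made unreachable (for example by denying the echo/echo-reply pair on the outer Checkpoint). Since the 6500 already redistributes statics into EIGRP (mentioned earlier in the thread), bear in mind that the floating static will be redistributed too once it becomes active.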
10-12-2010 07:25 AM
Jon,
Thanks very much for the response. One small problem: the ASA is the external firewall, which makes it more difficult because I can't run EIGRP on the Checkpoint.
Thanks
Darren
10-12-2010 09:03 AM
Darren
You could do as Robert suggested then and run OSPF instead of EIGRP, as the Checkpoints support OSPF and it is the same principle.
Jon