Cisco Support Community

Internet Failover via MPLS Cisco 2800

Currently I'm looking for a way to failover our internet connection from one site to another site over our MPLS line, should that internet connection go down.

My layout: Internet > Cable internet modem (Site B) > ASA 5510 (Site B) > 2821 Router (Site B) > MPLS Line > 2821 Router (Site A) > ASA5510 (Site A) > ISP provider internet router (Site A) > Internet

Facts:

Site B is the one with the internet issues.

The MPLS line is routed using BGP.

I think I'm on the right track with these posts:

https://supportforums.cisco.com/thread/2106249

http://brain.pobudz.net/?p=65

But there's not enough for me to go on. Any config help is appreciated.

Thanks in advance.

46 REPLIES

Internet Failover via MPLS Cisco 2800

Adam,

How are you getting your default route now for site B? One way to do this is to create another default route on site B's router and then point that to the MPLS site. You'd create nat statements on both ASAs for site B and then you should be good.

Do you have a static route pointing to your Cable ISP provider? If so, you can track that and then put the other route in the table should the ISP go down.

On site B's router put in:

ip sla monitor 1
 type echo protocol ipIcmpEcho <isp-gateway>
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 <isp-gateway> track 1
ip route 0.0.0.0 0.0.0.0 <mpls-next-hop> 254
! <...> = address not given in the post

If you're running BGP between site B and site A, you won't need to do anything with BGP. Floating statics are all you really need.

HTH,

John


Internet Failover via MPLS Cisco 2800

The default route for site B is to our firewall, but we do have static IPs from our cable ISP. Here's a rough mock up config, with some questions:

ip sla 1
 icmp-echo <isp-gateway>
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
ip route 0.0.0.0 0.0.0.0 <isp-gateway> track 1
ip route 0.0.0.0 0.0.0.0 <mpls-next-hop> 200
! <...> = address not given in the post

On the tracked default route: does this work because the address the track command is attached to isn't the icmp-echo address? On the floating static with distance 200: is this right?

I kind of cobbled that together from several sites. That looks similar to your config, John.

Internet Failover via MPLS Cisco 2800

The track command on the static route basically states "keep this route in the table as long as the reachability to it is valid." Then on the track command you're monitoring the sla. If the sla fails, reachability goes down for the track command and your static is taken out of the routing table. Then your floating static comes into play.

If your sla is trying to ping the ISP's router and that fails, your route will still fail because you're depending on the sla to succeed. So, it's ok that your router is behind the firewall because this should still work.

HTH,

John


Internet Failover via MPLS Cisco 2800

Here's the final config:

ip sla monitor 1
 type echo protocol ipIcmpEcho <isp-gateway>
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 <isp-gateway> track 1
ip route 0.0.0.0 0.0.0.0 <mpls-next-hop> 254
! <...> = address not given in the post

For the problem child, I've tried Site A's router's MPLS interface, its inside router interface, and Site A's default gateway. No luck. A traceroute from site B shows it's not making the hop over the MPLS even though the MPLS line is fully functional besides this.

What am I missing? Is there something I need to put in Router A's config? Note: pings over MPLS to all of the problem child interfaces I tried come back good, so Router B can see them just fine. Note: the failover portion works fine in that it is trying to direct traffic over the MPLS; there's just the problem child situation to deal with.

Any help is very much appreciated as this site is cut off from the internet besides RDP right now.

Thanks in advance.


Re: Internet Failover via MPLS Cisco 2800

Hello Adam,

I have noticed the following line in your initial post:

>> The MPLS line is routed using BGP.

If this is a MPLS L3 VPN service in order to be able to use the MPLS link as an alternate internet access you need to advertise a default route over BGP from the site that will provide internet access to the other one.

Because if this is an MPLS L3 VPN you are peering at each site with SP routers and you need to make them know that a default route is available and to have it propagated to the other site.

So instead of configuring static routes on one site pointing to the other one, you may need to advertise the default route over BGP from the other site.

Hope to help

Giuseppe


Internet Failover via MPLS Cisco 2800

Can I get IP SLA to failover to this advertised BGP route or do I need to start from scratch since I'm using BGP?


Internet Failover via MPLS Cisco 2800

Looks like this might be along the lines of what I'm looking for:

https://supportforums.cisco.com/thread/2006404

Investigating giving "weight" to bgp routes right now...


Re: Internet Failover via MPLS Cisco 2800

Hello Adam,

if the idea is to have a backup internet access via the MPLS cloud, you can keep the part relative to the main default static route, so that it is tracked with an IP SLA. But you need to advertise network 0.0.0.0/0 in BGP from the other router to the MPLS cloud over the existing eBGP session to provide the secondary default route over eBGP.

Hope to help

Giuseppe


Re: Internet Failover via MPLS Cisco 2800

Having backup internet access via the MPLS cloud is exactly what I'm trying to do. So do I keep my IP SLA config the same and just advertise a default route via BGP, or is there something else I need to change? I don't understand BGP too well, but I'm thinking I'll have to say some way in my advertisement that this is a backup default route. Currently researching that angle...


Re: Internet Failover via MPLS Cisco 2800

Hello Adam,

for the presence of the ASA boxes you will need almost all of what you have discussed with John and you need to add specific commands for having the default route propagated.

One of simplest ways is to use

router bgp <as-number>
 network 0.0.0.0

to have the CE MPLS router advertise a default route to the eBGP neighbor. This has to be done on the site that will provide the internet access to the other site.

At the remote end you have to verify that you are receiving the default route over eBGP using

show ip bgp 0.0.0.0

If there are no route filters the route should be propagated to the remote MPLS router.

eBGP has AD 20, higher than the AD 1 of the main static default route.

On that node the main default route will be provided by tracked static route and will point to local ASA, the backup route will be provided by eBGP.

As John has said, on the ASA of the site providing the internet access you will need additional NAT statements to accommodate the IP subnets of the other site, and also some additional static routes for the other site's IP subnets to provide the return path from the internet.

Hope to help

Giuseppe
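The mechanism John and Giuseppe describe above (a tracked static default to the local ASA, a default learned over eBGP from site A, and a floating static that only matters if neither exists) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it approximates how IOS picks the 0.0.0.0/0 entry by administrative distance and how the `delay down 10 up 20` setting from Adam's draft filters probe results. The addresses, the track behaviour and the probe sequence are constructed for the example.

```python
"""Added example (not from the thread): a model of how the site B router picks
its default route.  Three candidates compete for 0.0.0.0/0:
  - the tracked static to the local ASA (AD 1, installed only while track 1 is up)
  - the default learned over eBGP from site A (AD 20, present while BGP carries it)
  - the floating static towards the MPLS PE (AD 254, always configured)
Addresses are placeholders, not the real sites'."""
from dataclasses import dataclass
from typing import List, Optional

ASA_B_INSIDE = "10.2.0.1"    # placeholder: site B ASA inside address
MPLS_PE = "172.12.0.2"       # placeholder: provider edge router on the MPLS link


@dataclass
class Route:
    prefix: str
    next_hop: str
    admin_distance: int
    source: str


@dataclass
class Track:
    """Approximation of 'track 1 ip sla 1 reachability' with 'delay down D up U' (seconds)."""
    delay_down: int
    delay_up: int
    up: bool = True
    pending_since: Optional[int] = None

    def feed(self, probe_ok: bool, now: int) -> bool:
        """Feed one IP SLA result taken at time 'now'; return the track state."""
        if probe_ok == self.up:
            # Probe agrees with the current state: cancel any pending transition.
            self.pending_since = None
            return self.up
        if self.pending_since is None:
            self.pending_since = now
        delay = self.delay_up if probe_ok else self.delay_down
        if now - self.pending_since >= delay:
            self.up = probe_ok
            self.pending_since = None
        return self.up


def rib_default(track_up: bool, bgp_default: bool) -> Route:
    """The 0.0.0.0/0 entry IOS installs: the candidate with the lowest AD."""
    candidates = [Route("0.0.0.0/0", MPLS_PE, 254, "floating static")]
    if track_up:
        candidates.append(Route("0.0.0.0/0", ASA_B_INSIDE, 1, "tracked static"))
    if bgp_default:
        candidates.append(Route("0.0.0.0/0", MPLS_PE, 20, "eBGP"))
    return min(candidates, key=lambda r: r.admin_distance)


def simulate(probe_results: List[bool], bgp_default: bool = True,
             delay_down: int = 10, delay_up: int = 20, frequency: int = 5) -> List[str]:
    """Run a constructed sequence of probe results (one every 'frequency' seconds)
    through the track object and record which default is installed after each."""
    track = Track(delay_down, delay_up)
    installed = []
    for i, ok in enumerate(probe_results):
        up = track.feed(ok, now=i * frequency)
        installed.append(rib_default(up, bgp_default).source)
    return installed


if __name__ == "__main__":
    # Constructed sequence: ISP gateway answers, fails three probes, then recovers.
    outage = [True, False, False, False, True, True, True, True, True]
    print(simulate(outage))                     # eBGP default takes over after the down delay
    print(simulate(outage, bgp_default=False))  # without a BGP default the AD 254 static is used
    print(simulate([True, False, True]))        # a single lost probe is absorbed by 'delay down 10'
```

Two things the model makes visible: while site A advertises a default over eBGP, the AD 254 floating static is never installed, so the eBGP route is the real backup, as Giuseppe says; and with `frequency 5` and `delay down 10` the tracked static is only withdrawn after three consecutive failed probes, which is what keeps one lost ping from flapping the default route.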


Internet Failover via MPLS Cisco 2800

All of this has helped immensely, I think I'm almost there. With my NATting, all I did was add the following line to Site A's firewall:

nat (inside) 1 <site-b-subnet> <mask>

The connection isn't consistent, but it looks to be enough to do some surfing. Does this NATting look right?

Re: Internet Failover via MPLS Cisco 2800

Adam,

The natting looks correct, but you also need to make sure that you have a route on your ASA for that subnet pointing back to the router that you have at Site A. If everything is right, you should be able to ping your siteB internal addresses from the ASA at site A.

John


Internet Failover via MPLS Cisco 2800

I apologize for ignorance on the topic, but I cannot find in my router config where it defines what networks are being let back in. Any help, again, is greatly appreciated.

Re: Internet Failover via MPLS Cisco 2800

This would be in your routing table. On your router A, do a "show ip route". You should get back something if you're advertising these networks from router B.

Suppose I was on router A and was interested in seeing my internal subnet at site B:

My internal subnet is 172.11.10.0/24, so on router A I would type "sh ip route 172.11.10.0/24"

Routing entry for 172.11.10.0/24
  Known via "bgp 2", distance 20, metric 0
  Tag 1, type external
  Last update from 172.12.0.1 12:17:59 ago
  Routing Descriptor Blocks:
  * 172.12.0.1, from 172.12.0.1, 12:17:59 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1

On this router, I show I learned it from 172.12.0.1 (site B's IP address) and my next hop to get to 172.11.10.0/24 is 172.12.0.1.

If your site A router has site B's internal address, then you'll need to add a route on the ASA so that traffic to site B goes to router A:

ASA# route inside 172.11.10.0 255.255.255.0 192.168.1.1

I'm assuming that router A's interface that connects to the ASA is 192.168.1.1 and the ASA is addressed at 192.168.1.2 (just a huge assumption).

Then when your natted traffic comes back in, the ASA will send to 192.168.1.1 for 172.11.10.0 and router A will send to 172.12.0.1 to get to the 172.11.10.0/24.

Oh, and to see what addresses BGP knows on any of your routers, you can do a "show ip bgp". The *> means that the route is selected and put in the routing table: * means valid and > means the best route. By default, BGP will only put 1 route in the routing table even if you have multiple destinations out.

John

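John's point above is that the ASA at site A must both translate site B's addresses and have a route for them back towards router A, otherwise the reply to a NATted flow has nowhere sensible to go. The block below is an added example, not code from the thread or from Cisco: it follows a reply packet through a minimal PAT table and a longest-prefix route lookup, once without and once with the `route inside 172.11.10.0 255.255.255.0 192.168.1.1` line. The 172.11.10.0/24, 192.168.1.1 and 192.168.1.2 values are John's illustration; the public address, ISP gateway and ports are placeholders chosen for the example.

```python
"""Added example (not from the thread): the return path of a site-B flow on
site A's ASA, with and without the 'route inside' line John describes."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ASA_OUTSIDE_IP = "203.0.113.2"   # placeholder public address used for PAT
ISP_GATEWAY = "203.0.113.1"      # placeholder: 'route outside 0.0.0.0 0.0.0.0 <isp>'
ROUTER_A = "192.168.1.1"         # router A's interface facing the ASA (John's assumption)

Route = Tuple[str, ipaddress.IPv4Network, str]   # (interface, prefix, next hop)


def asa_routes(with_site_b_route: bool) -> List[Route]:
    """Site A ASA routing table, optionally including the static for site B."""
    routes = [("outside", ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY),
              ("inside", ipaddress.ip_network("192.168.1.0/24"), "connected")]
    if with_site_b_route:
        # ASA# route inside 172.11.10.0 255.255.255.0 192.168.1.1
        routes.append(("inside", ipaddress.ip_network("172.11.10.0/24"), ROUTER_A))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, as the ASA does after un-translating the destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen)


class PatTable:
    """Minimal model of 'global (outside) 1 interface' + 'nat (inside) 1 0 0':
    every inside source is mapped to the outside interface address and a
    unique port, and the xlate is consulted in reverse for replies."""

    def __init__(self) -> None:
        self._next_port = 1024
        self._xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        mapped = (ASA_OUTSIDE_IP, self._next_port)
        self._next_port += 1
        self._xlates[mapped] = (src_ip, src_port)
        return mapped

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        return self._xlates.get((dst_ip, dst_port))


def reply_path(with_site_b_route: bool, inside_host: str = "172.11.10.25") -> Tuple[str, str]:
    """A site B host opens a flow through site A's ASA; return the (interface,
    next hop) the ASA would use for the reply arriving from the Internet."""
    pat = PatTable()
    pub_ip, pub_port = pat.outbound(inside_host, 50000)
    # The reply arrives on 'outside' addressed to the PAT address and port.
    real = pat.inbound(pub_ip, pub_port)
    if real is None:
        raise LookupError("no xlate: the ASA would drop the reply")
    iface, _prefix, next_hop = lookup(asa_routes(with_site_b_route), real[0])
    return iface, next_hop


if __name__ == "__main__":
    print(reply_path(False))   # default route: reply is sent back towards the ISP
    print(reply_path(True))    # static for 172.11.10.0/24: reply goes to router A
```

Without the static, the un-translated destination 172.11.10.25 only matches the default route, so the lookup points at the outside interface and the reply never reaches site B; with it, the /24 wins the longest-prefix match and the reply is handed to router A, which has the BGP route on to site B. This is also why John suggests pinging a site B address from the ASA as the first check.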

Re: Internet Failover via MPLS Cisco 2800

First off, big thank you to both John and Giuseppe for getting me this far!

John, I checked my sh ip route and put my route inside in. The internet connection over the MPLS was choppy before; now it's a little less choppy. When I ping yahoo from a computer on Site B, I get 4 successful pings back, then 2 time outs, then it repeats, so at least it's constant.

Here's my tracert from that computer on Site B:

Tracing route to google.com [74.125.225.35]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms
  2     *        *      244 ms
  3     *        *      120 ms
  4     *        *       23 ms
  5     *        *       48 ms
  6     *        *       50 ms  cr81.ipsin.ip.att.net [12.122.152.154]
  7    45 ms    35 ms    35 ms  cr1.cgcil.ip.att.net [12.122.152.138]
  8    59 ms   122 ms   107 ms  gar2.clboh.ip.att.net [12.122.99.49]
  9   143 ms   112 ms   196 ms  12.249.24.6
 10     *        *      105 ms  209.85.254.120
 11     *        *       64 ms  209.85.250.28
 12     *        *      456 ms  ord08s06-in-f3.1e100.net [74.125.225.35]

Trace complete.

Does that tell you anything? It might still be something in my ASA; I'm thinking about where I would check to see if some of those packets aren't being let in on the ASA. Not sure right now, researching...

Re: Internet Failover via MPLS Cisco 2800

Adam,

I'm more curious as to why you're timing out here and why the latency is so high at the router that you're local to:

  2     *        *      244 ms
  3     *        *      120 ms
  4     *        *       23 ms
  5     *        *       48 ms

I know you diagrammed the topology up top, but can you do a visio diagram showing us how this is laid out?

HTH, John

Re: Internet Failover via MPLS Cisco 2800

Hopefully it's attached to this post.

Re: Internet Failover via MPLS Cisco 2800

Adam,

That's a tremendous help; thank you. How are you testing this now? Are you actually bringing the site down? When you're doing your ping, where does the default route point on site B's router? Is it going to the ASA in site B or does it point to site A's router (actually it will point to the MPLS PE)?

John


Re: Internet Failover via MPLS Cisco 2800

Site B is currently down; the current internet-facing port on Site B's ASA is bad. This is one of the reasons I'm trying this. Also, when we move the internet to a good port on ASA B, I want to keep this in place in case the internet goes out again.

The default route on site B's router points to its MPLS interface, which is keying me off that the IP SLA did make the switch.

Re: Internet Failover via MPLS Cisco 2800

Do you get the same responses if you ping a host in site A?

HTH, John

Re: Internet Failover via MPLS Cisco 2800

From Site A the internet works fine.

Re: Internet Failover via MPLS Cisco 2800

I'm sorry...I meant do you get the same problem when you ping a host in site A from the host in site B. Try a traceroute to see if you get the same type of result.

HTH, John

Re: Internet Failover via MPLS Cisco 2800

Pings and traceroutes from Site B to Site A run fine. So far it seems to be isolated to internet traffic from Site B out through Site A's internet.

Re: Internet Failover via MPLS Cisco 2800

Hmm...can you post the nat configuration on the ASA and the route back to site B? Also, does your site A internet router do anything with natting or anything like that or is it strictly the ASA?

HTH, John

Internet Failover via MPLS Cisco 2800

John,

Question 1: This is everything that doesn't pertain to the DMZ, which has no play in this:

access-list inside_nat0_outbound extended permit ip any <site-b-subnet> 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 <site-b-subnet> 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1
route inside <site-b-subnet> 255.255.255.0 <next-hop> 1

Question 2: As far as I know, no NATting on the internet router, we certainly didn't ask them to.

Internet Failover via MPLS Cisco 2800

Adam,

route inside <site-b-subnet> 255.255.255.0 <next-hop> 1

This should be pointing to your router (2821 interface) that connects to the ASA.

access-list inside_nat0_outbound extended permit ip any <site-b-subnet> 255.255.255.0

The above line could be causing an issue only because you're basically telling the ASA to not NAT anything going to this subnet. What you should be doing here is tying down the subnets that are in your DMZ and not NATting to those. Everything else should be NATted. Your "nat (inside) 1 0 0" line matches all traffic, so the "nat ... site b subnet" line is really unnecessary.

So, what I would do is the following:

Let's say your DMZ is 192.168.18.0/24.

Try removing:

access-list inside_nat0_outbound extended permit ip any <site-b-subnet> 255.255.255.0

and putting in:

access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 <subnet> 255.255.255.0

Obviously you'll want to cover all of your DMZs if you have more than one.

Then you can remove the nat (inside) 1 line.

You also need to change your static route on the ASA to point to the router as stated above.

HTH, John

Internet Failover via MPLS Cisco 2800

Ok, trying to apply this to my other site (Site C) because they're having internet problems of their own. Should be set up the exact same way Site B is. Here's the commands I put in:

Commands

Site C router#

ip sla monitor 1
 type echo protocol ipIcmpEcho <isp-gateway>
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 <isp-gateway> track 1
ip route 0.0.0.0 0.0.0.0 <mpls-next-hop> 254
! <...> = address not given in the post

Site A router#

router bgp <as-number>
 network 0.0.0.0

Site A firewall#

route inside <site-c-subnet> 255.255.255.0 <next-hop> 1
nat (inside) 1 <site-c-subnet> 255.255.255.0

Results

From Site C I ping a site like yahoo. I get 9 replies, 2 timeouts. The pattern repeats.

So close, but there's still some problems. Any help is greatly appreciated.

Thanks in advance.


Internet Failover via MPLS Cisco 2800

tracert results from a pc on Site C:

  1    <1 ms    <1 ms    <1 ms
  2     3 ms     3 ms     3 ms
  3    18 ms    19 ms    19 ms  cr81.okbil.ip.att.net [12.123.210.246]
  4    17 ms    19 ms    19 ms  cr2.cgcil.ip.att.net [12.122.1.194]
  5    20 ms    19 ms    20 ms  cr1.cgcil.ip.att.net [12.122.2.53]
  6    19 ms    15 ms    15 ms  cr81.ipsin.ip.att.net [12.122.152.137]
  7     *        *        *     Request timed out.
  8    14 ms    13 ms    13 ms
  9    14 ms    14 ms    14 ms
 10     *        *       27 ms  gi2-10.na41.b021117-0.ind01.atlas.cogentco.com [38.109.176.9]
 11    15 ms    15 ms    27 ms  te4-2.3805.ccr01.ind01.atlas.cogentco.com [38.20.52.225]
 12    18 ms    18 ms    18 ms  te3-1.ccr01.cvg02.atlas.cogentco.com [154.54.84.165]
 13    20 ms    20 ms    20 ms  te3-1.ccr01.cmh02.atlas.cogentco.com [154.54.84.174]
 14    22 ms    22 ms    38 ms  te4-8.ccr02.cle04.atlas.cogentco.com [154.54.28.169]
 15    26 ms   217 ms   204 ms  te3-2.ccr01.pit02.atlas.cogentco.com [154.54.30.6]
 16     *        *        *     Request timed out.
 17    36 ms    36 ms    36 ms  te0-0-0-2.ccr21.iad02.atlas.cogentco.com [154.54.1.42]
 18    36 ms    36 ms    36 ms  te2-7.mpd01.iad01.atlas.cogentco.com [154.54.31.226]
 19    35 ms    35 ms    35 ms  yahoo.iad01.atlas.cogentco.com [154.54.11.114]
 20    35 ms    35 ms    35 ms  ae-6.pat2.dce.yahoo.com [216.115.102.176]
 21    69 ms    69 ms    69 ms  ae-6.pat2.dax.yahoo.com [216.115.96.21]
 22    65 ms    65 ms    69 ms  ae-1-d111.msr2.mud.yahoo.com [216.115.104.103]
 23     *        *        *     Request timed out.
 24    66 ms    69 ms    70 ms  te-8-1.fab2-a-gdc.mud.yahoo.com [209.191.78.141]
 25    69 ms    63 ms    69 ms  te-8-2.bas-c1.mud.yahoo.com [209.191.78.173]
 26    69 ms    63 ms    70 ms  ir1.fp.vip.mud.yahoo.com [209.191.122.70]

Trace complete.


Internet Failover via MPLS Cisco 2800

Ok, so we're getting somewhere now. Did some pinging around my network:

Site C PC > Site C Router: pings good
Site C PC > Site C MPLS interface: pings good
Site C PC > Site A MPLS interface: pings good
Site C PC > Site A inside ASA interface: pings good
Site C PC > Site A outside ASA interface: all pings dropped
Site C PC > Site A ISP-provided router: guess what... 9 replies, 2 drops, repeat

The problem comes once those packets get outside the ASA.
