Cisco Support Community
New Member

IP SLA

here's the scenario:

STATIC NAT ON ASA:

Host A - 172.16.205.68 -> 10.10.1.50

Host B - 172.16.202.98 -> 10.10.1.51

All traffic except these 2 hosts above (example) is routed via RTR-2. Now, if RTR-2 goes down, fail over to RTR-1.

Host A and B will use RTR-1 as their primary route. Now, if RTR-1 goes down, fail over to RTR-2.

My IP SLA monitor is on the ASA-Firewall.

route outside 0.0.0.0 0.0.0.0 10.10.1.1 1 track 1
route outside 0.0.0.0 0.0.0.0 10.10.1.3 254
sla monitor 1
 type echo protocol ipIcmpEcho 63.75.29.125 interface outside
 num-packets 3
 timeout 300
 frequency 3
sla monitor schedule 1 life forever start-time now
service resetoutside
!
track 1 rtr 1 reachability

IP PBR is on the RTR-2:

interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map serverapps
 duplex auto
 speed auto
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.50
access-list 3 permit 10.10.1.51
!
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop 10.10.1.3

RTR-2 ROUTING:

router ospf 1
 router-id 10.10.1.1
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 63.75.29.125

RTR-1 ROUTING:

router ospf 1
 router-id 10.10.1.3
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 151.131.141.205

I got the RTR-2 to RTR-1 SLA working, but not RTR-1 to RTR-2. If RTR-1 goes down, it should fail over to RTR-2 ...

4 REPLIES
Gold

Re: IP SLA

If I read this correctly, the firewall will send all the traffic to router 2 as long as router 2's connection is functional, and router 2 will send all the traffic it does not want to process to router 1.

Kind of a different solution to the problem, but it works, mostly.

The only traffic that ever gets to router 1 in the normal case is coming from router 2. What you need to do is have router 2 track router 1's internet connection and not policy route if it's down. This is done with the reachability option and the track option on the policy route statement.

New Member

Re: IP SLA

That is correct, the firewall sends all traffic to router-2. I need this scenario below.

router-1 - critical applications

backup route: router-2

router-2 - non-critical applications

backup route: router-1

Gold

Re: IP SLA

The more common solution would be to do the policy routing for the critical apps on the firewall, but I don't know if the ASA can use the track options on policy routing.

Since you have this much working, just add the track to your policy route on router 2 and it will all work. You already know how to do the hard part, which is creation of the track object.

The only issue would be to make sure rtr 2 knows how to get to rtr 1's internet provider via your internal network rather than the internet, but you could monitor via the internet if you really wanted to.
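What the reply above describes, as an added example for RTR-2 (not configuration from the thread or from either poster): an IP SLA probe towards RTR-1's ISP next hop, a track object, and the existing serverapps route-map changed to policy route only while that track is up. It assumes the ACLs 2 and 3 and route-map name from the original post, that 151.131.141.205 is reachable from the LAN through RTR-1, and that RTR-1 NATs LAN-sourced traffic so the echo reply comes back.

```ios
! Added example, not the poster's configuration. Assumes ACL 2, ACL 3 and
! route-map "serverapps" from the original post, and that RTR-1 NATs LAN
! traffic so an echo to 151.131.141.205 (RTR-1's ISP next hop) is answered.
!
! Force the probe out via the LAN towards RTR-1, not via RTR-2's own ISP;
! otherwise the track would report RTR-2's upstream, not RTR-1's.
ip route 151.131.141.205 255.255.255.255 10.10.1.3
!
! Probe RTR-1's upstream every 5 s; a single probe fails after 1000 ms.
ip sla 10
 icmp-echo 151.131.141.205 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! Reachability track with dampening so one lost probe does not flap PBR.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Policy route Host A/B to RTR-1 only while track 10 is up. When it is
! down, the set clause is skipped and packets follow RTR-2's normal
! routing table (its own default via 63.75.29.125): RTR-1 -> RTR-2 failover.
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop verify-availability 10.10.1.3 10 track 10
```

On older IOS releases the same probe is written as `ip sla monitor 10` / `type echo protocol ipIcmpEcho 151.131.141.205 source-interface FastEthernet0/0` with `track 10 rtr 10 reachability`, matching the syntax the ASA config in the original post uses. Probing 10.10.1.3 itself would only detect RTR-1 being down, not RTR-1's ISP link failing, which is why the probe targets the upstream next hop.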

New Member

Re: IP SLA

not work
