There are often requests for information regarding Cisco failovers. The following seems to work with 12.4 and higher. It should also work with 12.3, but this has not been tested.
Cisco provides a little-known item called a tracking object. None of the following can be done through the SDM; it must be done through the CLI. In any case, it is recommended that you do everything through the CLI, since the SDM has some interesting inadequacies (for another article).
You will need at least two remote IPs to use as a test. For example, you can use 4.2.2.1 for the first and 4.2.2.2 for the second. These two IPs are never down. You will need to create a host static route for each of the IPs going out the interface to test. There is an example of this in the config. Also included are the overload statements.
Hopefully the following helps. If you know of a better way to do this, please share it here. This was created using a known good configuration of a real client.
LEGEND
your_first_test_ip = the IP you will use to test your primary connection.
your_second_test_ip = the IP you will use to test your secondary connection.
your_source_ip = the address on your router that the test probes are sent from (used by the SLA monitors below).
your_primary_firsthop_ip = the first outside hop of your primary connection. Default route for the primary connection.
your_secondary_firsthop_ip = the first outside hop of your secondary connection. Default route for the secondary connection.
primary_interface = the interface name of your primary Internet connection.
secondary_interface = the interface name of your secondary Internet connection.
internal_ip_range = IP range of your internal devices.
This sample config assumes 2 connections: one primary and one secondary.
Config:

! Probe 1: ICMP echo to the first test IP, sourced from your_source_ip.
! A probe fails if no reply arrives within 2000 ms; one probe is sent every 3 seconds.
ip sla monitor 1
 type echo protocol ipIcmpEcho your_first_test_ip source-ipaddr your_source_ip
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
!
! Probe 2: the same test for the secondary connection.
ip sla monitor 2
 type echo protocol ipIcmpEcho your_second_test_ip source-ipaddr your_source_ip
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
! Tracking objects: each one follows the reachability result of its probe.
track 100 rtr 1 reachability
track 200 rtr 2 reachability
!
! Default routes: each is installed only while its tracking object is up.
ip route 0.0.0.0 0.0.0.0 your_primary_firsthop_ip track 100
ip route 0.0.0.0 0.0.0.0 your_secondary_firsthop_ip track 200
!
! Host routes pin each test IP to its own connection, so the probe for one
! link cannot be answered over the other link.
ip route your_first_test_ip 255.255.255.255 your_primary_firsthop_ip
ip route your_second_test_ip 255.255.255.255 your_secondary_firsthop_ip
!
! Overload (PAT) the internal range out of each interface.
ip nat inside source route-map primary interface primary_interface overload
ip nat inside source route-map secondary interface secondary_interface overload
!
ip access-list extended primary-route
 10 permit ip internal_ip_range 0.0.0.255 any
ip access-list extended secondary-route
 10 permit ip internal_ip_range 0.0.0.255 any
!
route-map primary permit 10
 match ip address primary-route
 set ip next-hop your_primary_firsthop_ip
route-map secondary permit 10
 match ip address secondary-route
 set ip next-hop your_secondary_firsthop_ip
Two notes for troubleshooting.
show track
This will show you what state your tracking objects are in.
show ip access-list
Watch for hits on your ACLs. This way you can verify that NAT is using the connection you expect.
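As an added example (not part of the original post), here is a small Python script that reads the two troubleshooting commands above and reports which default route is in service. The `show track` and `show ip access-list` text it parses is constructed to match the IOS 12.4 output format for the config above; it was not captured from a real device, and the track-to-link mapping (100 = primary, 200 = secondary) is taken from the config. Paste real command output into the same variables, or feed it in from a file, to run it against your own router.

```python
import re

# Constructed sample of `show track` output for the two reachability tracks
# in the config above (not captured from a real device).
SAMPLE_SHOW_TRACK = """\
Track 100
  Response Time Reporter 1 reachability
  Reachability is Up
    2 changes, last change 00:05:12
  Latest operation return code: OK
  Latest RTT (millisecs) 21
  Tracked by:
    STATIC-IP-ROUTING 0
Track 200
  Response Time Reporter 2 reachability
  Reachability is Down
    5 changes, last change 00:00:41
  Latest operation return code: Timeout
  Latest RTT (millisecs) 0
  Tracked by:
    STATIC-IP-ROUTING 0
"""

# Constructed sample of `show ip access-list` output for the two NAT ACLs.
SAMPLE_SHOW_ACL = """\
Extended IP access list primary-route
    10 permit ip 192.168.1.0 0.0.0.255 any (1234 matches)
Extended IP access list secondary-route
    10 permit ip 192.168.1.0 0.0.0.255 any
"""

# Which default route each tracking object guards; mirrors the config above.
TRACK_TO_LINK = {100: "primary", 200: "secondary"}


def parse_show_track(text):
    """Return {track_id: {"up", "rtr", "rtt_ms", "code"}} from `show track` output."""
    tracks = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Track (\d+)", line)
        if m:
            current = int(m.group(1))
            tracks[current] = {"up": None, "rtr": None, "rtt_ms": None, "code": None}
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"Response Time Reporter (\d+) reachability", s)
        if m:
            tracks[current]["rtr"] = int(m.group(1))
        m = re.match(r"Reachability is (Up|Down)", s)
        if m:
            tracks[current]["up"] = m.group(1) == "Up"
        m = re.match(r"Latest operation return code: (.+)", s)
        if m:
            tracks[current]["code"] = m.group(1).strip()
        m = re.match(r"Latest RTT \(millisecs\) (\d+)", s)
        if m:
            tracks[current]["rtt_ms"] = int(m.group(1))
    return tracks


def parse_acl_hits(text):
    """Return {acl_name: total_matches} from `show ip access-list` output."""
    hits = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(?:Extended|Standard) IP access list (\S+)", line)
        if m:
            current = m.group(1)
            hits[current] = 0
            continue
        m = re.search(r"\((\d+) match(?:es)?\)", line)  # IOS prints "(1 match)" / "(N matches)"
        if m and current is not None:
            hits[current] += int(m.group(1))
    return hits


def active_links(tracks, mapping=TRACK_TO_LINK):
    """Names of the links whose default route is currently installed (track is Up)."""
    return [mapping[t] for t, info in tracks.items() if t in mapping and info["up"]]


def failover_report(track_text, mapping=TRACK_TO_LINK):
    """Summarise the failover state from `show track` output."""
    tracks = parse_show_track(track_text)
    links = active_links(tracks, mapping)
    if not links:
        status = "OUTAGE: no default route installed"
    elif len(links) == len(mapping):
        # Both static default routes share the default administrative distance,
        # so with both tracks Up both are installed and IOS load-shares per destination.
        status = "both links up: both default routes installed"
    else:
        status = "failover: traffic using " + ", ".join(links) + " only"
    return {"tracks": tracks, "active": links, "status": status}


if __name__ == "__main__":
    report = failover_report(SAMPLE_SHOW_TRACK)
    for tid, info in report["tracks"].items():
        print(f"track {tid}: up={info['up']} rtt={info['rtt_ms']}ms code={info['code']}")
    print(report["status"])
    print("ACL hits:", parse_acl_hits(SAMPLE_SHOW_ACL))
```

Running it on the sample prints that track 200 is down with a Timeout return code, that only the primary link is carrying traffic, and that all NAT matches so far are on primary-route. The ACL counters only ever grow, so take two readings a minute apart and compare them; a rising count on secondary-route while track 100 is Up tells you the NAT is not going where the routing table says it should.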
2 comments:
Thanks for the information.
Do we have to do anything on the remote site, as the remote site has a route pointing from the primary WAN connection? Do we have to run the track there as well?