Monday, September 17, 2007

Cisco Failover

I have seen several requests for information regarding Cisco failover. The following seems to work with IOS 12.4 and higher. I'm fairly certain it works with 12.3 as well, but I have not confirmed this, as I have upgraded all of my clients beyond that release.

Cisco IOS provides a little-known feature called a tracking object. None of the following can be done through the SDM; it must be done through the CLI. I recommend doing everything through the CLI anyway, as the SDM has some inadequacies that I won't go into here.

You will need at least two remote IPs to use as test targets. I usually use 4.2.2.1 for the first and 4.2.2.2 for the second; these two IPs are never down. You will need to create a host static route for each test IP pointing out the interface it is meant to test, so that each probe only measures its own connection. I have included an example of this in the config. I have also included the NAT overload statements.

I hope the following helps. Please let me know if you know of a better way to do this. I cannot get any of my providers to support me with BGP, so this is how I have to do it. I created this from a known good configuration of one of my clients. Please let me know if I entered any typos.

LEGEND
your_first_test_ip = the IP you will use to test your primary connection.
your_second_test_ip = the IP you will use to test your secondary connection.
your_primary_firsthop_ip = the first outside hop of your primary connection; next hop of the default route for the primary connection.
your_secondary_firsthop_ip = the first outside hop of your secondary connection; next hop of the default route for the secondary connection.
primary_interface = the interface name of your primary internet connection.
secondary_interface = the interface name of your secondary internet connection.
internal_ip_range = the IP range of your internal devices.

In my sample config, I assume two connections: one primary and one secondary.
Config:
! Keyword set of the older 12.4 images; later releases replace "ip sla monitor"
! with "ip sla" (probe type "icmp-echo") and "track ... rtr" with "track ... ip sla".
! Each probe is sourced from the interface of the link it tests, so the reply
! has to come back over that same link.
ip sla monitor 1
 type echo protocol ipIcmpEcho your_first_test_ip source-interface primary_interface
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2
 type echo protocol ipIcmpEcho your_second_test_ip source-interface secondary_interface
 timeout 2000
 threshold 2000
 frequency 3
ip sla monitor schedule 2 life forever start-time now

! A track object goes Down when its probe stops getting replies; a static
! route tied to it is then withdrawn from the routing table.
track 100 rtr 1 reachability
track 200 rtr 2 reachability

! The secondary default route carries a higher administrative distance (10)
! so it is only installed once track 100 withdraws the primary route. With
! the same distance on both, IOS installs both and load-shares over the two ISPs.
ip route 0.0.0.0 0.0.0.0 your_primary_firsthop_ip track 100
ip route 0.0.0.0 0.0.0.0 your_secondary_firsthop_ip 10 track 200
! Host routes pin each test IP to its own connection regardless of which
! default route is active.
ip route your_first_test_ip 255.255.255.255 your_primary_firsthop_ip
ip route your_second_test_ip 255.255.255.255 your_secondary_firsthop_ip

ip nat inside source route-map primary interface primary_interface overload
ip nat inside source route-map secondary interface secondary_interface overload

ip access-list extended primary-route
 10 permit ip internal_ip_range 0.0.0.255 any

ip access-list extended secondary-route
 10 permit ip internal_ip_range 0.0.0.255 any

! NAT only evaluates the match clauses of a route-map. Matching on the
! outgoing interface as well as the ACL makes a flow translate to the address
! of the interface it actually leaves by; with the ACL alone, the first NAT
! rule would match all inside traffic whichever link is active.
route-map primary permit 10
 match ip address primary-route
 match interface primary_interface

route-map secondary permit 10
 match ip address secondary-route
 match interface secondary_interface


Two notes for troubleshooting.

show track
-This will show you the state of your tracking objects (Up or Down).

show ip access-list
-Watch for hits on your ACLs. This way you can verify that NAT is using the expected rule.
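As an added example (not part of the original post), the following Python script models the route selection that the track objects and administrative distances above produce, and parses the two show commands just mentioned to confirm that the active link and the NAT ACL hits agree. The show output is constructed to resemble IOS 12.4 output rather than captured from a router, the distances 1 and 10 and the ACL names are the ones assumed in the config, and the function names are my own.

```python
"""Model the IP SLA / track / static-route failover design and check it
against 'show track' and 'show ip access-list' output."""
import re
from typing import Dict, List, Tuple

# Constructed sample of "show track" output (not captured from a real router).
SAMPLE_SHOW_TRACK = """\
Track 100
  Response Time Reporter 1 reachability
  Reachability is Up
    2 changes, last change 01:02:03
  Latest operation return code: OK
  Latest RTT (millisecs) 18
  Tracked by:
    STATIC-IP-ROUTING 0
Track 200
  Response Time Reporter 2 reachability
  Reachability is Down
    5 changes, last change 00:00:42
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
"""

# Constructed sample of "show ip access-list" output.
SAMPLE_SHOW_ACL = """\
Extended IP access list primary-route
    10 permit ip 192.168.1.0 0.0.0.255 any (48213 matches)
Extended IP access list secondary-route
    10 permit ip 192.168.1.0 0.0.0.255 any
"""

# Default routes as (name, track object, administrative distance); values
# assumed from the sample config above.
ROUTES = [("primary", 100, 1), ("secondary", 200, 10)]


def parse_show_track(text: str) -> Dict[int, bool]:
    """Map each track object number to True (Up) or False (Down)."""
    states: Dict[int, bool] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Track (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"^\s*Reachability is (Up|Down)", line)
        if m and current is not None:
            states[current] = m.group(1) == "Up"
    return states


def parse_acl_hits(text: str) -> Dict[str, int]:
    """Map each named ACL to the total match count over its entries."""
    hits: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Extended IP access list (\S+)", line)
        if m:
            current = m.group(1)
            hits[current] = 0
            continue
        m = re.search(r"\((\d+) matches\)", line)
        if m and current is not None:
            hits[current] += int(m.group(1))
    return hits


def installed_default_routes(track_states: Dict[int, bool], routes=ROUTES) -> List[str]:
    """Return the default route(s) IOS would install: only routes whose track
    object is Up are candidates, and among those only the lowest administrative
    distance wins. Equal distances leave several entries installed (load
    sharing), which is why the secondary route needs a higher distance."""
    candidates = [(ad, name) for name, trk, ad in routes if track_states.get(trk, False)]
    if not candidates:
        return []
    best = min(ad for ad, _ in candidates)
    return [name for ad, name in candidates if ad == best]


def check_path(show_track: str, show_acl: str, routes=ROUTES) -> Tuple[List[str], List[str]]:
    """Return (active default routes, warnings) from the two show outputs."""
    active = installed_default_routes(parse_show_track(show_track), routes)
    hits = parse_acl_hits(show_acl)
    warnings: List[str] = []
    if not active:
        warnings.append("no default route: both track objects are Down")
    if len(active) > 1:
        warnings.append("equal distance on %s: traffic load-shares instead of failing over" % ", ".join(active))
    for name in active:
        # The ACL of the active link should be accumulating NAT hits.
        if hits.get(name + "-route", 0) == 0:
            warnings.append("%s is active but ACL %s-route has no hits: check the NAT route-map" % (name, name))
    return active, warnings


if __name__ == "__main__":
    print(check_path(SAMPLE_SHOW_TRACK, SAMPLE_SHOW_ACL))
```

Feed it the real output of the two commands (pasted into the two strings or read from files) and the warnings tell you whether the router is in the state the design intends: one default route installed, belonging to the link whose ACL is taking the hits.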
