Thursday, June 13, 2013

ISP Failover: 2 ISPs and 2 Firewalls


Question:

I'm working on setting up ISP failover on Cisco switches and looking for some direction, as the setup is a bit different than what I am used to:

There are two firewalls, two ISPs and two core switches set up in a GLBP configuration.
Firewall1 is connected to ISP1 and is used for internet access and NATs for our servers.
Firewall2 is connected to ISP2 and is used only for site-to-site VPNs.
We have multiple VLANs.


ISP1 --> FIREWALL1 & FIREWALL2 (Primary) --> CORESW1

ISP2 --> FIREWALL1 & FIREWALL2 (Secondary) --> CORESW2


Now these firewalls are set up in an Active/Standby configuration, so the Primary ones are going to Core1 and the Secondary ones are going to Core2.

On the FIREWALL1 there is a PAT setup like this:

object network outside_pat
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 1.1.1.1

There is none on the secondary, so I was thinking about doing one there and setting up tracking on my L3 switches. But since the second firewall has all the site-to-site VPNs, I'm thinking I will need to use the interface IP address, so something like this:

object network fw2_outside_pat
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Next, on the L3 switches right now I have the default route going to FIREWALL1's inside IP, let's say 192.168.1.1, and the inside IP of FIREWALL2 is 192.168.1.10. So I will set up tracking and a second default route:

track 999 ip route 0.0.0.0 0.0.0.0 reachability
! 192.168.1.10 is FIREWALL2's inside IP
ip route 0.0.0.0 0.0.0.0 192.168.1.10 track 999

So basically, if the default route via 192.168.1.1 is no longer working, the second route to 192.168.1.10 should become active.

Am I missing anything here?


Answer:

I think I understand your request about default routing to the first pair of ASAs and then the secondary failover route to the second pair of ASAs. I have also assumed that your whole routed network is in the 192.168.1.x range.

Hence I have this scenario, which hopefully illustrates something similar to yours. I set up "ASAs" with simple static routes and NAT/PAT to the internet.


Here in this scenario, there is an IP out on the internet - 100.0.0.1 - which I will try and get to in all my tests. I will use the provider's interface IP (WAN1 fa0/0) for tracking my default route. Then I will have a backup default route, by making it less preferred. I do this by increasing the metric. Therefore it doesn't make it to the routing table until the primary route fails.

GLBP doesn't matter too much here because it's for downstream devices, right? Not upstream.

The reason why I won't track 100.0.0.1 is because it will cause flaps with routes and tracking. I will be able to get to it via ASA 1, but when the routes fail over, I will still have access to 100.0.0.1 and I will have a default route in the routing table that doesn't work; then it fails over again, then it works via ASA2, then it puts the primary default route back, and we have this flapping problem....

So instead, I will track my providers IP which should be good enough.

Here's the show run on CORE01 - some output has been erased.

CORE01#
CORE01#show run

hostname CORE01
!
! probe the WAN1 provider address every 5 seconds, sourced from the inside SVI
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 source-interface Vlan192
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
! track 1 follows the probe result and conditions the primary default route
track 1 rtr 1 reachability
!
interface FastEthernet1/0
!
interface FastEthernet1/1
 switchport access vlan 192
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/10
 switchport mode trunk
!
interface Vlan192
 ip address 192.168.1.254 255.255.255.0
!
ip forward-protocol nd
! primary default via ASA cluster 1, withdrawn from the table when track 1 goes down
ip route 0.0.0.0 0.0.0.0 192.168.1.1 name D.R._WAN1_VIA_ASA_CLX1_PMRY track 1
! floating backup via ASA cluster 2, distance 100 so it only installs once the primary is gone
ip route 0.0.0.0 0.0.0.0 192.168.1.10 100 name D.R._WAN2_VIA_ASA_CLX2_BCKUP
! host route pins the probe to ASA cluster 1 so it cannot succeed over the backup path
ip route 1.1.1.1 255.255.255.255 192.168.1.1 name TO_WAN1_VIA_ASA_CLX1
!
CORE01#

=========================================
Here is the config on CORE02 (pretty much the same, tbh!)
=========================================

CORE02#
CORE02#show run
Building configuration...

hostname CORE02
!
! probe the WAN1 provider address every 5 seconds, sourced from the inside SVI
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 source-interface Vlan192
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
! track 1 follows the probe result and conditions the primary default route
track 1 rtr 1 reachability
!
interface FastEthernet1/0
!
interface FastEthernet1/1
 switchport access vlan 192
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1/10
 switchport mode trunk
!
interface Vlan192
 ip address 192.168.1.253 255.255.255.0
!
ip forward-protocol nd
! primary default via ASA cluster 1, withdrawn from the table when track 1 goes down
ip route 0.0.0.0 0.0.0.0 192.168.1.1 name D.R._WAN1_VIA_ASA_CLX1_PMRY track 1
! floating backup via ASA cluster 2, distance 100 so it only installs once the primary is gone
ip route 0.0.0.0 0.0.0.0 192.168.1.10 100 name D.R._WAN2_VIA_ASA_CLX2_BCKUP
! host route pins the probe to ASA cluster 1 so it cannot succeed over the backup path
ip route 1.1.1.1 255.255.255.255 192.168.1.1 name TO_WAN1_VIA_ASA_CLX1
!
CORE02#

Just to show that the tracking is 'up' and the default route is expected to go via ASA_CLX1, which is the 192.168.1.1 route.

Just to do a traceroute to 100.0.0.1 to see that both should go via ASA_CLX1 (WAN 1).

So both are going via the correct path (WAN 1, which is the 1.1.1.X network). Now I will fail WAN 1 by shutting down the interface on WAN 1. Reachability to 1.1.1.1 should stop and therefore tracking should fail. Then we should get our secondary route coming into play. Let's see what happens on both Cores when connectivity to WAN 1 is lost.

As you see, our secondary default route with metric 100 has come into play. The track went down and took the primary route out of the routing table. Since there is a secondary route, it's going via ASA_CLX2. Let's see what happens with a traceroute to 100.0.0.1.

Here we can see that both are now taking the path via the second ASA and the WAN 2 link via the 2.2.2.X network.
As soon as WAN 1 recovers, the tracking on both will pick this up, and then both will start to route via ASA1 and WAN 1 again.
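As an added example (not part of the original question or answer, and not IOS output), the following Python model reproduces the routing logic the answer describes: a tracked primary default route, a floating backup with a higher distance, and an IP SLA echo probe whose result drives the track object. It is run twice against the same WAN 1 outage: once tracking the provider IP 1.1.1.1 through the pinned /32 host route the answer configures, and once tracking the internet host 100.0.0.1 through whatever default route is currently installed, which shows the flapping the answer warns about. Addresses are the ones used in the thread; the `Topology` class, the outage schedule and the simplification that one SLA cycle equals one track update (real IOS has a probe frequency and optional track up/down delay timers) are constructed for this example.

```python
"""Toy model of IOS floating static routes driven by an IP SLA track object.

Constructed simulation for illustration, not IOS output. Addresses follow the
thread: ASA1 inside 192.168.1.1 (fronts WAN1, 1.1.1.x), ASA2 inside
192.168.1.10 (fronts WAN2, 2.2.2.x), internet target 100.0.0.1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ASA1 = "192.168.1.1"      # primary next hop
ASA2 = "192.168.1.10"     # backup next hop
WAN1_PROVIDER = "1.1.1.1"  # provider interface on WAN1, only exists behind ASA1
INTERNET_HOST = "100.0.0.1"


@dataclass
class StaticRoute:
    prefix: str                   # e.g. "0.0.0.0/0"
    next_hop: str
    distance: int = 1             # the trailing "100" on the backup route
    track: Optional[int] = None   # installed only while this track is up

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix)

    @property
    def prefix_len(self) -> int:
        return ipaddress.ip_network(self.prefix).prefixlen


class Topology:
    """Reachability through each ASA. Constructed, not measured."""

    def __init__(self) -> None:
        self.wan_up = {ASA1: True, ASA2: True}

    def reachable(self, dst: str, via: str) -> bool:
        if not self.wan_up[via]:
            return False
        # The WAN1 provider address is only behind ASA1; any other internet
        # host answers over whichever ASA still has a working WAN link.
        if dst == WAN1_PROVIDER:
            return via == ASA1
        return True


class CoreSwitch:
    """One L3 switch with static routes and a single track object."""

    def __init__(self, routes: List[StaticRoute], sla_target: str, topo: Topology) -> None:
        self.routes = routes
        self.sla_target = sla_target
        self.topo = topo
        self.track_up = True   # 'show track' starts Up, as in the answer

    def installed(self, r: StaticRoute) -> bool:
        return r.track is None or self.track_up

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest prefix wins, then lowest administrative distance."""
        cands = [r for r in self.routes if self.installed(r) and r.matches(dst)]
        if not cands:
            return None
        return min(cands, key=lambda r: (-r.prefix_len, r.distance))

    def sla_cycle(self) -> Optional[str]:
        """One echo probe. Like a real 'type echo' probe it follows the current
        routing table; its result sets the track state, after which the table
        is re-evaluated. Returns the next hop now used for the internet host."""
        route = self.lookup(self.sla_target)
        self.track_up = route is not None and self.topo.reachable(self.sla_target, route.next_hop)
        chosen = self.lookup(INTERNET_HOST)
        return chosen.next_hop if chosen else None


def simulate(sla_target: str, pin_probe: bool, wan1_schedule: List[bool]) -> List[str]:
    """One SLA cycle per schedule entry (True = WAN1 up). pin_probe adds the
    /32 host route the answer uses to force the probe via ASA1."""
    topo = Topology()
    routes = [
        StaticRoute("0.0.0.0/0", ASA1, distance=1, track=1),   # tracked primary
        StaticRoute("0.0.0.0/0", ASA2, distance=100),          # floating backup
    ]
    if pin_probe:
        routes.append(StaticRoute(f"{sla_target}/32", ASA1))
    core = CoreSwitch(routes, sla_target, topo)
    path = []
    for up in wan1_schedule:
        topo.wan_up[ASA1] = up
        path.append(core.sla_cycle())
    return path


def blackholed(path: List[str], wan1_schedule: List[bool]) -> int:
    """Cycles in which traffic is sent to ASA1 although WAN1 is down."""
    return sum(1 for hop, up in zip(path, wan1_schedule) if hop == ASA1 and not up)


# constructed outage: two cycles up, four cycles with WAN1 down, two cycles recovered
SCHEDULE = [True, True, False, False, False, False, True, True]

if __name__ == "__main__":
    good = simulate(WAN1_PROVIDER, True, SCHEDULE)
    bad = simulate(INTERNET_HOST, False, SCHEDULE)
    print("track 1.1.1.1 via pinned /32:", good, "blackholed:", blackholed(good, SCHEDULE))
    print("track 100.0.0.1 via default:  ", bad, "blackholed:", blackholed(bad, SCHEDULE))
```

Running the module shows the pinned probe failing over to 192.168.1.10 once and staying there until WAN 1 recovers, while the probe that follows the default route succeeds over ASA2 as soon as the backup installs, pulls the dead primary route back in, fails, and repeats, so every other cycle during the outage black-holes traffic into ASA1. The pinned /32 is what breaks that loop, which is why the answer's configs carry the `1.1.1.1 255.255.255.255` route alongside the two defaults.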
