cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8743
Views
31
Helpful
10
Replies
Beginner

Configure PBR with IP SLA on FTD

Hello Everyone , We are running FMC/FTD (4110) v6.2 , is it possible to create a PBR policy with IP SLA for Active/Active dual ISP scenario ? So far i am able to configure PBR with next hop but dont see any option to tie in IP sla with route map ?

10 REPLIES 10
Cisco Employee

First step is to configure IP

First step is to configure IP SLA tracking for the desired host. This will ensure R1 router will continuously monitor the Linux proxy and stop redirecting http traffic to it in the event it fails:

R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 192.168.150.2
R1(config-ip-sla)# frequency 4
R1(config-ip-sla)# timeout 2000
R1(config-ip-sla)# threshold 100
R1(config-ip-sla)# ip sla schedule 1 life forever start-time now

The above configuration defines and starts an IP SLA probe on router R1.

The ICMP Echo probe sends an ICMP Echo (ping) packet to IP 192.168.150.2 every 4 seconds, as defined by the frequency parameter.

Timeout sets the amount of time (in milliseconds) the Cisco IOS IP SLAs operation waits for a response from its request packet. This has been set to 2000 milliseconds, or 2 seconds which gives the host ample time to respond.

Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.

After defining the IP SLA operation, our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:

R1(config)# track 1 ip sla 1 reachability

The above command will track the state of the IP SLA operation. If there are no ping responses from the monitored IP address (192.168.150.2), the track will go down and it will come back up when the IP SLA operation starts receiving ping responses once again.

To verify the track status, use the “show track” command as shown below:

R1# show track 1
Track 1
  IP SLA 1 reachability
  Reachability is Up
    30 changes, last change 1d08h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0

The command output verifies that the tracked object is UP and has a response time of 1ms.  A closer look shows that ,for the duration of the tracking, the state has changed 30 times and the last change was 1 day and 8 hours ago.  This information is extremely important should it be necessary to troubleshoot intermittent problems that might be reported by the users.

The show route-map command is a favourite as it combines enough information to help verify everything is working as it should:

R1# show route-map
route-map linux-proxy, permit, sequence 1
  Match clauses:
    ip address (access-lists): http-traffic
  Set clauses:
    ip next-hop verify-availability 192.168.150.10 1 track 1  [up]
  Policy routing matches: 3864291 packets, 511957007 bytes

 

The numbers shown here verify immediately that our host is reachable (up) and that R1 has redirected more than 510MB of traffic through the Linux proxy!

The show IP SLA statistics command provides in a similar way useful information that helps verify the object tracking is working correctly and the tracked host is up:

R1# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: *21:36:47.855 UTC Tue Apr 3 2012
Latest operation return code: OK
Number of successes: 16
Number of failures: 0
Operation time to live: Forever
#Please rate if it helps
Beginner

Hello Farhan, Thanks for

Hello Farhan, Thanks for helping but this is incorrect, I am not looking for router configs.

Cisco Employee

So, do you need that for the

So, do you need that for the Firewall or FTD?

Beginner

FTD is firewall

FTD is firewall

Cisco Employee

I am searching for this, But

I am searching for this, But i am not able to find this for firewalls, I will certainly give you some links which may help you to dig in.

If that helps!

Beginner

"FlexConfig" is all I can say

Active/Standby Dual ISP:

You can achieve that by creating an SLA Monitor Object and linking it with a static route.

Open the device from Device Management under "Devices" 

Navigate to Routing > Add Static Route Configuration >

Fill in your route details.

The last option "Route Tracking" will help you add a "SLA Monitor Object".

Complete the SLA Monitor Object configuration and attach it with the route and you are good to go.

You can also create and modify your SLA Monitors under "Objects"

Active/Active Dual ISP:

This requires creating a policy based route which is not directly supported by FMC and hence need to be acheived through FlexConfig.

Re: Configure PBR with IP SLA on FTD

Hello Anwaradil,

 

Yes, in version 6.2 is possible to do that with FlexConfig.

 

Here is a video that explain step to step the way to get it:

 

https://www.youtube.com/watch?v=lakHhw9CR5Y

 

Regards,

Beginner

Re: Configure PBR with IP SLA on FTD

Hello Anwaradil,

you can check this video

https://www.youtube.com/watch?v=MKcSBTJ55e8&t=18s

Beginner

Re: Configure PBR with IP SLA on FTD

Hello Anwaradil,

you can check this video

https://www.youtube.com/watch?v=MKcSBTJ55e8&t=18s

 

Highlighted
Explorer

Re: Configure PBR with IP SLA on FTD

Yes, that is possible but it is not natively supported by the FMC so you need to use the FlexConfig feature of the FMC.