Beginner

Failover of Traffic using IPSLA

Proposed Solution

Here is the proposed solution for replacing the current Cisco IPS (stand-alone) with two Firepower Threat Defense devices (stand-alone).

Since we have not procured FMC, HA is not possible using the FDM supplied with FTD. Now the requirement is to fail over the traffic from one FTD to another using IP SLA.

Can someone advise what configuration is needed to achieve this setup?

Contributor

Re: Failover of Traffic using IPSLA

Hi,

Based on your explanation, you would need to track multiple interfaces to make it work without creating a black hole in the network. In my opinion, you can use static routes on the CE MPLS router and Core switches. For example, on Core 1 you would have 2 static routes: one with FTD 1 as the next-hop (this is the interface you will be tracking) and another with Core SW2 as the next-hop (this static route will have a higher AD). Core SW 1 would need to monitor via ICMP the g0/1 of FTD and either g0/0 of FTD or port 1 of the CE MPLS router, and if any one of them fails, traffic switches over to FTD 2 by removing the primary static route and installing the backup route.

 

IP SLA configuration to track multiple interfaces (you would need this configuration on the Core switches and MPLS router):

ip sla 1
 icmp-echo x.x.x.x source-interface xx
 timeout 15000
 frequency 15
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo x.x.x.x source-interface xx
 timeout 15000
 frequency 15
ip sla schedule 2 life forever start-time now
!
! Leaf track objects follow the reachability result of each probe
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! "boolean and": track 3 is UP only while BOTH probes succeed, so the
! primary route is withdrawn as soon as either monitored interface fails
track 3 list boolean and
 object 1
 object 2
!
! Primary default route via FTD 1, installed only while track 3 is UP
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 3
! Floating backup via Core SW2 / FTD 2: any AD greater than 1 works
ip route 0.0.0.0 0.0.0.0 x.x.x.x 5


Hope this helps!
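The tracking logic described in the reply above, as an added example that is not part of the thread or any Cisco code: a small Python model of how IOS object tracking gates a tracked static route, so you can check which `track 3 list boolean {and|or}` operator actually matches the intent of failing over when any one monitored interface stops answering ICMP. The next-hop labels ("FTD1", "CoreSW2"), the track-to-SLA mapping and the administrative distances are constructed for the example.

```python
"""Model of IOS object tracking driving floating static routes.

Constructed example, not Cisco code: it reproduces the decision logic of
`track N list boolean {and|or}` feeding `ip route ... track N`, so the
difference between AND and OR can be checked against the intent
"fail over if ANY monitored interface is unreachable".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    admin_distance: int = 1          # IOS default AD for a static route
    track: Optional[int] = None      # `ip route ... track N`: route exists only while N is UP


@dataclass
class TrackList:
    operator: str                    # "and" or "or", as in `track N list boolean {and|or}`
    objects: List[int]               # member `object N` lines


def track_is_up(track_id: int, sla_reachable: Dict[int, bool],
                leaf_tracks: Dict[int, int], track_lists: Dict[int, TrackList]) -> bool:
    """Evaluate one track object.

    Leaf objects (`track N ip sla M reachability`) are UP when probe M succeeds.
    List objects combine their members: AND is UP only if every member is UP,
    OR is UP if at least one member is UP.
    """
    if track_id in track_lists:
        tl = track_lists[track_id]
        states = [track_is_up(o, sla_reachable, leaf_tracks, track_lists) for o in tl.objects]
        return all(states) if tl.operator == "and" else any(states)
    return sla_reachable[leaf_tracks[track_id]]


def installed_route(routes: List[StaticRoute], sla_reachable: Dict[int, bool],
                    leaf_tracks: Dict[int, int],
                    track_lists: Dict[int, TrackList]) -> Optional[StaticRoute]:
    """Routing-table rule: of the candidates for a prefix whose track is UP
    (or that are untracked), the lowest administrative distance is installed."""
    eligible = [r for r in routes
                if r.track is None or track_is_up(r.track, sla_reachable, leaf_tracks, track_lists)]
    return min(eligible, key=lambda r: r.admin_distance) if eligible else None


def core1_next_hop(operator: str, inside_up: bool, outside_up: bool) -> Optional[str]:
    """Core SW1's installed default route for the given list operator and probe results.

    Constructed topology: track 1 follows ip sla 1 (FTD 1 inside interface),
    track 2 follows ip sla 2 (FTD 1 outside interface or CE port 1).
    """
    routes = [
        StaticRoute("0.0.0.0/0", "FTD1", admin_distance=1, track=3),   # primary, tracked
        StaticRoute("0.0.0.0/0", "CoreSW2", admin_distance=5),         # floating backup
    ]
    leaf_tracks = {1: 1, 2: 2}                   # track 1 -> ip sla 1, track 2 -> ip sla 2
    track_lists = {3: TrackList(operator, [1, 2])}
    sla_reachable = {1: inside_up, 2: outside_up}
    route = installed_route(routes, sla_reachable, leaf_tracks, track_lists)
    return route.next_hop if route else None


def black_hole_scenarios(operator: str) -> List[str]:
    """Probe-state combinations in which a partially failed FTD 1 still receives traffic."""
    bad = []
    for inside_up, outside_up in [(True, False), (False, True)]:
        if core1_next_hop(operator, inside_up, outside_up) == "FTD1":
            bad.append(f"inside_up={inside_up} outside_up={outside_up}")
    return bad


if __name__ == "__main__":
    for op in ("or", "and"):
        print(f"boolean {op}: black-hole cases -> {black_hole_scenarios(op) or 'none'}")
```

Running it shows that with `boolean or` the primary route stays installed while only one of the two probes succeeds, which is exactly the black-hole case the reply warns about; with `boolean and` both partial-failure combinations withdraw the primary route and the floating route via Core SW2 takes over.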

Beginner

Re: Failover of Traffic using IPSLA

"Since we have not procured FMC"

What do you mean? Why don't you use virtual FMC?