06-14-2012 10:38 AM - edited 03-04-2019 04:41 PM
Currently I'm looking for a way to failover our internet connection from one site to another site over our MPLS line, should that internet connection go down.
My layout: Internet > Cable internet modem (Site B) > ASA 5510 (Site B) > 2821 Router (Site B) > MPLS Line > 2821 Router (Site A) > ASA5510 (Site A) > ISP provider internet router (Site A) > Internet
Facts:
Site B is the one with the internet issues.
The MPLS line is routed using BGP.
I think I'm on the right track with these posts:
https://supportforums.cisco.com/thread/2106249
But there's not enough for me to go on. Any config help is appreciated.
Thanks in advance.
06-14-2012 02:23 PM
Adam,
How are you getting your default route now for site B? One way to do this is to create another default route on site B's router and then point that to the MPLS site. You'd create NAT statements on both ASAs for site B and then you should be good.
Do you have a static route pointing to your Cable ISP provider? If so, you can track that and then put the other route in the table should the ISP go down.
On site B's router put in:
ip sla monitor 1
 type echo protocol ipicmpecho
 frequency 5
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
If you're running BGP between site B and site A, you won't need to do anything with BGP. Floating statics are all you really need.
HTH,
John
06-14-2012 02:33 PM
The default route for site B is to our firewall, but we do have static IPs from our cable ISP. Here's a rough mock up config, with some questions:
ip sla 1
 icmp-echo
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 20
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
I kind of cobbled that together from several sites. That looks similar to your config, John.
06-14-2012 02:38 PM
The track command on the static route basically states "keep this route in the table as long as the reachability to it is valid." Then on the track command you're monitoring the sla. If the sla fails, reachability goes down for the track command and your static is taken out of the routing table. Then your floating static comes into play.
If your sla is trying to ping the ISP's router and that fails, your route will still fail because you're depending on the sla to succeed. So, it's ok that your router is behind the firewall because this should still work.
HTH,
John
06-15-2012 06:27 AM
Here's the final config:
ip sla monitor 1
 type echo protocol ipicmpecho
 frequency 5
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
For the problem child, I've tried Site A's router's MPLS interface, its inside router interface, and Site A's default gateway. No luck. A traceroute from site B shows it's not making the hop over the MPLS even though the MPLS line is fully functional besides this.
What am I missing? Is there something I need to put in Router A's config? Note: Pings over MPLS to all of the problem child interfaces I tried come back good, so Router B can see them just fine. Note: The failover portion works fine in that it is trying to direct it over the MPLS; there's just the problem child situation to deal with.
Any help is very much appreciated as this site is cut off from the internet besides RDP right now.
Thanks in advance.
06-15-2012 06:36 AM
Hello Adam,
I have noticed the following line in your initial post:
>> The MPLS line is routed using BGP.
If this is an MPLS L3 VPN service, in order to be able to use the MPLS link as an alternate internet access you need to advertise a default route over BGP from the site that will provide internet access to the other one.
Because if this is an MPLS L3 VPN, you are peering at each site with SP routers and you need to make them know that a default route is available and have it propagated to the other site.
So instead of configuring static routes on one site pointing to the other one, you may need to advertise the default route over BGP from the other site.
Hope to help
Giuseppe
06-15-2012 06:39 AM
Can I get IP SLA to failover to this advertised BGP route or do I need to start from scratch since I'm using BGP?
06-15-2012 06:43 AM
Looks like this might be along the lines of what I'm looking for:
https://supportforums.cisco.com/thread/2006404
Investigating giving "weight" to BGP routes right now...
06-15-2012 06:46 AM
Hello Adam,
if the idea is to have a backup internet access via the MPLS cloud, you can keep the part relative to the main default static route, so that it is tracked with an IP SLA. But you need to advertise network 0.0.0.0/0 in BGP from the other router to the MPLS cloud over the existing eBGP session to provide the secondary default route over eBGP.
Hope to help
Giuseppe
06-15-2012 06:52 AM
Having backup internet access via the MPLS cloud is exactly what I'm trying to do. So do I keep my IP SLA config the same and just advertise a default route via BGP, or is there something else I need to change? I don't understand BGP too well, but I'm thinking I'll have to say some way in my advertisement that this is a backup default route. Currently researching that angle...
06-15-2012 07:01 AM
Hello Adam,
because of the presence of the ASA boxes you will need almost all of what you have discussed with John, and you need to add specific commands for having the default route propagated.
One of simplest ways is to use
router bgp
 network 0.0.0.0
to have the CE MPLS router to advertise a default route to the eBGP neighbor. This has to be done on the site that will provide the internet access to the other site.
At the remote end you have to verify that you are receiving the default route over eBGP using
show ip bgp 0.0.0.0
If there are no route filters the route should be propagated to the remote MPLS router.
eBGP has AD = 20 > 1 (the AD of the main static default route).
On that node the main default route will be provided by tracked static route and will point to local ASA, the backup route will be provided by eBGP.
As John has said, on the ASA of the site providing the internet access you will need additional NAT statements to accommodate the IP subnets of the other site, and also some additional static routes for the other site's IP subnets to provide the return path from the internet.
Hope to help
Giuseppe
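The route selection John and Giuseppe describe (tracked static default at AD 1, eBGP-learned default at AD 20 as the floating backup) modelled as a small RIB, an added example that is not from the thread or from Cisco. All addresses are constructed placeholders; it also shows why a practitioner usually pins the SLA probe target to the primary path with an untracked host route, since after failover the probe would otherwise follow the backup default and could bring the primary back up prematurely.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

AD_STATIC = 1    # IOS default administrative distance for a static route
AD_EBGP = 20     # IOS default administrative distance for an eBGP-learned route

@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "0.0.0.0/0"
    next_hop: str
    distance: int                 # administrative distance
    track: Optional[int] = None   # track object a static depends on, if any

def rib(candidates: List[Route], track_state: Dict[int, bool]) -> Dict[str, Route]:
    """Per prefix, keep the lowest-AD route whose track object (if any) is up."""
    best: Dict[str, Route] = {}
    for r in candidates:
        if r.track is not None and not track_state.get(r.track, False):
            continue  # tracked static is withdrawn while reachability is down
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return best

def lookup(table: Dict[str, Route], dest: str) -> Optional[str]:
    """Longest-prefix match, as the forwarding decision would do."""
    addr = ipaddress.ip_address(dest)
    matches = [r for p, r in table.items() if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).next_hop

# Constructed site-B table (placeholders): ASA is 192.168.1.2, the SP MPLS router
# is 10.0.0.1, and the SLA pings the cable ISP gateway 203.0.113.1.
ASA, MPLS_PE, PROBE = "192.168.1.2", "10.0.0.1", "203.0.113.1"
SITE_B = [
    Route("0.0.0.0/0", ASA, AD_STATIC, track=1),   # primary default, tracked by IP SLA
    Route("0.0.0.0/0", MPLS_PE, AD_EBGP),          # backup default advertised by site A
]
PROBE_PIN = [Route(PROBE + "/32", ASA, AD_STATIC)]  # untracked host route for the probe

def default_next_hop(track_up: bool, pin_probe: bool = False) -> Optional[str]:
    table = rib(SITE_B + (PROBE_PIN if pin_probe else []), {1: track_up})
    return lookup(table, "198.51.100.7")  # any internet destination

def probe_next_hop(track_up: bool, pin_probe: bool = False) -> Optional[str]:
    table = rib(SITE_B + (PROBE_PIN if pin_probe else []), {1: track_up})
    return lookup(table, PROBE)
```

With the track down and no host route, the probe itself is forwarded over the MPLS backup; with the /32 pinned it stays on the ASA path regardless of track state.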
06-15-2012 07:42 AM
All of this has helped immensely, I think I'm almost there. With my NATting, all I did was add the following line to Site A's firewall:
nat (inside) 1
The connection isn't consistent, but it looks to be enough to do some surfing. Does this NATting look right?
06-15-2012 07:59 AM
Adam,
The NATting looks correct, but you also need to make sure that you have a route on your ASA for that subnet pointing back to the router that you have at Site A. If everything is right, you should be able to ping your site B internal addresses from the ASA at site A.
John
06-15-2012 08:09 AM
I apologize for my ignorance on the topic, but I cannot find in my router config where it defines what networks are being let back in. Any help, again, is greatly appreciated.
06-15-2012 08:31 AM
This would be in your routing table. On your router A, do a "show ip route".
Suppose I was on router A and was interested in seeing my internal subnet at site B:
My internal subnet is 172.11.10.0/24, so on router A I would type "sh ip route 172.11.10.0/24"
Routing entry for 172.11.10.0/24
  Known via "bgp 2", distance 20, metric 0
  Tag 1, type external
  Last update from 172.12.0.1 12:17:59 ago
  Routing Descriptor Blocks:
  * 172.12.0.1, from 172.12.0.1, 12:17:59 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1
On this router, I show I learned it from 172.12.0.1 (site B's IP address) and my next hop to get to 172.11.10.0/24 is 172.12.0.1.
If your site A router has site B's internal address, then you'll need to add the route on the ASA so that traffic to site B goes to router A:
ASA# route inside 172.11.10.0 255.255.255.0 192.168.1.1
I'm assuming that router A's interface that connects to the ASA is 192.168.1.1 and the ASA is addressed at 192.168.1.2 (just a huge assumption).
Then when your natted traffic comes back in, the ASA will send to 192.168.1.1 for 172.11.10.0 and router A will send to 172.12.0.1 to get to the 172.11.10.0/24.
Oh, and to see what addresses BGP knows on any of your routers, you can do a "sho ip bgp". The *> means that the route is selected and put in the routing table: * means valid and > means the best route. By default, BGP will only put 1 route in the routing table even if you have multiple paths out.
John