ISP redundancy testing

Tim.Lofgren
Level 1

Community members,

I have a firewall that I need to test ISP redundancy configuration on. There is a layer 3 switch directly connected to that firewall that is the core switch for the building that I am in. On my desk is another layer 3 switch that is directly connected to the core switch for this building. There is no direct connection to the firewall. I need to make the switch on my desk use the firewall as the default gateway instead of the firewall that is in the default path of the core switch. They are on different subnets, but all routing is configured on the core switch. I am just trying to bypass the route that controls all traffic from this site and let this device stand alone with a separate route so that I can test the failover of the ISP redundancy config without disrupting the main route. I hope this makes sense. Let me know if any further explanation is needed.

Tim

7 Replies

balaji.bandi
Hall of Fame

It's nice to draw a network diagram to understand, and post a sample config of what you think is working.

BB

@balaji.bandi 

Thank you for the interest. I have added a simple diagram of the portion of the network that involves this situation. All that I need is a bump in the right direction. Currently my laptop is connected to the core switch via Ethernet CAT6. It is also connected via console to the Test switch. There are two pathways in the drawing. The default route of all traffic uses the green pathway from the core out to the edge firewall and then beyond to the internet. I need to route only traffic for the Test Switch out the black path to the Test Firewall so that I can then connect the two Test PCs to perform the ISP redundancy failover testing on the Test Firewall. Currently the Test Switch has a default gateway and default route to the Test Firewall. But that did not work, as only the directly connected Core Switch could ping the Test Switch. Is there a way to send all traffic from the Test Switch to the Test Firewall instead of the default path of the Core Switch that goes to the Interior Firewall?

Tim

Tim

There are still some things about your situation that I do not know and that might impact my suggestion. But the drawing is helpful. And if I am understanding the drawing correctly, my suggestion is that there is not anything that you can do on the test switch to direct the test traffic to the new firewall. No matter what the test switch configures as its default gateway, its path outbound is through the core switch. And that means that the core switch will make its own decision about how to forward the traffic (no matter what the test switch decided). So what you need is to configure Policy Based Routing on the core switch to recognize traffic originating from the test PCs and forward that traffic to the test firewall. (And one of the things that I do not know is whether your core switch supports PBR.) If you get PBR working correctly on the core switch, it should achieve your requirements.

HTH

Rick

Tim

I am confident that my suggestion to use PBR is the solution to your primary question about how to test ISP failover. But in reading your post I realize that there may be another issue involved. You told us that "only the directly connected Core Switch could ping the Test Switch." This is probably an indication that the test firewall does not have a route for the subnet used for the test PCs. You probably need to add a route on the test firewall to the test subnet.

HTH

Rick
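The two replies above describe the pieces (PBR on the core switch to divert only the test PCs' traffic, plus a return route on the test firewall). The following is an added illustration of that design on a Cisco IOS core switch; it is not configuration from this thread or from any of the posters. All interface names, VLAN numbers and addresses are constructed placeholders, the test PC subnet is assumed to sit behind the test switch on a routed link from the core, and the test firewall is assumed to be on a point-to-point link from the core.

```cisco
! Added example, not from this thread. All names and addresses are assumed:
!   10.50.0.0/24   test PC subnet behind the test switch
!   10.10.0.0/30   routed link core (10.10.0.1) <-> test switch (10.10.0.2)
!   10.99.0.0/30   routed link core (10.99.0.1) <-> test firewall (10.99.0.2)
!
! 1. Match ONLY the test PC subnet as source. Keep this ACL as narrow as
!    possible: anything it matches bypasses the interior firewall, so it
!    should never cover production hosts.
ip access-list extended TEST-PCS
 permit ip 10.50.0.0 0.0.0.255 any
!
! 2. Route-map: matched traffic is handed to the test firewall instead of
!    the default route. Traffic that does not match falls through the
!    route-map untouched and is forwarded normally. If the next-hop
!    interface is down, IOS routes matched packets normally rather than
!    dropping them; "set ip next-hop verify-availability" with IP SLA
!    tracking can be added if you need an explicit reachability check.
route-map TO-TEST-FW permit 10
 match ip address TEST-PCS
 set ip next-hop 10.99.0.2
!
! 3. Apply the policy on the interface where the test traffic ENTERS the
!    core (the link from the test switch). PBR acts on ingress traffic
!    only, so putting it on the uplink to the interior firewall does nothing.
interface GigabitEthernet1/0/10
 description link to test switch
 no switchport
 ip address 10.10.0.1 255.255.255.252
 ip policy route-map TO-TEST-FW
!
! 4. Link towards the test firewall.
interface GigabitEthernet1/0/11
 description link to test firewall
 no switchport
 ip address 10.99.0.1 255.255.255.252
!
! 5. The core still needs to know where the test PC subnet lives so that
!    return traffic from the test firewall reaches the test switch.
ip route 10.50.0.0 255.255.255.0 10.10.0.2
!
! 6. Verification from enable mode:
!    show ip policy              - confirms the route-map is bound to Gi1/0/10
!    show route-map TO-TEST-FW   - "policy routing matches" counter increases
!                                  while a test PC sends traffic
```

Two caveats a practitioner would check before relying on this. First, the test firewall needs a route back to 10.50.0.0/24 via 10.99.0.1 (the second reply's point); the syntax for that depends on the firewall vendor, which the thread does not name. Second, on some Catalyst platforms `ip policy` is refused until the SDM template that allocates TCAM for PBR is selected and the switch reloaded, which is the "does your core support PBR" question raised in the first reply.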

@Richard Burts 

Thanks for the information. I will do some more investigating to determine if PBR is supported on the Core and how to configure that for my needs. I will report back if this works.

Tim

Just FYI for anyone that wants to know. I was able to get it working without using PBR. I set the port for one test machine on the VLAN that connects to the firewall and gave the machine that is connected to it a static IP inside that network range, with the IP of the firewall as the default gateway. It was not a fancy solution to the testing, but it did let me test the ISP redundancy failover configuration of the firewall successfully. Thanks to all who made suggestions.

Tim

Tim

Thanks for the update. Glad to know that you got it to work. Interesting that you got it to work without needing PBR. The key to that is that the test firewall is in the same VLAN as the PC. Based on your description we had assumed that the test switch and PC were in a VLAN (and a subnet) different from the test firewall. If both are in the same subnet, then certainly all you need is a different default gateway on the PC. If they had been different subnets, then you would have needed PBR.

HTH

Rick