07-14-2011 02:34 PM - edited 03-04-2019 12:59 PM
Hello,
The topology I'm currently working on has an ASA at the edge (plugged directly into the ISP equipment) with a 3750X stack behind it. The 3750X has an NLAN interface for internal routing between multiple sites.
The 3750X has a default static route pointing to the ASA device and also has EIGRP running (receives routes through the NLAN).
The ASA also has EIGRP but the outside interface is set to passive, so all internal routes are learned from the 3750X's NLAN interface. The ASA has a static default route pointing to the ISP.
Basic requirements are that all internal traffic goes through the NLAN while all internet traffic goes through the ISP.
I need the 3750X to start routing packets through the NLAN as a secondary default route (to use the other sites' internet feeds) in case the ASA's ISP connection goes down, but since they are on two different boxes I am unsure of the best way to do this. I want the default route to point back to the ASA once the local internet link is back up, so I don't think I can use two static default routes with different route costs.
Can someone lend me their assistance in getting this working properly?
Thanks!
07-14-2011 02:49 PM
Hi,
Well, I think you want to re-route internet traffic to another box when the ASA can't reach the internet. This can be done with IP SLA on the C3750X. It should be something like this. I'd track DNS server 8.8.8.8, assuming that if I can't reach that DNS, I would re-route. You may track another IP address if you want to.
C3750X
!
ip sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8
 timeout 1000
 frequency 3
 threshold 2
!
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 8.8.8.8 255.255.255.255 <ASA IP address>
ip route 0.0.0.0 0.0.0.0 <ASA IP address> track 1
ip route 0.0.0.0 0.0.0.0 <NLAN BOX IP address> 100
!
Let's check this link: http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
HTH,
Toshi
07-14-2011 03:48 PM
That makes sense. Would the default route point back to the ASA once the main internet link (and thus the route to 8.8.8.8) is re-established using that IP SLA setup? The key is that I don't want to have to clear the secondary ip route statement from the config just so the proper route is used again.
marwanshawi, I'm not really sure what you mean, but I can 'draw' the diagram if it helps.
                EIGRP->
(Internet) ---- (ASA) ---- (Switch)
                              |
                         NLAN (EIGRP)
If I perform a 'show route' on the ASA it will display all the internal routes as EIGRP with the NLAN interface on the 3750X switch as the next hop.
07-15-2011 05:49 AM
Hi,
Q: Would the default route point back to the ASA once the main internet link (and thus the route to 8.8.8.8) is re-established using that IP SLA setup?
A: Yes, it has to. You may adjust the IP SLA timing parameters as you want.
I think you're running EIGRP to let the ASA know where to route internal networks. We were trying to handle a backup default route. I think IP SLA could help you.
HTH,
Toshi
07-15-2011 08:24 AM
Hi,
I read through the document. The configuration suggests something similar but slightly different (highlighted in bold).
The example in the document is as follows:
interface FastEthernet 0/0
 description primary-link
 ip address 10.1.1.1 255.0.0.0
interface Dialer 0
 description backup-link
 ip address 10.2.2.2 255.0.0.0
ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.23.7
 timeout 1000
 frequency 3
 threshold 2
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
access-list 101 permit icmp any host 172.16.23.7 echo
route-map MY-LOCAL-POLICY permit 10
 match ip address 101
 set interface Dialer 0 Null 0
!
ip local policy route-map MY-LOCAL-POLICY
ip route 0.0.0.0 0.0.0.0 10.1.1.242 track 123
ip route 0.0.0.0 0.0.0.0 10.2.2.125 254
What exactly does the route-map portion do? There is also no default route in the document pointing to the IP SLA destination as your config suggested. Is that really needed?
07-15-2011 09:25 AM
Hi,
The configuration I provided is okay and it can be used as an example. What you want to do is a floating route for a default route, and you want to track how to reach the internet, not just a next hop (IP SLA can do this). You just read how IP SLA works:
And then test and let us know how things work out.
HTH,
Toshi
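As an added illustration (not part of this thread, and Python rather than IOS), the following models the 3750X's route selection to show why the host route for 8.8.8.8 via the ASA matters and that the default falls back to the ASA once the ISP link returns; the next-hop names, RIB entries and the ISP up/down timeline are constructed, and SLA timers and thresholds are collapsed to one probe per cycle.

```python
"""Constructed model of a tracked default route plus a floating backup.
Not IOS code: next hops, RIB entries and the ISP timeline are made up."""
from dataclasses import dataclass

ASA, NLAN = "asa", "nlan"          # next hops, as in the thread's placeholders
PROBE_TARGET = "8.8.8.8"           # the host the IP SLA echo probe tracks


@dataclass(frozen=True)
class Route:
    prefix_len: int        # 0 = default route, 32 = host route
    next_hop: str
    ad: int = 1            # administrative distance (floating route uses 100)
    tracked: bool = False  # withdrawn from the RIB while track 1 is down


def lookup(rib, track_up, to_probe_target):
    """Longest match first, then lowest AD. Only the probe's own packets can
    match the /32; all other traffic matches the default routes only."""
    eligible = [r for r in rib
                if (track_up or not r.tracked)
                and (to_probe_target or r.prefix_len == 0)]
    return min(eligible, key=lambda r: (-r.prefix_len, r.ad)).next_hop


def simulate(rib, isp_up_per_cycle, track_up=True):
    """Return the default-route next hop chosen in each cycle. A probe sent via
    the ASA succeeds only while the ISP link is up; a probe that leaks onto
    the NLAN succeeds because the other sites have their own internet feeds."""
    chosen = []
    for isp_up in isp_up_per_cycle:
        probe_path = lookup(rib, track_up, to_probe_target=True)
        track_up = isp_up if probe_path == ASA else True
        chosen.append(lookup(rib, track_up, to_probe_target=False))
    return chosen


# Without the host route: once the tracked default is withdrawn, the probe
# follows the floating route, succeeds, and brings the track back up.
RIB_UNPINNED = [Route(0, ASA, ad=1, tracked=True), Route(0, NLAN, ad=100)]
# With 'ip route 8.8.8.8 255.255.255.255 <ASA IP>' the probe always uses the ASA.
RIB_PINNED = RIB_UNPINNED + [Route(32, ASA)]

if __name__ == "__main__":
    outage = [False] * 4
    print("unpinned, ISP down: ", simulate(RIB_UNPINNED, outage))  # flaps
    print("pinned, ISP down:   ", simulate(RIB_PINNED, outage))    # stays on NLAN
    print("pinned, ISP returns:", simulate(RIB_PINNED, [False, False, True, True]))
```

The unpinned RIB alternates between the two next hops every probe cycle while the ISP is down; the pinned RIB stays on the NLAN and returns to the ASA by itself when the probe via the ASA succeeds again.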
07-15-2011 06:55 PM
Thanks a lot for the help. It works just great.
I ended up using the ISP's gateway instead of 8.8.8.8, as I happen to use that IP for connectivity tests all the time (took me a few to realise why my pings weren't working when they should have been).
07-14-2011 02:59 PM
Can you put up a simple diagram of how the switch and the ASA are connected in terms of EIGRP?
Sent from Cisco Technical Support iPhone App