01-29-2020 10:18 PM
I have two different ISPs, ISP-A and ISP-B. My specific IP class (ACL-B) uses ISP-B. I have a simple scenario in which default ACL-A traffic will use the default route towards ISP-A, and selected traffic (ACL-B) will go to ISP-B. This is done by configuring PBR on an ASA 5508-X firewall. Now I need to re-configure the PBR route map so that if the ISP-B link goes down all traffic routes to ISP-A, and vice versa.
I am confused: can this be achieved from the route map, or in the redundancy configuration?
_______
Zargham
01-29-2020 11:19 PM
Hi there,
You need to use IP SLA and a tracking object within the route-map. Try the following, substituting the <Variables> and interface names as required:
!
! One SLA probe per ISP, each tied to a track object
sla monitor 1
 type echo protocol ipIcmpEcho <ISP-1> interface OUTSIDE1
  frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho <ISP-2> interface OUTSIDE2
  frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! Each sequence lists the preferred next hop first (sequence 1) and the backup second (sequence 2)
route-map ISP-PBR permit 10
 match ip address <ACL-A>
 set ip next-hop verify-availability <ISP-1> 1 track 1
 set ip next-hop verify-availability <ISP-2> 2 track 2
!
route-map ISP-PBR permit 20
 match ip address <ACL-B>
 set ip next-hop verify-availability <ISP-1> 1 track 2
 set ip next-hop verify-availability <ISP-2> 2 track 1
!
cheers,
Seb.
01-30-2020 01:20 AM
Thanks Seb,
This is a valuable reply. Let me test it and I will reply to you soon after testing.
01-30-2020 02:08 AM
Just noticed a typo; sequence 20 should prefer ISP-2 and track it:
!
route-map ISP-PBR permit 20
 match ip address <ACL-B>
 set ip next-hop verify-availability <ISP-2> 1 track 2
 set ip next-hop verify-availability <ISP-1> 2 track 1
!
01-30-2020 02:47 AM - edited 01-30-2020 07:53 AM
Hello
@Zargham Haider wrote:
I have two different ISPs. ISP-A and ISP-B.
i have simple scenario that default ACL-A traffic will use default route towards ISP-A. selected traffic (ACL-B) would go to ISP-B.
If you have all default traffic going via ISP-A and you wish specific traffic to go via ISP-B, then I would say what @Seb Rupik posted was correct; however, you would only require one PBR track statement, because if/when the monitored IP SLA track fails, all the policy-routed traffic would fail over and be routed back via the rts default path towards ISP-A.
example:
! IOS-style syntax; on the ASA the equivalents are "sla monitor", "track N rtr N reachability"
! and "policy-route route-map" under the interface
ip sla 1
 icmp-echo <ISPB host> source-ip XXXXX
ip sla schedule 1 life forever start-time now
!
! The track object is what the route-map references
track 1 ip sla 1 reachability
!
access-list 100 permit ip xxxx yyyyy
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop verify-availability <ISPB> 1 track 1
!
int x/x
 description Lan facing
 ip policy route-map PBR
01-30-2020 05:24 AM
@paul driver agreed, but if you want true redundancy then in the event of ISP-A failing you would want all traffic to go via ISP-B.
Perhaps adjust ACL-A so that it denies the ACL-B subnets but permits (matches) everything else.
01-30-2020 07:51 AM - edited 01-30-2020 07:56 AM
Hello
@Seb Rupik I still think you would only require the one PBR track statement, with maybe an additional static route track if the OP is using floating static default routes for each ISP; however, if dynamic routing is in use, then just the one should do it.
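The following is an added worked example, not configuration posted by anyone in this thread. It puts the pieces above together on an ASA (PBR is available from 9.4(1)): Seb Rupik's two-sequence route-map with ACL-A denying the ACL-B subnets, plus the tracked floating static default routes Paul Driver mentions so that traffic PBR does not catch also fails over. Interface names, the ACL names ACL-A/ACL-B, the RFC 5737 documentation addresses, and the probe targets are all assumptions; it also assumes NAT is already defined for both outside interfaces.

```cisco
! Added example (not from the thread). All addresses are RFC 5737 documentation
! ranges and the interface names are assumptions; replace them for your network.
!
interface GigabitEthernet1/1
 nameif OUTSIDE-A
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif OUTSIDE-B
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/3
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
! Probe a host beyond each ISP gateway (192.0.2.10 / 192.0.2.20 are assumed
! upstream addresses), not the gateway itself: a CPE that still answers ping
! while its uplink is dead would otherwise keep the track up.
! Pin each probe target to its own ISP with an untracked host route, so the
! probe cannot succeed via the other ISP after failover and bring the track
! back up falsely.
route OUTSIDE-A 192.0.2.10 255.255.255.255 198.51.100.1 1
route OUTSIDE-B 192.0.2.20 255.255.255.255 203.0.113.1 1
!
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.10 interface OUTSIDE-A
  num-packets 3
  frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho 192.0.2.20 interface OUTSIDE-B
  num-packets 3
  frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! Tracked default routes: ISP-A preferred (metric 1), ISP-B floating (metric 254).
! When track 1 goes down the ISP-A route is withdrawn and the floating route
! takes over; this is the path traffic falls back to when PBR has no live next hop.
route OUTSIDE-A 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route OUTSIDE-B 0.0.0.0 0.0.0.0 203.0.113.1 254 track 2
!
! ACL-B: the subnet that should prefer ISP-B (assumed 10.0.20.0/24).
access-list ACL-B extended permit ip 10.0.20.0 255.255.255.0 any
! ACL-A: everything else from the inside network, with the ACL-B subnet denied
! first so a packet can only match one route-map sequence.
access-list ACL-A extended deny ip 10.0.20.0 255.255.255.0 any
access-list ACL-A extended permit ip 10.0.0.0 255.255.0.0 any
!
! Each sequence lists its preferred next hop first. verify-availability skips a
! next hop whose track is down; if every listed next hop is down the packet is
! forwarded by the routing table, i.e. the tracked default routes above.
route-map ISP-PBR permit 10
 match ip address ACL-A
 set ip next-hop verify-availability 198.51.100.1 1 track 1
 set ip next-hop verify-availability 203.0.113.1 2 track 2
route-map ISP-PBR permit 20
 match ip address ACL-B
 set ip next-hop verify-availability 203.0.113.1 1 track 2
 set ip next-hop verify-availability 198.51.100.1 2 track 1
!
! PBR is applied on the ingress (LAN-facing) interface.
interface GigabitEthernet1/3
 policy-route route-map ISP-PBR
```

To verify the failover, watch `show track` and `show sla monitor operational-state` while the probe target for one ISP is blocked, and confirm with `show route` that the corresponding default route is withdrawn; a track that never goes down usually means the probe target is reachable via the other ISP, which the pinned host routes above are there to prevent.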