Routing Internet Traffic over MPLS for remote Site.....

mando_usa
Level 1

We have four sites connected through MPLS. Each site has its own internet. They can go outside with their own internet. The problem is that most of the time we have an issue with the local site internet. So our plan is to re-route internet traffic through MPLS for whichever site goes down. But I can't do it. Is there anyone who can help me?

Accepted Solutions

Yeah it seems ok now.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


19 Replies

Francesco Molino
VIP Alumni

Hi

Your internal core routing: how is it dealing with MPLS routing?

Do you have dynamic routing between your CE and your core switch, or are you using any dynamic protocol?

When you say the internet is local, I assume that's a different router and traffic forwarding is done by your core router or firewall with a default route?

Are you able to provide a quick drawing?

When you say re-routing traffic through MPLS, what do you mean?

 - Does it mean carrying all internet-destined traffic through your internet in the head office or datacenter?

 - Or directly to an internet breakout on your provider's backbone?

Anyway, your provider should be involved, as it will be the one doing the network announcement, and then on your side you need to integrate that route with a higher metric.

Hope this is clear. Maybe with a drawing it would be easier to understand what you want to achieve.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue



Thanks for your reply.

We are using a 3750X as our core switch at all sites and an ASA 5540 as firewall.

We have MPLS connections between all sites through the vendor. The MPLS router is managed by the vendor, and the internet router is managed by the vendor as well.

Here are your answers:

1. We have a static route to send traffic to the vendor MPLS router.

2. We don't have any dynamic routing between the core switch and the CE router.

3. We have four sites. Every site has its own internet to go outside, which we call local internet. We forward traffic from our core switch to the firewall, and the firewall is connected to the vendor router.

4. Yes, the MPLS router and the internet router are different.

5. Our requirement is as follows:

  a. We are connected by MPLS, and if the internet link is down at any site, is it possible to send internet traffic through MPLS to use the head office internet, or vice versa?

6. Our core switches have the IP Services license.

Thanks a lot, and waiting for your suggestions and comments.

Ok, based on your diagram, before the explanation, let's assume something:

- your LAN network is 172.16.0.0/16

- the SVI on all core switches is VLAN 10 and it has access to the internet

On your core switch, at each site, you are doing:

ip route 172.16.0.0 255.255.0.0 IP_Router_MPLS

ip route 0.0.0.0 0.0.0.0 IP_FIREWALL_INSIDE

All users' default gateway is on the core switch.

If this is correct (I mean if I understand your explanation), then what you need to do is:

- Ask your MPLS provider to advertise the default route from MPLS (as you are not dealing with dynamic routing, it will be easier: no metric change, ...)

- On your core switches (each site):

- configure IP SLA to track the router interface (the best way would be the outside interface, because if the internet is down this interface will go down and not the inside one) or a specific host on the internet like 8.8.8.8

- configure a default route like the actual one, based on tracking, and configure a 2nd one going to your MPLS

The config will look like:

ip sla 1
 icmp-echo x.x.x.x source-interface vlan 10
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Specific route so that 8.8.8.8 is reached through your firewall,
! to ensure the track is UP when local internet is up.
ip route 8.8.8.8 255.255.255.255 IP_FIREWALL_INSIDE
!
ip route 0.0.0.0 0.0.0.0 IP_FIREWALL_INSIDE 1 track 1
ip route 0.0.0.0 0.0.0.0 IP_Router_MPLS 10

How it will work:

1. It will test the outside interface of your internet router or 8.8.8.8 (you need to adapt the specific route based on what you want to track). You can't track the ASA, as its interface will be UP all the time even if the internet goes down.

2. If the track is down, then the actual default route will be removed and the 2nd one will take over to forward all traffic through your MPLS.

Be careful to ask your MPLS provider to announce the default route.

Hope this is clear. Sorry for the typos, I'm on my mobile phone :-)

PS: Please don't forget to rate and mark as correct answer if this solved your issue



Thank you so much. My understanding is clear. To confirm everything, I am sharing my head office and remote site details diagram with the configuration for your help.

Never mind!!!

Also I have a confusion about your point:

Ask your MPLS provider to advertise the default route from MPLS.

My query is which default route the MPLS provider needs to advertise.

Sorry to bother you a lot.

I will have a look at your diagrams this evening, sorry for that :-) Right now, your MPLS provider is advertising all LAN networks, let's say (based on your design, quick view of it) 172.28.0.0/16

If your local internet goes down, the local core switch will forward all traffic (including internet) to your MPLS network. When the packet arrives at your MPLS router, if it wants to reach, let's say, 202.121.10.25, there are 2 possibilities:

- your MPLS provides a default route to forward all internet traffic to your HO, then fine

- if no default route is announced, the packet doesn't know where to go, then it is dropped.

Is it clearer? Let me know.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue



Now I have a route for internet to the firewall like 0.0.0.0 0.0.0.0 x.x.x.x (firewall outside IP)

Right now I have a route on the core switch: 0.0.0.0 0.0.0.0 172.28.15.254 (firewall inside)

So far my understanding is: we configure IP SLA pointing at 8.8.8.8; if it fails, it should route all inside traffic (including internet) to the MPLS router, and the MPLS provider needs to advertise these routes to point this traffic to the HO firewall's outside interface or the HO MPLS router interface.

I am sorry to ask so many queries. Please never mind... I need to make sure before doing any change.

I think we can get a better opinion from you to fix the issue.

Thanks

Abdul

No problem, I'm here to help.

Now you have your default route pointing to your firewall.

You need to add a route for 8.8.8.8 to your firewall in order to make IP SLA work.

You need to modify the actual default route pointing to your firewall by adding the track capability (if the track is up the route stays, if the track is down the route disappears).

However, your current config has static routes going through MPLS but only for the LAN. You'll need to add a 2nd default route pointing to your MPLS router with a higher administrative distance (like I wrote in my previous answer).

Now you're done with the core switch. But when internet traffic reaches the MPLS router, it has to know where to send it in order to get internet access (internet gateway and NAT); this can be accomplished only if your MPLS provider advertises a default route to everybody to forward internet-destined traffic to your HO. Otherwise this traffic doesn't have a route and it will be dropped. Is it ok? Does that make sense?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 



So far my understanding

We can configure Branch office as below

ip sla 1
 ! 172.28.15.1 is the core SW management IP at HO; VLAN 23 is the management VLAN at the branch
 icmp-echo 172.28.15.1 source-interface vlan 23
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 172.28.23.254 1 track 1
ip route 0.0.0.0 0.0.0.0 172.28.15.254 10

And we need to do the reverse: if the HO internet fails, internet traffic will route to the branch.

Configure for HO as below:

ip sla 1
 ! 172.28.23.1 is the core SW management IP at the branch; VLAN 15 is the management VLAN at HO
 icmp-echo 172.28.23.1 source-interface vlan 15
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 172.28.15.254 1 track 1
ip route 0.0.0.0 0.0.0.0 172.28.23.254 10

All configuration changes are on the core switch at both ends. Is it correct? We are not going to change any configuration on the firewall at either end.

Is it correct? Please give your opinion and make any necessary changes if needed. We are a 24/7 production company. Any change we make will affect our service.

Thanks

Ok, fine if you want to do the same thing for HO. The only thing is to choose the right branch to access the internet. And if this internet is down too, what happens?

For your IP SLA for the branch, why do you want to test IP 172.28.15.1? This IP is at HO and traffic is going through MPLS, not the internet. Then you will never see that the internet is down and traffic will never be forwarded through MPLS. This IP SLA only shows whether MPLS is UP/DOWN. The same applies to your HO config.

The config I provided before was testing an internet host.

The goal of this IP SLA is to remove your actual default route when local internet is down, so you need at least to test that part of your network (an internet host or even the firewall outside). Inside can't be tested because even if the internet is down, this interface will still be UP.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue.


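As an added illustration (not code from this thread, and not Cisco's own logic), here is a small Python model of the tracked default route, the floating static and the IP SLA probe. It shows the two failure modes Francesco describes above: without the /32 host route for 8.8.8.8, the probe follows the surviving MPLS default once the firewall default is withdrawn, gets answered via HO, and the track flaps the primary route back; and probing the HO management IP 172.28.15.1 never detects a local internet outage. The next-hop labels, the LAN route via MPLS and the 203.0.113.10 destination are constructed assumptions.

```python
import ipaddress

# Next-hop labels stand in for the thread's IP_FIREWALL_INSIDE / IP_Router_MPLS (assumed).
FW, MPLS = "FIREWALL_INSIDE", "MPLS_ROUTER"
INTERNET_HOST, HO_MGMT = "8.8.8.8", "172.28.15.1"   # probe targets discussed in the thread
SOME_DST = "203.0.113.10"                            # constructed internet destination (TEST-NET-3)

def branch_rib(with_host_route):
    """Static routes from the thread; the /32 for 8.8.8.8 is the one Francesco insists on."""
    rib = [{"prefix": "0.0.0.0/0", "nh": FW, "ad": 1, "track": True},        # primary, tracked
           {"prefix": "0.0.0.0/0", "nh": MPLS, "ad": 10, "track": False},     # floating static
           {"prefix": "172.28.0.0/16", "nh": MPLS, "ad": 1, "track": False}]  # LAN via MPLS (assumed)
    if with_host_route:
        rib.append({"prefix": "8.8.8.8/32", "nh": FW, "ad": 1, "track": False})
    return rib

def lookup(rib, dst, track_up):
    """Longest-prefix match; a tracked route is installed only while the track is UP;
    equal prefix lengths are decided by the lower administrative distance."""
    cands = [r for r in rib if (track_up or not r["track"])
             and ipaddress.ip_address(dst) in ipaddress.ip_network(r["prefix"])]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -r["ad"]))["nh"]

def probe_ok(dst, nh, local_inet_up, ho_inet_up):
    """Does an ICMP echo to dst via nh get a reply? (constructed model of the two paths)"""
    if dst == INTERNET_HOST:
        return local_inet_up if nh == FW else ho_inet_up
    return nh == MPLS  # an HO LAN host answers whenever MPLS is up, regardless of internet state

def simulate(rib, probe, local_inet_up, ho_inet_up, cycles=4):
    """Run probe -> track -> route-selection cycles; return the default next hop per cycle."""
    track_up, chosen = True, []
    for _ in range(cycles):
        track_up = probe_ok(probe, lookup(rib, probe, track_up), local_inet_up, ho_inet_up)
        chosen.append(lookup(rib, SOME_DST, track_up))
    return chosen

if __name__ == "__main__":
    # Local internet down, HO internet up:
    print(simulate(branch_rib(True), INTERNET_HOST, False, True))   # stays on MPLS
    print(simulate(branch_rib(False), INTERNET_HOST, False, True))  # flaps FW/MPLS every cycle
    print(simulate(branch_rib(True), HO_MGMT, False, True))         # never fails over: blackhole
```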

You mean I need to change the ping IP to 8.8.8.8, which I have changed below. We can use source-ip 172.28.23.1 instead of source-interface vlan 23.

ip sla 1
 ! 172.28.23.1 is the management IP of the branch SW
 icmp-echo 8.8.8.8 source-ip 172.28.23.1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 172.28.23.254 1 track 1
ip route 0.0.0.0 0.0.0.0 172.28.15.254 10

And we need to do the reverse: if the HO internet fails, internet traffic will route to the branch.

Configure for HO as below:

ip sla 1
 ! 172.28.15.1 is the core management IP at HO
 icmp-echo 8.8.8.8 source-ip 172.28.15.1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 172.28.15.254 1 track 1
ip route 0.0.0.0 0.0.0.0 172.28.23.254 10

Please add your suggestion if any change is needed on the above configuration.

Thanks

The source IP could be any switch interface.

However, as I said, you need to add a specific route for 8.8.8.8:

! Specific route to reach 8.8.8.8 through your firewall, to ensure the track is UP when local internet is up.
ip route 8.8.8.8 255.255.255.255 IP_FIREWALL_INSIDE

Be sure that the IP used as source is authorized on the firewall to access the internet.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue.



Never mind,

Do you think I need to change the configuration I sent to you, or can I get a configuration showing how I should configure it?

Thanks

Maybe I've expressed myself in the wrong way.

Your config seems ok but is missing the specific route, as said before.

Except for that, it's ok. Before implementing, just make sure that your switch mgmt interface is allowed to access the internet, and then you're ok.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue.



Now I have added the specific route to ping 8.8.8.8 from the core SW.

Please have a look at the configuration below, which is what I did:

Alabama Plant

Configure in Core-Switch

ip sla 10
 icmp-echo 8.8.8.8 source-ip 172.28.15.1
 threshold 2
 frequency 3
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 60 up 180
!
ip route 0.0.0.0 0.0.0.0 172.28.15.254 1 track 10
ip route 0.0.0.0 0.0.0.0 172.28.23.254 10
ip route 8.8.8.8 255.255.255.255 172.28.15.254

Georgia Plant:

Configure in Core-Switch

ip sla 10
 icmp-echo 8.8.8.8 source-ip 172.28.23.1
 threshold 2
 frequency 3
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 60 up 180
!
ip route 0.0.0.0 0.0.0.0 172.28.23.254 1 track 10
ip route 0.0.0.0 0.0.0.0 172.28.15.254 10
ip route 8.8.8.8 255.255.255.255 172.28.23.254

Thanks