Internet failover routing

I have an AT&T MPLS network connected from the Main office (A) to 2 branch offices (B, C). Locations A and B have local gateways for internet. I want to route internet access automatically to the A gateway when Branch office B's internet is down.

Which protocol will be right to achieve this? I will appreciate it if you can provide any sample routing examples.
sumod_jacob, Senior IT Manager Asked:
 
morpheios Commented:
By default the static route will work on the 4507: 4507R Coreswitch (Site A) > MPLS 2821 (Site A) Router > MPLS 2821 (Site B) Router > 3750 Coreswitch (Site B) > ASA 5510 (Site B) > ATT MIS Router 1841 (Site B)
But when the Internet is in good condition, EIGRP from the ATT MIS Router(3825) must add the high-priority route 4507 Catalyst > ATT MIS Router(3825) to the routing table.

Now I think the ASA idea is better.

I read a Cisco manual about the ASA, and it seems to be a good idea. Configure an sla monitor on the ASA and set up a backup route back to 4507R Coreswitch (Site A) > MPLS 2821 (Site A) Router > MPLS 2821 (Site B) Router > 3750 Coreswitch (Site B) > ASA 5510 (Site B) > ATT MIS Router 1841 (Site B)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

route outside 0.0.0.0 0.0.0.0 "ATT MIS Router(3825)" 1 track 1
route backup 0.0.0.0 0.0.0.0 "4507R Coreswitch (Site A)" 254

sla monitor 123
 type echo protocol ipIcmpEcho "Internet_resource" interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

Maybe create a new VLAN on the ASA5520 and 4507 for the back route.
 
morpheios Commented:
Hello, what kind of routers do you use?

For example, on Cisco routers you need to define "ip sla monitor" and "track 1 rtr 1 reachability" and then add two routes, one of them using "track".

Good example:
http://www.ciscopress.com/articles/article.asp?p=1613547&seqNum=3


sumod_jacob, Senior IT Manager (Author) Commented:
Site A
MPLS Router = CISCO 2821
Internet ATT MIS Router = 3825

Site B
MPLS Router = CISCO 2821
Internet ATT MIS Router = 1841
 
morpheios Commented:
Perfect! I have a 2821 too, and "sla" works fine on it.
 
sumod_jacob, Senior IT Manager (Author) Commented:
Since it is an MPLS network, are any changes required on the service provider's (ATT) router?
 
morpheios Commented:
No changes are needed, only on your branch router. Not at the ISP. Look at the article. If there is a problem, post your router configs here and I will make the changes.

In two words:
1. In branch B you define "sla", which will test the internet connection
2. Define a track in B linked with the sla
3. Write static routes in B:
ip route branch_a_network branch_a_mask MPLS_toA_gateway
ip route 0.0.0.0 0.0.0.0 MPLS_toA_gateway 100
ip route 0.0.0.0 0.0.0.0 ISP_B_gateway 10 track 1
4. On the A router, allow internet access from the Branch B network in its ACL


ip route 0.0.0.0 0.0.0.0 MPLS_toA_gateway 100 has lower priority than route 0.0.0.0 0.0.0.0 ISP_B_gateway 10 track 1 but always works, while the tracked route works only if the SLA condition is TRUE.
 
sumod_jacob, Senior IT Manager (Author) Commented:
My scenario is slightly different: the ISPs are not both connected to the same router.

Site A Internet
4507 Catalyst > ASA 5520 > ATT MIS Router(3825)

Site A MPLS to Branch B
4507 Catalyst > 2821 MPLS Router

Site B Internet
3750 Catalyst > ASA 5510 > ATT MIS Router(1841)

Site B MPLS to Branch A
3750 Catalyst > 2821 MPLS Router

Here the core switch is doing the routing for both types of traffic. I see I can't do the IP SLA command on this switch.
EIGRP and BGP are used for routing now.
 
morpheios Commented:
Yes, for this scenario you must enable SLA on the Catalyst switch, not on the router.

3750 manual
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swipsla.html

4507 manual (if in the future you need to use B's internet from office A)
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swipsla.html

Simple config: SLA on the 3750 tests the internet via "ASA 5510 > ATT MIS Router(1841)"; if the test succeeds, route 0.0.0.0 0.0.0.0 to it. Otherwise route 0.0.0.0 0.0.0.0 to the 2821 MPLS Router.
 
sumod_jacob, Senior IT Manager (Author) Commented:
I believe IP SLA requires at least IOS version 12.4T? Unfortunately my switch IOS is version 12.2. Is there any way to enable IP SLA in this version?

SITE -A
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M),
Version 12.2(37)SG, RELEASE SOFTWARE (fc1)

SITE -B
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
 
morpheios Commented:
No. The minimal version for SLA is 12.2(46)SE: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/release/notes/OL18263.html

In older versions there is a similar technology, SAA: http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd301d.html

You can use it the same as SLA.
 
sumod_jacob, Senior IT Manager (Author) Commented:
Oh my God, my boss wants this to be enabled in Site-A instead of Site-B now.

I see that RTR is not supported on the 4507 core switch. I saw the link below, where Cisco states that SAA isn't supported on the 4500, but others said they have done it. I don't know. I tried it on my 4500 switch and it doesn't recognise the command. But on the 3750 (Site B) it does work for me.

http://www.gossamer-threads.com/lists/cisco/nsp/76550

Is there any way to make this work without upgrading IOS? It seems I am in the hot seat now.
 
morpheios Commented:
Bad news :(

The Tcl scripting language was introduced only in 12.3.

Last idea: check the internet status on some server and use IP RCMD to configure the 4507 route table http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html#wp1030124

Why are you afraid to update the routers' firmware?
 
sumod_jacob, Senior IT Manager (Author) Commented:
The update is required on the core switch 4507. You are right, I am scared to do that and want to avoid it if possible. BTW, what is the impact if I upgrade to 12.4T? Will this affect any of the configuration?

I increased the points to 500.
 
sumod_jacob, Senior IT Manager (Author) Commented:
Is there any other protocol I can use to achieve this failover?
 
morpheios Commented:
If your ISP can configure EIGRP on the ATT MIS Router(3825), then your Catalyst 4507 can get the route via the EIGRP protocol.

The static route will always send to MPLS with low priority. When EIGRP is available, the dynamic route with high priority will work.

The 4507 with this firmware does not use any other flexible routing protocols.


Consider the upgrade:
Yes, it's right, a big upgrade like this always requires configuration adaptation.
You can search for configuration keywords in the guide http://www.cisco.com/en/US/products/ps6441/products_installation_and_configuration_guides_list.html and check whether the syntax has changed.

And you can always roll back the firmware upgrade. Don't forget to back up the old configuration and old firmware.
 
sumod_jacob, Senior IT Manager (Author) Commented:
Do you mean IP SLA should be enabled on the ATT MIS router(3825), or just configure EIGRP on this router without IP SLA?

I have EIGRP already configured on the Coreswitch for routing to MPLS.

The traffic flow should be as follows:
4507R Coreswitch (Site A) > MPLS 2821 (Site A) Router > MPLS 2821 (Site B) Router > 3750 Coreswitch (Site B) > ASA 5510 (Site B) > ATT MIS Router 1841 (Site B)
 
morpheios Commented:
Not IP SLA, but EIGRP on the ATT MIS Router(3825).

You define on the 4507 an expensive-cost route to the internet via the MPLS 2821 (Site A) Router. But when the Internet is available, the ATT MIS Router(3825) provides via EIGRP a low-cost route to itself.

By default the static route will work: 4507R Coreswitch (Site A) > MPLS 2821 (Site A) Router > MPLS 2821 (Site B) Router > 3750 Coreswitch (Site B) > ASA 5510 (Site B) > ATT MIS Router 1841 (Site B)
But when the Internet is in good condition, EIGRP from the ATT MIS Router(3825) must add the high-priority route 4507 Catalyst > ATT MIS Router(3825)
 
morpheios Commented:
I have one more idea: can your ASA 5520 use a backup route? Maybe you can set it up to use the ASA 5510 as a gateway if the direct connection has failed?

I have no ASA experience and can't say whether it is possible or not.
 
sumod_jacob, Senior IT Manager (Author) Commented:
If only EIGRP is configured on the ATT MIS Router(3825), how does this monitor the internet access and reroute when it's down?
 
sumod_jacob, Senior IT Manager (Author) Commented:
Below are the Site-A Coreswitch and ASA 5520 routing tables...

4507R Coreswitch Routing (Site-A)

router eigrp 615
 redistribute static metric 1000000 100 255 1 1500 route-map REDIST_STATIC_ROUTES
 passive-interface default
 no passive-interface Vlan9
 no passive-interface Vlan90
 no passive-interface Vlan100
 no passive-interface Vlan101
 no passive-interface GigabitEthernet6/48
 network 10.1.0.0 0.0.255.255
 network 192.168.0.0 0.0.7.255
 no auto-summary
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
ip route 10.1.5.0 255.255.255.192 10.1.16.44
ip route 10.1.5.64 255.255.255.192 10.1.16.44
ip route 10.1.40.0 255.255.255.0 10.1.9.5
ip route 172.16.254.0 255.255.255.0 10.1.9.10
no ip http server
no ip http secure-server
!
ip flow ingress infer-fields
ip flow ingress layer2-switched
ip flow-export source Vlan90
ip flow-export version 5
!
ip route-cache flow infer-fields
!
ip access-list standard PROTECT_VTY
 permit 192.168.0.0 0.0.7.255
 permit 10.1.0.0 0.0.255.255
 permit 10.2.0.0 0.0.255.255
 permit 172.16.254.0 0.0.0.255
 permit 172.17.254.0 0.0.0.255
 permit 10.3.0.0 0.0.255.255
ip access-list standard REDIST_STATIC_ROUTES
 permit 172.16.254.0 0.0.0.255
 permit 10.1.40.0 0.0.0.255
!
ip access-list extended Guest_Wireess
ip access-list extended Net_Control
 remark Access-list used to identify telnet and ssh traffic used for device management
 permit tcp any any eq 22
 permit tcp any eq 22 any
 permit tcp any any eq telnet
 permit tcp any eq telnet any
ip access-list extended VoIP
 remark Access-list used to identify VoIP bearer traffic
 deny   udp any any fragments
 permit udp any range 16384 32767 any range 16384 32767
ip access-list extended VoIP_Signaling
 remark Access-list used to identify VoIP signaling traffic
 permit tcp any any range 2000 2002
 permit tcp any range 2000 2002 any
 permit tcp any any eq 1720
 permit tcp any eq 1720 any
 permit tcp any range 11000 11999 any range 11000 11999
 permit udp any any eq 2427
 permit udp any eq 2427 any
 permit tcp any any eq 2748
 permit tcp any eq 2748 any
 permit tcp any any range 1099 1129
 permit tcp any range 1099 1129 any
!
access-list hardware entries scattered
!
route-map REDIST_STATIC_ROUTES permit 10
 match ip address REDIST_STATIC_ROUTES


ASA 5520 (Site-A)

access-list outside_access_in extended permit tcp any host 12.39.xxx.xx object-group Web_TCP_Ports
access-list outside_access_in extended permit tcp any host 12.39.xxx.xx object-group Web_TCP_Ports
access-list DEFAULT_ONLY standard permit host 0.0.0.0

route-map REDISTRIBUTE_DEFAULT permit 10
 match ip address DEFAULT_ONLY
!
!
router eigrp 615
 no auto-summary
 network 10.1.9.0 255.255.255.0
 network 172.16.200.0 255.255.255.0
 passive-interface default
 no passive-interface inside
 redistribute static route-map REDISTRIBUTE_DEFAULT
!
route outside 0.0.0.0 0.0.0.0 12.39.245.1 1 track 1
route inside 10.1.0.0 255.255.0.0 10.1.9.1 1
route web&sp_dmz 10.1.40.0 255.255.255.0 172.16.200.5 1
route inside 10.2.0.0 255.255.0.0 10.1.9.1 1
route inside 172.17.254.0 255.255.255.0 10.1.9.1 1
route outside 192.58.128.30 255.255.255.255 12.39.245.1 1
route inside 192.168.0.0 255.255.248.0 10.1.9.1 1
Question has a verified solution.
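
An added example, not part of the thread or of any poster's configuration: one way to get Site A failover without IP SLA on the 4507R, by pairing the tracked default route that the ASA 5520 listing already shows with a floating static on the core switch (the same tracked-route-plus-backup-route pattern as the four-step outline for branch B). The `sla monitor` block on the 5520, `<PROBE_TARGET_IP>` and `<SITE_A_2821_LAN_IP>` are assumptions and placeholders, and the example assumes the 2821s and Site B already forward and permit Site A's Internet-bound traffic.

```cisco
! --- ASA 5520 (Site A) ---------------------------------------------------
! Assumed: the probe behind "track 1". The page shows the tracked route but
! not the monitor. <PROBE_TARGET_IP> is a placeholder for a stable address
! that is reachable only through the ATT MIS Router (3825).
sla monitor 123
 type echo protocol ipIcmpEcho <PROBE_TARGET_IP> interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! From the page: the default route exists only while track 1 is up, and
! "redistribute static route-map REDISTRIBUTE_DEFAULT" under router eigrp 615
! advertises it to the 4507R. When the probe fails, the route is withdrawn
! and the EIGRP advertisement goes with it.
route outside 0.0.0.0 0.0.0.0 12.39.245.1 1 track 1
!
! --- 4507R core switch (Site A), no IP SLA required ----------------------
! Weak setting (left commented out): distance 100 beats the EIGRP external
! route from the ASA (administrative distance 170), so this static would
! always be installed and Internet traffic would always cross the MPLS.
! ip route 0.0.0.0 0.0.0.0 <SITE_A_2821_LAN_IP> 100
!
! Corrected setting: a floating static with a distance above 170. It enters
! the routing table only after the EIGRP-learned default disappears.
! <SITE_A_2821_LAN_IP> is a placeholder for the Site A 2821 MPLS router.
ip route 0.0.0.0 0.0.0.0 <SITE_A_2821_LAN_IP> 250
!
! The page's REDIST_STATIC_ROUTES route-map permits only 172.16.254.0/24 and
! 10.1.40.0/24, so the 4507R does not redistribute this default into EIGRP.
!
! --- Checks ---------------------------------------------------------------
! On the ASA 5520: show track 1
! On the 4507R:    show ip route 0.0.0.0
! Compare the route source and distance on the 4507R with the probe up and
! with the probe failing.
```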
