IP SLA for multi WAN failover on Cisco 3560 X IP Services

We have purchased a Cisco 3560X Layer 3 switch to replace our old L2 Switch and Router - we have an MPLS network and a backup DSL internet connection in place currently.  

Currently our Cisco 2821 router has IP SLA configured to switch over from the MPLS WAN connection to a DSL connection when the link is lost.  We want to replace this router with the 3560X (enterprise licensed IP Services) but we can't figure out how to set up the IP SLA/Track portion of this like it was before on the router.  Is this possible?  The IOS on this switch is ver. 15.02  

Thanks very much!
Steve
Lambton asked:

rkrug8421 commented:
We do this quite a bit with 3560X running IP Base, 15.0. Not sure why your setup would be different. For our setups, we have a service provider managed router, self managed router, and 3560X in ip routing mode in a transit/dmz network. For example, let's use the 10.10.10.0/28 subnet for transit:
10.10.10.1 - Service Provider managed router
10.10.10.8 - Self managed router connected to broadband provider
10.10.10.14 - 3560X switch

Our config looks like this:
ip sla 1
 ! Rather than ping provider gateway, you might want to ping the next hop
 ! from the service provider router, if that remains constant.
 icmp-echo 10.10.10.1
 frequency 30
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

! Track object goes down when the probe stops getting replies
track 1 ip sla 1 reachability

! Static routes: the primary default is installed only while track 1 is up;
! the floating static (AD 250) via the broadband router takes over when it drops.
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
! On some versions we have trouble mixing name and track:
ip route 0.0.0.0 0.0.0.0 10.10.10.8 250 name BROADBAND
Lambton (author) commented:
Excellent!  Thanks!  I'm going to give that a try - I think our syntax wasn't quite right, it's a bit different than what we had in our routers.  I'll let you know how it works - thanks!
Lambton (author) commented:
So I believe the commands were correct, and the IP SLA failover is configured and working; however, I'm trying to test this on my bench connecting to a small XTM25 WatchGuard firewall as my backup ISP.  This is the same as what we have in production; however, on our router in production we have bridge groups set up and use ip nat on the BVI interfaces, and it doesn't seem this switch or IOS version accepts these commands.  

This is the first time I've attempted to setup a layer 3 switch as a router, and I assumed it would carry over the same if not close to the same configuration as the router does, but I guess I should not have assumed this.

Is IP NAT and/or bridge groups going to be required for what I'm trying to do?  
again, this is a WS-C3560X-48  with software version 15.0(2)SE8.

just some more info that may help:
Our internal network data vlan at this particular site is 10.11.13.0/24
the internal interface on the backup internet firewall is 10.0.1.1
the interface on the switch that connects to the backup FW int is 10.0.1.2

Here is what we have on the router right now, that we are trying to convert to the new L3 Switch:
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.10.10.1 source-interface BVI15
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface FastEthernet0/0/0
 description BackupInternet
 switchport access vlan 99
 no snmp trap link-status
!
!
interface Vlan99
 description BackupInternet
 no ip address
 bridge-group 99
!
interface BVI99
 description BackupInternet
 ip address 10.0.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 172.26.208.25 track 1
ip route 0.0.0.0 0.0.0.0 10.0.1.1 200
ip route 10.10.10.1 255.255.255.255 172.26.208.25
!



Anyway, this is what I'm trying to achieve with the new switch, and it's a newer IOS as well; the commands just don't convert over directly - hopefully it's possible.

Thanks again!
/Steve
rkrug8421 commented:
I don't think you can NAT in the 3560X. The 3850 had the "ip nat" commands, but I don't think it actually worked. You will probably need an actual router for NAT support. Even if it did support NAT, you would need stateful firewall filtering.

Assuming you have the following at the site:
1) Watchguard firewall, performing NAT and stateful inspection, connected to DSL
2) LAN 3560X switch
3) Ethernet handoff from MPLS service provider, no NAT required.

We would configure the 3560X like this:

! Also include modified IP SLA commands
interface Vlan 13
 description LAN
 ip address 10.11.13.1 255.255.255.0

interface Vlan 300
 description WAN transit
 ip address 10.0.1.254 255.255.255.0

interface Gi0/48
 description MPLS Handoff (assume SP has used 10.0.1.2)
 switchport access vlan 300

interface Gi0/47
 description Watchguard (10.0.1.1)
 switchport access vlan 300

! Service provider will need to static route 10.11.13.0/24 to 10.0.1.254
! We send everything to MPLS while it is up, Watchguard when down:
ip route 0.0.0.0 0.0.0.0 10.0.1.2 track 1
ip route 0.0.0.0 0.0.0.0 10.0.1.1 250



In our environments, the service provider provides a managed router on site, which we point to. We also run OSPF between the backup router and the MPLS router (IP Base on switches, so while OSPF could work, it might be licensed for non-routed link). The service provider accepts and uses the default route advertised by the backup router and will send Internet bound traffic to the local backup Internet router. If the local backup router stops advertising, the service provider's default route gets used.
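Putting the two answers together, here is a complete 3560X configuration as an added example (this is not configuration posted by rkrug8421 or Lambton): the IP SLA/track block from the first answer merged into the transit-VLAN layout from the second. Addresses follow the thread (LAN 10.11.13.0/24, transit 10.0.1.0/24, MPLS handoff 10.0.1.2, WatchGuard 10.0.1.1, switch 10.0.1.254); the probe target 10.10.10.1 is taken from the production router config, and the probe timers, track delays and port numbers Gi0/47 and Gi0/48 are assumptions. The host route for the probe target is the piece the second answer's sketch omits; the production router config has it (`ip route 10.10.10.1 255.255.255.255 172.26.208.25`), and without it the probe can succeed over the backup path after failover and flap the MPLS default route back while MPLS is still down.

```cisco
! Added example, not from the thread. Values marked "assumed" are not on the page.
ip routing
!
interface Vlan13
 description LAN
 ip address 10.11.13.1 255.255.255.0
!
interface Vlan300
 description WAN transit (MPLS handoff + WatchGuard)
 ip address 10.0.1.254 255.255.255.0
!
interface GigabitEthernet0/48
 description MPLS handoff (SP router 10.0.1.2) - port assumed
 switchport mode access
 switchport access vlan 300
!
interface GigabitEthernet0/47
 description WatchGuard XTM25 inside (10.0.1.1) - port assumed
 switchport mode access
 switchport access vlan 300
!
! Probe a host beyond the provider router, sourced from the transit SVI
! (directly connected from the provider router's point of view).
! frequency/timeout/threshold are assumed; timeout must not exceed frequency.
ip sla 1
 icmp-echo 10.10.10.1 source-interface Vlan300
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! Dampen flapping: withdraw the route 10 s after the probe fails and
! reinstall it only after 30 s of good replies (delays assumed).
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Pin the probe target behind the MPLS handoff. Without this host route,
! once the primary default is withdrawn the probe would follow the
! floating default through the WatchGuard, could get a reply over the
! Internet, and track 1 would bring the MPLS default back prematurely.
ip route 10.10.10.1 255.255.255.255 10.0.1.2
!
! Primary default via MPLS, present only while track 1 is up;
! floating static (AD 250) via the WatchGuard takes over when it drops.
ip route 0.0.0.0 0.0.0.0 10.0.1.2 track 1
ip route 0.0.0.0 0.0.0.0 10.0.1.1 250
```

To verify on the bench, watch `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`, then pull the cable on Gi0/48: the default should move from 10.0.1.2 to 10.0.1.1 after the down delay and return after the up delay when the link is restored. As rkrug8421 notes, the 3560X does no NAT or stateful inspection, so all Internet-bound traffic on the backup path has to pass through the WatchGuard; the WatchGuard (like the MPLS provider) needs a route for 10.11.13.0/24 back to 10.0.1.254, since that network is not directly connected to its inside interface.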

Lambton (author) commented:
Thanks very much rkrug8421; I got it working with your help!  :-)

Much appreciated!
/Steve