If the link to one ISP goes down, the ASA keeps using its static default route and effectively sends outbound traffic into a black hole. The static route tracking feature, built on the SLA monitor, avoids this: the ASA periodically probes a target through the primary link and withdraws the tracked default route when the probe stops answering, so a second default route with a higher administrative distance takes over (and is removed again when the probe recovers). This lets you configure multiple static default routes without worrying whether a given ISP connection is working or not.
Use the following configuration steps to define an SLA process and bind it to a static route:
Step 1: Define an SLA monitor process and an arbitrary process number:
ciscoasa(config)# sla monitor <sla-id>
Step 2: Define the reachability test. The interface keyword is not optional: it forces the probe out of that interface regardless of the routing table, which is what lets the ASA keep testing ISP-A after the default route has moved to ISP-B. Pick a target that reliably answers ICMP echo; the target below is the ISP gateway itself, which only proves the link and next hop are up, so a target beyond the ISP edge gives a more meaningful test.
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho <target> interface <interface-name>
Step 3: Tune optional test parameters. These appear in sla-monitor mode only after the type has been set: frequency <seconds>, timeout <milliseconds>, num-packets <count> and threshold <milliseconds>. The defaults (one packet every 60 seconds with a 5000 ms timeout, as shown by show sla monitor configuration further down) mean a failure can take up to a minute to detect; lowering frequency and timeout shortens the outage window at the cost of more probe traffic and a higher chance of flapping on a lossy link.
Step 4: Schedule the SLA monitor test to run.
ciscoasa(config)# sla monitor schedule <sla-id> [life <forever | seconds>] [start-time <hh:mm:ss> <month day | day month> | pending | now | after <hh:mm:ss>] ageout <seconds> [recurring]
Step 5: Enable reachability tracking.
ciscoasa(config)# track <track-id> rtr <sla-id> reachability
Step 6: Apply tracking to a static route.
ciscoasa(config)# route <if-name> <ip-address> <netmask> <gateway-ip> [distance] track <track-id>
Step 7: Define a backup static route to the same destination using a higher AD. Only one of the two routes is in the routing table at any time: the backup is installed when the tracked route is withdrawn and removed when the track comes back up. If outbound traffic is translated, make sure the NAT rules also cover the backup interface, otherwise traffic leaving via ISP-B after failover goes out untranslated.
ciscoasa(config)# route <if-name> <ip-address> <netmask> <gateway-ip> <distance>
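The seven steps above only work as a failover if the pieces reference each other correctly; a route that tracks a non-existent object, a track bound to an SLA entry that was never scheduled, or a backup whose AD is not higher than the primary's all leave the box exactly as black-holed as before. As an added example (not code from the original post), here is a small Python linter that parses the sla monitor, track and route lines of an ASA configuration and reports those wiring mistakes. It handles any number of tracked routes, not just the single default route of this post. The embedded sample is constructed from the post's walkthrough; the step-3 timers in it (num-packets, frequency, timeout) are assumed values, not from the post.

```python
"""Sanity-check ASA static route tracking (sla monitor / track / route).

Added example, not from the original post. Catches the wiring mistakes that
silently leave a black hole: a route tracking an undefined object, a track
bound to an unscheduled or target-less SLA entry, a tracked route with no
untracked backup, or a backup whose AD is not higher than the primary's.
"""
import re

# Constructed sample based on the post's walkthrough. The num-packets,
# frequency and timeout lines are assumed tuning values, not from the post.
SAMPLE_CONFIG = """\
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside1
 num-packets 3
 frequency 10
 timeout 3000
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside1 0.0.0.0 0.0.0.0 1.1.1.1 track 1
route outside2 0 0 2.2.2.2 255
"""

SLA_RE = re.compile(r"^sla monitor (\d+)$")
SCHED_RE = re.compile(r"^sla monitor schedule (\d+)\b")
TYPE_RE = re.compile(r"^type echo protocol ipicmpecho (\S+) interface (\S+)$", re.I)
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")


def _addr(token):
    # The ASA accepts the shorthand "0" for 0.0.0.0 in route statements.
    return "0.0.0.0" if token == "0" else token


def parse(config):
    """Return (slas, tracks, routes) extracted from the configuration text."""
    slas, tracks, routes = {}, {}, []
    current = None  # sla-monitor entry whose sub-mode we are in, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCHED_RE.match(line):
            slas.setdefault(m[1], {})["scheduled"] = True
            current = None
        elif m := SLA_RE.match(line):
            current = m[1]
            slas.setdefault(current, {}).setdefault("scheduled", False)
        elif current and (m := TYPE_RE.match(line)):
            slas[current].update(target=m[1], interface=m[2])
        elif m := TRACK_RE.match(line):
            tracks[m[1]] = m[2]
            current = None
        elif m := ROUTE_RE.match(line):
            routes.append({"iface": m[1], "net": _addr(m[2]), "mask": _addr(m[3]),
                           "gw": m[4], "ad": int(m[5] or 1), "track": m[6]})
            current = None
    return slas, tracks, routes


def lint(config):
    """Return a list of findings; an empty list means the failover wiring is sound."""
    slas, tracks, routes = parse(config)
    findings = []
    for tid, sid in tracks.items():
        sla = slas.get(sid)
        if sla is None or "target" not in sla:
            findings.append(f"track {tid}: sla monitor {sid} is undefined or has no echo target")
        elif not sla["scheduled"]:
            findings.append(f"track {tid}: sla monitor {sid} is never scheduled, so the track stays down")
    for r in routes:
        if r["track"] is None:
            continue
        prefix = f"{r['net']} {r['mask']}"
        if r["track"] not in tracks:
            findings.append(f"route {prefix} via {r['gw']}: track {r['track']} is undefined")
        backups = [b for b in routes if b is not r and b["track"] is None
                   and (b["net"], b["mask"]) == (r["net"], r["mask"])]
        if not backups:
            findings.append(f"route {prefix} via {r['gw']}: no untracked backup route, "
                            f"so a probe failure black-holes {prefix}")
        for b in backups:
            if b["ad"] <= r["ad"]:
                findings.append(f"route {prefix} via {b['gw']}: backup AD {b['ad']} must be "
                                f"higher than the tracked route's AD {r['ad']}")
        sla = slas.get(tracks.get(r["track"]), {})
        if sla.get("target") == r["gw"]:
            findings.append(f"warning: probe for {prefix} targets the next hop {r['gw']} itself; "
                            "an upstream outage that leaves the link up is not detected")
        if sla.get("interface") not in (None, r["iface"]):
            findings.append(f"warning: probe leaves {sla['interface']} but the tracked route is on {r['iface']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the post's own configuration the linter reports only the warning that the probe targets the ISP gateway rather than something behind it; feed it a saved `show running-config` to check a production box.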
ciscoasa(config)# sla ?
configure mode commands/options:
monitor IP Service Level Agreement Monitor
ciscoasa(config)# sla monitor ?
configure mode commands/options:
<1-2147483647> Entry Number
schedule IP SLA Monitor Entry Scheduling
ciscoasa(config)# sla monitor 1
ciscoasa(config-sla-monitor)# ?
IP SLA Monitor entry configuration commands:
exit Exit operation configuration
type Type of entry
ciscoasa(config-sla-monitor)# type ?
sla-monitor mode commands/options:
echo Echo Operation
ciscoasa(config-sla-monitor)# type echo ?
sla-monitor mode commands/options:
protocol Protocol to Use for Operations
ciscoasa(config-sla-monitor)# type echo protocol ?
sla-monitor mode commands/options:
ipIcmpEcho Use IP/ICMP
ciscoasa(config-sla-monitor)# type echo protocol ipicmpecho ?
sla-monitor mode commands/options:
Hostname or A.B.C.D IP address or hostname
ciscoasa(config-sla-monitor)# type echo protocol ipicmpecho 1.1.1.1 ?
sla-monitor mode commands/options:
interface Interface keyword
ciscoasa(config-sla-monitor)# type echo protocol ipicmpecho 1.1.1.1 interface ?
sla-monitor mode commands/options:
Current available interface(s):
outside1 Name of interface GigabitEthernet0
outside2 Name of interface GigabitEthernet1
ciscoasa(config-sla-monitor)# type echo protocol ipicmpecho 1.1.1.1 interface outside1
ciscoasa(config-sla-monitor)# exit
ciscoasa(config)# sla monitor schedule ?
configure mode commands/options:
<1-2147483647> Entry number
ciscoasa(config)# sla monitor schedule 1 ?
configure mode commands/options:
ageout How long to keep this Entry when inactive
life Length of time to execute in seconds
recurring Probe to be scheduled automatically every day
start-time When to start this entry
<cr>
ciscoasa(config)# sla monitor schedule 1 life ?
configure mode commands/options:
<0-2147483647> Life seconds
forever continue running forever
ciscoasa(config)# sla monitor schedule 1 life forever ?
configure mode commands/options:
ageout How long to keep this Entry when inactive
recurring Probe to be scheduled automatically every day
start-time When to start this entry
<cr>
ciscoasa(config)# sla monitor schedule 1 life forever start-time ?
configure mode commands/options:
after Start after a certain amount of time from now
hh:mm Start time (hh:mm)
hh:mm:ss Start time (hh:mm:ss)
now Start now
pending Start pending
ciscoasa(config)# sla monitor schedule 1 life forever start-time now
ciscoasa(config)# track ?
configure mode commands/options:
<1-500> Tracked object
ciscoasa(config)# track 1 ?
configure mode commands/options:
rtr Response Time Reporter (RTR) entry
ciscoasa(config)# track 1 rtr ?
configure mode commands/options:
<1-2147483647> Entry number
ciscoasa(config)# track 1 rtr 1 ?
configure mode commands/options:
reachability Reachability
ciscoasa(config)# track 1 rtr 1 reachability
ciscoasa(config)# route ?
configure mode commands/options:
Current available interface(s):
outside1 Name of interface GigabitEthernet0
outside2 Name of interface GigabitEthernet1
ciscoasa(config)# route outside1 ?
configure mode commands/options:
Hostname or A.B.C.D The foreign network for this route, 0 means default
ciscoasa(config)# route outside1 0.0.0.0 ?
configure mode commands/options:
A.B.C.D The netmask for the destined foreign network
ciscoasa(config)# route outside1 0.0.0.0 0.0.0.0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network is reached.
ciscoasa(config)# route outside1 0.0.0.0 0.0.0.0 1.1.1.1 ?
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
<cr>
ciscoasa(config)# route outside1 0.0.0.0 0.0.0.0 1.1.1.1 track ?
configure mode commands/options:
<1-500> Tracked object number
ciscoasa(config)# route outside1 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ciscoasa(config)# route outside2 0 0 2.2.2.2 ?
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
<cr>
ciscoasa(config)# route outside2 0 0 2.2.2.2 255
ciscoasa# show track ?
exec mode commands/options:
<1-500> Track number
| Output modifiers
<cr>
ciscoasa# show track 1
Track 1
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:04:40
Latest operation return code: OK
Latest RTT (millisecs) 220
Tracked by:
STATIC-IP-ROUTING 0
ciscoasa# show sla ?
exec mode commands/options:
monitor Service Level Agreement (SLA) Monitor
ciscoasa(config)# show sla monitor ?
exec mode commands/options:
configuration IP SLA Monitor Configuration
operational-state IP SLA Monitor Operational State
ciscoasa# show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: outside1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
ciscoasa# show sla monitor operational-state
Entry number: 1
Modification time: 15:49:47.686 UTC Sat Jun 1 2013
Number of Octets Used by this Entry: 1480
Number of operations attempted: 6
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 15:54:47.702 UTC Sat Jun 1 2013
Latest operation return code: OK
RTT Values:
RTTAvg: 10 RTTMin: 10 RTTMax: 10
NumOfRTT: 1 RTTSum: 10 RTTSum2: 100
ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside1
We simulate an outage on ISP-A by shutting down the WAN interface of its router (1.1.1.1), the next hop that the SLA probe is testing.
ISP-A(config)#interface fastethernet0/0
ISP-A(config-if)#shutdown
ISP-A(config-if)#
*Mar 1 00:19:36.807: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 1 00:19:37.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
ciscoasa# debug sla monitor trace
IP SLA Monitor TRACE debugging for all operations is on
ciscoasa# IP SLA Monitor(1) Scheduler: Starting an operation
IP SLA Monitor(1) echo operation: Sending an echo operation
IP SLA Monitor(1) echo operation: Timeout
IP SLA Monitor(1) Scheduler: Updating result
ciscoasa# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/28/70 ms
ciscoasa# show track 1
Track 1
Response Time Reporter 1 reachability
Reachability is Down
1 change, last change 00:03:48
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
We can verify that the default route has moved to ISP-B by using the show route command on the ASA: the tracked route via 1.1.1.1 is gone and the backup route with AD 255 is now installed.
ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 2.2.2.2 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
S* 0.0.0.0 0.0.0.0 [255/0] via 2.2.2.2, outside2