Thursday, November 24, 2011

IP SLA Monitor Example for Fail-over Survivability of ISP

Configure ASA to allow traceroute responses


The following link is to an IP SLA configuration on a Cisco router that does not use the monitor command option:

Cisco ISP Failover IP SLA Configuration Example

IP SLA Monitor Example for Fail-over Survivability of ISP

Cisco IP SLA MONITOR example configuration. The IP address have been changed but this is a working configuration I just recently implemented. This office, actually and remote office with warehouse, has a T1 line they wanted a custom application to use exclusively but also had a DSL that was connected to a Cisco ASA 5505 (it could have been a Cisco 5510 or other). The ASA was also on the same LAN. The idea was simple, if the T1 fails, use the DSL for the custom application to connect to an online database source and server.

There are two tracker objects in a tracker list. The list uses a boolean AND,

track 10 rtr 20 reachability --> a ping to a target ip address for which there is ONLY a single static route to use the T1. This differs wit hthe IP SLA MONITOR vs. the IP SLA (with no MONITOR option available. Here, we had to use RTR instead of specifying the ip SLA number itself))
track 11 interface Serial0/1/0:0 line-protocol --> Interface status


track 20 list boolean and --> boolean AND, boolean AND means all conditions conditions have to be true , almost seems redundant but TAC did it this way on another remote office router.

object 10 --> tracker 10 shown above
object 11 --> tracker 11 shown above


ip route 4.2.2.2 255.255.255.255 192.168.1.11 track 20 --> tracked main route
ip route 4.2.2.2 255.255.255.255 192.168.1.1 100 --> alternate route is used if T1 is down

ip sla monitor 20 --> referenced in tracker 10

type echo protocol ipIcmpEcho 8.8.8.8 source-interface GigabitEthernet0/1 --> had to use the interface as source, using the ip address did not work (another bug, perhaps) , there is an explicit static route that says any traffic for 8.8.8.8 use the T1 (there are several ways to do this and you should test them on your router to be sure you can from the IOS command line ping and try all source interfaces before building this line. You can create the router using the next hop router for the T1 connection, or the route can be built by specifying the interface to source the ping from such as S0/1/0:0 on this router, or source the ping from the "inside" interface) So if there is a problem with the T1 the pings will time out.

timeout 1000 --> max ping reply time allowed in milliseconds
threshold 2
tag 20
frequency 5 --> status is checked every five seconds


ip sla monitor schedule 20 life forever start-time now --> scheduler for monitor 20


Cisco IP SLA Example for ISP failover