Cisco VPN :: Dynamic Routing For Failover L2L VPN?
May 29, 2012
Overview Firewall is ASA 5510 running 8.4(9)Core network at Head Office uses OSPFStatic routes on ASA are redistributed into OSPFStatic routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferredCore network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPFBranch Office WAN uses BGP - Routes are redistributed into OSPFThe routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is downBackup BO router (.253) only contains a default route to internetUnder normal operation, traffic to/from BO uses Local Branch Office WANIf local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into it's routing table as a Static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
I am trying to configure a dynamic failover with IP SLA on a Cisco 7200 using 12.2(33) IOS. I would like to have something similar as the following configuration:
ip sla monitor 1type echo protocol ipIcmpEcho x.x.x.xfrequency 3ip sla monitor schedule 1 life forever start-time now!!track 10 rtr 1 reachability access-list 101 permit icmp any host X.X.X.X echo!route-map LOCAL_POL permit 10 match ip address 101 set ip next-hop Y.Y.Y.Y set interface Null0!ip local policy route-map LOCAL_POL ! ip route XX.XX.XX.XX 255.255.255.0 YY.YY.YY.YY track 10ip route XX.XX.XX.XX 255.255.255.0 ZZ..ZZ.ZZ.ZZ 254
My questions are the following
Question 1: What is the equivalent of ip sla monitor in 12.3 for dynamic failover with IPsla Should I used
ip sla ethernet-monitor 1 type echo domain name ?
or
ip sla 1 path echo X.X.X.X or ethernet mpid echo domain name or icmp-echo time out 1000 frequency 3 threhsold 2
I do not know if I have to used ethernet-monitor or ip sla. What is the domain name and the mpid associated to the ethernet-monitor ip sla.In the case where I have to used ip sla 1, shoud I used a path-echo, ethernet mpdi or icmp-echo for dynamic failover
Question 2: In 12.3, what is the equivalent to ip sla monitor schedule 1 life forever start-time now.I have found thec command ip sla schedule 1 start now but it does not seems that we could configure the duration.
We have two Cisco 3560E layer 3 switches at the core of our network. The switches are configured as an HSRP pair and the clients on our network point to the HSRP address as their default gateway. So if CORE-A dies, then CORE-B will pick up the address and the default route for the clients will continue to be available.We also need to specify a few static routes on the core switch to allow us to get to specific networks. Is there a way to do this so that the routes failover in the same way that the default gateway does?
We're in the process of swapping in a new pair of ASA5520s and Catalyst 3750s to support two separate business units. We want Firewall A and Switch A to handle traffic for Org A (VLAN 100). Similarly, firewall B and Switch B should handle traffic for Org B (VLAN200). But we want to be able to fail traffic over in case of firewall or switch failure. Traffic between the two Orgs is being routed at the switch level. [code]
The uplink interface on each switch is currently a routed port with a static address on the uplink subnet. This works fine in a normal state. However, when we fail over one of the firewall contexts to the other chassis, this results in the inability to route internal traffic because the internal interface is now physically connected to a different switch with a different IP port address (obvious in hindsight). The question is, rather than a routed port, what would be the proper way to handle traffic between the switches and firewalls in a failover scenario? If I make the uplink ports into trunks, won't this cause all packets destined for either firewall to hit both both? Seems like that's not the way to go either? [code]
There are three different sites, two are composed of Multilayer switches cisco 3560 and 3570 as core switches (a 3560 in one site and a 3570 in another site), the last site doesn't have any routers just a 2950 switch. Each site has two asa 5505 as firewalls. Two Internet connexions are connected to every site, one on every firewall. One Internet line is used to connect the different sites together using VPN crypted with IPsec and the other line is just for Internet access. The line that is used to interconnect sites contains voice and data traffic.At the moment all the routes are static routes, the network isn't too big for now and counts not more than 20 subnets.But it is evolving, and I want to use dynamic routing, EIGRP to be more accurate. I've looked into it and I'm not sure how to make it work. The VPNs active on the ASAs don't support dynamic routing, so I thought about GRE tunnels but the ASAs don't seem to allow it either.
connected DSL directly to 2900 series router , but as DSL public IP is not static (dynamic) its difficult to access Router when out of home, any other means to access router without static IP
They have a /28 wan adress coming from ISP, that gives out 100Mbps, going to a Cisco 2960S switch (ver. 12.2) the switch is only holding 1 vlan. Connected to the 2960 are 3 firewalls/routers from other manifactors, each creating their own network. The customer wishes for a solution where each final FW/router gets minimum 33% and maximum 100% of the bandwidth, depending on how much each final Fw/router are in use.
Im new to cisco routes, Im traing to configure a 1711 routes with a dsl 2wire routes, my problem is that Im able to ping anywhere in the routes, but when Im on my computer I can only ping the interfaces on the router but no the 2wire route that gives me access to the internet.
My computer is getting ip addres 192.168.200.100 when I ping th 192.168.1.76 is fine, but when I try to ping the 192.168.1.254 does not work, Im assuming the cisco has activated a dinamic route from .76 to .254, but it is not working, why?
Here is the router configuration
Router#show runBuilding configuration... Current configuration : 1183 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router!boot-start-markerboot-end-marker!!no aaa new-model!resource policy!memory-size iomem 25ip subnet-zero!!no ip dhcp [Code]....
how to redistribute routes between three independently managed private networks.
Currently: See attachment The two buildings managed by Company 1 are connected by 4x1GB fibre channel ports on Cisco 3750G Standard Image switches. Static routing is used between the two building and static routes are used to direct traffic to Company 2 and Company 3 via routers managed by their respective companies. No NAT is required as all three companies use separate private address schemes.
Network Improvements: See attachment To increase network resilience Companies 2 and Company 3 are planning on installing new routers in building 2. Companies 2 and 3 use Dynamic routing protocols on their internal network. Incoming and outgoing resilience is required in all three companies. There is no direct connectivity between Company 2 and 3.
I would like the following questions answered:
1. Is dynamic routing needed in Company 1?
2. Given that only 4 devices are managed by Company 1 will RIPv2 work? NB. Company 2 and 3 have very large networks (3000+ sites).
3. Would route redistribution be best performed on Company 2 and 3’s CE routers?
4. How can route redistribution be controlled by Company 1?
I have a ASA5510 with 2 internal interfaces (inside1 and inside2 same security level) configured with OSPF for dynamic routing with 2 routers to corporate subnets. I have a server in a private subnet that needs to be accessed from Internet. So static pat is used in ASA with the command
As OSPF is in use, the subnet 192.168.1.0/24 may be reachable from interface inside2. When I tried to configure the static command for inside2,
static (inside2, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255.the error message came out "WARNING: mapped-address conflict with existing static...". Is this just a warning, or this is not possible in ASA.
If dynamic IP addresses are those which change frequently and a person does not keep the same one for very long, how can websites still block somebody from their service, surely as soon as the IP refreshes, the person will have access again. Lets take the case of Wikipedia. If you do bad edits on some of their pages, they will ban your IP address for months to even years, how can they possibly do this if the persons IP address may change hundreds of times within this period?
I have a Home Virgin media cable connection at home. the only way to get this working with my Cisco gear is by putting the superhub on modem mode.On modem mode, it becomes just a dumb modem assigning and IP via DHCPI can get the switch to get an IP address from the modem with
no switchport ip address dhcp
then I have created
0.0.0.0 0.0.0.0 fa0/48
to route traffic to the port connected to the mode,The switch gets the assigned Ip address from the modem but it does not route internet traffic.
From the different vlans and subnets on the switch, I can ping the modem. From the switch I can ping 8.8.8.8 From the machines, i cannot ping 8.8.8.8
On my machines, what should be the gateway? the vlan SVI, the modem's IP address, The fa0/48 ip address? I have tried them all with no success.
I live in a condo building that uses 3 Cisco Catalyst 3550 switches connected to a Comcast router with 100 Mbps download. Currently we regulate bandwidth by providing each user with 3 Mbps download. Even if only two people are active they still only get 3 Mbps download. I would like to set it up so if two people are using they each get 50 Mbps; a sort of 'dynamic qos. Is this possible with these switches? Would we have to purchase a Cisco router in order to provide this feature?
I have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic arp inspection on the single vlan and I amd getting these errors.
I've got a setup where we have a wireless connection coming in and using mikrotik router. We have multiple stores coming in via the wireless with a dmvpn.
The vpn's terminate on the cisco c870 and can be seen when running: show dmvpn.The cisco has a default route to the fibre router (10.0.0.252). The wireless router is the default gateway for the network. The failover from wireless to adsl fails. (due to the cisco routing traffic back to the wireless router when wireless fails)
If I change the default route on the cisco to dialer1, the failover works, but none of the vpn's connect. The Branches all have dynamic ip addresses. The HO has a static ip.
My goal: I want to achieve adsl failover for when the wireless goes down and still have the vpn's connected.
Can I have some sort of "Dynamic" route on the cisco. So when the vpn traffic comes in via wireless and hits the cisco, the vpn traffic can then go back out that way via the wireless router, but still have a default gateway on the dialer interface for failover?
I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following: Internal hosts assigned a DHCP address are blocked from the internet Internal hosts with a static IP are permitted access to internet All internal hosts can communicate regardless of state
Now, I'm fairly new to this and I'm certain my terminology isn't correct so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged in ports 1-7. If I'm plugged in and specify my address manually in the OS I am blocked from any access so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet. What sort of steps would I need to do to configure this? New access lists. For the record, the dhcp addresses are in the range of 10.100.31.64-10.100.31.95. VPN users are assigned an address from 10.100.31.220-10.100.31.240 and there seems to be no issues with that configuraiton. I don't wish to constrain what addresses a user can use should they specify a static IP (10.100.31.5 should be just as valid as 10.100.31.100).
I have connected a 10BaseT device to a CISCO Catalyst 3560xPOE switch with dynamic port security. All seems to work fine when the distance between the two devices is closer then 200ft. When I connect to 10BaseT devices farther out near 300ft the response from the attached device is lost. It works ok on unmanaged switches at the longer distance. Is there a minimum response time from attached devices for dynamic port security to work properly? Is there any other explanation why it would work on cheaper switches, but not on the Port Secured Switch?
I need to configure an existing 2600 router to use dynamic NAT for access to the web and ALSO I have (5) fixed IP addresses for use with an email server, a web server, and (3) future servers. I do not know the concept of how to set this up. I'm currently using dynamic NAT for the web and this seems OK but I dont know how to map my fixed servers. I assume this is done with static NAT. Do I need to add sub interfaces on the S0/0 T1 interface for each of these fixed IPs? Then do I somehow do static NAT on these fixed IPs to their respective servers?
Does the 22xx Series FEX support static or dynamic LAGs between itself and a server?Imagine a server with dual 10G NICs, and I need to connect them to the SAME 22xx FEX....can I set up a LAG between the two 10G NIC ports and two 22xx FEX Host ports? Does it depend on how the FEX is connected to the parent 55xx?
We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
Here iis a diagram of my current lab where I am using IP SLA to automatically switch from ISP 1 to ISP 2 should the connection go down (and vice versa)
My switches are C3550 Layer 3 switches. Both ISP's do work so connectivity is not the problem.
If I shutdown the fa0/19 port on SW1 the SLA kicks in and changes my defualt route out 10.0.1.0 without a problem. And when I do a no shut it comes back to tge 192.168.10.0 netowrk just as we would expect. No problem there.
When I disconnect the ISP 1 cell phone the SLA does switch the defualt route to the 10.0.1.0 netowrk. Okay, just fine so far. Here isthe problem, when i reconnect the cell phone the SLA does not come back to the 192.168.10.0 netowrk without first having to delete the SLA and then recresting it (both switches).
I've two Cisco 4500 running as core switches for huge and complex network. The two 4500 are going to act as dhcp server for several subnets. The easiest solution would be to split each DHCP pool in two, and assign the first half of the pool to one of the core switch and the second half of the pool to the second core switch. This would be a partial solution since if one of the two fails, the second core switch would not have enough dhcp leases available for all the devices connected for each subnet.For such a reason, I'm wondering if it the 4500 switches support a stateful redundant DHCP servers, so that the two switches can synchronize their DHCP lease tables. If this feature is available, I could define the same pools for both the switches without the risk of having duplicate ip addresses within the network.
Below is a basic image of the HSRP and backup link setup for our LAN.
The virtual IP 192.168.178.50 resides on the primary router and fails over to the backup router. Internal default gateways for the switches are set to 178.50.
Switch1 is Layer3 and has two static default routes configured as:
ip route 0.0.0.0 0.0.0.0 192.168.179.50 track 1 - - - (interface line-protocol track) ip route 0.0.0.0 0.0.0.0 192.168.178.50 2
And the primary router has a static route out 179.50 which tracks the interface (route goes down if interface is down), and a backup static route.
ip route (internal LAN) Gi0/1 track 1 - - - (interface line-protocol track) ip route (internal LAN) Gi0/2 2
Everything works fine. If the primary router fails, Switch1 tears down the route across Vlan179, HSRP fails over the IP to the backup router and routing continues as normal. If the link across Vlan179 fails, the routers tear down the primary routes and again, things continue as normal.
The problem comes when the primary WAN link fails but the router remains up. This means the default route is still across Vlan179. Normally, Id set an IP SLA on Switch1 to track the WAN link BUT Switch1 only has the BASE IOS and the company wont pay for the Advanced IP IOS so I dont have IP SLA as an option.
How can I get the static default route to failover in the event that only the primary WAN link goes down?
Our servers are hosted at the Main site, site office A access to the Main site for Internet and servers. We are thinking NextG to take over when the link between sites goes down.
To start with, what is the configuration for 3750 at Site A and the Main site:
1) Trunking for both switches
2) Routing
3) the automatic failover configuration for the switch at Site A.
