Guys - I have had issues with Fortinet and that Fortinet config...
Redistribute a tracked default route via the Ciscos. They at least work with a pinging SLA of the def route...
From: Karim Jamali [mailto:karim.jamali_at_gmail.com]
Sent: Friday, January 13, 2012 02:02 PM
To: Aaron <aaron1_at_gvtc.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>; Joseph L. Brunner
Subject: RE: Redundancy & Failover
Thanks Aaron. This is exactly what I am looking for.
On Jan 13, 2012 9:54 PM, "Aaron" <aaron1_at_gvtc.com<mailto:aaron1_at_gvtc.com>> wrote:
I found this link....looks like you could perhaps make the 0.0.0.0 0.0.0.0 def
route be tracked on pinging that outside DNS server you mentioned....then
the default info orig (NOT ALWAYS) will only generate the def rt to the Fortigate
when that Cisco router can ping that DNS:
http://www.velocityreviews.com/forums/t670045-setting-routes-w-set-next-hop-verify-availability-in-ios-12-2-a.html
-----Original Message-----
From: nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com> [mailto:nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>] On Behalf Of
Karim Jamali
Sent: Friday, January 13, 2012 12:04 PM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: RE: Redundancy & Failover
Hi Joseph,
The problem I am trying to sort out is how to generate a default route to
the Fortinet only when the internet is actually there, and to stop its
generation when the internet is down. This is where the second router will
generate the default route.
Hope this clarifies it.
Thanks
On Jan 13, 2012 8:56 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com<mailto:joe_at_affirmedsystems.com>>
wrote:
> Fortinet's don't do failover well between candidate next hops on static
> routes with health checks....
>
> You need to use OSPF/RIP all around... forget sla's
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com> [mailto:nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>] On Behalf Of
> Karim Jamali
> Sent: Friday, January 13, 2012 12:05 PM
> To: Cisco certification
> Subject: OT: Redundancy & Failover
>
> Dear Experts,
>
> I need your support on the following scenario. I have a Fortigate firewall
> which is connected to 2 internet routers (Cisco routers). Now the objective
> I am trying to reach is to have full redundancy in terms of internet
> connection. I have thought of doing HSRP/VRRP and putting both routers on
> the same subnet and using tracking IP addresses to control pre-emption;
> however, this is not valid as the customer wants to keep his IP addressing
> the same. Thus each router is connected to the firewall on a separate
> subnet (public subnet) where the firewall is doing the PAT/NAT, etc.
>
> The Fortigate firewall only seems to have a static route which can point
> to a single next-hop, and there is no tracking functionality for those
> static routes. I have thought of configuring OSPF between the
> Fortigate/Cisco routers, and using default-information originate attached
> to a route-map on both Cisco routers with different metrics. However, when
> I am using the route-map I am trying to search for an SLA to match because
> I don't want to match the outside interface being "UP", as this doesn't mean
> that the internet will be UP. Can anyone elaborate/help me find a better
> mechanism? So the whole line of thought is that if the internet is available on
> router A by pinging a public DNS server for instance, I will generate this
> default route into OSPF, else I will remove it and Router B will be used
> for internet connectivity.
>
> Thanks
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Fri Jan 13 2012 - 19:18:17 ART
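The tracked default route plus conditional default-information originate that Aaron points to, written out as an added Cisco IOS configuration for Router A (this is not anyone's config from this thread or from the linked post). The ISP next hop, the public DNS target, the interface names and the OSPF subnet are assumed placeholders; the host route for the probe target is the part most often forgotten.

```cisco
! Router A (the preferred internet router). Assumed placeholder values:
! 203.0.113.1 = ISP A next hop, 192.0.2.53 = the public DNS server used as
! the reachability target, Gi0/0 = ISP-facing link, 198.51.100.0/24 =
! the public subnet between Router A and the Fortigate.
!
! Host route for the probe target via ISP A. Without it the probe follows
! whatever default route exists, so once the tracked default is withdrawn
! the probe would either never succeed again or leak out through the OSPF
! default learned from Router B, and the route would never be restored.
ip route 192.0.2.53 255.255.255.255 203.0.113.1
!
! Probe the DNS server every 10 seconds.
ip sla 1
 icmp-echo 192.0.2.53 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delays dampen flapping.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Static default that is installed in the RIB only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Condition for default-information originate: the route-map is evaluated
! against routes present in the RIB, so it matches only while the tracked
! 0.0.0.0/0 above is installed.
ip prefix-list TRACKED-DEFAULT seq 5 permit 0.0.0.0/0
!
route-map COND-DEFAULT permit 10
 match ip address prefix-list TRACKED-DEFAULT
!
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 default-information originate metric 10 route-map COND-DEFAULT
!
! Router B: same construction with its own ISP next hop and probe, but a
! worse metric (default-information originate metric 20 route-map ...),
! so the Fortigate prefers Router A's default whenever Router A can reach
! the DNS server and falls back to Router B's default otherwise.
```

Verify with "show track 1", "show ip route 0.0.0.0" on each router and "show ip ospf database external" on the Fortigate side once the probe is shut: Router A's type-5 default LSA should disappear and the Fortigate's default should shift to Router B.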