The IPSLA is on the router behind the firewall. I can't touch the firewall :).
> Subject: Re: IPSLA
> From: chris.rae07_at_me.com
> Date: Sat, 25 Apr 2015 20:09:14 +0800
> CC: ccielab_at_groupstudy.com
> To: ebay_products_at_hotmail.com
>
> Are you using IPSLA on the firewall?
>
> Why don't you use a redundant interface?
> Have both firewalls dual homed to the ISP.
> If a link fails the active firewall will fail the link over.
> If the firewall fails over, the secondary firewall's redundant interface
> continues to forward.
>
> Chris
>
> > On 25 Apr 2015, at 7:54 am, Cisco Fanatic <ebay_products_at_hotmail.com> wrote:
> >
> > Sorry, I am not sure why the formatting of the configuration is not coming
> > right. Trying one more time.
> >
> > !
> > interface Loopback5
> >  ip address 10.199.199.52 255.255.255.255
> > !
> > ip sla 51
> >  icmp-echo 60.22.210.210 source-ip 10.199.199.52
> >  request-data-size 100
> >  threshold 180
> >  timeout 1000
> >  frequency 12
> > ip sla schedule 51 life forever start-time now
> > !
> > ip sla 52
> >  icmp-echo 54.10.14.110 source-ip 10.199.199.52
> >  request-data-size 100
> >  threshold 180
> >  timeout 1000
> >  frequency 12
> > ip sla schedule 52 life forever start-time now
> > !
> > track 51 ip sla 51 reachability
> >  delay down 17
> > !
> > track 52 ip sla 52 reachability
> >  delay down 17
> > !
> > ip access-list extended IGW
> >  permit ip 192.136.12.0 0.0.0.255 any
> > !
> > route-map TEST permit 10
> >  match ip address IGW
> >  set ip next-hop verify-availability 72.100.121.81 1 track 51
> >  set ip next-hop verify-availability 72.100.121.81 2 track 52
> >  set ip next-hop 10.5.11.2
> > !
> > interface GigabitEthernet0/5.1
> >  ip address 10.70.70.2 255.255.255.252
> >  ip policy route-map TEST
> > !
> > ip route 0.0.0.0 0.0.0.0 72.100.121.81 track 51
> > ip route 0.0.0.0 0.0.0.0 58.148.120.254 50 track 52
> > !
> >
> >
> >
> > ----------------------------------------
> >> From: ebay_products_at_hotmail.com
> >> To: ccielab_at_groupstudy.com
> >> Subject: RE: IPSLA
> >> Date: Fri, 24 Apr 2015 16:49:24 -0700
> >>
> >> Configuration:
> >>
> >>
> >>> From: ebay_products_at_hotmail.com
> >>> To: ccielab_at_groupstudy.com
> >>> Subject: RE: IPSLA
> >>> Date: Fri, 24 Apr 2015 16:41:19 -0700
> >>>
> >>> Ok, I borrowed a lab setup and tried to replicate this, it is not working the
> >>> way I expected. Not sure what is wrong in the configuration?
> >>>
> >>> yuri
> >>>
> >>>> From: ebay_products_at_hotmail.com
> >>>> To: ccielab_at_groupstudy.com
> >>>> Subject: IPSLA
> >>>> Date: Fri, 24 Apr 2015 13:03:18 -0700
> >>>>
> >>>> The idea is to test Internet connectivity from 2 different connections. If one
> >>>> link fails, the traffic flows through the other link. I have a firewall in
> >>>> between.
> >>>> The issue is that when I am using IPSLA, since the firewall is stateful, the
> >>>> inbound and outbound traffic should be coming from the same interface.
> >>>> I don't have lab hours but will try to get some topology built next weekend.
> >>>> Want to check with smart men and women if the link below can solve this?
> >>>> Especially the traffic going out and coming back is stateful.
> >>>> https://learningnetwork.cisco.com/thread/54245?start=0&tstart=0
> >>>> yuri
> >>>>
> >>>>
> >>>>
> >>>>
Received on Sat Apr 25 2015 - 09:56:37 ART
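
An added example, not part of the thread or written by its participants: a small Python consistency check over the tracking-related lines of the configuration posted above. It cross-references each track object with the ip sla it depends on and with the next hops it guards in the route-map and the static routes; the function name `audit_tracking` and the finding strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Tracking-related lines copied from the configuration posted in the thread.
CONFIG = """\
ip sla 51
 icmp-echo 60.22.210.210 source-ip 10.199.199.52
ip sla schedule 51 life forever start-time now
ip sla 52
 icmp-echo 54.10.14.110 source-ip 10.199.199.52
ip sla schedule 52 life forever start-time now
track 51 ip sla 51 reachability
track 52 ip sla 52 reachability
route-map TEST permit 10
 set ip next-hop verify-availability 72.100.121.81 1 track 51
 set ip next-hop verify-availability 72.100.121.81 2 track 52
 set ip next-hop 10.5.11.2
ip route 0.0.0.0 0.0.0.0 72.100.121.81 track 51
ip route 0.0.0.0 0.0.0.0 58.148.120.254 50 track 52
"""

def audit_tracking(config):
    """Cross-reference ip sla, track, route-map and static-route lines."""
    sla, scheduled, track_sla = set(), set(), {}
    guarded = defaultdict(set)  # track id -> next hops that depend on it
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"ip sla (\d+)", line):
            sla.add(m[1])
        elif m := re.match(r"ip sla schedule (\d+) ", line):
            scheduled.add(m[1])
        elif m := re.match(r"track (\d+) ip sla (\d+)", line):
            track_sla[m[1]] = m[2]
        elif m := re.match(r"set ip next-hop verify-availability (\S+) \d+ track (\d+)", line):
            guarded[m[2]].add(m[1])
        elif m := re.match(r"ip route \S+ \S+ (\S+)(?: \d+)? track (\d+)", line):
            guarded[m[2]].add(m[1])
    findings = []
    for t, hops in sorted(guarded.items()):
        if t not in track_sla:
            findings.append(f"track {t}: referenced but not defined")
        elif track_sla[t] not in sla or track_sla[t] not in scheduled:
            findings.append(f"track {t}: ip sla {track_sla[t]} missing or unscheduled")
        if len(hops) > 1:
            findings.append(f"track {t}: guards different next hops {sorted(hops)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_tracking(CONFIG)))
```

The check reports only structural inconsistencies between the lines; the thread does not establish whether any of them explains the behaviour the poster saw.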