There are often requests for information regarding Cisco failovers. The following seems to work with 12.4 and higher. It should also work with 12.3, but this has not been tested.
Cisco provides a little known item called a tracking object. None of the following can be done through the SDM. It must be done through the CLI, however, it's recommended that you do everything through the CLI. The SDM has some interesting inadequacies (for another article).
You will need at least two remote IPs to use as a test. For example, you can use 4.2.2.1 for the first and 4.2.2.2 for the second. These two IPs are never down. You will need to create a host static route for each of the IPs going out the interface to test. There is an example of this in the config. Also included are the overload statements.
Hopefully the following helps. If you know if a better way to do this, please share it here. This was created using a known good configuration of a real client.
LEGEND
- your_first_test_ip = the ip you will use to test your primary connection.
- your _second_test_ip = the ip you will use to test your secondary connection.
- your_primary_firsthop_ip = the first outside hop of your primary connection. Default route for primary connection.
- your_secondary_firsthop_ip = the first outside hop of your secondary connection. Default route for secondary connection.
- primary_interface = the interface name of your primary Internet connection.
- secondary_interface = the interface name of your secondary Internet connection.
- internal_ip_range = ip range of your internal devices.
This sample config assumes 2 connections. Once secondary and one primary.
Config:
IP sla monitor 1
type echo protocol ipIcmpEcho your_first_test_ip source-ipaddr your_source_ip
timeout 2000
threshold 2000
frequency 3
IP sla monitor schedule 1 life forever start-time now
IP sla monitor 2
type echo protocol ipIcmpEcho your_second_test_ip source-ipaddr your_source_ip
timeout 2000
threshold 2000
frequency 3
IP sla monitor schedule 2 life forever start-time now
track 100 rtr 1 reachability
track 200 rtr 2 reachability
IP route 0.0.0.0 0.0.0.0 your_primary_firsthop_ip track 100
IP route 0.0.0.0 0.0.0.0 your_secondary_firsthop_ip track 200
IP route your_first_test_ip 255.255.255.255 your_primary_firsthop_ip
IP route your_second_test_ip 255.255.255.255 your_secondary_firsthop_ip
IP nat inside source route-map primary interface primary_interface overload
IP nat inside source route-map secondary interface secondary_interface overload
IP access-list extended primary-route
10 permit ip internal_ip_range 0.0.0.255 any
IP access-list extended secondary-route
10 permit ip internal_ip_range 0.0.0.255 any
route-map primary permit 10
match ip address primary-route
set ip next-hop your_primary_firsthop_ip
route-map secondary permit 10
match ip address secondary-route
set ip next-hop your_secondary_firsthop_ip
Two notes for troubleshooting.
Sh track
- This will show you what state your tracking objects are in.
sh ip access-list
- Watch for hits to your acl's. This way you can verify your natting.
