Tuesday, October 24, 2017

Cisco IP SLA

I did an IP SLA configuration on two Cisco 4500s the other day. It's really a great solution for multi-path or dual-ISP setups if you don't run a routing protocol. See below for the config and some notes.

Topology: (diagram not reproduced; the addresses are listed in the Notes below)
Config for Site 1:
ip sla 1
icmp-echo 10.15.0.2 source-ip 10.15.0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 10.20.3.0 255.255.255.0 10.15.0.2 track 1
ip route 10.20.3.0 255.255.255.0 10.0.10.5 10

Config for Site 2:
ip sla 1
icmp-echo 10.15.0.1 source-ip 10.15.0.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 10.20.15.0 255.255.255.0 10.15.0.1 track 1
ip route 10.20.15.0 255.255.255.0 10.20.3.253 10


Notes:
10.15.0.2 is the IP address on the Site 2 fiber port.
10.15.0.1 is the IP address on the Site 1 fiber port.
10.0.10.5 is the IP address on the Site 1 LAN firewall port.
10.20.3.253 is the IP address on the Site 2 LAN firewall port.
The idea: each switch pings the far end of the fiber every 3 seconds (frequency 3) and counts the probe as failed if no reply arrives within 1 second (timeout 1000). While the probe gets a reply, track 1 is up and the tracked static route (administrative distance 1) is installed. When the probe times out, track 1 goes down, the tracked route is withdrawn, and the floating static route with administrative distance 10 takes over, sending traffic for the remote LAN to the local firewall, which carries it across the site-to-site VPN. When the fiber comes back, the tracked route is reinstalled and wins again because of its lower distance.
A few things to watch. First, threshold 2 is a 2 ms threshold and the measured RTT is 4 ms, so the operation's return code is "Over threshold" rather than "OK". That does not matter for "track 1 ip sla 1 reachability", which only cares whether a reply came back, but it would matter if you tracked "ip sla 1 state" instead, which treats over-threshold as down. Set the threshold above the expected RTT (or leave it at the default) so the return code means something. Second, with no delay on the track object a single lost reply flips the routes; "delay down 10 up 30" under "track 1" damps flapping. Third, the probe only tests the peer's fiber interface, not the remote LAN behind it, so a failure beyond that interface will not trigger failover. Finally, the probe depends on the far side answering ICMP: an ACL or control-plane policing that drops or rate-limits ICMP on the fiber interface will cause a failover even though the link is fine.

Site 1 4500:
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    1 change, last change 00:02:09
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    Static IP Routing 0
Switch#sh ip route
...
S        10.20.3.0/24 [1/0] via 10.15.0.2

Switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan 99
Switch(config-if)#shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Down
    2 changes, last change 00:00:02
  Latest operation return code: Timeout
  Tracked by:
    Static IP Routing 0
Switch#sh ip route
...
S        10.20.3.0/24 [10/0] via 10.0.10.5

Switch(config)#int vlan 99
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    Static IP Routing 0

Switch#sh ip route
...
S        10.20.3.0/24 [1/0] via 10.15.0.2
Switch#
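To make the failover logic concrete, here is an added Python model (not code from the original post or from Cisco) of the decision chain the notes describe: probe result to return code, return code to track state, track state to which static route the RIB installs. It also parses the "sh track" output shown above. All function names are this example's own; the threshold, timeout and routes are the post's values.

```python
"""Model of the IOS IP SLA / object-tracking decision chain used above.

Added example, not code from the original post or from Cisco. It reproduces
the semantics described in the Notes (probe -> return code -> track state ->
route selection) and parses the 'sh track' output shown on the page, so you
can see why an RTT over the 2 ms threshold still leaves the fiber route in
place. All function names here are this example's own.
"""
import re

# Values from the post's configuration.
THRESHOLD_MS = 2
TIMEOUT_MS = 1000
FREQUENCY_S = 3


def return_code(rtt_ms):
    """Return the IP SLA return code for one icmp-echo probe.

    rtt_ms is None when no reply arrived before the timeout.
    """
    if rtt_ms is None or rtt_ms > TIMEOUT_MS:
        return "Timeout"
    if rtt_ms > THRESHOLD_MS:
        return "Over threshold"
    return "OK"


def reachability_up(code):
    """'track N ip sla N reachability': up as long as a reply came back."""
    return code in ("OK", "Over threshold")


def state_up(code):
    """'track N ip sla N state': up only when the operation is fully OK."""
    return code == "OK"


# Site 1 static routes as (prefix, next hop, administrative distance, track id).
SITE1_ROUTES = [
    ("10.20.3.0/24", "10.15.0.2", 1, 1),      # tracked route over the fiber
    ("10.20.3.0/24", "10.0.10.5", 10, None),  # floating route via firewall/VPN
]


def select_next_hop(routes, track_states):
    """Return (next_hop, distance) the RIB installs for the prefix.

    A route whose track object is down is withdrawn; among the remaining
    routes the lowest administrative distance wins, as in 'sh ip route'.
    """
    candidates = [
        r for r in routes
        if r[3] is None or track_states.get(r[3], False)
    ]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r[2])
    return best[1], best[2]


def failover_from_rtts(rtts_ms):
    """Walk a series of probe results and report the route chosen after each."""
    chosen = []
    for rtt in rtts_ms:
        code = return_code(rtt)
        up = reachability_up(code)
        chosen.append((code, select_next_hop(SITE1_ROUTES, {1: up})))
    return chosen


TRACK_RE = re.compile(
    r"Reachability is (?P<reach>Up|Down).*?"
    r"Latest operation return code: (?P<code>[^\n]+)",
    re.S,
)


def parse_show_track(text):
    """Extract reachability and return code from 'sh track' output."""
    m = TRACK_RE.search(text)
    if not m:
        raise ValueError("not a 'sh track' output")
    return {"reachability": m.group("reach") == "Up",
            "return_code": m.group("code").strip()}


# Constructed copy of the 'sh track' output shown in the post.
SAMPLE_SHOW_TRACK_UP = """Track 1
  IP SLA 1 reachability
  Reachability is Up
    1 change, last change 00:02:09
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    Static IP Routing 0
"""

if __name__ == "__main__":
    print(parse_show_track(SAMPLE_SHOW_TRACK_UP))
    # RTT 4 ms (over threshold), fiber cut (no reply), back at 4 ms.
    for code, route in failover_from_rtts([4, None, 4]):
        print(f"{code:15s} -> {route}")
```

Running it walks the same sequence as the "shut" / "no shut" test above: the 4 ms probe returns "Over threshold" but keeps the fiber route at distance 1, the timeout withdraws it and installs the firewall route at distance 10, and the next good reply restores the fiber route. Swap reachability_up for state_up in failover_from_rtts to see how a 2 ms threshold would have kept the route down the whole time.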


Friday, October 20, 2017

VPN: IKEv1 And IKEv2

While configuring some VPNs today, the question came up about using IKEv1 vs IKEv2. I don't want to get into the technical details about the differences between the two (I'll do that in the next post), but I do want you to know that the two are not compatible with each other. So if you use IKEv2 on one side, you have to use it on the other side as well.

Thursday, October 12, 2017

Cisco ASR920 Problem

This was an interesting evening. I went onsite to a customer and put in one of those TZ600 SonicWall firewalls I had just configured. Once I got it in place, I noticed the normal ARP issue that you have on the next-hop router, so I rebooted the ISP router. As it turns out, there is a firmware issue on these Cisco ASR920 routers: when you reboot the system with fiber modules in the ASR, it can cause an issue forwarding traffic, even though the interfaces are up. The fix? Literally pull out the GBIC modules and re-seat them. All OK after that.



Monday, October 9, 2017

Two SonicWall TZ600s

This week, I have two SonicWall TZ600 firewalls to get set up for a company. They will have a site-to-site VPN and will provide these small offices with some security. It's certainly not an enterprise solution, but OK for small offices like these.

Sunday, October 8, 2017