I recently came across this scenario where a customer had two internet links terminating on his ASA from two different ISPs. If his primary link (ISP2) was unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows you how to configure a firewall having two internet links using the SLA monitoring feature to get the required redundancy for the Site-to-Site VPN.
The site having two ISPs (in this case, FW2) is the one that needs major changes. Basic site-to-site configuration remains the same and only additional configuration for the backup peer IP 126.96.36.199 is covered under this post.
188.8.131.52 is the primary peer IP for this VPN whose configuration is already in place and the tunnel is up and working.
1. Create tunnel group for the backup peer IP.tunnel-group 184.108.40.206 type ipsec-l2l tunnel-group 220.127.116.11 ipsec-attributes ikev1 pre-shared-key cisco
2. Add the backup peer IP to the existing crypto map for 18.104.22.168 and make sure the connection-type is set to bi-directional (which is the default).crypto map outside_map 10 set peer 22.214.171.124 126.96.36.199 crypto map outside_map 10 set connection-type bi-directional
Interface configuration on FW2 firewall.interface GigabitEthernet0 description Connected to ISP2 - Primary link nameif outside security-level 0 ip address 188.8.131.52 255.255.255.0 ! interface GigabitEthernet1 description Connected to ISP3 - Backup link nameif outside2 security-level 0 ip address 184.108.40.206 255.255.255.0
1. Create an SLA monitor to monitor the gateway IP of ISP2 (primary link). Add a default route pointing towards the gateway IP of ISP3 (secondary link) with an AD value 254. Track it using the SLA monitor.sla monitor 10 type echo protocol ipIcmpEcho 220.127.116.11 interface outside frequency 5 sla monitor schedule 10 life forever start-time now ! track 1 rtr 10 reachability ! route outside 0.0.0.0 0.0.0.0 18.104.22.168 1 track 1 route outside2 0.0.0.0 0.0.0.0 22.214.171.124 254
2. IKEv1 and ‘crypto map outside_map’ is already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will be terminating the VPN and the following needs to be done for the VPN to establish. Also check for the connection-type which should be set to bi-directional (be default).
Enable ‘crypto ikev1’ and apply the ‘outside_map’ on the outside2 interface;
Existing config:crypto ikev1 enable outside crypto map outside_map interface outside crypto map outside_map 10 set connection-type bi-directional
Additional config:crypto ikev1 enable outside2 crypto map outside_map interface outside2
3. Create additional NAT statements for outside2 interface mirroring with your existing NAT.
Existing NAT:nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup nat (inside,outside) after-auto source dynamic any interface
Additional NAT:nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup nat (inside,outside2) after-auto source dynamic any interface
Generally Cisco ASA has one Management interface and four Gigabit Interfaces, but in modern systems and scalable Infrastructures you will need more than four Interfaces. To overcome this limitation you can configure some VLANs and trunk them to an Interfaces. This was a standard solution to this problem, however since ASA version 8.4.2 you are able to use Ether Channel to solve this problem.
The benefit of Ether Channel or Port Channel is that you are able to configure redundancy and load balancing in the same time; all four ASA Interfaces will be bundle to a link in the Layer 2 then you assign all VLANs directly to the Port Channel and so they applied to all Interfaces of ASA .
The ASA distributes the traffics to all Interfaces, which means you have the functioning Load balancing, furthermore if you lost one or two Interface the whole traffics will be distribute to the Interfaces which are available.
If you run the Port Channel on the ASA then you are permitted to make up to 200 VLANs.
The Port Channel’s configuration is not really tricky but it is a little bit complex and it will be best if you keep the history of what you have changed to not lose overview of what and why you actually configured.
Here you can see the Port Channel configuration on an ASA 5540 and a Catalyst 2960.
OK, first of all you have the configure the Port Channel on the Catalyst; it is very simple something like that:
! interface Port-channel1 switchport mode trunk !
Then I apply the Port Channel configuration, to four catalysts Interfaces which are connected to the ASA (in this case GigabitEthernet1/12 till GigabitEthernet1/15 :
! interface GigabitEthernet1/12 description UpLink to ASA switchport mode trunk channel-group 1 mode on ! interface GigabitEthernet1/13 description UpLink to ASA switchport mode trunk channel-group 1 mode on ! interface GigabitEthernet1/14 description UpLink to ASA switchport mode trunk channel-group 1 mode on ! interface GigabitEthernet1/15 description UpLink to ASA switchport mode trunk channel-group 1 mode on !
Ok we are finish with catalyst configuration; now let’s go to the ASA
Now we have to create the Port Channel:
! interface Port-channel1 no nameif no security-level no ip address !
! interface GigabitEthernet0 channel-group 1 mode on no nameif no security-level no ip address ! interface GigabitEthernet1 channel-group 1 mode on no nameif no security-level no ip address ! interface GigabitEthernet2 channel-group 1 mode on no nameif no security-level no ip address ! interface GigabitEthernet3 channel-group 1 mode on no nameif no security-level no ip address !
! interface Port-channel1.10 vlan 10 nameif inside security-level 100 ip address 192.168.XX.XXX 255.255.255.0 !
! interface Port-channel1.1000 vlan 1000 nameif OUTSIDE security-level 0 ip address dhcp setroute !
It is important to have the same VLAN’s number and VLAN’s ID of both side, there when you have a new VLAN you should apply that configuration in Catalyst first. For debugging and control the Port Channels you can use the :
show port-channel summary Number of channel-groups in use: 1 Group Port-channel Protocol Ports ------+-------------+-----------+------------------------------------- 1 Po1(U) LACP Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi0/3(P)
The command displays the number of Port Channel group and which Interfaces are member to this ; furthermore you can see the Channel-Group Protocol LACP ( Link Aggregation Control Protocol) ;you have to consider that Cisco ASA support LACP only (no PAgP ) ; you get more useful information by using :
Show port-channel detail
Group: 1 ---------- Ports: 4 Maxports = 16 you see we use four Interfaces (Ports 4) you can extend that up to 16 Physical Interfaces Port-channels: 1 Max Port-channels= 48 you can configure 48 different Port Channel group Protocol: LACP/ active Minimum Links: 2 this is the minimum number of physical Interfaces for a Port Channel Group Maximum Bundle: 8 you can put maximal 8 physical Interface to a Port Channel Load balance: src-dst-ip Ports in the group: -------------------
For the Catalyst I prefer to use the :
sho etherchannel port-channel
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
sho etherchannel port-channel Channel-group listing: ---------------------- Group: 1 ---------- Port-channels in the group: --------------------------- Port-channel: Po1 (Primary Aggregator) ------------ Age of the Port-channel = 761d:02h:50m:21s Logical slot/port = 5/1 Number of ports = 4 HotStandBy port = null Port state = Port-channel Ag-Inuse Protocol = LACP Port security = Disabled Ports in the Port-channel: Index Load Port EC state No of bits ------+------+------+------------------+----------- 0 00 Gi1/0/45 Active 0 0 00 Gi1/0/46 Active 0 0 00 Gi1/0/47 Active 0 0 00 Gi1/0/48 Active 0 Time since last port bundled: 749d:02h:28m:31s Gi1/0/46
Just as the commands in the ASA , the catalyst will show you now the number of Port Channel , port channel status and the physical Interfaces which are applied to this Port Channel group .
Don’t worry about the Spanning-tree Protocol (STP ) on the Catalyst , the STP counts the four EtherChannel’s Interfaces as “one” link like a single port so no member of the EtherChannel will be blocked from STP to prevent looping , I personally use the portfast for each Port Channel member Interface but you have to modify the command for a trunk interface :
spanning-tree portfast trunk
Have you ever heard the terms “four nines” or “five nines” when dealing with customers or providers? It’s commonplace to hear these phrases which describe availability or uptime within various pieces of a network. Four nines means a network will be available for service 99.99% of the time within the Service Level Timeframe (SLT). Four nines equates to approximately 1 hour (53 minutes) of downtime per year. That’s not an easy number to make in a lot of networks! There are many things that you can do to help you reach your “uptime” goals like putting in physical redundancy, using battery backups and having staff no more than a minute away to fix a problem. You can also configure logical redundancy or fault tolerance in the form of HSRP or VRRP on routers throughout your network. This article will go through a brief overview of each technology and show you how to configure it.
An Overview of HSRP
The Hot Standby Router Protocol (HSRP) is a Cisco protocol which, as detailed in
RFC 2281, allows multiple client gateways to be configured as one “virtual” router. This “virtual” router is configured with a single IP address which is shared among the group along with a virtual MAC address. The idea behind this is, of course, that the client sees its one gateway even if that gateway fails. HSRP elects an active router which forwards the client’s IP packets. A backup or standby router can be configured to take over the forwarding of packets in the event that the active router fails. To track each other, HSRP uses multicast to send its HSRP updates and hellos. I could go on and on about HSRP, but I said this would be brief!
An Overview of VRRP
Chances are, if you have a multi-vendor environment and desire the same benefits of HSRP, you will configure the Virtual Router Redundancy Protocol (VRRP) to do this. VRRP, detailed in RFC 3768, operates in the same manner as HSRP does by electing an Active router called the Master among a group of routers and allowing it to be the “keeper” of a virtual IP and MAC. As with HSRP a failure would trigger the standby router (backup) to then become the Master and subsequently forward the client’s traffic. VRRP also uses multicast for its hello mechanism and elections, but unlike HSRP* which uses 126.96.36.199 (This subnet) VRRP uses 188.8.131.52.
*Note: HSRPv2 uses 184.108.40.206
Now that you have a basic understanding on how each protocol works, let’s look at how to configure them on your Cisco router.
Diagram – 1
Using the diagram above we are going to configure R1 and R2 for HSRP using the virtual IP address of 220.127.116.11 using an authentication key of cisco.
R1 R1(config)# interface e0 R1(config-if)# description R1 Ethernet interface for HSRP example – Active R1(config-if)# ip address 18.104.22.168 255.255.255.0 R1(config-if)# standby 1 ip 22.214.171.124 R1(config-if)# standby 1 priority 110 R1(config-if)# standby 1 preempt R1(config-if)# standby 1 authentication cisco R1(config-if)# no shut R1(config)# router ospf 1 R1(config-router)# network 126.96.36.199 0.0.0.255 area 188.8.131.52 R1(config-router)# network 184.108.40.206 0.0.0.3 area 0.0.0.0 R2 R2(config)# interface e0 R2(config-if)# description R2 Ethernet interface for HSRP example – Standby R2(config-if)# ip address 220.127.116.11 255.255.255.0 R2(config-if)# standby 1 ip 18.104.22.168 R2(config-if)# standby 1 preempt R2(config-if)# standby 1 authentication cisco R2(config-if)# no shut R2(config)# router ospf 1 R2(config-router)# network 22.214.171.124 0.0.0.255 area 126.96.36.199 R2(config-router)# network 188.8.131.52 0.0.0.3 area 0.0.0.0
We have now configured R1 and R2 for HSRP using the virtual IP address of 184.108.40.206 and the authentication key of cisco. Now let’s take a look at how to configure VRRP using Diagram 1.
R1 R1(config)# interface ethernet0 R1(config-if)# description R1 Ethernet interface for VRRP example – Master R1(config-if)# ip address 220.127.116.11 255.255.255.0 R1(config-if)# vrrp 1 ip 18.104.22.168 R1(config-if)# vrrp 1 priority 110 R1(config-if)# vrrp 1 authentication cisco R1(config-if)# no shut R1(config)# router ospf 1 R1(config-router)# network 22.214.171.124 0.0.0.255 area 126.96.36.199 R1(config-router)# network 188.8.131.52 0.0.0.3 area 0.0.0.0 R2 R2(config)# interface e0 R2(config-if)# description R2 Ethernet interface for VRRP example – Backup R2(config-if)# ip address 184.108.40.206 255.255.255.0 R2(config-if)# vrrp 1 ip 220.127.116.11 R2(config-if)# vrrp 1 authentication cisco R2(config-if)# no shut R2(config)# router ospf 1 R2(config-router)# network 18.104.22.168 0.0.0.255 area 22.214.171.124 R2(config-router)# network 126.96.36.199 0.0.0.3 area 0.0.0.0
We have now configured both HSRP and VRRP on R1 and R2. Notice in the VRRP example that I did not use the vrrp group preempt command as I did in the HSRP example. This is because preempt is enabled by default for VRRP. If there’s a case when you need to turn preempting off, use the command no vrrp group preempt.