The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Probe/track for redundant internet where the router is not the edge device

Jump to solution

Good afternoon Adtran Support,

I have a question regarding the configuration of probe/track so that I can divert internet traffic from one location to another, across a point-to-point link. Allow me to set the background and then describe what I have, then my question will actually be at the end.

I have 3 sites - A (10.0.0.0 /24), B (10.1.0.0 /24), C (10.2.0.0 /24). Each of the sites has it's own internet circuit that connects into a firewall (IPs of X.X.X.254), which is then connected to an Adtran router (NV3305 to be precise). Site A is considered the 'main' site while both sites B and C are connected to A via point to point T1 circuits. As it stands, at each site, I have a default route in the Adtran NV3305 that points internet traffic to the LAN address of the firewall. At the request of the customer, they want to implement "internet redundancy" without purchasing additional internet circuits - which is what I had suggested. As an alternative, they want me to configure the routers to send internet traffic from one site to the other, should a particular site's internet cease working. For instance, should the internet circuit go down in site A, they want all internet traffic to stop flowing to the firewall at Site A and instead traverse the point-to-point and go out Site B's firewall.

I think that I can do this with a probe/track configuration. Below is what I will configure (IPs have been changed to protect the innocent):

probe Internet_Track icmp-echo

     period 3

     destination 4.2.2.2

     source-address 10.0.0.1

     tolerance consecutive fail 3 pass 3

     no shut

track Internet_Track

     snmp trap state-change

     test if probe Internet_Track

     no shut

My question is, do I follow that track and probe up with:

ip route 0.0.0.0 0.0.0.0 10.0.0.254 track Internet_Track

ip route 0.0.0.0 0.0.0.0 10.1.0.0.254 100

Is that correct - putting a weighted route in place to push the internet traffic to the firewall of the other site?

I greatly appreciate your assistance. I could probably pull this off by configuring some conditional routing the in firewalls - but I prefer to keep as much layer 3 functionality off of the firewall devices.

Thanks!

Brian Williams

Labels (2)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Probe/track for redundant internet where the router is not the edge device

Jump to solution

Brian,

Thanks for posting your question on the forum! You are definitely on the right track with your failover configuration. However, there are a couple of suggestions that I would like to make:

1. The weighted route statement should actually point to the next-hop across the T1. In this case, that IP address should be the WAN IP address of the T1 interface at Site B. For example, let's say that that Site A's T1 WAN IP is 192.168.1.1 and Site B's T1 WAN IP is 192.168.1.2, the route statements would like like this:

ip route 0.0.0.0 0.0.0.0 10.0.0.254 track Internet_Track

ip route 0.0.0.0 0.0.0.0 192.168.2.1 100

2. You will need to add a route-map to your configuration. This route map will ensure that the ping probe is continuously testing Site A's internet connection even when internet is failed over. This will allow the internet to fail back over once Site A's internet connection is re-established. Without the route-map, the router will begin to flap between the 2 connections. Below are instructions and an example of how to set up the route-map.

- Create an access list to match the ICMP traffic being sent from the probe.

Syntax: ip access-list extended <list name>

EX: (config)# ip access-list extended pingprobe

Syntax: permit icmp any <destination IP of probe>

EX: (config-ext-nacl)# permit icmp any 4.2.2.2

- Create a route-map to force the ICMP traffic out of the primary interface.

This will be critical because if the probe fails over along with the rest of the traffic, it will pass and the failover will be negated.

Syntax: route-map <map name> permit <sequence number>

EX: (config)# route-map ICMP permit 10

Syntax: match ip address <ACL name>

EX: (config-route-map)# match IP address pingprobe

Syntax: set ip next-hop <default gateway of primary interface>

EX: (config-route-map)# set ip next-hop 208.61.209.2

- Assign the route map globally to the router.

This will force all traffic generated by the router that matches the ACL out of the primary interface.

Syntax: ip local policy route-map <route map name>

EX: (config)# ip local policy route-map ICMP

Further details on how to set up redundancy using network monitoring can be found in this guide: Configuring WAN Failover with Network Monitor in AOS

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

View solution in original post

0 Kudos
2 Replies
Anonymous
Not applicable

Re: Probe/track for redundant internet where the router is not the edge device

Jump to solution

Brian,

Thanks for posting your question on the forum! You are definitely on the right track with your failover configuration. However, there are a couple of suggestions that I would like to make:

1. The weighted route statement should actually point to the next-hop across the T1. In this case, that IP address should be the WAN IP address of the T1 interface at Site B. For example, let's say that that Site A's T1 WAN IP is 192.168.1.1 and Site B's T1 WAN IP is 192.168.1.2, the route statements would like like this:

ip route 0.0.0.0 0.0.0.0 10.0.0.254 track Internet_Track

ip route 0.0.0.0 0.0.0.0 192.168.2.1 100

2. You will need to add a route-map to your configuration. This route map will ensure that the ping probe is continuously testing Site A's internet connection even when internet is failed over. This will allow the internet to fail back over once Site A's internet connection is re-established. Without the route-map, the router will begin to flap between the 2 connections. Below are instructions and an example of how to set up the route-map.

- Create an access list to match the ICMP traffic being sent from the probe.

Syntax: ip access-list extended <list name>

EX: (config)# ip access-list extended pingprobe

Syntax: permit icmp any <destination IP of probe>

EX: (config-ext-nacl)# permit icmp any 4.2.2.2

- Create a route-map to force the ICMP traffic out of the primary interface.

This will be critical because if the probe fails over along with the rest of the traffic, it will pass and the failover will be negated.

Syntax: route-map <map name> permit <sequence number>

EX: (config)# route-map ICMP permit 10

Syntax: match ip address <ACL name>

EX: (config-route-map)# match IP address pingprobe

Syntax: set ip next-hop <default gateway of primary interface>

EX: (config-route-map)# set ip next-hop 208.61.209.2

- Assign the route map globally to the router.

This will force all traffic generated by the router that matches the ACL out of the primary interface.

Syntax: ip local policy route-map <route map name>

EX: (config)# ip local policy route-map ICMP

Further details on how to set up redundancy using network monitoring can be found in this guide: Configuring WAN Failover with Network Monitor in AOS

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

0 Kudos
Anonymous
Not applicable

Re: Probe/track for redundant internet where the router is not the edge device

Jump to solution

Many thanks! It makes a lot more sense now. I greatly appreciate your assistance.