I have a 3448 running R10.9.0.E. There are two WANs (one on ETH 0/1, the other on ETH 0/2), and I have failover working like it should. I have admin access enabled on both WANs, but I can only get in on the secondary WAN when the primary WAN has failed. I believe this is by design and I have to set up a route-map. I'm hoping someone can confirm this or tell me if there is a better way to do it.
ip access-list extended WAN2-ADMIN-ACCESS
permit ip host X.X.X.X host Y.Y.Y.Y (where X.X.X.X is where I need to access from and Y.Y.Y.Y is the IP of my second WAN)
route-map SECOND-WAN permit 10
match ip address WAN2-ADMIN-ACCESS
set ip next-hop Y.Y.Y.Z (default gateway of WAN2)
interface eth 0/2
ip policy route-map SECOND-WAN
Since I already have the admin-access rule working when WAN2 is up, this should be all I need, correct?
Please let me know if you need any more info or if there is a better way to do this.
Thanks for your help
craig
Thanks for posting your question on the forum!
You are definitely on the right track regarding your configuration. I'm just going to suggest a couple of changes:
- The ACL should actually reference the reverse traffic. Your traffic is hitting the router but is then being sent out the primary connection. In this case the ACL should look like this:
ip access-list extended WAN2-ADMIN-ACCESS
permit ip host Y.Y.Y.Y host X.X.X.X (where X.X.X.X is where I need to access from and Y.Y.Y.Y is the IP of my second WAN)
- Your route-map needs to be applied to the router locally. This is because admin access traffic is destined to and sourced from the router itself.
ip local policy route-map SECOND-WAN
- You will need to disable RPF check on the public WAN access-policies
no ip policy-class <policy-class Name> rpf-check
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
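A small Python model, added here and not taken from either post, of the two forwarding decisions Noor describes: the local policy route-map steering the router's own reply traffic, and the RPF check on the WAN2 policy-class. The addresses are placeholders from documentation ranges standing in for X.X.X.X, Y.Y.Y.Y and Y.Y.Y.Z, and the RPF check is modelled as a strict reverse-path check (an assumption about the device's behaviour).

```python
# Added example (not from the thread): model of AOS-style local policy routing
# and an RPF check, applied to the admin session discussed above.
# Addresses are constructed placeholders for the X/Y values in the posts.
from ipaddress import ip_address, ip_network

ADMIN_HOST = ip_address("203.0.113.10")   # X.X.X.X, where admin connects from
WAN2_IP    = ip_address("198.51.100.2")   # Y.Y.Y.Y, router's second WAN address
WAN1_GW    = ip_address("192.0.2.1")      # default gateway on eth 0/1
WAN2_GW    = ip_address("198.51.100.1")   # Y.Y.Y.Z, default gateway on eth 0/2

# Routing table while both links are up: a single default route via WAN1.
ROUTES = [(ip_network("0.0.0.0/0"), "eth 0/1", WAN1_GW)]

def lookup(dst):
    """Longest-prefix match; returns (egress interface, next hop)."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def acl_permits(acl, src, dst):
    """Extended ACL modelled as a list of (src_host, dst_host) permit entries."""
    return any(src == s and dst == d for s, d in acl)

def egress_for_local_reply(acl, src, dst):
    """Where the router sends traffic it originates itself under
    'ip local policy route-map SECOND-WAN', whose single entry matches `acl`
    and sets the next hop to the WAN2 gateway."""
    if acl_permits(acl, src, dst):
        return "eth 0/2", WAN2_GW           # policy-routed out WAN2
    return lookup(dst)                      # otherwise the normal route lookup

def rpf_check_passes(ingress_iface, src):
    """Strict RPF (assumed): the best route back to the source must leave via
    the interface the packet arrived on."""
    return lookup(src)[0] == ingress_iface

# Craig's original ACL (admin -> WAN2) vs Noor's reversed ACL (WAN2 -> admin)
ACL_ORIGINAL = [(ADMIN_HOST, WAN2_IP)]
ACL_REVERSED = [(WAN2_IP, ADMIN_HOST)]

if __name__ == "__main__":
    # Replies are sourced from the router's WAN2 address, so only the reversed
    # ACL matches them and steers them back out eth 0/2.
    print(egress_for_local_reply(ACL_ORIGINAL, WAN2_IP, ADMIN_HOST)[0])  # eth 0/1
    print(egress_for_local_reply(ACL_REVERSED, WAN2_IP, ADMIN_HOST)[0])  # eth 0/2
    # The request arrives on eth 0/2, but the route back to the admin host
    # points at eth 0/1, so a strict RPF check on the WAN2 policy-class fails.
    print(rpf_check_passes("eth 0/2", ADMIN_HOST))  # False
```

With the original ACL the reply leaves via WAN1 with a WAN2 source address, which is exactly the asymmetric path the answer describes; disabling rpf-check on the public policy-class means the router will no longer drop the inbound leg for the same reason, so the admin-access ACL is what limits who can reach the WAN2 address.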
Thanks, Noor, that did the trick!