Menu

Cisco FTD || PBR configuration with failover

Needed to setup policy based routing (PBR) on FTD with failover capabilities and could not find any reference but only bits and pieces. Some of the Cisco docs were even misleading, so it took a bit to get it to work.

Setup: 2 ISPs, primary to be used by Production traffic and secondary to be used by Guest. In case of either circuit failure, routing is expected to dynamically switch to the other ISP.

Production setup is straightforward, set tracking on the primary default route, and in case of a failure waited secondary default route becomes active.

Guest setup required PBR to force traffic to the secondary ISP; however failover mechanism setup was tricky.

First, I’ve tried setting Egress Interface > Order. That forced Guest to ISP2, but the failover was not working.

Then I’ve tried Egress Interface > Minimal Packet Loss, thinking if the ISP is down, it will detect it as packet loss and failover. However, instead it started load sharing outbound traffic across both ISPs. I also tried messing with Interface priorities and path monitoring, but no luck.

My final working config had to include the following.

  1. PBR configuration had to be set to Sent to: IP Address, IPv4 setting blank, Peer  Address set to ISP 2 gateway with Sequence and Track value. Sequence was set to 5, and I picked a random Track number (in my testing 105). When I’ve applied new PBR config PBR traffic forwarding stopped working. Looking at PBR route-map I found track 105 as [undefined]
  2. How would I define this tracking? I tried just creating it in FMC GUI, but even so Track number matched it still would not apply it to FTD.
  3. The only way of forcing a specific Track number to FTD that I knew was to associate it with a route. So what I did was attach it to the backup ISP2 default route. I could not define the track number, so I had to apply config to FTD first and then pull it from CLI to use it in PBR. I was not sure what IP to use for this tracking. It had to be a reliable, anycast IP address, and I’ve decided to use Cisco Umbrella public IPs (208.67.222.222 and 208.67.220.220)
  4. Once I had Track number value I’ve added it to my PBR Guest config. Tracking was up and PBR was working.

In case of ISP2 failure, track 3 would fail, causing PRB next-hop availability check to fail and force traffic to global default routing.

 

Post Navigation

Cisco FTD || Change ACP access-list in CLI

Leave a reply:

Your email address will not be published.

Site Footer

FINKOTEK.COM © 2019

Sliding Sidebar

Tags

4100 Alerts Anyconnect Avaya BIG-IP LTM Bridge Interface BYOD Catalyst 9k CEO fraud Certificates Cisco ASA Cisco FirePOWER Cisco ISE Cisco Nexus Cluster Configuration DNAC DUO Dynamic VPN email scam ESA eStreamer FirePOWER FMC FTD Guest License LWAP Mobility Express Policy pxGrid Reporting restore SMA SNMP SNTC Sourcefire Threat Defense Troubleshooting update upgrade User Agent VPN WLC Zone

Disclaimer

Privacy