
Dynamic ACL

StaplesMan (Technical User, US; joined Mar 8, 2006):
Is it possible to change an ACL dynamically based on whether an IP address can be reached on the web?

For example, I have a route-map based on source IP address and port numbers, directing packets over two different ISPs, one DSL, the other T1. At times the T1 will go down and I need to switch the access list around to redirect traffic to the DSL line, or the other way around. Keep in mind that the DSL and T1 interfaces never go down, so the router thinks everything is OK.

My thought was that the router could attempt to ping a server on the web over both DSL and T1; if one goes down, it would switch over to the other line.

Any suggestions?

CCNA, A+, HP Certified Professional
 
Just create two access-lists and put them both inbound on both interfaces. Then do a floating static route.

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Actually, my access lists are applied inbound on my internal interface. For example, any traffic that comes from my Exchange server to the web always goes over the T1 (this is directed by the route map), unless the T1 is down, in which case it needs to be redirected to the DSL line. Also, I did not note above, but I am not using NAT because I have a PIX for the DSL and another for the T1 line.

This past week Verizon had a fiber line cut. Because of this we had local connections but nothing outside of Verizon's routers. I had to reconfigure the router to redirect traffic to the DSL, or I could disconnect the network cable going to the T1 PIX, thus allowing the floating route to take effect.

I would like this to happen automatically, so that if it detects that access to the internet is down on one of the ISPs it will redirect over to the other connection.


CCNA, A+, HP Certified Professional
 
there are a few ways we can accomplish this. can you post your scrubbed config from the router?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Fantastic! Below is a much-edited running config; I think it has enough info in it. DSL is connected to a PIX, which connects to Vlan2. The DSL PIX IP is 10.50.0.1. The T1 is connected on FA0/0, and the T1 PIX IP is 192.168.2.1.

access-list 150 defines the systems that go over the T1 line: 10.10.0.5, .6 and .7 go over the T1; all other traffic goes over the DSL line.

If the cable connected to FA0/0 is disconnected, then all goes over DSL, and if Fa0/1/1 is disconnected, all goes over T1.

I would like to make this switching automatic: if the router can no longer communicate out to the web on the T1, all will go over DSL, and the other way around.


version 12.3
!
hostname test
!
ip subnet-zero
ip cef
!
interface FastEthernet0/0
 description Main Network (trunk)
 bandwidth 100000
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.50.1.2 255.255.255.252
 ip virtual-reassembly
 ip policy route-map DSL
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.10.0.2 255.255.255.0
 ip virtual-reassembly
 ip policy route-map DSL
!
interface FastEthernet0/1
 description T1 Internet
 bandwidth 1536
 ip address 192.168.2.2 255.255.255.0
 ip access-group 104 in
 ip access-group 105 out
 ip nbar protocol-discovery
 service-policy output T1_OUT
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 no ip address
!
interface FastEthernet0/1/1
 description DSL
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/1/2
 no ip address
!
interface FastEthernet0/1/3
 no ip address
!
interface Vlan2
 description DSL Internet
 bandwidth 3000
 ip address 10.50.0.100 255.255.255.0
 ip access-group 105 out
 ip nbar protocol-discovery
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 10.50.0.1 50
!
access-list 104 deny ip 192.168.4.0 0.0.0.255 any
access-list 104 permit ip any any
!
access-list 105 deny ip any host 78.159.118.144
access-list 105 deny ip any host 84.16.224.115
access-list 105 deny ip any host 78.47.248.118
access-list 105 permit ip any any
!
access-list 150 deny ip host 10.10.0.5 any
access-list 150 deny udp host 10.10.0.6 any eq domain
access-list 150 deny ip host 10.10.0.7 any
access-list 150 permit ip any any
!
route-map DSL permit 160
 match ip address 150
 set ip default next-hop 10.50.0.1
!


CCNA, A+, HP Certified Professional
 
i have about two minutes to post a response here since i'm traveling today, but i wanted to at least post something. take a look at the following documents; they will give you a pretty good idea of how i'd tackle this problem. your requirements may be a little different, but in the end i think a variation of this may be the best way to go:

i'll check back later tonight when i get back on the ground.

you'll probably want to track the outside interface of your PIXes or the default gateway for each ISP. When you define an IP SLA you can tell it which interface to source the pings from, so you can be sure ICMP traffic destined for ISP1 uses f0/0 and ICMP traffic destined for ISP2 uses f0/1, or something similar.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
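
The approach sketched in the reply above, written out as an added worked example against the posted config. This is not configuration from anyone in the thread and has not been applied to the poster's router. It assumes the `ip sla`, `track ... ip sla` and `ip route ... track` keywords of 12.4(20)T and later; the 12.3 image shown earlier spells the same features `ip sla monitor` / `type echo protocol ipIcmpEcho` and `track ... rtr`, and needs a T-train release for `set ip next-hop verify-availability ... track`. The probe targets 192.0.2.1 and 198.51.100.1 are TEST-NET placeholders for a stable public host beyond each PIX that answers ICMP echo, ACL 151 is a new number chosen so the route-map never matches a half-built list, and the RFC 1918 summaries in it stand in for the poster's real internal address space.

```cisco
! Probe each ISP through its own PIX to a host beyond the PIX. The PIX
! ports never go down, so line state is useless; only reachability counts.
! 192.0.2.1 / 198.51.100.1 are placeholders (TEST-NET): pick a host at each
! ISP that reliably answers ICMP echo.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/1
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Vlan2
 timeout 1000
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Pin each probe target to its ISP. source-interface only sets the source
! address; the echo is still routed by the table. Without these host routes
! the T1 probe would follow the default route out the DSL as soon as the T1
! default is withdrawn, the track would come back up, and the routes would flap.
ip route 192.0.2.1 255.255.255.255 192.168.2.1
ip route 198.51.100.1 255.255.255.255 10.50.0.1
!
! Tracked objects with dampening (seconds): three missed echoes before
! declaring the path down, a full minute of answers before declaring it up.
track 1 ip sla 1 reachability
 delay down 30 up 60
track 2 ip sla 2 reachability
 delay down 30 up 60
!
! Default routes now depend on reachability rather than interface state.
! With both tracked, a double failure leaves no default route at all; drop
! "track 2" from the floating DSL route if you prefer a last-resort path.
no ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip route 0.0.0.0 0.0.0.0 10.50.0.1 50
ip route 0.0.0.0 0.0.0.0 192.168.2.1 track 1
ip route 0.0.0.0 0.0.0.0 10.50.0.1 50 track 2
!
! PBR. Hosts denied here (10.10.0.5/6/7) are not policy routed and follow the
! tracked defaults: T1, falling back to DSL. Everyone else is handed to the
! DSL PIX only while track 2 is up; when it is down the next hop is skipped
! and the packet falls back to the routing table, i.e. the T1.
! The first two denies replace the effect of "set ip default next-hop", which
! never touched destinations that had an explicit route. Assumption: the
! internal address space lies inside 10/8 and 192.168/16; adjust as needed.
access-list 151 deny   ip any 10.0.0.0 0.255.255.255
access-list 151 deny   ip any 192.168.0.0 0.0.255.255
access-list 151 deny   ip host 10.10.0.5 any
access-list 151 deny   udp host 10.10.0.6 any eq domain
access-list 151 deny   ip host 10.10.0.7 any
access-list 151 permit ip any any
!
route-map DSL permit 160
 no match ip address 150
 match ip address 151
 no set ip default next-hop 10.50.0.1
 set ip next-hop verify-availability 10.50.0.1 10 track 2
```

Both PIXes have to translate the router's inside address and let the echo replies back in (ICMP inspection or an outside ACL), otherwise the probe dies at the firewall and you fail over for the wrong reason. Check with `show track brief`, `show ip sla statistics` and `show ip route 0.0.0.0`, and rehearse a failure by blocking the probe target on the T1 PIX rather than by pulling cables, since that is the condition that actually bit during the fiber cut. If a single unreachable probe host is an unacceptable reason to fail over, give each ISP two targets and combine them with a `track ... list boolean or` object in place of the single `track 1` and `track 2`.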
 