I was working on a project that involved 2 routers which also act as a firewall. The reason is that someone wanted to replace a standalone Cisco PIX firewall with 2 x routers to improve availability as well as security.
I am really not sure who came up with this idea. It gave me enough headaches during the implementation process. The challenges are:
– The zone-based firewalls on the routers cannot work in a cluster mode like a Cisco ASA
– Multiple WAN interfaces with an EIGRP/OSPF routing process will break the data flow direction (return traffic can come back through the other router, which has no session state for it)
– A stateful failover cannot be set up.
To achieve this setup, I used an EEM script to detect the HSRP syslog message for a failure; the EEM script removes the routing process on the router whose link has failed and enables the routing process on the router that becomes active.
I have spent a lot of time working out this “solution”, given that I had to use the pre-selected hardware to reach the high availability requirement. I believe what I have done is good enough to meet the client’s expectation while they don’t need to buy new hardware. To be honest, they should really get a firewall instead of 2 x 3900 series routers working as a firewall.
When I was working at one of the budget ISPs in Australia, the CTO suggested using a mailing list for change control, which means any change you made to the router had to be sent in an email to [email protected]
I was speaking to my friend yesterday. He told me that Cisco has a built-in scripting facility which can send out an email automatically when the configuration is changed. It is more convenient than manually sending an email. And sometimes, some people would try to cover their ass when they did the configuration wrong; they just say – “I have never touched the router configuration”. To stop this kind of person talking shXt, Cisco EEM will do a better job at change control in my opinion.
Using a Cisco EEM script, all changes will be sent out automatically together with who made the changes. Below is the script that I have on my router.
! SMTP relay and addresses used by the mail action
event manager environment _Email_Server smtp.howardtang.com
event manager environment _Email_To [email protected]
event manager environment _Email_From [email protected]
!
! Fires on the syslog message that IOS logs whenever someone leaves configuration mode
event manager applet mail_cfg_chg
 event syslog pattern ".*%SYS-5-CONFIG_I.*"
 action 1.0 info type routername
 action 1.1 cli command "enable"
 action 1.2 cli command "show archive log config all"
 action 1.3 mail server "$_Email_Server" to "$_Email_To" from "$_Email_From" subject "Config change on router: $_info_routername" body "$_cli_result"
 action 1.4 cli command "clear archive log config force"
Before adding the EEM script we need to enable logging of configuration changes on the router. The line below is entered under archive and then log config, together with logging enable (and hidekeys, so that passwords are masked in the logged commands that end up in the email):
  notify syslog contenttype plaintext
Each configuration change will then be sent to the email address as soon as you exit configuration mode (that is when the %SYS-5-CONFIG_I message is logged). You may do more research on Google and you will find more useful EEM scripts written by others.
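As an added example (not the blog's own code), here is a small Python parser for the two syslog messages these EEM applets key on: the %HSRP-5-STATECHANGE message the failover applet in the first post reacts to, and the %SYS-5-CONFIG_I message the change-control applet above triggers on, plus the show archive log config all output that the mail action sends as the body. The message layouts follow the usual IOS formats and the sample lines are constructed, not taken from the post. It shows what a receiving mailbox or log collector can extract from the email (who changed what, from which line and address), and the condition under which the failover applet would withdraw the routing process.

```python
"""Parse the syslog messages and archive log output used by the EEM applets on
this page. Added example; message layouts are assumed from the usual IOS
formats and all sample data below is constructed."""
import re
from collections import defaultdict

# e.g. "%SYS-5-CONFIG_I: Configured from console by howard on vty0 (192.0.2.10)"
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<ip>[^)]+)\))?"
)
# e.g. "%HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak"
HSRP_RE = re.compile(
    r"%HSRP-5-STATECHANGE: (?P<intf>\S+) Grp (?P<group>\d+) state "
    r"(?P<old>\w+) -> (?P<new>\w+)"
)
# one row of "show archive log config all":  idx  sess  user@line  |  command
ARCHIVE_ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<user>[^@\s]+)@(?P<line>\S+)"
    r"\s+\|\s{0,2}(?P<cmd>.*)$"
)

# Constructed sample input (the timestamp prefix is what a syslog server sees).
SAMPLE_CONFIG_I = ("Mar  1 10:15:02.123: %SYS-5-CONFIG_I: Configured from console "
                   "by howard on vty0 (192.0.2.10)")
SAMPLE_HSRP = ("Mar  1 10:16:40.001: %HSRP-5-STATECHANGE: GigabitEthernet0/0 "
               "Grp 1 state Active -> Speak")
SAMPLE_ARCHIVE = """\
 idx   sess           user@line      Logged command
   1     1           howard@vty0  |  interface GigabitEthernet0/1
   2     1           howard@vty0  |   description uplink to ISP
   3     1           howard@vty0  |  exit
   4     2          alice@console  |  ip access-list extended OUTSIDE-IN
   5     2          alice@console  |   permit tcp any host 192.0.2.20 eq 443
"""


def parse_syslog(line):
    """Classify one syslog line into the event types the applets match on.
    Returns a dict with a 'type' key, or None for anything else."""
    m = CONFIG_I_RE.search(line)
    if m:
        return {"type": "config_change", **m.groupdict()}
    m = HSRP_RE.search(line)
    if m:
        ev = {"type": "hsrp_state_change", **m.groupdict()}
        ev["group"] = int(ev["group"])
        return ev
    return None


def lost_active(event):
    """True when an HSRP group has just left the Active state, i.e. the moment
    the failover applet from the first post would withdraw the routing process."""
    return (event is not None and event["type"] == "hsrp_state_change"
            and event["old"] == "Active" and event["new"] != "Active")


def parse_archive_log(text):
    """Turn the archive log table into one record per logged command."""
    rows = []
    for line in text.splitlines():
        m = ARCHIVE_ROW_RE.match(line)
        if m:  # header and blank lines do not match
            rows.append({"idx": int(m["idx"]), "sess": int(m["sess"]),
                         "user": m["user"], "line": m["line"],
                         "cmd": m["cmd"].strip()})
    return rows


def change_report(router, syslog_line, archive_text):
    """Build the record the mail applet carries: who committed the change, from
    where, and every logged command grouped by user@line."""
    ev = parse_syslog(syslog_line)
    if ev is None or ev["type"] != "config_change":
        raise ValueError("not a %SYS-5-CONFIG_I message")
    commands = defaultdict(list)
    for row in parse_archive_log(archive_text):
        commands[f"{row['user']}@{row['line']}"].append(row["cmd"])
    return {"router": router, "committed_by": ev["user"], "from_line": ev["line"],
            "from_ip": ev["ip"], "commands": dict(commands)}


if __name__ == "__main__":
    print(change_report("fw-1", SAMPLE_CONFIG_I, SAMPLE_ARCHIVE))
    print("failover applet would fire:", lost_active(parse_syslog(SAMPLE_HSRP)))
```

Note that the user named in %SYS-5-CONFIG_I is only the one who exited configuration mode; the archive log is what attributes each individual command, which is why the applet mails the whole table rather than just the syslog line.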