Hour 178: Troubleshooting in a DMZ environment with IP SLA’s

It can be difficult to troubleshoot in a DMZ environment where you don’t have access to the firewalls if the routing for servers and hosts is done on them. Also, most of the time ICMP will be blocked and sometimes the firewalls are going to be the only ones holding the ARP cache tables for parts of the DMZ. When a lot of the tools to troubleshoot a network is taken away from you, we must use out of the box thinking to identify and resolve network problems. Today, I will be talking about how you can use IP SLA’s to verify reachability and RTT for devices by generating traffic that isn’t blocked by the firewall.

IP SLA or IP Service Level Agreement is a built in tool in Cisco routers and switches for testing and analyzing various network parameters like overall health of the network or to verify if QoS is working properly. IP SLA can generate traffic for network testing depending on what you want to test. It can run sampling against defined IP SLA traffic and results can be seen using the CLI. IP SLA can also store information on the syslog servers or it can be also accessed via SNMP.

Continue reading