How to configure IP SLA along with PBR

Can anyone please tell me how to configure IP SLA with PBR already configured? I have a sample IP SLA config. Is it compatible with my conf?

SAMPLE CONF======================================
ip sla monitor 1
 type echo protocol ipIcmpEcho 203.81.192.1 source-interface fa 0
 frequency 60
 threshold 500
 timeout 1000
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 203.81.192.1 source-interface Fa 1
 frequency 60
 threshold 500
 timeout 1000
ip sla monitor schedule 2 life forever start-time now

track 1 rtr 1 reachability
 delay down 15 up 60

ip route 68.94.156.1 255.255.255.255 12.91.83.81 permanent
ip route 209.234.129.6 255.255.255.255 192.168.0.1 permanent

ip route 0.0.0.0 0.0.0.0 ISP2_Gtwy track 1
ip route 0.0.0.0 0.0.0.0 ISP1_Gtwy track 2
===================================================

interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.5.55 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 500
!
interface FastEthernet3
 switchport access vlan 100
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 100
 switchport mode trunk
!
interface FastEthernet7
 switchport access vlan 200
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan100
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
access-list 110 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any
snmp-server community public RO
no cdp run
!
!
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip default next-hop 192.168.5.1
!
!
nasirshAsked:

JFrederick29Commented:
Yes, close:

x.x.x.x is an IP address on the Internet you want to ping via the Fa1 ISP.
y.y.y.y is an IP address on the Internet you want to ping via the Fa0 ISP.

ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x source-interface fa1
 frequency 60
 threshold 500
 timeout 1000
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho y.y.y.y source-interface Fa0
 frequency 60
 threshold 500
 timeout 1000
ip sla monitor schedule 2 life forever start-time now

track 1 rtr 1 reachability
 delay down 15 up 60

track 2 rtr 2 reachability
 delay down 15 up 60

ip route x.x.x.x 255.255.255.255 192.168.1.1
ip route y.y.y.y 255.255.255.255 192.168.5.1

ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.5.1 10 track 2

route-map www permit 10
 set ip next-hop verify-availability 192.168.5.1 10 track 2
0

nasirshAuthor Commented:
OK configured it. Now this is happening

When 192.168.5.1 goes down it shifts to 192.168.1.1
but when 192.168.1.1 goes down it doesn't shift to 192.168.5.1.

Like when I am pinging 117.102.4.71 and it goes down it shifts to failover.
But then I am pinging 203.81.192.1 and it goes down it doesn't shift to failover.

My complete conf is given.

ip domain name sequel4pak.com
ip name-server 202.59.80.10
ip name-server 202.59.80.17
ip name-server 203.99.163.240
ip name-server 203.99.163.243
ip sla 1
 icmp-echo 203.81.192.1 source-interface FastEthernet1
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 117.102.4.71 source-interface FastEthernet0
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
!
!
username nasir privilege 15 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$JPPR$cbjvNz02VzxFHCll3edYj0
!
!
track 1 rtr 1 reachability
 delay down 15 up 60
!
track 2 rtr 2 reachability
 delay down 15 up 60
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.5.55 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 500
!
interface FastEthernet3
 switchport access vlan 100
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 100
 switchport mode trunk
!
interface FastEthernet7
 switchport access vlan 200
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan100
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.5 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 117.102.4.71 255.255.255.255 192.168.5.1
ip route 203.81.192.1 255.255.255.255 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
access-list 110 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any

no cdp run
!
!
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip next-hop verify-availability 192.168.5.1 10 track 2
 set ip default next-hop 192.168.5.1
!
!
!
!
control-plane
!
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 --More--
0
nasirshAuthor Commented:
Sorry, my typo mistake.
0
nasirshAuthor Commented:
OK configured it. Now this is happening

When 192.168.5.1 goes down it shifts to 192.168.1.1
but when 192.168.1.1 goes down it doesn't shift to 192.168.5.1.

Like when I am pinging 117.102.4.71 and it goes down it shifts to failover.
But then I am pinging 203.81.192.1 and it goes down it doesn't shift to failover.

My complete conf is given.

ip domain name sequel4pak.com
ip name-server 202.59.80.10
ip name-server 202.59.80.17
ip name-server 203.99.163.240
ip name-server 203.99.163.243
ip sla 1
 icmp-echo 203.81.192.1 source-interface FastEthernet1
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 117.102.4.71 source-interface FastEthernet0
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
!
!
username nasir privilege 15 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$JPPR$cbjvNz02VzxFHCll3edYj0
!
!
track 1 rtr 1 reachability
 delay down 15 up 60
!
track 2 rtr 2 reachability
 delay down 15 up 60
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.5.55 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 500
!
interface FastEthernet3
 switchport access vlan 100
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 100
 switchport mode trunk
!
interface FastEthernet7
 switchport access vlan 200
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan100
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.5.1 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 117.102.4.71 255.255.255.255 192.168.5.1
ip route 203.81.192.1 255.255.255.255 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
access-list 110 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any

no cdp run
!
!
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip next-hop verify-availability 192.168.5.1 10 track 2
 set ip default next-hop 192.168.5.1
!
!
!
!
control-plane
!
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 --More--
0
JFrederick29Commented:
Make these changes also:

conf t
no ip route 0.0.0.0 0.0.0.0 192.168.1.1

route-map www permit 10
no set ip default next-hop 192.168.5.1
0
nasirshAuthor Commented:
If I do this then both networks route to 192.168.1.1
0
JFrederick29Commented:
But you left this within the route-map, right?

route-map www permit 10
 set ip next-hop verify-availability 192.168.5.1 10 track 2

117.102.4.71 is reachable, right?
0
nasirshAuthor Commented:
Yes, it is reachable from 192.168.5.1
0
JFrederick29Commented:
Can you post the current config...
0
nasirshAuthor Commented:
Now at this time. New conf and snapshots

Building configuration...

Current configuration : 3843 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Sequel_RTR_PK
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$7FFr$RDX7fVudbKSALggLINHlL/
enable password 7 040B0A021C75195E47
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip domain name sequel4pak.com
ip name-server 202.59.80.10
ip name-server 202.59.80.17
ip name-server 203.99.163.240
ip name-server 203.99.163.243
ip sla 1
 icmp-echo 203.81.192.1 source-interface FastEthernet1
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 117.102.4.71 source-interface FastEthernet0
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
!
!
username nasir privilege 15 password 7 13041B1318070539
username admin privilege 15 secret 5 $1$JPPR$cbjvNz02VzxFHCll3edYj0
!
!
track 1 rtr 1 reachability
 delay down 15 up 60
!
track 2 rtr 2 reachability
 delay down 15 up 60
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.5.55 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 192.168.1.128 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 500
!
interface FastEthernet3
 switchport access vlan 100
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 100
 switchport mode trunk
!
interface FastEthernet7
 switchport access vlan 200
!
interface FastEthernet8
 switchport access vlan 700
 switchport mode trunk
!
interface FastEthernet9
 switchport access vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan500
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan700
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map www
!
interface Vlan100
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.5.1 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 117.102.4.71 255.255.255.255 192.168.5.1
ip route 203.81.192.1 255.255.255.255 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
access-list 110 permit ip any any
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
!
!
!
route-map isp2 permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map www permit 10
 match ip address 160
 set ip next-hop verify-availability 192.168.5.1 10 track 2
!
!
!
!
control-plane
!
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

pc1.JPG
pc2.JPG
0
nasirshAuthor Commented:
If I remove the line ip route 0.0.0.0 0.0.0.0 192.168.1.1 there is no traffic from both PCs
0
nasirshAuthor Commented:
show route-map
route-map isp2, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
    interface FastEthernet1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map isp1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
    interface FastEthernet0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map www, permit, sequence 10
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop verify-availability 192.168.5.1 10 track 2  [down]
    ip default next-hop 192.168.5.1
  Policy routing matches: 59775 packets, 14302177 bytes
0
JFrederick29Commented:
Okay, so that indicates both SLA monitors are failing.  Please post:

sh ip sla stat
0
nasirshAuthor Commented:
Sequel_RTR_PK#sh ip sla stat

Round Trip Time (RTT) for       Index 1
        Latest RTT: 36 milliseconds
Latest operation start time: *15:36:36.850 UTC Thu May 21 2009
Latest operation return code: OK
Number of successes: 2
Number of failures: 1
Operation time to live: Forever



Round Trip Time (RTT) for       Index 2
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *15:36:38.846 UTC Thu May 21 2009
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 3
Operation time to live: Forever
0
JFrederick29Commented:
IP SLA monitor 2 isn't working so you might want to try a different host target to ping.
0
nasirshAuthor Commented:
I will try that but both IPs are being pinged from the router
0
JFrederick29Commented:
Hmm, strange.

Try this for the fun of it:

conf t
ip access-list ext 110
permit ip 192.168.0.0 0.0.255.255 any
no permit ip any any
0
nasirshAuthor Commented:
That + I added a command of ip route 0.0.0.0 0.0.0.0 192.168.5.1 10 and it worked. I don't know the logic but it worked
0
nasirshAuthor Commented:
But in ip sla stat I see

Sequel_RTR_PK#show ip sla stat

Round Trip Time (RTT) for       Index 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *16:18:46.478 UTC Thu May 21 2009
Latest operation return code: Timeout
Number of successes: 4
Number of failures: 12
Operation time to live: Forever



Round Trip Time (RTT) for       Index 2
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *16:17:58.094 UTC Thu May 21 2009
Latest operation return code: Timeout
Number of successes: 3
Number of failures: 12
Operation time to live: Forever
0
JFrederick29Commented:
Try changing the IP SLA target to the next hop (192.168.1.1 and 192.168.5.1) and see if you get consistent results.
0
nasirshAuthor Commented:
OK, thanks. Now here is the final version. If there are any mistakes then please feel free to tell me.

Rtr.txt
0
JFrederick29Commented:
Remove this:

conf t
route-map www permit 10
no set ip default next-hop 192.168.5.1

And then ultimately, you'll want to remove the two "non track" default routes when the IP SLA monitors are stable.
0
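An added example, not code from anyone in this thread: a small Python check that audits an IOS config for the problems worked through above, namely an untracked default route left beside tracked ones, a "set ip default next-hop" left beside "verify-availability", a track number that is referenced but never defined, and an IP SLA target with no host route pinning it to one ISP. The function name audit and the finding codes are hypothetical; the sample input is excerpted from the config posted earlier in the thread.

```python
import re

# Constructed sample: the routing, tracking and PBR lines excerpted from the
# config posted mid-thread, before the two leftover statements were removed.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 203.81.192.1 source-interface FastEthernet1
ip sla 2
 icmp-echo 117.102.4.71 source-interface FastEthernet0
track 1 rtr 1 reachability
track 2 rtr 2 reachability
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.5.1 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 117.102.4.71 255.255.255.255 192.168.5.1
ip route 203.81.192.1 255.255.255.255 192.168.1.1
route-map www permit 10
 match ip address 160
 set ip next-hop verify-availability 192.168.5.1 10 track 2
 set ip default next-hop 192.168.5.1
"""

ROUTE = re.compile(r"ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
PROBE = re.compile(r"\s+(?:icmp-echo|type echo protocol ipIcmpEcho) (\S+)")


def audit(config):
    """Return (code, detail) findings for an IOS config (hypothetical helper)."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    # Every 'track N' used by a route or route-map needs a track object.
    defined = {m[1] for ln in lines if (m := re.match(r"track (\d+) ", ln))}
    used = {m[1] for ln in lines if (m := re.search(r" track (\d+)$", ln))}
    findings += [("TRACK_UNDEFINED", t) for t in sorted(used - defined)]
    routes = [(m[1], m[2], m[3], int(m[4] or 1), m[5])
              for ln in lines if (m := ROUTE.match(ln))]
    defaults = [r for r in routes if r[:2] == ("0.0.0.0", "0.0.0.0")]
    tracked_ads = [r[3] for r in defaults if r[4]]
    # An untracked default is never withdrawn: it keeps attracting traffic
    # after its gateway fails and blocks a tracked backup with a higher AD.
    for _, _, hop, ad, trk in defaults:
        if trk is None and tracked_ads and ad <= max(tracked_ads):
            findings.append(("UNTRACKED_DEFAULT", f"via {hop} AD {ad}"))
    # Each probe target needs a /32 static route so it is tested via one ISP.
    pinned = {r[0] for r in routes if r[1] == "255.255.255.255"}
    findings += [("PROBE_NOT_PINNED", m[1]) for ln in lines
                 if (m := PROBE.match(ln)) and m[1] not in pinned]
    # A 'set ip default next-hop' beside verify-availability has no track.
    sets, rmap = {}, None
    for ln in lines:
        if m := re.match(r"route-map (\S+) ", ln):
            rmap = m[1]
        elif rmap and ln.startswith(" set ip "):
            sets.setdefault(rmap, []).append(ln.strip())
        elif not ln.startswith(" "):
            rmap = None
    for name, clauses in sets.items():
        if any("verify-availability" in c for c in clauses):
            findings += [("UNTRACKED_PBR_HOP", f"{name}: {c}") for c in clauses
                         if c.startswith("set ip default next-hop")]
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(code, detail)
```

Run against the excerpt it reports the untracked default route and the leftover PBR clause; with those two statements removed it reports nothing.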
nasirshAuthor Commented:
Well, take care. Thanks so much for your help. I am now going home. See ya. I will surely look forward to help from you.

With Best Regards,
Nasir
0