Solved

CISCO PBR with SLA Monitor

Posted on 2014-10-21
Last Modified: 2014-10-29
Hi,

I have been tasked with creating a failover system between 2 ISPs with the following expectations:
 - VLAN 2 has to flow through their new Internet line
 - All other VLANS should flow through their original Internet line
 - Both Internet lines should be able to failover to one another

VLAN 2 IP Range 172.2.0.0 /24
They have a total of 5 VLANS

The following is what I am thinking of configuring, and I would like advice on whether it would work correctly.

Configure SLA Monitoring
conf t
ip sla 1
 icmp-echo 4.2.2.1 source-interface Gi1/0/43
 frequency 5
 timeout 5000
 threshold 100
ip sla schedule 1 life forever start-time now
! track objects are global configuration, so they are entered before leaving config mode
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 4.2.2.1 source-interface Gi2/0/39
 frequency 5
 timeout 5000
 threshold 100
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
end

Configure PBR
conf t
! standard ACL 10: wildcard mask 0.0.0.255 covers the VLAN 2 range 172.2.0.0/24
access-list 10 permit 172.2.0.0 0.0.0.255
route-map NewASA permit 10
 match ip address 10
 ! verify-availability takes a sequence number before the track keyword
 set ip next-hop verify-availability 172.16.0.24 1 track 1
interface Vlan2
 ip policy route-map NewASA
exit
sdm prefer routing
end
wr mem
reload

Configure 2 Gateways
conf t
ip route 0.0.0.0 0.0.0.0 172.16.0.23 track 2
! floating static with administrative distance 10, used only while the tracked route is withdrawn
ip route 0.0.0.0 0.0.0.0 172.16.0.24 10
end
Question by:thomasm1948

Expert Comment

by:Predrag Jovic
ID: 40396241
Looks good to me. That should work correctly.

Author Comment

by:thomasm1948
ID: 40402250
I have run into an issue.

I do not see the option for Icmp-echo 4.2.2.1 source-interface Gi2/0/39. I only see source-ip. I figured that it was for the gateway to use, but for some reason that is not working.

Expert Comment

by:Predrag Jovic
ID: 40402296
You can set the source IP address of interface Gi2/0/39, but then you should set
ip route 4.2.2.1 255.255.255.255 next-hop (other end of interface Gi2/0/39)

The ping should not go through other interfaces on its way to the destination - or tracking won't have any value.

Author Comment

by:thomasm1948
ID: 40402457
I just tried the source IP address of interface Gi2/0/39 and I get an invalid marker.

Author Comment

by:thomasm1948
ID: 40402463
When I try ip route 4.2.2.1 255.255.255.255 Gi2/0/39 I get an error saying that it needs a next hop.

Expert Comment

by:Predrag Jovic
ID: 40402485
The IP address of the other end of Gi2/0/39, instead of the interface.

Put the source IP address of the router's Gi2/0/39 interface, and create a static route to 4.2.2.1 with the next-hop IP address of the other side of the Gi2/0/39 interface. As long as the ping goes right through that interface and can't go back through other interfaces, that's OK. You can filter icmp-echo for that destination on other interfaces if you want to, so if that ping comes back, it must be through Gi2/0/39. If the ping can go out of that interface and come back on the same interface, it serves its purpose. Otherwise the ping dies for a cause.

Author Comment

by:thomasm1948
ID: 40402507
OK, I went into Gi2/0/39 and set it to no switchport, and that allows the ping.

So from here, if I do SLA monitoring on 4.2.2.1 without specifying a source-ip, will it still work?

Expert Comment

by:Predrag Jovic
ID: 40402520
Good, that's it.

Author Comment

by:thomasm1948
ID: 40402533
OK, so I will have to do this on both interfaces so that the failover works correctly. Is that correct?

Author Comment

by:thomasm1948
ID: 40402550
When I do an sh ip route I do not see the route there.

Author Comment

by:thomasm1948
ID: 40402569
When I input the ip route the switch seems to take it, but when I do a sh ip route it does not display.

Author Comment

by:thomasm1948
ID: 40402607
I also cannot ping the firewall now

Expert Comment

by:Predrag Jovic
ID: 40402772
Did you put IP address on interface Gi2/0/39?

Author Comment

by:thomasm1948
ID: 40402948
Yes. I tried something else that I thought would work.

I changed the port back to switchport mode on the proper VLAN.

Also added access-list PERMIT_IN permit icmp any any echo-reply to the new firewall.

Added the following routes to the router:

ip route 4.2.2.1 255.255.255.255 172.16.0.24
ip route 4.2.2.2 255.255.255.255 172.16.0.23

Then I created the SLA and tracking.

I think everything should be going out the right path now for the SLA monitor.

Author Comment

by:thomasm1948
ID: 40403089
OK, another issue. It seems that PBR is not working.

access-list 100 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 10
 set ip next-hop verify-availability 172.16.0.24 1 track 1
!
route-map NewASA permit 100
 match ip address 100
 set ip next-hop verify-availability 172.16.0.4 1 track 1

I applied it to VLAN 18, but it is not routing through the correct firewall.

Expert Comment

by:Predrag Jovic
ID: 40403616
For VLAN 2 it works OK?

Is this how it should be?
next hop for VLAN 18:
 set ip next-hop verify-availability 172.16.0.4 1 track 1
next hop for VLAN 2:
 set ip next-hop verify-availability 172.16.0.24 1 track 1

Author Comment

by:thomasm1948
ID: 40406383
All VLANs are working correctly, except that VLAN 18 is using the same routes as the rest of the VLANs. SLA monitoring seems to be working.

For PBR, do I just need to add

next hop for VLAN 18:
  set ip next-hop verify-availability 172.16.0.4 1 track 1
next hop for VLAN 2:
  set ip next-hop verify-availability 172.16.0.24 1 track 1

and nothing else?

Author Comment

by:thomasm1948
ID: 40406385
Do I need the access-list? That is what I am referring to.

Expert Comment

by:Predrag Jovic
ID: 40406400
access-list 100 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 10
 set ip next-hop verify-availability 172.16.0.24 1 track 1
!
route-map NewASA permit 100
 match ip address 100
 set ip next-hop verify-availability 172.16.0.4 1 track 1

You just need the access list and a good next hop IP address.

Somehow I don't think the next hop is good for VLAN 18:
  set ip next-hop verify-availability 172.16.0.4 1 track 1

There is no reason why it should not work as it should, if access list 100 and next hop address 172.16.0.4 are OK.
I was just pointing out that the IP addresses for the next hop are different (but maybe that's how it should be).
...and of course the route list applied to interface VLAN 18. ;)

Author Comment

by:thomasm1948
ID: 40406434
OK, I will try this tomorrow. I am at another school today.

Expert Comment

by:Predrag Jovic
ID: 40406437
Do VLAN 2 and VLAN 18 use the same next hop, or different ones?

Author Comment

by:thomasm1948
ID: 40408257
VLAN 2 and VLAN 18 are the same. I used VLAN 2 for the example; in the live environment it is VLAN 18.

Author Comment

by:thomasm1948
ID: 40408266
Sorry for the confusion on this one.

So what I tried was:
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
route-map NewASA permit 100
  match ip address 100
  set ip next-hop verify-availability 172.16.0.4 1 track 1
interface Vlan18
 ip policy route-map NewASA

But this did not work for some reason. Is there something that I am missing?

Expert Comment

by:Predrag Jovic
ID: 40408275
If the next hop for both VLANs is the same,
then for VLAN 18 it is the wrong next hop :) It should be 172.16.0.24 as in VLAN 2.
:)

If this is not the reason, copy the working configuration after erasing sensitive details.

Author Comment

by:thomasm1948
ID: 40408277
I think I figured out what I could be doing incorrectly.

I should be using route-map NewASA permit 10 (the entry in the access list)
and then match ip address 100 (my ACL), then apply it to VLAN 18. I will try this when school is out.

Expert Comment

by:Predrag Jovic
ID: 40408300
Compare parts of those two:
the one that works, and the one that doesn't work.
It should be easy to find the error.
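The comparison suggested above can be mechanised. The following is an added example, not code from the thread, from Cisco or from either participant: a small regex-based checker that reads an IOS PBR snippet and reports the reference mismatches this thread chased by hand, namely a route-map applied under an interface but defined under a different name, a match clause naming an ACL that was never created, a verify-availability next hop without its sequence number, a track object that does not exist, and a deny entry (which the Cisco note quoted later in the thread says makes the configuration fail). The sample configuration is constructed to contain each mistake; the addresses and names are the thread's.

```python
import re
from typing import List

# Constructed sample: the thread's addresses and names, with four mistakes planted.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 4.2.2.1 source-ip 172.16.0.1
 frequency 5
 timeout 5000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
access-list 100 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 10
 set ip next-hop verify-availability 172.16.0.24 1 track 1
route-map NewASA permit 100
 match ip address 100
 set ip next-hop verify-availability 172.16.0.4 1 track 3
interface Vlan18
 ip policy route-map NewdASA
"""

# The same snippet with the mistakes corrected; lint_pbr() should report nothing for it.
CORRECTED_CONFIG = (SAMPLE_CONFIG
                    .replace("NewdASA", "NewASA")
                    .replace("track 3", "track 1")
                    .replace("match ip address 10\n", "match ip address 100\n"))


def lint_pbr(config: str) -> List[str]:
    """Return a list of findings (empty when the snippet is internally consistent)."""
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Pass 1: collect definitions, so a reference that precedes its definition is not flagged.
    acls, tracks, route_maps = set(), set(), set()
    for ln in lines:
        s = ln.strip()
        if m := re.match(r"access-list (\S+) ", s):
            acls.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", s):
            acls.add(m.group(1))
        elif m := re.match(r"track (\d+) ", s):
            tracks.add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", s):
            route_maps.add(m.group(1))

    # Pass 2: walk the sections (a top-level line opens one; indented lines belong to it).
    findings: List[str] = []
    applied = set()
    section = None
    for ln in lines:
        s = ln.strip()
        if not s:
            continue
        if not ln.startswith(" "):
            if m := re.match(r"route-map (\S+) (permit|deny) (\d+)", s):
                section = f"route-map {m.group(1)} seq {m.group(3)}"
                if m.group(2) == "deny":
                    findings.append(f"{section}: deny entry makes the policy configuration fail")
            elif m := re.match(r"interface (\S+)", s):
                section = m.group(1)
            else:
                section = None
            continue
        if section is None:
            continue
        if m := re.match(r"match ip address (\S+)", s):
            if m.group(1) not in acls:
                findings.append(f"{section}: match ip address {m.group(1)} refers to an undefined ACL")
        elif m := re.match(r"set ip next-hop verify-availability (\S+) (\S+)(?: track (\d+))?", s):
            seq, track = m.group(2), m.group(3)
            if not seq.isdigit():
                findings.append(f"{section}: verify-availability next hop {m.group(1)} is missing its sequence number")
            elif track is not None and track not in tracks:
                findings.append(f"{section}: track {track} is not defined")
        elif m := re.match(r"ip policy route-map (\S+)", s):
            applied.add(m.group(1))
            if m.group(1) not in route_maps:
                findings.append(f"{section}: ip policy route-map {m.group(1)} refers to an undefined route-map")

    for name in sorted(route_maps - applied):
        findings.append(f"route-map {name} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for f in lint_pbr(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("corrected snippet findings:", lint_pbr(CORRECTED_CONFIG))
```

The checker only knows the handful of statement shapes that appear in this thread; feeding it the two configurations side by side (the VLAN that works and the one that does not) turns the "compare parts of those two" advice into a diff of findings rather than a visual comparison.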

Author Comment

by:thomasm1948
ID: 40408358
I only use PBR on VLAN 18, since it is the only one going through the new Internet line. The default route that I used for SLA monitoring is for the rest of the VLANs.

The theory that I have is that I only need PBR for VLAN 18 and the rest can use the default route. If the default route fails, then they will automatically be switched to the new Internet line. With VLAN 18, I figure that the next hop availability option with SLA monitoring should enable it to use the new Internet line, and if that fails, then go to the switch's default route.

It sounds good on paper, but I am struggling with the PBR part.

Expert Comment

by:Predrag Jovic
ID: 40408434
You can verify availability of the next hop with
#show route-map
and if your next-hop is available it should look like
set ip next-hop verify-availability 172.16.0.4 1 track 1 [up]

After that one, you can set another next-hop which will be used if the first one is down:
set ip next-hop X.X.X.X

Author Comment

by:thomasm1948
ID: 40409250
I just tried to apply the policy to VLAN 18, and when I do a sh ip policy it actually does not show up in there. I do not get any errors while entering this under Int VLAN 18:

ip policy route-map NewASA

For some reason it seems not to be applying it.

Author Comment

by:thomasm1948
ID: 40409268
Just tried:

conf
ip local policy route-map NewASA

Will this work?

Expert Comment

by:Predrag Jovic
ID: 40409288
That will apply to traffic that is created by the router. So it won't be applied to VLAN 18.

Author Comment

by:thomasm1948
ID: 40409290
That seemed not to work as well.

Although I do see packets match when I do show local policy, it is not routing the traffic.

Author Comment

by:thomasm1948
ID: 40409403
How can I apply the policy to VLAN 18? It seems not to hold. I do not get any errors when trying to apply it to VLAN 18.

Author Comment

by:thomasm1948
ID: 40409434
This is our core switch, so all traffic flows through it to the firewalls. That is why I was wondering if the ip local policy would work.

Expert Comment

by:Predrag Jovic
ID: 40410104
IP local policy is applied only to traffic generated by the switch; an example is ip sla, since it is generated by the switch. It is not related to VLANs.

Expert Comment

by:Predrag Jovic
ID: 40410405
If show sdm prefer doesn't show PBR for VLAN 18, reload the switch.
I found this in the documentation: Manual for Cisco 3850, page 2012.

Author Comment

by:thomasm1948
ID: 40410476
This is what I get when I do a show sdm prefer:

ASAMC3750STACK#sh sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K

Expert Comment

by:Predrag Jovic
ID: 40410489
Nothing useful.

Author Comment

by:thomasm1948
ID: 40410490
OK, I found a document that indicates that the Cisco 3750 does not support PBR on a VLAN. If I choose to apply the policy to an interface, should I apply the policy to the uplink interface of the core switch (3750)? Also, would this affect VLAN 18's access to other VLANs, if I do this?

Expert Comment

by:Predrag Jovic
ID: 40410504
It would apply to everything that goes out from your core switch to the uplink, of course depending on how you create your route-map.
What is the IOS version on your 3750?

Author Comment

by:thomasm1948
ID: 40410523
OK, I just tried to use ip next-hop only, rather than checking availability, and that worked when applied to VLAN 18.

It seems that checking the availability was causing the issue; that is not supported on the 3750.

How would I apply the SLA monitoring for failover if I can't check the availability? I am going to try

set ip next hop 172.16.0.24 track 1
set ip next hop 172.16.0.23 20

and see if that works.

Author Comment

by:thomasm1948
ID: 40410538
OK, that does not work. It gives an invalid marker.

Expert Comment

by:Predrag Jovic
ID: 40410546
(Cisco 3750 manual)
To enable PBR, the stack master must be running the IP services image

Expert Comment

by:Predrag Jovic
ID: 40410556
One simple solution, if you are SURE that PBR on VLAN 2 works: reload the switch.
I know it means an outage but ...

Manual page 917, configure PBR.
A manual that someone created when he resolved his issue like this.
Also on this link you have Cisco's explanation of the Switching Database Manager on the Catalyst 3750.

Author Comment

by:thomasm1948
ID: 40410573
On VLAN 2 it works because I am not using PBR, I am just using SLA monitoring.

Quick question on VLAN 18. If I am only using ip next-hop 172.16.0.24, and that line fails, will PBR revert to the switch's default route, or will VLAN 18 show down for Internet usage?

Expert Comment

by:Predrag Jovic
ID: 40410583
In the route-map, after the match statement, you can create

set ip next-hop verify-availability 172.16.0.4 1 track 1
set ip next-hop 172.16.0.24

so if the first next hop fails, the second will be used.

Author Comment

by:thomasm1948
ID: 40410591
The problem that I have is that if I use set ip next-hop verify-availability, I cannot use it on a VLAN for some reason.

Author Comment

by:thomasm1948
ID: 40410594
I can apply it to the local system, but not to a VLAN.

Expert Comment

by:Predrag Jovic
ID: 40410602
OK. Let's go back a few steps.
For that traffic, can you create patterns
so that you can separate them, or is the only difference the source VLAN?

Author Comment

by:thomasm1948
ID: 40410617
The school wants:

1. All standard VLANs to go through their current ISP and fail over to the new Internet line in case of failure
2. Student VLAN 18 should go through the new Internet line and fail over to the old Internet line in case of failure

The school wants us to separate the staff and student Internet usage, but have high availability for both segments.

Expert Comment

by:Predrag Jovic
ID: 40410636
But ... if there's no PBR, traffic cannot be pointed in the right direction...
since you cannot route by source IP address. :)

No matter, you can use the route without verify-availability.

Enable PBR on a Layer 3 interface, and identify the route map
to use. You can configure only one route map on an interface.
However, you can have multiple route map entries with
different sequence numbers. These entries are evaluated in
sequence number order until the first match. If there is no
match, packets are routed as usual.
Note: If the IP policy route map contains a deny statement, the configuration fails.

Author Comment

by:thomasm1948
ID: 40410641
For the standard network traffic, it would just use the default route with SLA monitoring and track it. If it fails, then it will automatically be routed to the new Internet line. No need for PBR.

For the student VLAN 18, their default route needs to use PBR to route them to a different default route for Internet, so PBR is needed. The issue that I have is that next-hop verify-availability is an unsupported command for the 3750 on 12.x, it seems. So I am stuck :(.

That is why I am wondering if PBR is smart enough to use the switch's default route if its route fails. The switch is automatically configured with CEF.

Expert Comment

by:Predrag Jovic
ID: 40410645
UP ^
:)
I was correcting while you posted.

PBR is smart enough.

Author Comment

by:thomasm1948
ID: 40410650
Even without using the verify-availability option?

:)

Author Comment

by:thomasm1948
ID: 40410652
It seems that it would.

Accepted Solution

by:Predrag Jovic (earned 500 total points)
ID: 40410673
Yes, but I read a few reports that on some platforms, after the line that was down comes up, the route defined by PBR sometimes doesn't come back, but stays inactive :(
But test the solution to see if it will restore the next hop as it is defined by PBR.
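The two behaviours the whole design relies on, the route-map being evaluated in sequence-number order with packets "routed as usual" when no usable next hop remains (the Cisco note quoted earlier in the thread), and the tracked static default route being withdrawn so that the floating static at administrative distance 10 takes over (the asker's two-gateway design), modelled in Python as an added example. This is not code from the thread, from Cisco or from either participant: the next-hop addresses, track numbers and the 172.18.0.0 0.0.255.255 student range are the thread's, the host addresses are constructed, and the model assumes that a next hop set without verify-availability is always taken because the firewall's inside address stays reachable even when the line behind it fails, which is exactly what the accepted answer tells the asker to test on the real platform rather than take on faith.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteMapEntry:
    seq: int
    match_acl: List[IPv4Network]                # permit-only: the quoted note says a deny entry fails
    next_hops: List[Tuple[str, Optional[int]]]  # (next hop, track id; None = set without verify-availability)


@dataclass
class StaticRoute:
    prefix: IPv4Network
    next_hop: str
    admin_distance: int = 1
    track: Optional[int] = None                 # None = floating static, never withdrawn


def pbr_next_hop(route_map: List[RouteMapEntry], src, tracks: Dict[int, bool]) -> Optional[str]:
    """Entries are tried in sequence-number order until the first whose ACL
    matches the source. Inside it, the first next hop whose track is up (or
    that carries no track) is taken. None means "route as usual"."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not any(src in net for net in entry.match_acl):
            continue
        for nh, track in entry.next_hops:
            if track is None or tracks.get(track, False):
                return nh
        return None  # matched, but every verified next hop is down
    return None


def rib_lookup(static_routes: List[StaticRoute], dst, tracks: Dict[int, bool]) -> Optional[str]:
    """Longest prefix wins; among equal prefixes the lowest administrative
    distance wins. A tracked route is withdrawn while its track is down."""
    installed = [r for r in static_routes
                 if dst in r.prefix and (r.track is None or tracks.get(r.track, False))]
    if not installed:
        return None
    best = min(installed, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))
    return best.next_hop


def forward(src: str, dst: str, route_map, static_routes, tracks) -> Optional[str]:
    """Policy routing is consulted first; the routing table only when it declines."""
    nh = pbr_next_hop(route_map, ip_address(src), tracks)
    return nh if nh is not None else rib_lookup(static_routes, ip_address(dst), tracks)


# The thread's design. Track 1 guards the new line (next hop 172.16.0.24), track 2
# the original line (next hop 172.16.0.23); the floating static at AD 10 is the
# asker's second default route.
STUDENT_VLAN = ip_network("172.18.0.0/16")        # the 0.0.255.255 wildcard used in the thread
VERIFIED_ROUTE_MAP = [RouteMapEntry(100, [STUDENT_VLAN], [("172.16.0.24", 1)])]
UNVERIFIED_ROUTE_MAP = [RouteMapEntry(100, [STUDENT_VLAN], [("172.16.0.24", None)])]
STATIC_ROUTES = [
    StaticRoute(ip_network("0.0.0.0/0"), "172.16.0.23", admin_distance=1, track=2),
    StaticRoute(ip_network("0.0.0.0/0"), "172.16.0.24", admin_distance=10),
]
STAFF_HOST, STUDENT_HOST, INTERNET_HOST = "10.1.0.5", "172.18.5.9", "198.51.100.10"  # constructed


def failover_table(tracks: Dict[int, bool], route_map=VERIFIED_ROUTE_MAP) -> Dict[str, Optional[str]]:
    """Next hop chosen for a staff host and a student host under a given track state."""
    return {
        "staff": forward(STAFF_HOST, INTERNET_HOST, route_map, STATIC_ROUTES, tracks),
        "student": forward(STUDENT_HOST, INTERNET_HOST, route_map, STATIC_ROUTES, tracks),
    }


if __name__ == "__main__":
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: True, 2: False}, {1: False, 2: False}):
        print("verified  ", state, failover_table(state))
        print("unverified", state, failover_table(state, UNVERIFIED_ROUTE_MAP))
```

Running it prints the next hop each class of host gets for every combination of the two track states. The contrast worth looking at is the second state with the unverified route-map: the student VLAN keeps being handed to 172.16.0.24 after track 1 goes down, because nothing in the route-map ties the next hop to the probe; only the verified form (or a platform that does what the accepted answer asks the asker to test) lets that traffic fall back to the default route.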

Author Closing Comment

by:thomasm1948
ID: 40410975
Thank you for all of your help and patience.