
CISCO PBR with SLA Monitor

Hi,

I have been tasked with creating a failover system between 2 ISPs with the following expectations:
 - VLAN 2 has to flow through their new Internet line
 - All other VLANS should flow through their original Internet line
 - Both Internet lines should be able to failover to one another

VLAN 2 IP Range 172.2.0.0 /24
They have a total of 5 VLANS

The following is what I am thinking of configuring and would like advice on whether it would work correctly.

Configure SLA Monitoring
Conf
Ip sla 1
Icmp-echo 4.2.2.1 source-interface Gi1/0/43
Frequency 5
Timeout 5000
Threshold 100
Ip sla schedule 1 life forever start-time now
End
Track 1 ip sla 1 reachability

Ip sla 2
Icmp-echo 4.2.2.1 source-interface Gi2/0/39
Frequency 5
Timeout 5000
Threshold 100
Ip sla schedule 2 life forever start-time now
End
Track 2 ip sla 2 reachability

Configure PBR
Conf
access-list 10 permit 172.2.0.0 0.0.0.255
route-map NewASA permit 10
match ip address 10
set Ip Next-hop verify-availability 172.16.0.24 track 1
int vlan 2
ip policy route-map NewASA
end
sdm prefer routing
wr mem
reload

Configure 2 Gateways
Conf
ip route 0.0.0.0 0.0.0.0 172.16.0.23 track 2
ip route 0.0.0.0 0.0.0.0 172.16.0.24 10
Asked: thomasm1948

1 Solution

Predrag (Network Engineer) commented:
Looks good to me. That should work correctly.

thomasm1948 (Author) commented:
I have ran into an issue

I do not see the option for Icmp-echo 4.2.2.1 source-interface Gi2/0/39.  I only see source-ip.  I figured that it was for the gateway to use but for some reason that is not working

Predrag (Network Engineer) commented:
You can set source ip address of interface Gi2/0/39, but then you should set
ip route 4.2.2.1 255.255.255.255 next-hop (other end of interface Gi2/0/39)

The ping should not go through other interfaces on its way to the destination - or tracking won't have any value.

thomasm1948 (Author) commented:
I just tried source ip address of interface Gi2/0/39 and I get an invalid marker

thomasm1948 (Author) commented:
when I try ip route 4.2.2.1 255.255.255.255 Gi2/0/39  I get an error saying that it needs a next hop

Predrag (Network Engineer) commented:
IP address of other end of Gi2/0/39 instead of interface

Put the source IP address of the router's Gi2/0/39 interface and create a static route to 4.2.2.1 with the next-hop IP address of the other side of the Gi2/0/39 interface. As long as the ping goes out through that interface and can't come back through other interfaces, that's OK. You can filter icmp-echo for that destination on other interfaces if you want to, so if that ping comes back it must be through Gi2/0/39. If the ping can go out of that interface and come back on the same interface, it serves its purpose. Otherwise the ping dies for cause.

thomasm1948 (Author) commented:
ok, I went into Gi2/0/39 and set it to no switchport and that allows the ping


So from here, if I do SLA monitoring on 4.2.2.1 without specifying a source-ip, will it still work?

Predrag (Network Engineer) commented:
Good, that's it.

thomasm1948 (Author) commented:
ok, so I will have to do this on both interfaces so that the failover works correctly. Is that correct?

thomasm1948 (Author) commented:
when I do a sh ip route I do not see the route there

thomasm1948 (Author) commented:
when I input the ip route the switch seems to take it, but when I do a sh ip route it does not display

thomasm1948 (Author) commented:
I also cannot ping the firewall now

Predrag (Network Engineer) commented:
Did you put IP address on interface Gi2/0/39?

thomasm1948 (Author) commented:
yes, I tried something else that I thought would work

I changed the port back to switchport mode on the proper vlan

also added: access-list PERMIT_IN permit icmp any any echo-reply to the new firewall

added the following routes to the router

ip route 4.2.2.1 255.255.255.255 172.16.0.24
ip route 4.2.2.2 255.255.255.255 172.16.0.23

then I created the SLA and tracking

I think everything should be going out the right path now for the sla monitor

thomasm1948 (Author) commented:
ok,

another issue.  it seems that pbr is not working

access-list 100 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 10
 set ip next-hop verify-availability 172.16.0.24 1 track 1
!
route-map NewASA permit 100
 match ip address 100
 set ip next-hop verify-availability 172.16.0.4 1 track 1

I applied it to vlan 18 but it is not routing through the correct firewall

Predrag (Network Engineer) commented:
For VLAN 2 it works OK?

Is this how it should be?
next hop for VLAN 18
 set ip next-hop verify-availability 172.16.0.4 1 track 1
next hop for VLAN 2
 set ip next-hop verify-availability 172.16.0.24 1 track 1

thomasm1948 (Author) commented:
All VLANs are working correctly, except that VLAN 18 is using the same routes as the rest of the VLANs. SLA monitoring seems to be working.

For PBR do I just need to add

next hop for VLAN 18
  set ip next-hop verify-availability 172.16.0.4 1 track 1
 next hop for VLAN 2
  set ip next-hop verify-availability 172.16.0.24 1 track 1

And nothing else?

thomasm1948 (Author) commented:
Do I need the access-list, Is what I am referring to.

Predrag (Network Engineer) commented:
access-list 100 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 10
 set ip next-hop verify-availability 172.16.0.24 1 track 1
!
route-map NewASA permit 100
 match ip address 100
 set ip next-hop verify-availability 172.16.0.4 1 track 1

You just need access list and good next hop IP address

somehow I don't think next hop is good for VLAN 18
  set ip next-hop verify-availability 172.16.0.4 1 track 1

no reason why it should not work as it should - if access list 100 and next hop address 172.16.0.4 are OK
I was just pointing that IP addresses for next hop are different (but, maybe that's how it should be)
...and of course  route list applied to interface VLAN 18. ;)

thomasm1948 (Author) commented:
ok, I will try this tomorrow. I am at another school today.

Predrag (Network Engineer) commented:
Do VLAN 2 and VLAN 18 use the same next hop, or different ones?

thomasm1948 (Author) commented:
VLAN 2 and VLAN 18 are the same..  I used VLAN 2 for the example for the live environment it is VLAN 18

thomasm1948 (Author) commented:
sorry for the confusion on this one.

So what I try was access-list extended 100 172.16.0.0 0.0.255.255 any
route-map NewASA permit 100
  match ip address 100
  set ip next-hop verify-availability 172.16.0.4 1 track 1
Int vlan 18
ip policy route-map NewASA

But this did not work for some reason. Is there something that I am missing?

Predrag (Network Engineer) commented:
If the next hop for both VLANs is the same, then the next hop for VLAN 18 is wrong :) It should be 172.16.0.24, as in VLAN 2.
:)

If this is not the reason, copy the working configuration here after erasing sensitive details.

thomasm1948 (Author) commented:
I think I figured out what I could be doing incorrectly.

I should be using route-map NewASA permit 10 (the entry in the access list)
and then match IP address 100 (my ACL). Then apply it to VLAN 18. I will try this when school is out.

Predrag (Network Engineer) commented:
Compare parts of those two.
The one that works, and the one that doesn't work.
Should be easy to find the error.

thomasm1948 (Author) commented:
I only use PBR on the VLAN 18 being that it is the only one going through the new Internet line.  The default route that I used for SLA Monitoring is for the rest of the VLANS

The theory that I have is that I only need PBR for VLAN 18 and the rest can use the default route. If the default route fails then they will automatically be switched to the new Internet line. With VLAN 18, I figure that the next-hop availability option with SLA monitoring should enable it to use the new Internet line and, if that fails, go to the switch's default route.

Sounds good on paper but I am struggling with the PBR part

Predrag (Network Engineer) commented:
You can verify availability of next hop with
#show route-map
and if your next-hop is available should look like
set ip next-hop verify-availability 172.16.0.4 1 track 1 [up]

after that one - you can set another next-hop which will be used if first one is down
set ip next-hop X.X.X.X

thomasm1948 (Author) commented:
I just tried to apply the policy to vlan18 and when I do a sh ip policy, it actually does not show up in there.  I do not get any errors while entering under Int VLAN 18:

ip policy route-map NewASA

for some reason it seems not to be applying it

thomasm1948 (Author) commented:
just tried

conf
ip local policy route-map NewASA

Will this work

Predrag (Network Engineer) commented:
That will apply to traffic that is created by the router. So it won't be applied to VLAN 18.

thomasm1948 (Author) commented:
that seemed not to work as well


although I do see packets match when I do show local policy.  it is not routing the traffic

thomasm1948 (Author) commented:
how can I apply the policy to vlan 18.  it seems not to hold.  I do not get any errors when trying to apply it to vlan 18

thomasm1948 (Author) commented:
this is our core switch so all traffic flows through it to the firewalls.  That is why I was wondering if the ip local policy would work

Predrag (Network Engineer) commented:
IP local policy is applied only to traffic generated by switch - example is ip sla, since it is generated by switch. It is not related to VLANs.

Predrag (Network Engineer) commented:
If show sdm prefer doesn't show PBR for VLAN 18, reload the switch.
I found this in the documentation: Manual for Cisco 3850, page 2012.

thomasm1948 (Author) commented:
this is what I get when I do a show sdm prefer

ASAMC3750STACK#sh sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K

Predrag (Network Engineer) commented:
Nothing useful.

thomasm1948 (Author) commented:
OK, I found a document that indicates that the Cisco 3750 does not support PBR on a VLAN. If I choose to apply the policy to an interface, should I apply the policy to the uplink interface of the core switch (3750)? Also, would this affect VLAN 18 from accessing other VLANs if I do this?

Predrag (Network Engineer) commented:
It would apply to everything that goes out from your core switch to the uplink, of course depending on how you create your route-map.
What is the IOS version on your 3750?

thomasm1948 (Author) commented:
OK, I just tried using ip next-hop only, rather than checking availability, and that worked when applying it to VLAN 18.

It seems that checking the availability was causing the issue; that is not supported on the 3750.

How would I apply the SLA monitoring for failover if I can't check the availability? I am going to try

set ip next hop 172.16.0.24 track 1
set ip next hop 172.16.0.23 20

and see if that works

thomasm1948 (Author) commented:
ok, that does not work. It gives an invalid marker.

Predrag (Network Engineer) commented:
(Cisco 3750 manual)
To enable PBR, the stack master must be running the IP services image

Predrag (Network Engineer) commented:
One simple solution, if you are SURE that PBR on VLAN 2 works: reload the switch.
I know it means an outage but ...

Manual page 917, configure PBR.
A manual that someone created when he resolved his issue like this.
Also on this link you have Cisco's explanation of the Switching Database Manager on the Catalyst 3750.

thomasm1948 (Author) commented:
on VLAN2 it works because I am not using PBR, I am just using SLA Monitoring.

Quick question on VLAN 18. If I am only using ip next-hop 172.16.0.24, and that line fails, will PBR revert to the switch's default route, or will VLAN 18 show down for Internet usage?

Predrag (Network Engineer) commented:
You can in route-map after match statement create

set ip next-hop verify-availability 172.16.0.4 1 track 1
set ip next-hop 172.16.0.24

so if first next hop fail second will be used

thomasm1948 (Author) commented:
the problem that I have is that if I use set ip next-hop verify-availability, I cannot use it on a vlan for some reason

thomasm1948 (Author) commented:
I can apply it to the local system but not a vlan

Predrag (Network Engineer) commented:
OK. Let's go back a few steps.
For that traffic, can you create patterns so that you can separate them, or is the only difference the source VLAN?

thomasm1948 (Author) commented:
the school wants:

1.  All Standard VLANS to go through their current ISP and failover to the new Internet line in case of failure
2.  Student VLAN 18 should go through the new Internet line and failover to the old Internet line in case of failure

The school wants us to separate the staff and student internet usage but have high availability for both segments

Predrag (Network Engineer) commented:
But ... if there's no PBR, traffic cannot be pointed in the right direction...
since you cannot route by source IP address. :)

No matter, you can use the route without verify-availability.

Enable PBR on a Layer 3 interface, and identify the route map
to use. You can configure only one route map on an interface.
However, you can have multiple route map entries with
different sequence numbers. These entries are evaluated in
sequence number order until the first match. If there is no
match, packets are routed as usual.
Note If the IP policy route map contains a deny statement, the configuration fails.

thomasm1948 (Author) commented:
For the standard network traffic it would just use the default route with SLA monitoring and track it. If it fails then it will automatically be routed to the new Internet line. No need for PBR.

For the students' VLAN 18, their default route needs to use PBR to route them to a different default route for Internet, so PBR is needed. The issue that I have is that next-hop verify-availability is an unsupported command for the 3750 on 12.x, it seems, so I am stuck :(.

That is why I am wondering if PBR is smart enough to use the switch's default route if its route fails. The switch is automatically configured with CEF.

Predrag (Network Engineer) commented:
UP   ^  
:)
I was correcting while you posted.

PBR is smart enough.

thomasm1948 (Author) commented:
even without using the verify-availability option

:)

thomasm1948 (Author) commented:
it seems that it would

Predrag (Network Engineer) commented:
Yes, but I read a few reports that on some platforms, after a line that was down comes back up, the route defined by PBR sometimes doesn't come back but stays inactive :(
But test the solution to see whether it restores the next-hop as defined by PBR.

thomasm1948 (Author) commented:
Thank you for all of your help and patience.
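Added example, not the poster's or the expert's configuration: the design this thread converged on, written out as one consistent Catalyst 3750 configuration. It uses the firewall addresses 172.16.0.23 / 172.16.0.24 and probe targets 4.2.2.1 / 4.2.2.2 from the thread; the switch SVI address 172.16.0.1, the /24 for VLAN 18 and the ACL/route-map names are assumptions.

```cisco
! Constructed example. SVI address 172.16.0.1 and the /24 for VLAN 18 are assumed.
!
! PBR on a 3750 needs the routing SDM template (takes effect after a reload)
! and the IP services image.
sdm prefer routing
!
! Pin each probe to the ISP it measures: a host route per target, each via
! its own firewall, so a reply cannot arrive through the other line.
ip route 4.2.2.1 255.255.255.255 172.16.0.24
ip route 4.2.2.2 255.255.255.255 172.16.0.23
!
! This image offers source-ip, not source-interface, on icmp-echo.
ip sla 1
 icmp-echo 4.2.2.1 source-ip 172.16.0.1
 frequency 5
 timeout 5000
 threshold 100
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 4.2.2.2 source-ip 172.16.0.1
 frequency 5
 timeout 5000
 threshold 100
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Staff VLANs: default via the original line while track 2 is up (AD 1);
! the floating static via the new line (AD 10) takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 172.16.0.23 track 2
ip route 0.0.0.0 0.0.0.0 172.16.0.24 10
!
! Student VLAN 18: an extended ACL (wildcard mask, not a subnet mask) and a
! route-map that sets the next hop without verify-availability, because that
! keyword was rejected on this platform. Packets that do not match the ACL
! are routed normally.
ip access-list extended VLAN18-TO-NEW-ISP
 permit ip 172.18.0.0 0.0.0.255 any
!
route-map NewASA permit 10
 match ip address VLAN18-TO-NEW-ISP
 set ip next-hop 172.16.0.24
!
interface Vlan18
 ip policy route-map NewASA
```

Without verify-availability, VLAN 18 falls back to the normal routing table only when 172.16.0.24 itself becomes unresolvable (no connected route or ARP entry); if only that firewall's WAN side fails, policy-routed traffic is still sent to it. Watch track 1 with show track and show ip sla statistics, and confirm the policy is attached with show ip policy and show route-map NewASA.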