Can I use a route map to route SLA monitor traffic out of a specific int?

Unanswered Question
Aug 17th, 2007
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Hi Everyone,


I have a question which I hope you can help with?


I have a Cisco 1841 acting as my core router(with HSRP to another 1841). Also attached to my lan(192.168.50.X/24) is a Zywall firewall (192.168.50.250). The firewall is my network D/G. What I want to do is use cisco's SLA monitor (to www.cisco.com) in order to tell my 1841 router if the main internet ADSL link is down. In the event of a failure, object tracking will then inject a new default route to pass traffic further down my network and out of another routers ADSL... I have an access list on the backup router stopping the main 1841 from accessing the web. So that the SLA monitor doesnt go live again ass soon as the backup route is in place.


Get the idea? :)


Everything works like clockwork... Apart from when the main adsl goes live again! because my D/G is now further down the network the 1841's SLA monitor never sees cisco.com as live, so never injects the original default route back into the network... Damn!


Basically, what I need to do is always send the SLA traffic to cisco.com out of fastethernet0/0.1 to my main firewall. I have thought about route-maps and as you can see from the example config I have tried applying a route map to the loopback0 interface and setting my SLA to coriginate from that interface. But it doesnt work... I dont see any interesting traffic when I do a sho route-map?


Any Ideas guys??? I have attached my config for your inormation. Thanks for any help :)


Matt



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Richard Burts Fri, 08/17/2007 - 02:00
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Matt


I have several comments about your questions and the config that you posted.

- Policy Based Routing is normally configured for traffic that will transit the router and is applied to the interface where traffic enters the router. In your case you want to do PBR on locally generated traffic. Since your SLA traffic does not enter the router on the loopback interface it does no good to assign the route map on the loopback interface. I suggest removing the ip policy from the loopback interface. To do PBR on locally generated traffic use this command:

ip local policy route-map map-tag

This is entered in global config rather than in interface config and the important thing here is the keyword local.

- the access list that is shown to identify traffic for PBR uses permit ip any any. I think that is too broad and will include traffic that you do not necessarily want to send out this interface. Since your SLA specifies source-ipaddr 172.16.250.254 I would suggest that your access list should specify the source address as 172.16.250.254. You might also think about specifying the destination address in the ACL.

- the route map is doing set ip default next-hop 192.168.50.250. I would suggest that you set next-hop instead of default next-hop.


Give these a shot and let us know how it works.


HTH


Rick

Matthew Needs Fri, 08/17/2007 - 02:40
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Thanks Rick! I'll give it a try and let you know..


Have a great day


Matt

Matthew Needs Thu, 08/30/2007 - 05:57
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Tested this yesterday.. Works a treat! :). Thanks again Rick.


Kind Regards


Matt

Richard Burts Thu, 08/30/2007 - 09:40
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Matt


I am glad that my suggestion was helpful. Thanks for posting back to the forum and indicating that the suggestion did solve your problem. It makes the forum more helpful when people can read about a problem and can read suggestions that are known to have solved the problem. I encourage you to continue your participation in the forum.


HTH


Rick

g-hopkinson Thu, 07/17/2008 - 01:29
User Badges:

Not sure if I will get a response. I am after the same thing but using http get instead of icmp. An example of my http probe is http://www.cisco.com. Using policy based routing the device will resolve the ip address using dns, but fails on the http probe. If I replace the url with a specific ip address it still fails. icmp works fine. I am testing with a Cat3550 running 12.2.44se2 s/w.

Thanks Gary

Richard Burts Thu, 07/17/2008 - 04:11
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Gary


Perhaps it would give us something to work with if you would post the configuration.


HTH


Rick

Matthew Needs Thu, 07/17/2008 - 23:23
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Hi Gary,


Not sure if it's any help but im pretty sure I had the http probe working on the 1841 because I was toying with using it? Perhaps its something to do with the 3550 platform?? Just an idea but perhaps it's because 3550's dont support the "ip dns server" command or NAT? I'll try and dig out the config for you if I still have it?...


Good luck


Matt

Matthew Needs Thu, 07/17/2008 - 23:28
User Badges:
  • Bronze, 100 points or more
  • Community Spotlight Award,

    Small Business, May 2015

Hi Gary, I've just realised that it's the http probe I was originally working on!! Not icmp. Sorry about that, it's still early in the morning here! ;oS


Cheers


Matt

Actions

This Discussion