Can I use a route map to route SLA monitor traffic out of a specific int?

Aug 17th, 2007

Hi Everyone,

I have a question which I hope you can help with?

I have a Cisco 1841 acting as my core router (with HSRP to another 1841). Also attached to my LAN (192.168.50.X/24) is a Zywall firewall (192.168.50.250). The firewall is my network D/G. What I want to do is use Cisco's SLA monitor (to www.cisco.com) in order to tell my 1841 router if the main internet ADSL link is down. In the event of a failure, object tracking will then inject a new default route to pass traffic further down my network and out of another router's ADSL... I have an access list on the backup router stopping the main 1841 from accessing the web, so that the SLA monitor doesn't go live again as soon as the backup route is in place.

Get the idea? :)

Everything works like clockwork... Apart from when the main ADSL goes live again! Because my D/G is now further down the network, the 1841's SLA monitor never sees cisco.com as live, so it never injects the original default route back into the network... Damn!

Basically, what I need to do is always send the SLA traffic to cisco.com out of FastEthernet0/0.1 to my main firewall. I have thought about route-maps and, as you can see from the example config, I have tried applying a route map to the Loopback0 interface and setting my SLA to originate from that interface. But it doesn't work... I don't see any interesting traffic when I do a "sho route-map".

Any ideas guys??? I have attached my config for your information. Thanks for any help :)

Matt

Richard Burts Fri, 08/17/2007 - 02:00

Matt

I have several comments about your questions and the config that you posted.

- Policy Based Routing is normally configured for traffic that will transit the router and is applied to the interface where traffic enters the router. In your case you want to do PBR on locally generated traffic. Since your SLA traffic does not enter the router on the loopback interface it does no good to assign the route map on the loopback interface. I suggest removing the ip policy from the loopback interface. To do PBR on locally generated traffic use this command:

ip local policy route-map map-tag

This is entered in global config rather than in interface config and the important thing here is the keyword local.

- the access list that is shown to identify traffic for PBR uses permit ip any any. I think that is too broad and will include traffic that you do not necessarily want to send out this interface. Since your SLA specifies source-ipaddr 172.16.250.254 I would suggest that your access list should specify the source address as 172.16.250.254. You might also think about specifying the destination address in the ACL.

- the route map is doing set ip default next-hop 192.168.50.250. I would suggest that you set next-hop instead of default next-hop.

Give these a shot and let us know how it works.

HTH

Rick
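To show how Rick's three points fit together, here is an added IOS-style configuration (not the poster's attached config, which is not on this page). Values taken from the thread are the firewall 192.168.50.250 and the SLA source 172.16.250.254; the SLA/track/ACL numbers, the route-map name, the backup next-hop 192.168.50.2 and the probe target 192.0.2.10 (a placeholder standing in for the resolved address of www.cisco.com) are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumed: SLA 1, track 1, ACL 101, route-map name SLA-VIA-FW,
! backup next-hop 192.168.50.2, probe target 192.0.2.10 (placeholder).
!
! Loopback that the probe is sourced from (the SLA source-ip on the page).
! No "ip policy route-map" goes here: the probe never enters the router
! on this interface, so an interface policy would never see it.
interface Loopback0
 ip address 172.16.250.254 255.255.255.255
!
! ICMP echo probe, sourced from the loopback. This is the "ip sla" syntax;
! older 12.4 images use "ip sla monitor 1" / "type echo protocol ipIcmpEcho".
ip sla 1
 icmp-echo 192.0.2.10 source-ip 172.16.250.254
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object bound to the probe (older images: "track 1 rtr 1 reachability").
! The primary default route via the firewall is withdrawn when the probe fails;
! the floating static (AD 250) via the backup router then takes over.
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.50.250 track 1
ip route 0.0.0.0 0.0.0.0 192.168.50.2 250
!
! Narrow ACL (Rick's second point): only echo requests from the loopback to
! the probe target match, so PBR cannot redirect any other locally generated
! traffic. A "permit ip any any" here would policy-route everything.
access-list 101 permit icmp host 172.16.250.254 host 192.0.2.10 echo
!
! Route map with plain "set ip next-hop" (Rick's third point). "default
! next-hop" only applies when no route exists, and the backup default route
! always exists, so the probe would follow it and never recover.
route-map SLA-VIA-FW permit 10
 match ip address 101
 set ip next-hop 192.168.50.250
!
! Apply to locally generated traffic, in global config (Rick's first point).
ip local policy route-map SLA-VIA-FW
```

Once the local policy is in place, the match counters in "show route-map SLA-VIA-FW" should increment every 10 seconds, which is the "interesting traffic" the original poster was looking for; if they stay at zero, the ACL does not match the probe's actual source or destination.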

Matthew Needs Thu, 08/30/2007 - 05:57

Tested this yesterday... Works a treat! :) Thanks again Rick.

Kind Regards

Matt

Richard Burts Thu, 08/30/2007 - 09:40

Matt

I am glad that my suggestion was helpful. Thanks for posting back to the forum and indicating that the suggestion did solve your problem. It makes the forum more helpful when people can read about a problem and can read suggestions that are known to have solved the problem. I encourage you to continue your participation in the forum.

HTH

Rick

g-hopkinson Thu, 07/17/2008 - 01:29

Not sure if I will get a response. I am after the same thing but using HTTP GET instead of ICMP. An example of my HTTP probe is http://www.cisco.com. Using policy based routing the device will resolve the IP address using DNS, but fails on the HTTP probe. If I replace the URL with a specific IP address it still fails. ICMP works fine. I am testing with a Cat3550 running 12.2.44se2 s/w.

Thanks Gary

Richard Burts Thu, 07/17/2008 - 04:11

Gary

Perhaps it would give us something to work with if you would post the configuration.

HTH

Rick

Matthew Needs Thu, 07/17/2008 - 23:23

Hi Gary,

Not sure if it's any help, but I'm pretty sure I had the HTTP probe working on the 1841 because I was toying with using it? Perhaps it's something to do with the 3550 platform?? Just an idea, but perhaps it's because 3550s don't support the "ip dns server" command or NAT? I'll try and dig out the config for you if I still have it?...

Good luck

Matt

Matthew Needs Thu, 07/17/2008 - 23:28

Hi Gary, I've just realised that it's the HTTP probe I was originally working on!! Not ICMP. Sorry about that, it's still early in the morning here! ;oS

Cheers

Matt
