04-27-2008 11:59 AM - edited 03-05-2019 10:38 PM
Hi,
Until now, a customer had his 2 main sites connected via an MPLS cloud, which belongs to and is managed by their ISP.
A number of other smaller remote sites are also meshed through this cloud.
Recently, the customer had the opportunity to have the 2 main sites connected through a direct dual fiber link (provided by another ISP).
No L3 routing here, just a straight L1 direct connection.
See attached network diagram.
Here's what we would like to achieve:
1) Use the new fiber link as an L2 trunk between the 2 sites.
2) Use the former L3 MPLS path as a backup link, if the fiber etherchannel goes down.
Step 1 is no problem.
Step 2 doesn't work, because even with the etherchannel going down, either 3750 still sees the SVI interface corresponding to the remote site as "up".
Since this SVI stays up, it's considered by the switch as a directly connected route, so the default external route will not be used.
In other words, we are trying somehow to make the state of the SVI dependent on the state of the etherchannel.
For example, as soon as we administratively shut down the other site's corresponding SVI, then the default route is used to reach the other site.
I know that we could do L3 routing instead of L2 trunking, and then it would be much simpler to make the backup path work.
But for several reasons, e.g. disaster recovery, the customer wants each site's vlans propagated to the other one.
Does somebody have a brilliant idea on how to make the backup route work?
Thanks in advance.
JG.
04-27-2008 11:24 PM
I haven't used this on a 3750, so you would need to test it, but you could try using PBR with multiple tracking. The basic idea is you use ICMP to check the status of the SVI interface, so from Site A you would ping the SVI of the vlan on Site B. If the etherchannel fails then the ping should fail and you can then use a different route.
You will need to use the Routing SDM template on your 3750's to use PBR. As I say, I haven't used this on 3750's, so please test.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html
Jon
04-28-2008 09:36 AM
Thanks for the suggestion... but am I mistaken in thinking that even like that, both SVI's on both 3750's will still remain up? And that because of this, no different route will ever be installed because of the (SVI's) directly connected ones?
Unless PBR is capable of doing such smart things as administratively shutting down an SVI?
Creating a track object for the state of the etherchannel is not a problem, but that doesn't help us much.
Jose.
04-28-2008 10:02 AM
An SVI only remains up when a switchport is up/up and part of the Vlan the SVI represents.
I recommend having only the Vlan the SVI represents on that etherchannel and under no other switchport.
HTH,
__
Edison.
04-28-2008 10:18 AM
Hi Edison
Think that may be the issue. If you only have the SVI on the etherchannel then you may as well route the link because you can't extend a layer 2 vlan across the link anymore.
Jon
04-28-2008 01:00 PM
Edison
Just ignore me, I'm having a moment! I mistakenly read the diagram as needing switchports in both sites in both vlans.
Jon
04-28-2008 01:57 PM
Edison
Just ignore me,
Done ;)
04-28-2008 10:22 AM
Jose
I think I may not be understanding your setup properly. My understanding was that when the etherchannel went down it did not fail over to the other route because the local SVI was still up.
I was suggesting tracking the remote SVI. If the etherchannel goes down then you will not be able to ping site B's SVI because, as you have already said, the failover isn't working.
So when you can't ping the remote SVI you can then switch routes. Have I misunderstood?
Jon
04-28-2008 12:51 PM
Hi Jon,
"I think I may not be understanding your setup properly. My understanding was that when the etherchannel went down it did not fail over to the other route because the local SVI was still up."
Well, on both 3750's, the local AND remote SVI's are present. So on 3750-A, vlan2 (local) and vlan3 (remote) are present. And vice-versa. This is what makes inter-vlan (and so inter-site) routing possible. But on site A for example, if I take down the portchannel, the vlan3 SVI stays up from the switch's perspective, hence the external route is not considered. The same on site B, where vlan2 SVI will stay up.
Are we on the same page?
Regarding Edison's input, that's a good point.
But I tried the following on site A:
Verified that there are no switchports assigned to vlan3 (corresponding to site B) on 3750-A, leaving only the 2 trunked fiber ports. Then I took the etherchannel down, hoping that indeed vlan3 SVI would go down. But surprise, it remained up! I waited quite a while, thinking that there could be some timeout that I was unaware of... but no way.
Thx,
Jose.
04-28-2008 01:06 PM
"Are we on the same page?"
We are now :-). Apologies Jose, this is one thread I wish I hadn't got involved in!!
Edison's point is indeed a good one. When you took down the etherchannel, did you verify that both individual links shut down as well?
Jon
04-28-2008 01:29 PM
Yes of course, both ports are down, and so is the etherchannel after that.
3750-A#sh int po5
Port-channel5 is down, line protocol is down (notconnect)
3750-A#sh int vl3
Vlan3 is up, line protocol is up
04-28-2008 01:56 PM
Make sure you don't have any other trunking switchport on that switch with that Vlan in forwarding state.
You need to manually prune that Vlan on those switchports, if that's the case.
__
Edison.
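The check Edison describes, as an added example that is not part of the original thread: it reads the last section of `show interfaces trunk` and lists the trunk ports still forwarding a VLAN, which are the ports that keep that VLAN's SVI up. The sample output and interface names are constructed, and the handling of wrapped VLAN lists assumes continuation lines are indented; any up/up access port in the VLAN also holds the SVI up and is not covered here.

```python
# Constructed sample: `show interfaces trunk` after Po5 went down (not from the thread).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/10    on               802.1q         trunking      1
Gi1/0/11    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/10    1-4094
Gi1/0/11    1-2,10

Port        Vlans allowed and active in management domain
Gi1/0/10    1-3,10
Gi1/0/11    1-2,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/10    1-3,10
Gi1/0/11    1-2,10
"""

FORWARDING_HDR = "Vlans in spanning tree forwarding state and not pruned"

def expand_vlans(spec):
    """Expand '1-3,10' into {1, 2, 3, 10}; 'none' gives an empty set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunks_forwarding(output, vlan):
    """Trunk ports still forwarding `vlan`, i.e. ports holding its SVI up."""
    per_port, in_section, port = {}, False, None
    for line in output.splitlines():
        if line.startswith("Port"):
            in_section, port = FORWARDING_HDR in line, None
            continue
        if not in_section or not line.strip():
            continue
        if not line[0].isspace():   # new port row; otherwise a wrapped VLAN list
            port, _, line = line.partition(" ")
        if port:
            per_port.setdefault(port, set()).update(expand_vlans(line))
    return sorted(p for p, v in per_port.items() if vlan in v)

if __name__ == "__main__":
    print("Trunks holding Vlan3 up:", trunks_forwarding(SAMPLE, 3))
```

An empty result for the remote site's VLAN means no trunk is left to hold the SVI up once the etherchannel is down; any port listed is one to prune that VLAN from.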
04-30-2008 12:01 AM
Hi guys,
Edison was right, there were some other trunked ports with no pruning.
However, in the meantime, customer confirmed his mandatory need to have some static access ports in each site, pertaining to the opposite site's vlan (Jon was also correct assuming that this was a requirement:-)
So I'm back at the starting point.
I'm beginning to think that there is no native possibility in the IOS to achieve the L3 route failover automatically.
Maybe the only way would be some kind of SNMP monitoring of the etherchannel's state, which could ultimately trigger some kind of external scripted action that would be sent to the 3750's (shutdown the SVI for instance).
Jose.