
PBR and redundancy

luisveraza (Level 1)

Hi,

If I apply the next configuration:

Differing Next Hops Example

The following example illustrates how to route traffic from different sources to different places (next hops). Packets arriving from source 1.1.1.1 are sent to the next hop at 3.3.3.3; packets arriving from source 2.2.2.2 are sent to the next hop at 3.3.3.5.

access-list 1 permit host 1.1.1.1
access-list 2 permit host 2.2.2.2
!
interface fastethernet 3/1
 ip policy route-map Texas
!
route-map Texas permit 10
 match ip address 1
 set ip next-hop 3.3.3.3
!
route-map Texas permit 20
 match ip address 2
 set ip next-hop 3.3.3.5

If router 3.3.3.5 is down, can I apply a configuration where all traffic goes directly to another router, 3.3.3.3?

Thank you.


11 Replies

yagnesh_tel (Level 1)

It is possible with PBR using the object tracking feature, with the command 'set ip next-hop verify-availability' instead of 'set ip next-hop'. The sequence number in this command can be used to specify the primary next hop and a backup next hop for the matched packets.

set ip next-hop verify-availability 3.3.3.5 10 track 123
set ip next-hop verify-availability 3.3.3.3 20 track 124

The above commands set the next hop to 3.3.3.5 if object 123 is up. If object 123 is down, then the next hop will be set to 3.3.3.3 if object 124 is up. If object 124 is also down, then policy routing fails and unicast routing will route the packet.

Refer:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

Mohamed Sobair (Level 7)

Hi,

Besides using object tracking with PBR, you could apply the following, which will also work:

route-map Texas permit 20
 match ip address 2
 set ip next-hop 3.3.3.5 3.3.3.3

With the above config, if next hop 3.3.3.5 is down, next hop 3.3.3.3 will be the second next hop for all packets sourced from the addresses in access-list 2.

The difference when using object tracking is that you ensure the next hop is reachable via ICMP, as it is possible to have the interface up but the next hop not reachable.

HTH

Mohamed

Hi,

This configuration is working properly now, but I have a new request.

I need to add a static route for data traffic, but the gateway where I can find this new network is the secondary gateway.

I added the static route and it's not working.

Do you know what I can do?

A static route will not work in this scenario, as PBR takes effect first. So first make sure that you are not including this network in the existing ACL which you are using for PBR. Then create a separate ACL to match this new network and set the secondary gateway as the primary next hop.

Do you have any configuration example?

I don't understand how I can do it.

Thank you.

Hi Luis,

Let's say your new network is 10.10.10.0/24. So first edit your existing ACL 1 or 2 (assuming they already include this network) to exclude this subnet. Next, define a new ACL 3 which only matches this network. Then add a new permit statement to your existing route-map.

A sample configuration looks like this.

route-map Texas permit 10
 match ip address 1
 set ip next-hop verify-availability 3.3.3.5 10 track 123
 set ip next-hop verify-availability 3.3.3.3 20 track 124
route-map Texas permit 20
 match ip address 2
 set ip next-hop verify-availability 3.3.3.3 10 track 124
 set ip next-hop verify-availability 3.3.3.5 20 track 123
route-map Texas permit 30
 match ip address 3
 set ip next-hop verify-availability 3.3.3.3 10 track 124

Permit statement 30 in this route-map will set the next hop to your secondary gateway, 3.3.3.3, first if object 124 is up. If object 124 is down, then unicast routing will take over. You can set your primary gateway as the backup next hop, depending on your requirement.

Please share your configuration if this does not help.

I understand, but I don't know where to apply it in the configuration.

Here is the current configuration:

interface Vlan1
 ip address 10.10.1.254 255.255.255.0
 ip policy route-map BAD
interface Vlan3
 ip address 10.10.3.253 255.255.255.248
interface Vlan93
 ip address 10.10.2.254 255.255.255.0
 ip policy route-map BAV
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.3.251
ip route 0.0.0.0 0.0.0.0 10.10.3.252
ip route 32.30.131.36 255.255.255.252 10.10.3.252
ip route 32.30.131.42 255.255.255.255 10.10.3.252
!
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any
route-map BAD permit 10
 match ip address 100
 set ip next-hop verify-availability 10.10.3.251 10 track 123
 set ip next-hop verify-availability 10.10.3.252 20 track 124
!
route-map BAV permit 10
 match ip address 101
 set ip next-hop verify-availability 10.10.3.252 10 track 124
 set ip next-hop verify-availability 10.10.3.251 20 track 123

I need the 10.10.1.0/24 source network to reach the 32.30.131.36 destination network through this gateway: 10.10.3.252.

Thank you.

Ok. Use ACL 103 to match this communication and add a new permit statement above the existing statement in route-map BAD.

access-list 103 permit ip 10.10.1.0 0.0.0.255 host 32.30.131.36
route-map BAD permit 5
 match ip address 103
 set ip next-hop verify-availability 10.10.3.252 10 track 124
 set ip next-hop verify-availability 10.10.3.251 20 track 123

Ok.

If I make this change, will my default gateway change to 10.10.3.252 or not? I don't need that.

Do you understand?

Using this new ACL 103, only communication sourced from network 10.10.1.0/24 and destined to host 32.30.131.36 will be matched (and the next hop set to 10.10.3.252). Traffic sourced from 10.10.1.0/24 and going to destinations other than 32.30.131.36 will still be matched by ACL 100, and its primary next hop will be set to 10.10.3.251. This is because of the order in which the route-map is processed by the router.

The route-map is processed in the order of its sequence numbers. So the router will process the statement 'route-map BAD permit 5' first. This statement only matches traffic defined by ACL 103 (S=10.10.1.0/24 & D=32.30.131.36) and will set the primary next hop to 10.10.3.252. The rest of the traffic will be run against the second statement, 'route-map BAD permit 10'. This statement will only be able to match traffic sourced from 10.10.1.0/24 and going to destinations other than 32.30.131.36. The primary next hop for this traffic will be set to 10.10.3.251.

I hope this clears up your understanding.

You're right, I understand.

I didn't see the 'route-map BAD permit 5'; I was thinking that it was replacing number 10.

I really appreciate your help, thank you!
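Added example, not part of the thread above: the replies reference track objects 123 and 124 but never show how they are defined, and the final route-map BAD is spread across several posts. The configuration below pulls the pieces together on the thread's own addresses. It assumes IOS 12.4+ syntax (on the 12.3T code the linked Cisco guide targets, the equivalent objects are `ip sla monitor 1` and `track 123 rtr 1 reachability`); SLA numbers 1 and 2, the 5 second probe interval and the up/down delays are assumed values; the `deny` line in ACL 100 is an assumed requirement (keep Vlan1-to-Vlan93 traffic routed locally rather than policy-routed out to the gateway and back), since a PBR clause whose ACL denies a packet simply does not match, and the packet falls through to the next clause or to normal routing. The ordering of set statements reproduces the primary/backup semantics described in the replies: lower route-map sequence numbers are evaluated first, and within a clause the lowest-numbered next hop whose track object is up is used.

```cisco
! Reachability probes for the two gateways (assumed: ICMP echo every 5 s,
! sourced from Vlan3, the shared 10.10.3.248/29 subnet)
ip sla 1
 icmp-echo 10.10.3.251 source-interface Vlan3
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.10.3.252 source-interface Vlan3
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track objects referenced by the route-maps. The delays (assumed values)
! dampen flapping so a single lost probe does not flip the next hop.
track 123 ip sla 1 reachability
 delay down 10 up 20
track 124 ip sla 2 reachability
 delay down 10 up 20
!
! ACL 100: catch-all for Vlan1. The deny (assumed requirement) stops
! inter-VLAN traffic from being steered to the external gateway.
access-list 100 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
! ACL 103: the specific exception that must prefer 10.10.3.252
access-list 103 permit ip 10.10.1.0 0.0.0.255 host 32.30.131.36
!
! Lower sequence number is evaluated first; the first matching clause wins.
! Within a clause, the lowest-numbered next hop whose track is up is used;
! if every track is down, the packet falls back to the routing table.
route-map BAD permit 5
 match ip address 103
 set ip next-hop verify-availability 10.10.3.252 10 track 124
 set ip next-hop verify-availability 10.10.3.251 20 track 123
route-map BAD permit 10
 match ip address 100
 set ip next-hop verify-availability 10.10.3.251 10 track 123
 set ip next-hop verify-availability 10.10.3.252 20 track 124
!
interface Vlan1
 ip policy route-map BAD
```

To check the result, `show track brief` shows whether objects 123 and 124 are Up or Down, `show ip sla statistics` shows the probe results behind them, and `show route-map BAD` shows per-clause match counters, which is the quickest way to confirm that traffic to 32.30.131.36 is hitting sequence 5 while everything else lands on sequence 10. `debug ip policy` prints each policy-routing decision but should only be used briefly and with care on a production router, since it logs every policy-routed packet.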
