GRE Tunnel Auto Changeover - How ?

Dipesh Patel · ‎07-04-2010

Dear All Experts,

Pls find the topology shown. Green color Line is used to show GRE tunnel.

From Location A all Proxy Traffic is sent to Location C where Internet BW has been taken. Location C is the Primary location for Internet BW.

Configuration for GRE tunnel is shown below. Proxy traffic is sent through Tunnel using Routemap which is also shown below.

Now My Problem is : When ISP 1 is down than We need to manually change the configuration and Proxy traffic is diverted to Location D (Secondary location with Internet BW).

How Can I do this means When Internet Link is down at location C than Location A proxy traffic will automatically diverted to Location D?

Please suggest.

Configuation:

Tunnel config on Router A:

int tunnel1
ip address 10.X.X.1 255.255.255.252
tunel source Gi0/1 (WAN int of Location A)
tunnel destination 10.Y.Y.1 (WAN IP address of Location C)

int gi0/0
ip address 172.X.X.XX
ip policy route-map INET-OUT-TRAFFIC

access-list 10 permit 172.X.X.YY

route-map INET-OUT-TRAFFIC permit 10
match ip address 10
set next hop 10.X.X.2 (Tunnel IP of Location C)

Tunnel config on Router C:

int tunnel1
ip address 10.X.X.2 255.255.255.252
tunel source Gi0/1 (WAN int of Location C)
tunnel destination 10.Y.Y.23 (WAN IP address of Location A)

int gi0/0
ip address 172.X.X.XX

Regards,

Mohamed Sobair · ‎07-04-2010

You need to check if your IOS supports this featur (PBR supports for Multiple tracking object)

-- Just configure your policy based routing to track the nexthop tunnel by icmp and you should be good to go.

See this link:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

HTH

Mohamed

gatlin007 · ‎07-04-2010

Dipesh,

Why not let the default route be known over the tunnel? This way failover can occur dynamically removing the need for PBR. An ACL preventing non-proxy traffic from traversing the tunnel will be easier to maintain then PBR. Fault Tolerance is the Achilles Heel of PBR as well as predictability and scalability.

Chris

Dipesh Patel · ‎07-04-2010

Dear,Gatlin,

Thanks for the reply,

Can you show the sample configuration as per details given in my post?

Default route means you meant to say 0.0.0.0 0.0.0.0 Tunnel1

and on Tunnel1 there is an ACL which filter traffic of all non Proxy traffic. M I right?

But How can it auto change over when one Internet ISP goes down than on to other?

Other thing is that, We are using Static routing s IGP and BGP as OGP. so there are lots of Static routes.

Is there any option of HTTP/WEB Tracking option?

Pleae suggest.

Regards,

Dipesh P.

Dipesh Patel · ‎07-04-2010

HI Sobair,

Thanks for the reply.

For Multiple Tracking object using PBR required CDP must enable as shown doc accor to attached link. In my case CDP is disable globally.

Suppose CDP is not an issue than what should I track, Is it Internet ISP - 1 GW ? If it is down than my traffic will be sent using other tunnel next hop address. Is it correct?

Where should I apply PBR means on which Int.?

Please, show me the sample configuration as per the deytails shown in POST. It will be very helpful to understand the scenario.

Regards,

Dipesh Patel · ‎07-05-2010

Dear All,

Please reply ????

Regards,

gatlin007 · ‎07-05-2010

Is there a compelling reason to use the GRE tunnels? You could announce your enterprise prefixes to the service provider via BGP. In the case of default (0.0.0.0) use as-path prepend to make site C more attractive.

### Router C

router bgp 65001
network 0.0.0.0
Exit

### Router D

ip prefix-list DELTA permit 0.0.0.0/0

route-map BGP-OUT permit 10
match ip address prefix-list DELTA
set as-path prepend 65001 65001
exit

router bgp 65001
network 0.0.0.0
neighbor x.x.x.x route-map BGP-OUT ### MPLS PE
exit

This will cause the MPLS network to route default traffic to Router C until it fails. At that point the default route being announced by Router D will remain and carry the load. If this approach is taken you should also announce your LAN prefixes to the provider so traffic takes a symmetric path.

Another option is to use an IGP over the tunnels. For a small network like this RIPv2 is a good choice. RIPv2 doesn’t get the credit it deserves for small networks; it’s easy to tune in regard to timers and filtering. If this network is going to grow consider EIGRP. The example below assumes that default is a static route today.

### Router C

ip prefix-list DELTA permit 0.0.0.0/0

route-map STATIC2RIP permit 10
match ip address prefix-list DELTA
exit

router rip
version 2
no auto-summary
timers basic 1 3 3 5
network 10.0.0.0
passive-interface default
no passive-interface tunnel 1
distribute-list prefix DELTA out
default metric 1
redistribute static route-map STATIC2RIP
exit

### Router D

ip prefix-list DELTA permit 0.0.0.0/0

route-map STATIC2RIP permit 10
match ip address prefix-list DELTA
set metric 3
exit

router rip
version 2
no auto-summary
timers basic 1 3 3 5
network 10.0.0.0
passive-interface default
no passive-interface tunnel 1
distribute-list prefix DELTA out
default-metric 1
redistribute static route-map STATIC2RIP
exit

### Router A

ip prefix-list PREVENT deny 0.0.0.0/0 le 32

router rip
version 2
no auto-summary
network 10.0.0.0
timers basic 1 3 3 5
passive-interface default
no passive-interface tunnel 1

no passive-interface tunnel 2
distribute-list prefix PREVENT out
exit

The config above allows Router A to learn default via RIP, yet RIP doesn’t advertise any prefixes. The default route from Router C will look attractive with a metric of 1 while having a metric of 3 from router D.

For this to work it’s important the default route be removed from the routing table when the path to the ISP loses integrity. If it is a static default to your ISP consider asking them to advertise default to you; RIP could also be used for this. BGP is another option but seems overkill to simply learn default. If the provider won’t send you default you can use ‘IP SLA’ to revoke the static default route in the event it a predetermined service isn’t available over the circuit.

As far as preventing hosts other than the proxy from utilizing the default route I’d install and ACL inbound on the LAN interface. Something like the following may work.

access-list 100 permit ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any 172.16.0.0 0.31.255.255
access-list 100 permit ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip host x.x.x.x any

### x.x.x.x above allows the proxy source address to reach any internet address.

int
ip access-group 100 in
exit

Chris

Mohamed Sobair · ‎07-05-2010

Hi,

Your config of PBR tracking should be applied here:

Tunnel config on Router A:

int tunnel1
ip address 10.X.X.1 255.255.255.252
tunel source Gi0/1 (WAN int of Location A)
tunnel destination 10.Y.Y.1 (WAN IP address of Location C)

int gi0/0
ip address 172.X.X.XX
ip policy route-map INET-OUT-TRAFFIC verify-availability track1

track 1 rtr 1 reachability

ip sla 1
icmp-echo x.x.x.x (Tunnel Destination of Site C ) source-ip y.y.y.y
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now

HTH

Mohamed

Dipesh Patel · ‎07-10-2010

Dear Sobair,

Thanks for the reply.I havd tried the same and use Intrnet ISP gateway for tracking. It's working but only when ISP gateway was down.

But in most of the cases ISP Gatway is up but browsing is not working. This is my main concern.

Can you suggest how can I track or what should I track so that if t one location Internet Browsing or any way Internet is not working than my Proxy traffic is automatically diverted to other location with Internet BW as shown in Diagram.

Please reply soon.

Regards,

Mohamed Sobair · ‎07-11-2010

You will need to analyze IP SLA using HTTP operation as bellow:

ip sla monitor 8

 type http operation get url http://198.133.219.25

 frequency 90

ip sla monitor schedule 8 life forever start-time now


check out this link for more info:

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hshttp.html



HTH
Mohamed

Dipesh Patel · ‎07-11-2010

Dear Mohammad,

Thanks,

Will check the same.

Regards,