route-map failback?

Answered Question
Mar 28th, 2014

I followed this article and configured my router to send all http traffic to a squid proxy. Anyway, I am wondering, if my squid server crashes, all users will not be able to access any websites. So can I configure the router to bypass the squid server when it crashes?

Jon Marshall Sat, 03/29/2014 - 07:26

The ACL in that article seems a bit convoluted.

What traffic are you trying to send to the proxy, ie. http but what else? Are there other things like https etc.?

What device are you using, ie. a switch or a router?

If a switch, what model and what license are you running on that switch?

Have you thought about using WCCP?

Jon

Lingfeng Xiong Sat, 03/29/2014 - 21:55

> The acl in that article seems a bit convoluted.

It just rejects all traffic except http I believe.

> What traffic are you trying to send to the proxy ie. http but what else. Are there other things like https etc ? 

http only at this time. I want to send https traffic but that would involve a lot of work on certification things.

> What device are you using ie. a switch or a router ?

> If a switch what model and what license are you are running on that switch ?

Cisco 7301/7304

> Have you thought about using WCCP ?

A quick overview suggests that WCCP is a very useful solution and I am currently reading some materials about it. :-)

Jon Marshall Mon, 03/31/2014 - 06:44

> It just rejects all traffic except http I believe.

It does, but with PBR if the traffic is not matched in the ACL it is simply routed normally, so you only really need to permit the http traffic you want and nothing else, ie. you do not need to deny non-http traffic.

Can't say much more without seeing the configuration.

Jon

Correct Answer
paul driver Mon, 03/31/2014 - 07:30

Hello

I cannot comment on the article, but on the PBR I may be able to shed some light on this for you.

route-map proxy-redirect permit 100
match ip address 111
set ip next-hop SQUID-PROXY-IP

At present the above PBR statement is matching on the ACL and setting the next hop towards the squid proxy IP. However, if that IP address becomes unavailable the router will NOT be aware and WILL continuously try to PBR the matching traffic to that failed IP address.

This can be changed to verify the availability of the next hop and, if applicable, to specify additional next hops for resiliency.

route-map proxy-redirect permit 100
match ip address 111
set ip next-hop SQUID-PROXY-IP SQUID-PROXY-IP2 SQUID-PROXY-IP3
set ip next-hop verify-availability


(The set ip next-hop verify-availability command above checks the availability of the next hop via CDP, so if the next hop isn't a Cisco device it will not work.) However, using another feature called object tracking this can be accomplished, and if the tracked next hop isn't viable the traffic will be routed normally.

ip sla 2
 icmp-echo SQUID-PROXY-IP source-ip ROUTER-SOURCE-IP
 frequency 5
ip sla schedule 2 life forever start-time now

track 10 ip sla 2 reachability

route-map proxy-redirect permit 100
 match ip address 111
 ! the tracked entry names the next hop itself; a plain "set ip next-hop SQUID-PROXY-IP"
 ! alongside it would keep sending matched traffic to the proxy after track 10 goes down
 set ip next-hop verify-availability SQUID-PROXY-IP 1 track 10

route-map proxy-redirect permit 999

Note: the permit 999 is a catch-all statement, meaning all non-matched traffic will be routed normally.

res

Paul
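Pulling Jon's ACL point (permit only the HTTP you want, no deny lines needed) and Paul's object-tracking PBR together, here is a complete IOS configuration as an added example; it is not from the thread, the linked article or anyone posting here. The addresses (LAN 10.0.0.0/24 on GigabitEthernet0/0, router 10.0.0.1, squid host 10.0.0.10 listening on TCP 3128), the interface name and the timers are all assumptions, and it is also assumed that squid runs in intercept mode on that port as the article set up. It differs from Paul's version in one deliberate way: it probes the squid TCP port rather than pinging the host, because the question is about squid *crashing*, and a host whose squid daemon has died still answers ping, so an icmp-echo track would never fail over.

```cisco
! --- Assumed addressing (not from the thread): ---
!   LAN clients      10.0.0.0/24 on GigabitEthernet0/0
!   router LAN IP    10.0.0.1
!   squid host       10.0.0.10, squid listening on TCP 3128 (intercept mode)
!
! 1. Probe the proxy SERVICE, not just the host. A crashed squid daemon
!    still answers ping; a TCP connect to the listening port does not.
!    "control disable" = plain TCP handshake, no IP SLA responder needed.
ip sla 2
 tcp-connect 10.0.0.10 3128 source-ip 10.0.0.1 control disable
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 2 life forever start-time now
!
! 2. Track object: declare the proxy down after ~10 s of failures, and
!    wait 30 s of success before redirecting again, so a restarting
!    squid does not flap clients between proxy and direct.
track 10 ip sla 2 reachability
 delay down 10 up 30
!
! 3. Only traffic that should reach the proxy needs a permit; anything
!    the ACL does not match is routed normally, so no deny lines for
!    other protocols. The proxy's own outbound HTTP must be excluded or
!    it is policy-routed straight back to itself.
access-list 111 remark -- PBR: client HTTP to squid --
access-list 111 deny   tcp host 10.0.0.10 any eq www
access-list 111 permit tcp 10.0.0.0 0.0.0.255 any eq www
!
! 4. The tracked entry carries the next-hop address itself. Do not add a
!    plain "set ip next-hop 10.0.0.10" beside it: once track 10 is down
!    that plain entry would still hand HTTP to the dead proxy.
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop verify-availability 10.0.0.10 10 track 10
!
interface GigabitEthernet0/0
 description LAN clients
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map proxy-redirect
!
! 5. This fallback is fail-OPEN: while squid is down, clients browse
!    directly and whatever squid filters or logs is bypassed. Log the
!    transition so the outage (and the policy gap) is visible.
event manager applet PROXY-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "track 10 down: squid unreachable, HTTP now bypasses the proxy"
event manager applet PROXY-UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "track 10 up: HTTP redirection to squid restored"
!
! Verification (exec mode):
!   show ip sla statistics 2        -> probe success / failure counters
!   show track 10                   -> Reachability Up/Down, last change
!   show route-map proxy-redirect   -> "Policy routing matches" counter
```

To exercise it, stop the squid service (leave the host up) and watch `show track 10` flip to Down after the delay while the host still answers ping; clients should then reach the web directly and the PROXY-DOWN syslog should appear. Whether the 7301/7304 image in use supports `tcp-connect` probes and track-based `set ip next-hop verify-availability` is something to confirm on the box (`show ip sla application` lists the supported operation types) rather than assume from this example.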

Lingfeng Xiong Mon, 03/31/2014 - 12:07

Thank you! I believe this is what I am looking for!

I will give it a try some time later this week :-)
