Re: IP SLA with policy-based routing.

e.swinney · ‎12-30-2008

I have scenario where I have a corporate(HUB) site with multiple remotes(spokes). One remote in particular has it's own internet connection via another carrier and I want to use IP SLAs with policy-based routing to force this site to choose the local/site internet access for primary internet access and use the HUB internet access as a back-up (using BGP with a default route being advertised to the remote).

The issue I am having is that unless I put a default static route in (which negates what I am trying to do) pointing to the other ISP providers router the packets keep going over our MPLS network to get access to the internet.

All normal traffic with known routes learned via BGP and EIGRP (on the LAN) work fine. Just the policy-based routing for the SLA doesn't work.

Below is the part(s) of the config that relate to the IP SLA etc..

***** config starts here *****

track 123 rtr 1 reachability

!

track 124 rtr 2 reachability

!

interface GigabitEthernet0/0

description Remote LAN

ip address 192.168.127.2 255.255.255.0

ip policy route-map Internet_Failover

duplex full

speed 100

!

ip route xxx.59.105.246 255.255.255.255 192.168.127.3

!

ip sla 1

icmp-echo xxx.59.105.246

frequency 30

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo xxx.207.89.41

frequency 30

ip sla schedule 2 life forever start-time now

access-list 101 deny ip any xxx.155.50.0 0.0.0.255

access-list 101 deny ip any 192.168.0.0 0.0.255.255

access-list 101 deny ip any 192.xxx.89.0 0.0.0.255

access-list 101 deny ip any 10.0.0.0 0.0.0.255

access-list 101 deny ip any 172.16.0.0 0.15.255.255

access-list 101 permit ip any any

!

route-map Internet_Failover permit 10

match ip address 101

set ip next-hop verify-availability 192.168.127.3 10 track 123

set ip next-hop verify-availability xxx.207.89.41 20 track 124

**** config ends here ******

Any assistance would be greatly apprciated. The IOS is "c2800nm-advsecurityk9-mz.124-15.T7.bin"

Edison Ortiz · ‎12-30-2008

Kevin,

Open for suggestions?

If you want the local ISP to handle the primary internet services

ip route 0.0.0.0 0.0.0.0 [local_ISP_gateway]

BGP will deliver another Quad_0 with a higher metric so if the local ISP is gone (you have to verify the gateway isn't reachable when the ISP is down, so the ip route above is removed from RIB), your router will use the BGP Quad_0.

If you aren't getting specific routes on the spoke from the hub, then you need to address it with either BGP or static routing at the spoke.

PBR and IP SLA on this scenario will make things way too complicated where you can accomplish a better design with pure routing, unless I'm missing some other requirement.

__

Edison.

e.swinney · ‎12-30-2008

My appologies. I may have been to vague. I was worried about being to "wordy"

I am not able to run BGP (or any other dynamic routing protocol) with the other ISP router as there is a customer owned Firewall between the 2 remote site routers and the customer is either not able to or un-willing to open up any more access in the FW other than to run ICMP packets (to confirm the local ISP is still a viable route).

I am running eBGP with this remote and the HUB site and a default-route is being learned at the remote via the eBGP. But, the end user wishes to use his local ISP at the remote and fail over to the HUB site dynamically in case the local ISP ckt goes down or is not reachable. That is why I was trying to use Policy-Based routing using SLA's to determine if the other ISP access was still up.

With that being said, if I remove "only" the current default route that I have pointing to the local ISP router (like you mention above) the packets bound for the internet will immediatly stop going thru the other local ISP and will successfully go thru my MPLS cloud through the HUB site to get to WWW.

The wierd part about this is I had it working for a day (using the above application)and verified it with trace routes but then it hasn't worked since. I have tried numerous things since and I am almost thinking its an IOS issue. Before I go thru the trouble of upgrading the IOS I thought I would bounce this off someone at a Tier III type level.

Believe me, I would try other "best practice" methods but my "scope of work" will not allow me. They customer said it worked with the last providers EQ and I even have the old config but it won't pan out for some reason. It may be because they were 3725s with a different IOS but at this point it's hard to tell.

Any assistance you can lend is greatly appriciated.

lejoe.thomas · ‎12-30-2008

Hi Kevin,

Why dont you go for the static default route to the local ISP with tracking

ip route 0.0.0.0 0.0.0.0 [local ISP next-hop] track XXX

This way you'll use the local ISP and failover to to HUB [because as you said default-route is being learned via eBGP], when the local ISP is no longer reachable. Also you will avoid the use of PBR with object tracking.

HTH

Lejoe

Edison Ortiz · ‎12-31-2008

Kevin,

Fair enough.

Going back to your configuration...

On the line

set ip next-hop verify-availability 192.168.127.3

Is 192.168.127.3 a Cisco device? If so, does it have CDP enabled? You can see this device via CDP from 192.168.172.2?

The verify-availability option will fail the route-map if the next hop isn't reachable via CDP.

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi2.html#wp1012541

I recommend removing it if you aren't sure about CDP -and- you are tracking so it seems a bit redundant.

As for the 2nd line

set ip next-hop verify-availability xxx.207.89.41

Is this device directly connected to this router? I don't see it in the config.

Another thing...

if I remove "only" the current default route that I have pointing to the local ISP router (like you mention above) the packets bound for the internet will immediatly stop going thru the other local ISP and will successfully go thru my MPLS cloud through the HUB site to get to WWW.

I'm sorry - you lost me there. Isn't that what you want? To route your internet via the local ISP?

As Lejoe indicated, if you want to conditionally have the static route, you can track it.

HTH,

__

Edison.