I have a scenario where I have a corporate (HUB) site with multiple remotes (spokes). One remote in particular has its own internet connection via another carrier and I want to use IP SLAs with policy-based routing to force this site to choose the local/site internet access for primary internet access and use the HUB internet access as a back-up (using BGP with a default route being advertised to the remote).
The issue I am having is that unless I put a default static route in (which negates what I am trying to do) pointing to the other ISP provider's router, the packets keep going over our MPLS network to get access to the internet.
All normal traffic with known routes learned via BGP and EIGRP (on the LAN) works fine. Just the policy-based routing for the SLA doesn't work.
Below are the parts of the config that relate to the IP SLA etc.
***** config starts here *****
track 123 rtr 1 reachability
track 124 rtr 2 reachability
description Remote LAN
ip address 192.168.127.2 255.255.255.0
ip policy route-map Internet_Failover
ip route xxx.59.105.246 255.255.255.255 192.168.127.3
ip sla 1
ip sla schedule 1 life forever start-time now
ip sla 2
ip sla schedule 2 life forever start-time now
access-list 101 deny ip any xxx.155.50.0 0.0.0.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 deny ip any 192.xxx.89.0 0.0.0.255
access-list 101 deny ip any 10.0.0.0 0.0.0.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 permit ip any any
route-map Internet_Failover permit 10
match ip address 101
set ip next-hop verify-availability 192.168.127.3 10 track 123
set ip next-hop verify-availability xxx.207.89.41 20 track 124
**** config ends here ******
Any assistance would be greatly appreciated. The IOS is "c2800nm-advsecurityk9-mz.124-15.T7.bin"
If you want the local ISP to handle the primary internet services:
ip route 0.0.0.0 0.0.0.0 [local_ISP_gateway]
BGP will deliver another Quad_0 with a higher metric so if the local ISP is gone (you have to verify the gateway isn't reachable when the ISP is down, so the ip route above is removed from RIB), your router will use the BGP Quad_0.
If you aren't getting specific routes on the spoke from the hub, then you need to address it with either BGP or static routing at the spoke.
PBR and IP SLA on this scenario will make things way too complicated where you can accomplish a better design with pure routing, unless I'm missing some other requirement.
My apologies. I may have been too vague. I was worried about being too "wordy".
I am not able to run BGP (or any other dynamic routing protocol) with the other ISP router as there is a customer-owned firewall between the 2 remote site routers and the customer is either not able to or unwilling to open up any more access in the FW other than to run ICMP packets (to confirm the local ISP is still a viable route).
I am running eBGP with this remote and the HUB site and a default route is being learned at the remote via the eBGP. But the end user wishes to use his local ISP at the remote and fail over to the HUB site dynamically in case the local ISP ckt goes down or is not reachable. That is why I was trying to use policy-based routing using SLAs to determine if the other ISP access was still up.
With that being said, if I remove "only" the current default route that I have pointing to the local ISP router (like you mention above) the packets bound for the internet will immediately stop going thru the other local ISP and will successfully go thru my MPLS cloud through the HUB site to get to WWW.
The weird part about this is I had it working for a day (using the above application) and verified it with trace routes but then it hasn't worked since. I have tried numerous things since and I am almost thinking it's an IOS issue. Before I go thru the trouble of upgrading the IOS I thought I would bounce this off someone at a Tier III type level.
Believe me, I would try other "best practice" methods but my "scope of work" will not allow me. The customer said it worked with the last provider's EQ and I even have the old config but it won't pan out for some reason. It may be because they were 3725s with a different IOS but at this point it's hard to tell.
Any assistance you can lend is greatly appreciated.
Why don't you go for the static default route to the local ISP with tracking?
ip route 0.0.0.0 0.0.0.0 [local ISP next-hop] track XXX
This way you'll use the local ISP and fail over to the HUB [because as you said default-route is being learned via eBGP], when the local ISP is no longer reachable. Also you will avoid the use of PBR with object tracking.
I recommend removing it if you aren't sure about CDP -and- you are tracking so it seems a bit redundant.
As for the 2nd line
set ip next-hop verify-availability xxx.207.89.41
Is this device directly connected to this router? I don't see it in the config.
if I remove "only" the current default route that I have pointing to the local ISP router (like you mention above) the packets bound for the internet will immediately stop going thru the other local ISP and will successfully go thru my MPLS cloud through the HUB site to get to WWW.
I'm sorry - you lost me there. Isn't that what you want? To route your internet via the local ISP?
As Lejoe indicated, if you want to conditionally have the static route, you can track it.
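Added example, not written by any poster in this thread: a small Python model of the tracked static default suggested above, backed by the eBGP-learned default, showing why the SLA probe target needs its own untracked host route toward the local ISP (like the host route via 192.168.127.3 in the posted config). The addresses, exit names and tick timeline are constructed, and the model assumes the hub path always answers the probe.

```python
import ipaddress

AD_STATIC, AD_EBGP = 1, 20      # Cisco default administrative distances
PROBE = "198.51.100.246"        # constructed SLA target (the page masks the real one)
INTERNET = "203.0.113.10"       # constructed Internet destination

def build_rib(track_up, pin_probe):
    """Routes installed for a given track state: (prefix, exit, distance)."""
    rib = [("0.0.0.0/0", "hub", AD_EBGP)]            # default learned via eBGP
    if track_up:                                      # tracked static is withdrawn when down
        rib.append(("0.0.0.0/0", "local_isp", AD_STATIC))
    if pin_probe:                                     # untracked /32 for the probe target
        rib.append((PROBE + "/32", "local_isp", AD_STATIC))
    return rib

def lookup(rib, dst):
    """Longest-prefix match, ties broken by lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), exit_, ad) for p, exit_, ad in rib
            if addr in ipaddress.ip_network(p)]
    return min(hits, key=lambda h: (-h[0].prefixlen, h[2]))[1]

def simulate(isp_up_per_tick, pin_probe):
    """Return the exit used for Internet traffic at each probe interval."""
    track_up, exits = True, []
    for isp_up in isp_up_per_tick:
        rib = build_rib(track_up, pin_probe)
        exits.append(lookup(rib, INTERNET))
        probe_exit = lookup(rib, PROBE)
        # Assumption: the hub path always answers; the local ISP only while it is up.
        track_up = probe_exit == "hub" or isp_up
    return exits

if __name__ == "__main__":
    timeline = [True, False, False, False, False, True, True]  # local ISP state per tick
    print("pinned  :", simulate(timeline, pin_probe=True))
    print("unpinned:", simulate(timeline, pin_probe=False))
```

Without the pinned host route, the probe follows the eBGP default once the static is withdrawn, succeeds through the hub, and the static default is reinstalled while the local ISP is still down, so the exit flaps.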