PBR Issue

w.iqbal · ‎08-20-2009

can we create route map statement in such a way that it uses multiple default gateways for a particular set of host. If one gateway goes down then traffic automatically redirected to second gateway mentioned in route map on WS-C3560G-48TS-S. Is there any Hardware limitation?

Lucien Avramov · ‎08-20-2009

why not use ip sla with track?

If an ip is unreachable for example, track will take the route off, and inject another route that has a higher admin distance.

Giuseppe Larosa · ‎08-20-2009

Hello Wasim,

the question is if the platform supports additional commands and features called verify-availability or tracking.

without this intelligence the times to detect first next-hop failure can be that of the ARP table if all next-hop devices are in the same table.

In old times to make the trick all next-hops had to be in different vlans SVIs and each vlan had to have a single port connected to it that of the gateway.

(the autostate feature tears down an SVI when no L2 port in STP forwarding state exists)

see

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_46_se/configuration/guide/swiprout.html#wp1210866

or

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_46_se/configuration/guide/swiprout.html#wp1210866

To enable PBR, the switch or stack master must be running the IP services feature set.

And:

To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command.

w.iqbal · ‎08-21-2009

What if the Ip defined as next hop in route map goes down but still we have configured a default route. Will default route facilitate the traffic defined in match clause?

ip route 0.0.0.0 0.0.0.0 172.17.17.5 10

ip route 0.0.0.0 0.0.0.0 172.17.17.3 15

ip route 0.0.0.0 0.0.0.0 172.17.17.4 20

access-list 10 permit 172.16.16.35

route-map PROXY permit 10

match ip address 10

set ip next-hop 172.17.17.3

What if 172.17.17.3 goes down. will the traffic from 172.16.16.35 use first default route of the above configuration?

Giuseppe Larosa · ‎08-21-2009

Hello Wasim,

as I wrote in my first post the problem is when all IP next-hops are in the same IP subnet/Vlan like in your example.

In this case without additional features like ip verify-reachability or forms of tracking the local node can realize the next-hop is down after up to 4 hours the time the ARP entry is alive in the ARP table.

To mitigate this you should have the different next-hops in different point-to-point subnets so that the switch can detect the failure of one of them.

Hope to help

Giuseppe

yagnesh_tel · ‎08-21-2009

No, PBR won't able to find that next hope is not available and it will still send packets toward interface having IP in the subnet 172.17.17.3 where packets will be dropped. You need PBR with object tracking using command 'set ip next-hop verify-availability'.

set ip next-hop verify-availability 172.17.17.3 track 123

Above command set the next-hop to 172.17.17.3 if object 123 is up. If object 123 is down, then policy routing fails and unicast routing will route the packet. You need to define tracking 123 for this which will monitored availability of next hope 172.17.17.3.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html