Cisco Support Community
Community Member

route-map failback?

I followed this article and configured my router to send all http traffic to a squid proxy. Anyway, I am wondering: if my squid server crashes, all users will not be able to access any websites. So can I configure the router to pass through the squid server when it has crashed?

Regards, Lingfeng Xiong

Accepted Solutions
VIP Purple

Hello

I cannot comment on the article, but on the PBR I may be able to shed some light for you.

route-map proxy-redirect permit 100
match ip address 111
set ip next-hop SQUID-PROXY-IP

At present the above PBR statement is matching on the ACL and setting the next hop towards the squid proxy IP. However, if that IP address becomes unavailable, the router will NOT be aware and WILL continuously try to PBR the matching traffic to that failed IP address.

This can be changed to verify the availability of the next hop and, if applicable, to specify additional next hops for resiliency.

route-map proxy-redirect permit 100
match ip address 111
set ip next-hop SQUID-PROXY-IP SQUID-PROXY-IP2 SQUID-PROXY-IP3
set ip next-hop verify-availability


(The set ip next-hop verify-availability command above will check for the availability of the next hop via CDP, so if the next hop isn't a Cisco device it will not work.) However, using another feature called Object tracking this can be accomplished, and if the failed next hop isn't viable the traffic will be routed normally.

ip sla 2
icmp-echo SQUID-PROXY-IP source-ip SOURCE-IP
frequency 5
ip sla schedule 2 life forever start-time now

track 10 ip sla 2 reachability

route-map proxy-redirect permit 100
match ip address 111
set ip next-hop SQUID-PROXY-IP
set ip next-hop verify-availability SQUID-PROXY-IP  1 track 10

route-map proxy-redirect permit 999

Note the permit 999 is a catch-all statement, meaning all NON-matched traffic will be routed normally.

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
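
A complete fail-open configuration for the scenario in the answer above, as an added example that is not part of the original post. It goes slightly beyond the post by probing the Squid TCP port instead of pinging the host; the addresses, port 3128 and interface name are constructed placeholders.

```cisco
! Added example with constructed values: proxy 192.0.2.10, Squid port 3128,
! LAN interface GigabitEthernet0/1. Replace them with your own.
!
! Probe the proxy's TCP listener, not just the host: a server that still
! answers ping with Squid stopped would keep an icmp-echo probe "up".
ip sla 2
 tcp-connect 192.0.2.10 3128 control disable
 threshold 2000
 timeout 2000
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track the probe; the delay timers damp flapping while Squid restarts.
track 10 ip sla 2 reachability
 delay down 10 up 30
!
! Only client HTTP is policy-routed. The deny line keeps the proxy's own
! outbound requests from being redirected back to it (needed only when the
! proxy sits behind the same interface as the clients).
access-list 111 deny   tcp host 192.0.2.10 any eq www
access-list 111 permit tcp any any eq www
!
! The tracked next hop is the only next hop set. When track 10 is down the
! clause has no usable next hop and the packet follows the routing table.
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop verify-availability 192.0.2.10 1 track 10
!
route-map proxy-redirect permit 999
!
interface GigabitEthernet0/1
 ip policy route-map proxy-redirect
!
! Verify from exec mode:
!   show ip sla statistics 2
!   show track 10
!   show route-map proxy-redirect
```

While track 10 is down, HTTP is routed straight out and skips whatever filtering and logging the proxy performs.
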
6 REPLIES
Hall of Fame Super Blue

The acl in that article seems a bit convoluted.

What traffic are you trying to send to the proxy, i.e. http, but what else? Are there other things like https etc.?

What device are you using, i.e. a switch or a router?

If a switch, what model and what license are you running on that switch?

Have you thought about using WCCP ?

Jon

Community Member

> The acl in that article seems a bit convoluted.

It just rejects all traffic except http, I believe.

> What traffic are you trying to send to the proxy, i.e. http, but what else? Are there other things like https etc.?

http only at this time. I want to send https traffic but that would involve a lot of work on certification things.

> What device are you using, i.e. a switch or a router?

> If a switch, what model and what license are you running on that switch?

Cisco 7301/7304

> Have you thought about using WCCP ?

A quick overview suggests that WCCP is a very useful solution and I am currently reading some materials about it. :-)

Regards, Lingfeng Xiong
Hall of Fame Super Blue

It just rejects all traffic except http, I believe.

It does but with PBR if the traffic is not matched in the acl it is simply routed normally so you only really need to permit the http traffic you want and nothing else ie. you do not need to deny non http traffic.

Can't say much more without seeing the configuration.

Jon

Community Member

Thank you! I believe this is what I am looking for!

I will give it a try some time later this week :-)

Regards, Lingfeng Xiong