route-map failback?

Lingfeng Xiong
Level 1

I followed this article and configured my router to send all HTTP traffic to a Squid proxy. Anyway, I am wondering: if my Squid server crashes, all users will not be able to access any websites. So can I configure the router to bypass the Squid server when it has crashed?

Regards, Lingfeng Xiong
Accepted Solution

Hello

I cannot comment on the article, but on the PBR I may be able to shed some light for you.

route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP

At present the above PBR statement is matching on the ACL and setting the next hop towards the Squid proxy IP. However, if that IP address becomes unavailable the router will NOT be aware and WILL continuously try to PBR the matching traffic to that failed IP address.

This can be changed to verify the availability of the next hop and/or, if applicable, specify an additional next hop for resiliency.

route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP SQUID-PROXY-IP2 SQUID-PROXY-IP3
 set ip next-hop verify-availability

(The set ip next-hop verify-availability command above will check for the availability of the next hop via CDP, so if the next hop isn't a Cisco device it will not work.) However, using another feature called Object tracking this can be accomplished, and if the failed next hop isn't viable the traffic will be routed normally.

ip sla 2
 ! IOS syntax puts the destination first, then the optional source
 icmp-echo SQUID-PROXY-IP source-ip SOURCE-IP
 frequency 5
ip sla schedule 2 life forever start-time now

track 10 ip sla 2 reachability

route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop SQUID-PROXY-IP
 set ip next-hop verify-availability SQUID-PROXY-IP 1 track 10

route-map proxy-redirect permit 999

Note the permit 999 is a catch-all statement, meaning all non-matched traffic will be routed normally.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
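
A fuller version of the tracked PBR configuration from the answer above, as an added example that is not part of the original post: it probes the Squid TCP listener rather than ICMP, so a crashed daemon on a host that still answers ping also takes the track down. The ACL entries, port 3128, the interface name and the timer values are assumptions; SQUID-PROXY-IP is the thread's placeholder.

```cisco
! Added example. SQUID-PROXY-IP is a placeholder; port 3128, the interface
! name, the ACL entries and the timers are assumptions, not thread values.

! Exempt the proxy's own outbound requests so they are not looped back to
! it, then match client HTTP. Unmatched traffic is routed normally.
access-list 111 deny   tcp host SQUID-PROXY-IP any eq www
access-list 111 permit tcp any any eq www

! TCP probe against the Squid listener. "control disable" is needed because
! the target is not an IOS IP SLA responder.
! threshold <= timeout <= frequency must hold, so set them in this order.
ip sla 2
 tcp-connect SQUID-PROXY-IP 3128 control disable
 threshold 2000
 timeout 2000
 frequency 5
ip sla schedule 2 life forever start-time now

! Dampen flapping: 10 s of failed probes before "down", 30 s before "up".
track 10 ip sla 2 reachability
 delay down 10 up 30

! The only set clause is the tracked one. While track 10 is up, matched
! HTTP goes to Squid; while it is down, the clause is skipped and the
! packet is forwarded by the routing table (fail-open).
route-map proxy-redirect permit 100
 match ip address 111
 set ip next-hop verify-availability SQUID-PROXY-IP 1 track 10

! Apply the policy where client traffic enters the router.
interface GigabitEthernet0/1
 ip policy route-map proxy-redirect

! Verification (exec mode):
!   show ip sla statistics 2
!   show track 10
!   show route-map proxy-redirect
! Track transitions are logged as %TRACKING-5-STATE; those timestamps mark
! the periods during which HTTP bypassed the proxy and its logging.
```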

6 Replies

Jon Marshall
Hall of Fame

The acl in that article seems a bit convoluted.

What traffic are you trying to send to the proxy, i.e. HTTP, but what else? Are there other things like HTTPS etc.?

What device are you using, i.e. a switch or a router?

If a switch, what model and what license are you running on that switch?

Have you thought about using WCCP ?

Jon

> The acl in that article seems a bit convoluted.

It just rejects all traffic except HTTP, I believe.

> What traffic are you trying to send to the proxy ie. http but what else. Are there other things like https etc ? 

http only at this time. I want to send https traffic but that would involve a lot of work on certification things.

> What device are you using ie. a switch or a router ?

> If a switch what model and what license are you are running on that switch ?

Cisco 7301/7304

> Have you thought about using WCCP ?

A quick overview suggests that WCCP is a very useful solution and I am currently reading some materials about it. :-)

Regards, Lingfeng Xiong

> It just reject all traffic except http I believe.

It does, but with PBR, if the traffic is not matched in the ACL it is simply routed normally, so you only really need to permit the HTTP traffic you want and nothing else, i.e. you do not need to deny non-HTTP traffic.

Can't say much more without seeing the configuration.

Jon


Thank you! I believe this is what I am looking for!

I will give it a try some time later this week :-)

Regards, Lingfeng Xiong
