cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
592
Views
5
Helpful
5
Replies

route-map next-hop verify

dale.cooke
Level 1
Level 1

I have 6 routers in a triangle paired formation runing HSRP between each pair. We run OSPF and have started to implement policy routing. The policy works fine but we want to keep the routing Dynamic. I noticed on CCO that there is a next-hop verify command which will pole the next hop router to see if the interface is up. My question is in the instance where the nexthop is down on and the packet gets returned via OSPF to the previous router how do you stop the previous router from passing it back to the next hop yet again because it does not know about the next hop in the path being down?

1 Accepted Solution

Accepted Solutions

Milan was probably referring to split horizon, which dictates that a route not be advertised out the same interface it was received on. This is different from the routing of packets out the same interface via which they arrive, and isn't related to your issue of policy routing conflicting with your dynamic routing protocol when a network failure occurs.

This is a reasonably complex issue and without knowing the specifics of what is happening and when in your network, it's hard to make a specific recommendation. But in general I'd imagine that if the packets are arriving on interface A, being policy-routed out interface B, and then being sent back to interface B from the next router via OSPF during a failure, they shouldn't be policy-routed again unless you have the "ip policy route-map xxx" command that you have configured on interface A configured on interface B as well. Policy routing works based on the interface on which a given packet arrives. In your case the packet is (hopefully) arriving on a different interface (different from the original inbound interface) when it gets looped back, so you should be able to either a) not configure policy-routing on interface B, or b) use a different route-map for the interface B configuration such that packets looped back from the neighbor router aren't matched, and are therefore routed normally via OSPF.

But again, this stuff is very situation-specific. The above assumes that only one router is causing loops when a path fails. If you have a big complex mess whereby any given path failure can cause routing loops on multiple routers, you may want to reevaluate what you're trying to acheive in terms of network reliability vs. traffic flow.

View solution in original post

5 Replies 5

milan.kulik
Level 10
Level 10

Hi,

AFAIK, next-hop verify doesn't poll. It uses CDP neighbor table. See http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087887.html#13173 for details.

To your question:

There should standard routing loop prevention methods be applied (don't route a packet back to the interface it came from, etc., TTL finally).

Regards,

Milan

Does OSPF do that then "don't route a packet back to the interface it came from" becuase we often get routing loops on our network?

Milan was probably referring to split horizon, which dictates that a route not be advertised out the same interface it was received on. This is different from the routing of packets out the same interface via which they arrive, and isn't related to your issue of policy routing conflicting with your dynamic routing protocol when a network failure occurs.

This is a reasonably complex issue and without knowing the specifics of what is happening and when in your network, it's hard to make a specific recommendation. But in general I'd imagine that if the packets are arriving on interface A, being policy-routed out interface B, and then being sent back to interface B from the next router via OSPF during a failure, they shouldn't be policy-routed again unless you have the "ip policy route-map xxx" command that you have configured on interface A configured on interface B as well. Policy routing works based on the interface on which a given packet arrives. In your case the packet is (hopefully) arriving on a different interface (different from the original inbound interface) when it gets looped back, so you should be able to either a) not configure policy-routing on interface B, or b) use a different route-map for the interface B configuration such that packets looped back from the neighbor router aren't matched, and are therefore routed normally via OSPF.

But again, this stuff is very situation-specific. The above assumes that only one router is causing loops when a path fails. If you have a big complex mess whereby any given path failure can cause routing loops on multiple routers, you may want to reevaluate what you're trying to acheive in terms of network reliability vs. traffic flow.

My understanding was that a router should use ICMP redirect (see http://www.cisco.com/warp/public/105/43.pdf).

But I missed there are additional conditions for ICMP redirect to be used (see the URL above).

I've got another idea to fix your problem:

Have you considered using of Reverse Path Forwarding (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/scrpf.pdf)?

Regards,

Milan

great stuff t.baranski have worked on the configs and although it will add an extra couple of hops to the route in the case of a circuit failure it will work fine for us. We are soon to get MPLS on our network so the company policy is no circuit upgrades until then so we are just working with what we have.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: