03-03-2014 08:52 AM - edited 03-04-2019 10:29 PM
Hi All,
I am looking for some suggestions and configuration help on how to manage a sort of failover. Let me explain the requirements, which are also in the attached diagram (PDF). Here we go: we have 4 sites connected with a full-mesh MPLS, and all routes between the sites are exchanged via EIGRP. However, Internet traffic for the remote sites (3 of the sites) is sent to the HQ for filtering (IPS, web filter...), even though the remote sites do have a backup Internet connection. SO INTERNET TRAFFIC IS IN STAR MODE
Yes, I say backup... since this link is used for site-to-site VPN in case the MPLS tunnel goes down. Once again, traffic engineering with the bandwidth command in EIGRP makes the MPLS link the default.
Now, my dilemma... I want to use the remote sites' Internet connection (local Internet with no filtering) when the HQ Internet is down! For the life of me, I still don't know how to make it work!!
Here is what I have in mind though: I plan to ping some hosts on the Internet (4.2.2.2 and 208.67.220.220)... If I get a reply back, I assume everything is fine. But if I don't get a reply from both of them, I assume the HQ Internet is down; therefore, I want to point the default route to the backup link at the remote!!
So that's how I imagine it, but if you have suggestions, please share them.
Thanks,
03-06-2014 09:03 AM
The backup router injects a default route, but why? I.e. if the Internet at HQ is down, then why send traffic via the backup router?
How does the backup router know when to inject a default route?
Does the default route it injects also cover the non-Internet routes for the remote sites?
I need some help here, i.e. I need to understand why the backup router uses a default route when the Internet is down anyway at HQ?
Jon
03-03-2014 09:13 AM
It looks from your diagram that the remote sites receive a default route from HQ?
If that is the case, then a simple solution is, on each remote site L3 device responsible for routing the client subnets, to configure a floating static default route pointing to your backup Internet link.
If the default route via MPLS is lost, then the remote sites would use the floating static. If the MPLS default came back, then it would use that instead.
The floating static just needs to have a higher AD than the default received from the HQ site.
Obviously you need something at HQ that knows when the Internet is down and so stops advertising the default route (IP SLA, for example), unless you are receiving a default route from your ISP at the HQ site.
Jon
03-03-2014 10:43 AM
Hi Jon,
First of all, thank you for the reply.
And yes, all the remotes receive the default route from HQ.
Well, IP SLA tracking is exactly what I have in mind, but I intended to use it at each remote site rather than at the HQ like you suggested. At each remote I have a layer 3 switch and a router... I wanted to make the routing decision closest to the source, which means at the layer 3 switch, as the hosts are connected to the L3 SW and the L3 SW sends traffic to the router. Here is how the L3 SW sees the traffic:
D*EX 0.0.0.0/0 [170/1536512] via 10.168.2x.3, 1w5d, Vlan178 >>> WAN MPLS
Now with the current default route's admin distance being 170, the floating default route should be higher, like 180; would that work?
Thanks,
03-03-2014 10:57 AM
Now with the current default route's admin distance being 170, the floating default route should be higher, like 180; would that work?
Yes that should work fine.
If the router at each remote site passes the routes learnt from MPLS to the L3 switch, then it should be added to the L3 switch.
I can't see an advantage of using IP SLA in each site, as you are already receiving the default route anyway from HQ. As long as HQ stops advertising the default route if the Internet at HQ goes down, then just using the floating static at the remote sites should work fine.
So you may well need IP SLA at the HQ site to check the Internet is up and, if not, remove the default, although as I say it depends on whether HQ gets the default route from the ISP or whether you simply generate a default route in HQ to advertise to the remote sites.
Jon
03-03-2014 12:43 PM
Jon,
The HQ router is not a border GW router; therefore, it does not receive a default route from the ISP, but it does have a default route pointing to the FW; default-route traffic goes (Remote Router >>> HQ router >>> FW). Now how do I have HQ stop advertising the default route to the remotes?
Default route received from HQ:
Gateway of last resort is 10.168.11x.9x to network 0.0.0.0
D*EX 0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1
Now since the default route is being learnt via EIGRP, I assume if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, is any configuration needed?
At the remote:
Since HQ no longer advertises the default route, the backup floating route will be installed in the routing table?
Thanks,
03-03-2014 12:55 PM
Now since the default route is being learnt via EIGRP, I assume if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, is any configuration needed?
Not necessarily.
How is the route being generated, and where at HQ? If you are not getting it from the ISP, you must be generating that route somewhere in HQ on a certain device.
Gateway of last resort is 10.168.11x.9x to network 0.0.0.0
D*EX 0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1
Where is that route entry from, i.e. which device, the HQ MPLS router or a remote site router? It is showing a next hop of a tunnel interface; where is this tunnel going to and from?
You need to understand on which device the actual default route is configured at HQ. It may be another L3 device with a static default route configured and redistributed into EIGRP.
But I can't say now how that default route is generated, as I don't know your topology at HQ.
At the remote:
Since HQ no longer advertises the default route, the backup floating route will be installed in the routing table?
Yes, at the remote site that is exactly what should happen.
Jon
03-03-2014 01:24 PM
Hi Jon,
Here is the routing configuration at the HQ router... As you can see, this router does generate the default route.
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x >>>> To the FW
!
ip access-list standard INTO_EIGRP
permit 0.0.0.0
!
ip access-list extended Internet-Redirect
deny ip 10.168.1XX.0 0.0.0.255 10.168.0.0 0.0.255.255 (route summary)
deny ip 10.168.9X.0 0.0.0.255 10.168.0.0 0.0.255.255
permit ip 10.168.1XX.0 0.0.0.255 any
permit ip 10.168.9X.0 0.0.0.255 any
!
!
ip prefix-list Permit-Local seq 5 permit 10.168.1.0/24 (HQ SUBNET)
ip prefix-list Permit-Local seq 10 permit 10.168.11.0/24 (HQ SUBNET)
ip prefix-list Permit-Local seq 15 permit 10.168.14.0/24 (HQ SUBNET)
ip prefix-list Permit-Local seq 20 permit 10.168.121.0/24 (HQ SUBNET)
ip prefix-list Permit-Local seq 25 permit 0.0.0.0/0
!
route-map INTO_EIGRP permit 10
match ip address INTO_EIGRP
!
route-map Internet-Redirect permit 10
match ip address Internet-Redirect
set ip next-hop 10.168.1X.X (HQ web filter)
!
!
As per the route below, it was taken at the remote router, which has a GRE tunnel to the HQ router. There, 10.168.11x.9x is the destination tunnel IP at the HQ.
Gateway of last resort is 10.168.11x.9x to network 0.0.0.0
D*EX 0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1
Thanks,
03-03-2014 01:42 PM
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x >>>> To the FW
So presumably you are redistributing the above static into EIGRP?
It depends on how you want to check the above route. If the next hop in the above route fails, does the route get removed?
It might not necessarily be removed if, for example, there is a switch in between, so the router interface used to get to the next hop is still up even if the next hop isn't.
Even if it does get removed, it won't if there is a failure further upstream towards the ISP.
So you may want to consider using IP SLA on the above route and using an Internet IP to check the availability of the connection.
Jon
03-03-2014 04:09 PM
Hi Jon,
I am ready to test this configuration, but I'd like to run it by you first, as I don't have test gear; therefore, I'm going to have to implement it in production without testing!!
So here it goes:
1. Plan to add a floating route at each remote (0.0.0.0/0 via the remote backup line GW, plus an admin distance of 180)
2. Then this config at the HQ router to stop advertising the default route to the remotes
ip sla monitor 120
type echo protocol ipIcmpEcho 208.67.220.220 (OpenDNS)
timeout 1000
frequency 5
threshold 2
ip sla monitor schedule 1 life forever start-time now
track 10 rtr 120 reachability
ip access-list 101 permit icmp any host 208.67.220.220 echo
route-map BACKUP-ROUTE-POLICY permit 101
match ip address 101
set ip next-hop 208.67.220.220
set interface null 0
ip local policy route-map BACKUP-ROUTE-POLICY
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 120 (where 10.168.1xx.x is the FW at the HQ)
THANKS A LOT FOR THE HELP, you've been awesome!
03-03-2014 04:18 PM
Not sure why you need the PBR for the IP SLA.
Is this on a router or an L3 switch?
Note the PBR config is not correct anyway, as you are setting the next hop to the Internet IP, but it should be the next hop that the default route uses.
Can you clarify what device you are doing this on and why you are using PBR?
Jon
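To tie together the floating static from the first reply and the HQ-side IP SLA tracking discussed in the last two posts, here is a corrected configuration for both ends. This is an added example, not the original poster's config or Jon's: the tracked static default replaces the PBR that Jon flagged, a host route pins the probe target to the firewall path, and the remote floating static uses the AD 180 agreed earlier. The EIGRP AS number (100), the track delay values, and the remote backup gateway (192.0.2.1) are assumptions; 10.168.1xx.x is the thread's own masked placeholder for the HQ firewall. The newer `ip sla` syntax is used; on older releases the equivalents are `ip sla monitor 120`, `type echo protocol ipIcmpEcho`, `ip sla monitor schedule 120` and `track 10 rtr 120 reachability`.

```cisco
! ===== HQ router: withdraw the default route when the Internet probe fails =====
! Probe an Internet host through the firewall. 208.67.220.220 (OpenDNS) is the
! target proposed in the thread. The firewall must permit ICMP echo from the
! HQ router to this host, or the probe fails and the default is never advertised.
ip sla 120
 icmp-echo 208.67.220.220
 timeout 1000
 frequency 5
 threshold 2
ip sla schedule 120 life forever start-time now
!
! Track object 10 follows the reachability of IP SLA 120. The delay (assumed
! values) keeps one lost probe from flapping the default route for every site.
track 10 ip sla 120 reachability
 delay down 15 up 30
!
! Pin the probe target to the firewall next hop so the probe can only succeed
! via the path being tested. This replaces the local-policy PBR from the post.
ip route 208.67.220.220 255.255.255.255 10.168.1xx.x
!
! Tracked static default: present in the routing table only while track 10 is up.
! When it is withdrawn, the redistribution below stops advertising 0.0.0.0/0.
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 10
!
! Redistribute the static default into EIGRP through the thread's existing
! route-map INTO_EIGRP (its standard ACL permits only 0.0.0.0). AS 100 is assumed.
router eigrp 100
 redistribute static route-map INTO_EIGRP
!
! ===== Remote site L3 switch: floating static default =====
! AD 180 is higher than the EIGRP external default (AD 170), so this route is
! installed only after the HQ default disappears from the table and is
! displaced again as soon as the HQ default returns. 192.0.2.1 is a placeholder
! for the remote backup Internet gateway.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 180
```

The host route for the probe target matters even though the HQ router has no other default route today: it keeps the probe honest if a second default (for example from the backup router mentioned in the accepted answer) is ever added, since otherwise the probe could succeed over that path and hold the firewall default in the table.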
03-03-2014 05:54 PM
Hi Jon,
The HQ device is a router. And it's connected to a layer 2 switch, to which the FW is also connected. So when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.
Thanks,
03-03-2014 06:20 PM
So when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.
Yes you do. I was asking about the PBR not the IP SLA configuration.
All you are trying to do is remove the default route from the IP routing table if you cannot ping that internet IP.
If the HQ router removes the default route, does it get a default route from anywhere else, or does it just not have Internet connectivity?
Jon
03-03-2014 09:07 PM
Well, I went to the HQ router and removed the default route pointing to the FW, which routes traffic to the Internet; Internet traffic at all the remotes is failing.
03-04-2014 08:31 AM
Did you add the floating static at the remote sites?
You need to check the routing table at a remote site when you remove default from HQ.
Jon
03-04-2014 08:43 AM
One other thing.
For IP SLA to work, you need to make sure the firewall allows ping through from your HQ router.
Jon
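The two checks Jon asks for in the last posts (is the probe getting through the firewall, and does the remote routing table actually switch over) can be verified with standard IOS show commands. This is an added checklist, not from the thread; the object and operation numbers (track 10, IP SLA 120) are the ones assumed in the example configuration above, and no output is reproduced here because it depends on the real topology.

```cisco
! ===== HQ router =====
! 1. Is the probe answered? Look for "Number of successes" climbing and a
!    non-zero success count; all failures usually means the firewall blocks ICMP.
show ip sla statistics 120
! 2. Is the track object up? "Reachability is Up" means the default is installed.
show track 10
! 3. Is the tracked default in the table and pointing at the firewall?
show ip route 0.0.0.0
! 4. Is it being redistributed? The prefix should appear in the EIGRP topology.
show ip eigrp topology 0.0.0.0/0
!
! ===== Remote L3 switch =====
! 5. With HQ healthy: the D*EX 0.0.0.0/0 entry (AD 170) via the MPLS router.
!    With the HQ probe failing: an S* 0.0.0.0/0 entry (AD 180) via the backup GW.
show ip route 0.0.0.0
! 6. Confirm the floating static is configured even while it is not installed.
show running-config | include ip route 0.0.0.0
```

To exercise the failover without pulling the HQ default by hand (which, as the thread shows, blackholes every remote that has no floating static yet), deny the probe's ICMP echo at the firewall for a minute and watch step 2 go down and step 5 flip to the AD 180 route; re-permit it and confirm the EIGRP default displaces the floating static again.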