1157 Views, 0 Helpful, 21 Replies

Traffic engineering for backup

Hi All,

I am looking for some suggestions and configuration help on how to manage a sort of failover. Let me explain the requirements, which are also in the attached diagram (PDF). Here we go: we have 4 sites connected with a full-mesh MPLS, and all routes between the sites are exchanged via EIGRP. However, Internet traffic for the remote sites (3 of the sites) is sent to the HQ for filtering (IPS, web filter...) even though the remote sites do have a backup Internet connection. SO INTERNET TRAFFIC IS IN STAR MODE

Yes, I say backup... since this link is used for site-to-site VPN in case the MPLS tunnel goes down. Once again, traffic engineering with the bandwidth command in EIGRP makes the MPLS link the default.

Now, my dilemma... I want to use the remote sites' Internet connection (local Internet with no filtering) when the HQ Internet is down! For the life of me, I still don't know how to make it work!!

Here is what I have in mind, though: I plan to ping some hosts on the Internet (4.2.2.2 and 208.67.220.220)... If I get a reply back, I assume everything is fine. But if I don't get a reply from either of them, I assume the HQ INTERNET is down; therefore, I want to point the default route to the backup link at the remote!!

So that's how I imagine it, but if you have suggestions, please share them.

Thanks,

1 Accepted Solution

Accepted Solutions

The backup router injects a default route, but why, i.e. if the Internet at HQ is down then why send traffic via the backup router?

How does the backup router know when to inject a default route?

Does the default route it injects also cover the non-Internet routes for remote sites?

I need some help here, i.e. I need to understand why the backup router uses a default route when the Internet is down anyway at HQ?

Jon


21 Replies

Jon Marshall
Hall of Fame

It looks from your diagram that the remote sites receive a default route from HQ?

If that is the case then a simple solution is, on each remote site L3 device responsible for routing the client subnets, to configure a floating static default route pointing to your backup Internet link.

If the default route via MPLS is lost then the remote sites would use the floating static. If the MPLS default came back then it would use that instead.

The floating static just needs to have a higher AD than the default received from the HQ site.

Obviously you need something at HQ that knows when the Internet is down and so stops advertising the default route (IP SLA for example), unless you are receiving a default route from your ISP at the HQ site.

Jon

Hi Jon,

First of all, thank you for the reply.

And yes, all the remotes receive the default route from HQ.

Well, IP SLA tracking is exactly what I have in mind, but I intended to use it at each remote site rather than at the HQ like you suggested. At each remote I have a layer 3 switch and a router... I wanted to make the routing decision as close to the source as possible, which means at the layer 3 switch, as the hosts are connected to the L3 SW and the L3 SW sends traffic to the router. Here is how the L3 SW sees the traffic:

D*EX 0.0.0.0/0 [170/1536512] via 10.168.2x.3, 1w5d, Vlan178 >>> WAN MPLS

Now, with the current default route's admin distance at 170, the floating default route should be higher, like 180; would that work?

Thanks,

Now, with the current default route's admin distance at 170, the floating default route should be higher, like 180; would that work?

Yes, that should work fine.

If the router at each remote site passes the routes learnt from MPLS to the L3 switch then it should be added to the L3 switch.

I can't see an advantage in using IP SLA at each site as you are already receiving the default route anyway from HQ. As long as HQ stops advertising the default route if the Internet at HQ goes down, then just using the floating static at the remote sites should work fine.

So you may well need IP SLA at the HQ site to check the Internet is up and, if not, remove the default, although as I say it depends on whether HQ gets the default route from the ISP or whether you simply generate a default route in HQ to advertise to the remote sites.

Jon

Jon,

The HQ router is not a border GW router; therefore, it does not receive a default route from the ISP, but it does have a default route pointed to the FW. Default-routed traffic goes (Remote Router >>> HQ router >>> FW). Now how to have HQ stop advertising the default route to the remotes?

Default route received from HQ:

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Now, since the default route is being learned via EIGRP, I assume if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, should any configuration be needed?

At the remote:

Since HQ no longer advertises the default route, the backup floating route will be installed in the routing table?

Thanks,

Now, since the default route is being learned via EIGRP, I assume if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, should any configuration be needed?

Not necessarily.

How is the route being generated, and where at HQ? If you are not getting it from the ISP you must be generating that route somewhere in HQ on a certain device.

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Where is that route entry from, i.e. which device, the HQ MPLS router or a remote site router? It is showing a next hop of a tunnel interface; where is this tunnel going to and from?

You need to understand on which device at HQ the actual default route is configured. It may be another L3 device with a static default route configured and redistributed into EIGRP.

But I can't say now how that default route is generated as I don't know your topology at HQ.

At the remote:

Since HQ no longer advertises the default route, the backup floating route will be installed in the routing table?

Yes, at the remote site that is exactly what should happen.

Jon

Hi Jon,

Here is the routing configuration at the HQ router... As you can see, this router does generate the default route.

ip route 0.0.0.0 0.0.0.0 10.168.1xx.x   >>>> To the FW
!
ip access-list standard INTO_EIGRP
 permit 0.0.0.0
!
ip access-list extended Internet-Redirect
 deny   ip 10.168.1XX.0 0.0.0.255 10.168.0.0 0.0.255.255   (route summary)
 deny   ip 10.168.9X.0 0.0.0.255 10.168.0.0 0.0.255.255
 permit ip 10.168.1XX.0 0.0.0.255 any
 permit ip 10.168.9X.0 0.0.0.255 any
!
ip prefix-list Permit-Local seq 5 permit 10.168.1.0/24      (HQ SUBNET)
ip prefix-list Permit-Local seq 10 permit 10.168.11.0/24    (HQ SUBNET)
ip prefix-list Permit-Local seq 15 permit 10.168.14.0/24    (HQ SUBNET)
ip prefix-list Permit-Local seq 20 permit 10.168.121.0/24   (HQ SUBNET)
ip prefix-list Permit-Local seq 25 permit 0.0.0.0/0
!
route-map INTO_EIGRP permit 10
 match ip address INTO_EIGRP
!
route-map Internet-Redirect permit 10
 match ip address Internet-Redirect
 set ip next-hop 10.168.1X.X   (HQ web filter)
!

As for the route below, it was taken at the remote router, which has a GRE tunnel to the HQ router. There, 10.168.11x.9x is the destination tunnel IP at the HQ.

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Thanks,

ip route 0.0.0.0 0.0.0.0 10.168.1xx.x >>>> To the FW

So presumably you are redistributing the above static into EIGRP?

It depends on how you want to check the above route. If the next hop in the above route fails, does the route get removed?

It might not necessarily be removed if, for example, there is a switch in between, so the router interface used to get to the next hop is still up even if the next hop isn't.

Even if it does get removed, it won't if there is a failure further upstream towards the ISP.

So you may want to consider using IP SLA on the above route, using an Internet IP to check the availability of the connection.

Jon

Hi Jon,

I am ready to test this configuration, but I'd like to run it by you first as I don't have test gear; therefore, I'm going to have to implement it in production without testing!!

So here it goes:

1. Plan to add a floating route at each remote (0.0.0.0/0 via the remote backup line GW, plus an admin distance of 180)

2. Then this config at the HQ router to stop advertising the default route to the remotes:

ip sla monitor 120
 type echo protocol ipIcmpEcho 208.67.220.220   (OPEN DNS)
 timeout 1000
 frequency 5
 threshold 2
ip sla monitor schedule 120 life forever start-time now
!
track 120 rtr 120 reachability
!
access-list 101 permit icmp any host 208.67.220.220 echo
!
route-map BACKUP-ROUTE-POLICY permit 101
 match ip address 101
 set ip next-hop 208.67.220.220
 set interface Null0
!
ip local policy route-map BACKUP-ROUTE-POLICY
!
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 120   Where 10.168.1xx.x is the FW at the HQ

THANKS A LOT FOR THE HELP, you've been awesome!

Not sure why you need the PBR for the IP SLA.

Is this on a router or a L3 switch ?

Note the PBR config is not correct anyway, as you are setting the next hop to the Internet IP but it should be the next hop that the default route uses.

Can you clarify what device you are doing this on and why you are using PBR ?

Jon

Hi Jon,

The HQ device is a router, and it's connected to a layer 2 switch to which the FW is also connected. SO when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.

Thanks,

SO when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.

Yes, you do. I was asking about the PBR, not the IP SLA configuration.

All you are trying to do is remove the default route from the IP routing table if you cannot ping that internet IP.

If the HQ router removes the default route, does it get a default route from anywhere else, or does it just not have Internet connectivity?

Jon

Well, when I go to the HQ router and remove the default route pointed to the FW (which carries traffic to the Internet), Internet traffic at all the remotes fails.

Did you add the floating static at the remote sites?

You need to check the routing table at a remote site when you remove default from HQ.

Jon

One other thing.

For IP SLA to work you need to make sure the firewall allows ping through from your HQ router.

Jon
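Pulling the thread's advice together, here is an added example (not the poster's or Jon's own config) of the HQ-side tracked default and the remote floating static. It replaces the local PBR Jon questioned with a host route that pins the probe to the FW path, so the track can recover once the FW is withdrawn and restored; the EIGRP AS number, the 10.168.1xx.x FW hop and the 192.0.2.1 backup gateway are placeholders.

```ios
! ===== HQ router (the device that redistributes the static default into EIGRP) =====
! Probe an Internet host through the FW. Modern "ip sla" syntax; older IOS uses "ip sla monitor".
! The FW must permit ICMP echo from the HQ router for this to work.
ip sla 120
 icmp-echo 208.67.220.220
 timeout 1000
 frequency 5
ip sla schedule 120 life forever start-time now
!
! Track object follows probe reachability; the delays dampen flapping of the default.
track 120 ip sla 120 reachability
 delay down 15 up 30
!
! Keep the probe on the FW path even after the tracked default is withdrawn.
! Without this (or the local-policy trick), the probe has no route once the default
! is gone and the track could never come back up. This /32 is not matched by INTO_EIGRP.
ip route 208.67.220.220 255.255.255.255 10.168.1xx.x
!
! The default toward the FW is installed only while track 120 is up.
! The L2 switch keeps the interface up when the Internet fails, so interface state
! alone cannot be relied on; the tracked route solves that.
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 120
!
! Only 0.0.0.0/0 is redistributed, so when the static is withdrawn the
! D*EX 0.0.0.0/0 entry disappears from the remote routing tables.
ip access-list standard INTO_EIGRP
 permit 0.0.0.0
route-map INTO_EIGRP permit 10
 match ip address INTO_EIGRP
! AS number 100 is a placeholder
router eigrp 100
 redistribute static route-map INTO_EIGRP
!
! ===== Remote-site L3 switch (client gateway) =====
! Floating static: AD 180 loses to the EIGRP external default (AD 170) while HQ
! advertises it, and takes over the moment the D*EX 0.0.0.0/0 is withdrawn.
! 192.0.2.1 stands in for the backup Internet gateway.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 180
!
! Verification: "show track 120" at HQ, "show ip route 0.0.0.0" at a remote
! before and after the HQ default is withdrawn.
```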
