New Member

Traffic engineering for backup

Hi All,

I am looking for some suggestions and configuration help on how to manage a sort of failover. Let me explain the requirements, which are also in the attached diagram (pdf). Here we go: we have 4 sites connected with a full-meshed MPLS, and all routes between the sites are exchanged via EIGRP. However, Internet traffic for the remote sites (3 of the sites) is sent to the HQ for filtering (IPS, web filter...) even though the remote sites do have a backup Internet. SO INTERNET TRAFFIC IS IN STAR MODE

Yes, I say backup... since this link is used for site-to-site VPN in case the MPLS tunnel goes down. Once again, traffic engineering with the bandwidth command in EIGRP makes the MPLS link the default.

Now, my dilemma... I want to use the remote sites' Internet connection, local Internet with no filtering, when the HQ Internet is down! For the life of me, I still don't know how to make it work!!

Here is what I have in mind though: I plan to ping some hosts on the Internet (4.2.2.2 and 208.67.220.220)... If I get a reply back, I assume everything is fine. But if I don't get a reply from either of them, I assume the HQ INTERNET is down; therefore, I want to point the default route to the backup link at the remote!!

So that's how I imagine it, but if you have suggestions, please share them.

Thanks,

ACCEPTED SOLUTION
Hall of Fame Super Blue

Traffic engineering for backup

The backup router injects a default route, but why, i.e. if the Internet at HQ is down then why send traffic via the backup router?

How does the backup router know when to inject a default route?

Does the default route it injects also cover the non-Internet routes for remote sites?

I need some help here, i.e. I need to understand why the backup router uses a default route when the Internet is down anyway at HQ?

Jon

21 REPLIES
Hall of Fame Super Blue

Re: Traffic engineering for backup

It looks from your diagram that the remote sites receive a default route from HQ ?

If that is the case then a simple solution is, on each remote site L3 device responsible for routing the client subnets, to configure a floating static default route pointing to your backup Internet link.

If the default route via MPLS is lost then the remote sites would use the floating static. If the MPLS default came back then it would use that instead.

The floating static just needs to have a higher AD than the default received from the HQ site.

Obviously you need something at HQ that knows when the Internet is down and so stops advertising the default route (IP SLA for example), unless you are receiving a default route from your ISP at the HQ site.

Jon

New Member

Traffic engineering for backup

Hi Jon,

First of all, thank you for the reply.

And yes, all the remotes receive the default route from HQ.

Well, IP SLA tracking is exactly what I have in mind, but I intended to use it at each remote site rather than at the HQ like you suggested. At each remote I have a layer 3 switch and a router... I wanted to make the routing decision closest to the source, which means at the layer 3 switch, as the hosts are connected to the L3 SW and the L3 SW sends traffic to the router. Here is how the L3 SW sees the traffic:

D*EX 0.0.0.0/0 [170/1536512] via 10.168.2x.3, 1w5d, Vlan178 >>> WAN MPLS

Now, with the current default route admin distance being 170, the floating default route should be higher, like 180; would that work?

Thanks,

Hall of Fame Super Blue

Re: Traffic engineering for backup

Now, with the current default route admin distance being 170, the floating default route should be higher, like 180; would that work?

Yes that should work fine.

If the router at each remote site passes the routes learnt from MPLS to the L3 switch then it should be added to the L3 switch.

I can't see an advantage of using IP SLA in each site as you are already receiving the default route anyway from HQ. As long as HQ stops advertising the default route if the internet at HQ goes down then just using the floating static at the remote sites should work fine.

So you may well need IP SLA at the HQ site to check the Internet is up and if not remove the default, although as I say it depends on whether HQ gets the default route from the ISP or whether you simply generate a default route in HQ to advertise to the remote sites.

Jon

New Member

Traffic engineering for backup

Jon,

The HQ router is not a border GW router; therefore, it does not receive a default route from the ISP, but it does have a default route pointed to the FW, which is where default-route traffic goes (Remote Router >>> HQ router >>> FW). Now how to have HQ stop advertising the default route to the remotes?

Default route received from HQ:

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Now since the default route is being learnt via EIGRP, I assume that if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, would any configuration be needed?

At the remote:

Since HQ is no longer advertising the default route, will the backup floating route be installed in the routing table?

Thanks,

Hall of Fame Super Blue

Traffic engineering for backup

Now since the default route is being learnt via EIGRP, I assume that if anything in the traffic path to the Internet goes down (internal hardware, for instance the FW or web filter), the HQ router will remove the default route from its routing table, right? Therefore, would any configuration be needed?

Not necessarily.

How is the route being generated, and where at HQ? If you are not getting it from the ISP you must be generating that route somewhere in HQ on a certain device.

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Where is that route entry from, i.e. which device, the HQ MPLS router or a remote site router? It is showing a next hop of a tunnel interface; where is this tunnel going to and from?

You need to understand which device the actual default route is configured on at HQ. It may be another L3 device with a static default route configured and redistributed into EIGRP.

But I can't say now how that default route is generated as I don't know your topology at HQ.

At the remote:

Since HQ is no longer advertising the default route, will the backup floating route be installed in the routing table?

Yes, at the remote site that is exactly what should happen.

Jon

New Member

Traffic engineering for backup

Hi Jon,

Here is the routing configuration at the HQ router... As you can see, this router does generate the default route.

ip route 0.0.0.0 0.0.0.0 10.168.1xx.x    >>>> To the FW
!
ip access-list standard INTO_EIGRP
 permit 0.0.0.0
!
ip access-list extended Internet-Redirect
 deny   ip 10.168.1XX.0 0.0.0.255 10.168.0.0 0.0.255.255    (route summary)
 deny   ip 10.168.9X.0 0.0.0.255 10.168.0.0 0.0.255.255
 permit ip 10.168.1XX.0 0.0.0.255 any
 permit ip 10.168.9X.0 0.0.0.255 any
!
ip prefix-list Permit-Local seq 5 permit 10.168.1.0/24      (HQ SUBNET)
ip prefix-list Permit-Local seq 10 permit 10.168.11.0/24    (HQ SUBNET)
ip prefix-list Permit-Local seq 15 permit 10.168.14.0/24    (HQ SUBNET)
ip prefix-list Permit-Local seq 20 permit 10.168.121.0/24   (HQ SUBNET)
ip prefix-list Permit-Local seq 25 permit 0.0.0.0/0
!
route-map INTO_EIGRP permit 10
 match ip address INTO_EIGRP
!
route-map Internet-Redirect permit 10
 match ip address Internet-Redirect
 set ip next-hop 10.168.1X.X    (HQ web filter)
!

As for the route below, it was taken at the remote router, which has a GRE tunnel to the HQ router. There, 10.168.11x.9x is the destination tunnel IP at the HQ.

Gateway of last resort is 10.168.11x.9x to network 0.0.0.0

D*EX  0.0.0.0/0 [170/1536256] via 10.168.11x.9x, 1w5d, Tunnel1

Thanks,

Hall of Fame Super Blue

Traffic engineering for backup

ip route 0.0.0.0 0.0.0.0 10.168.1xx.x >>>> To the FW

So presumably you are redistributing the above static into EIGRP ?

It depends on how you want to check the above route. If the next hop in the above route fails does the route get removed ?

It might not necessarily be removed if for example there is a switch in between so the router interface used to get to the next hop is still up even if the next hop isn't.

Even if it does get removed it won't if there is a failure further upstream towards the ISP.

So you may want to consider using IP SLA on the above route and using an internet IP to check the availability of the connection.

Jon

New Member

Traffic engineering for backup

Hi Jon,

I am ready to test this configuration, but I'd like to run it by you first as I don't have test gear; therefore, I'm going to have to implement it in production without testing!!

So here it goes:

1. Plan to add a floating route at each remote (0.0.0.0/0 via the remote backup line GW, plus an admin distance of 180)

2. Then this config at the HQ router to stop advertising the default route to the remotes:

ip sla monitor 120
 type echo protocol ipIcmpEcho 208.67.220.220    (OPEN DNS)
 timeout 1000
 frequency 5
 threshold 2
ip sla monitor schedule 120 life forever start-time now
!
track 10 rtr 120 reachability
!
access-list 101 permit icmp any host 208.67.220.220 echo
route-map BACKUP-ROUTE-POLICY permit 101
 match ip address 101
 set ip next-hop 208.67.220.220
 set interface Null0
ip local policy route-map BACKUP-ROUTE-POLICY
!
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 10    Where 10.168.1xx.x is the FW at the HQ

THANKS A LOT FOR THE HELP, you've been awesome!

Hall of Fame Super Blue

Re: Traffic engineering for backup

Not sure why you need the PBR for the IP SLA.

Is this on a router or a L3 switch ?

Note the PBR config is not correct anyway as you are setting the next hop to the internet IP but it should be the next hop that the default route uses.

Can you clarify what device you are doing this on and why you are using PBR ?

Jon

New Member

Re: Traffic engineering for backup

Hi Jon,

The HQ device is a router. And it's connected to a layer 2 switch, to which the FW is also connected. So when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.

Thanks,

Hall of Fame Super Blue

Re: Traffic engineering for backup

So when the Internet link behind the FW is down, the HQ router will still see the interface up. So I need a mechanism to force the HQ router to stop advertising the default to the remotes.

Yes you do. I was asking about the PBR not the IP SLA configuration.

All you are trying to do is remove the default route from the IP routing table if you cannot ping that internet IP.

If the HQ router removes the default route does it get a default route from anywhere else or does it just not have internet connectivity ?

Jon
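An HQ-side configuration along the lines Jon describes, added here as an example; it is not configuration from the thread or from the OP's router. It uses the newer IOS 12.4(4)T+ "ip sla" syntax (the OP's "ip sla monitor" form is the older equivalent), assumes EIGRP AS 100, keeps the thread's placeholder 10.168.1xx.x for the HQ firewall, and adds EEM syslog applets that are my addition for visibility. The local PBR keeps the probe reachable after the default is withdrawn, with the next hop set to the firewall (the default route's next hop) as Jon points out, rather than to the probe target.

```cisco
! HQ router: withdraw the EIGRP default when the Internet behind the FW is unreachable.
! Placeholders (not from the thread): 10.168.1xx.x = HQ firewall inside address,
! 100 = EIGRP AS number. 208.67.220.220 is the probe target the OP chose.
!
! 1. ICMP probe towards the Internet, every 5 s, 1 s timeout.
ip sla 120
 icmp-echo 208.67.220.220
 timeout 1000
 frequency 5
 threshold 500
ip sla schedule 120 life forever start-time now
!
! 2. Track object 10 follows SLA 120. The delays dampen a single lost ping
!    so the default does not flap on every transient loss.
track 10 ip sla 120 reachability
 delay down 10 up 30
!
! 3. Static default to the firewall, present in the RIB only while track 10 is up.
!    Interface state is irrelevant (the L2 switch keeps it up); the probe decides.
ip route 0.0.0.0 0.0.0.0 10.168.1xx.x track 10
!
! 4. Once the default is gone the probe would have no route and could never
!    succeed again. Local PBR steers router-originated probe packets to the
!    firewall, i.e. the same next hop the default route uses.
access-list 101 permit icmp any host 208.67.220.220 echo
route-map SLA-PROBE permit 10
 match ip address 101
 set ip next-hop 10.168.1xx.x
ip local policy route-map SLA-PROBE
!
! 5. Redistribute only the default to the remotes (same filter the OP already has).
ip access-list standard INTO_EIGRP
 permit 0.0.0.0
route-map INTO_EIGRP permit 10
 match ip address INTO_EIGRP
router eigrp 100
 redistribute static route-map INTO_EIGRP
!
! 6. Log each transition: while the default is withdrawn, remote sites are on
!    their local Internet with none of the HQ IPS/web-filter controls.
event manager applet HQ-INTERNET-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "HQ Internet probe failed: default withdrawn, remotes on local unfiltered Internet"
event manager applet HQ-INTERNET-UP
 event track 10 state up
 action 1.0 syslog msg "HQ Internet probe restored: default re-advertised to remotes"
```

Verify with "show ip sla statistics 120", "show track 10" and "show ip route 0.0.0.0" on the HQ router. As Jon notes below, the firewall must permit ICMP echo from the HQ router to the probe target, otherwise the track never comes up and the default is never advertised at all; a static /32 host route for the probe target via the firewall is an alternative to the local PBR.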

New Member

Re: Traffic engineering for backup

Well, when I go to the HQ router and remove the default route pointed to the FW, which carries traffic to the Internet, Internet traffic at all the remotes fails.

Hall of Fame Super Blue

Re: Traffic engineering for backup

Did you add the floating static at remote sites ?

You need to check the routing table at a remote site when you remove default from HQ.

Jon

Hall of Fame Super Blue

Traffic engineering for backup

One other thing.

For IP SLA to work you need to make sure the firewall allows ping through from your HQ router.

Jon

Hall of Fame Super Blue

Re: Traffic engineering for backup

Sorry, i was a bit busy so my answers were a bit short.

What you need to make sure is -

1) on the remote sites make sure you have a floating static as discussed on the same device that has the default received from the MPLS network.

This means you need it on the L3 device that is the default gateway for the clients in the remote site.

2) choose one of the remote sites and log on to that L3 device

3) remove the default route from the HQ router. Note if you do not want any downtime in HQ, instead of removing the static route just don't redistribute it into EIGRP so HQ still has the default route but the remote sites no longer receive it.

4) when you remove it you should see that EIGRP route removed from the remote site L3 device you are logged on to

5) once that route is removed the floating static should then be installed on the remote site L3 device pointing to the local internet connection.

If that happens then if the clients in the remote site still do not have internet access then it may be an issue with the local firewall (assuming you have one).

Jon

New Member

Re: Traffic engineering for backup

Jon, thanks for the suggestions, and sorry, I was on the road and did not have time to test it till earlier today.

Unfortunately, when I removed the default route at the HQ router, another router at the remote injected another default route into the L3 SW with an admin distance of 170, so the default route with the admin distance of 180 that I added never got installed in the routing table.

Any other ideas?

Hall of Fame Super Blue

Traffic engineering for backup

Another router at the remote injected another default route into the L3 SW with an admin distance of 170, so the default route with the admin distance of 180 that I added never got installed in the routing table.

What is this router at the remote site and why is it injecting a default route into EIGRP ?

What is the next hop of the default route ?

My assumption was that the default route at the remote sites was being received from the HQ site only. But now it seems there is another default route at the local site.

Do you need this default route ie. what is it used for ?

Jon

New Member

Traffic engineering for backup

This is just a smaller router to provide hardware failover at the remote if the bigger router fails (shutdown, unplug). The way I have that set up originally is to have logical failover (redundant GRE tunnels with the bandwidth command in EIGRP) and a second router with the same concept (dual GRE tunnels with a lower number in the EIGRP bandwidth). But this router is supposed to handle traffic only when the primary router fails.

This router injects a default route into the L3 SW with itself as the GW for that route, and even though the default route is now pointed to it, the Internet traffic is still failing and failover did not occur. And of course, it doesn't know where the GW for my secondary ISP is, so when I fail over and ping... I get destination unreachable!

PS: the FW for the second ISP connection is connected to the L3 SW....

Thanks


New Member

Traffic engineering for backup

Jon,

A million thanks... I got it to work by moving the floating default route to the backup router rather than the L3 SW.

Now failover occurs just after one lost ping!

Thanks again for all the help.
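The remote-side arrangement the OP ended up with, written out as an added example (not the OP's configuration): the floating static sits on the backup router, not on the L3 switch. Assumptions: the placeholder 10.168.2x.y stands for the second-ISP firewall, which is on the L3 switch in a VLAN the backup router has an interface in; EIGRP AS 100; and that the backup router injects its default by redistributing the static, since the thread does not say how it injects it.

```cisco
! Remote-site backup router: floating static default that appears only when HQ
! stops advertising the EIGRP default.
! Placeholders (not from the thread): 10.168.2x.y = second-ISP firewall,
! 100 = EIGRP AS number.
!
! Why here and not on the L3 switch: the default this router injects into EIGRP
! is an external route, AD 170, so on the switch it always beat a floating
! static with AD 180. On this router the contest is between the HQ default
! (EIGRP external, AD 170, learnt over the GRE tunnels) and the local static
! (AD 180): while HQ advertises, EIGRP wins and the static stays out of the RIB;
! when HQ withdraws it, the static is installed and redistributed to the switch.
ip route 0.0.0.0 0.0.0.0 10.168.2x.y 180
!
! Redistribute only the default, so the switch learns it from this router
! exactly when the HQ default is absent. A static that is not in the RIB is
! not redistributed, so nothing is advertised while HQ is healthy.
ip access-list standard BACKUP-DEFAULT
 permit 0.0.0.0
route-map BACKUP-DEFAULT permit 10
 match ip address BACKUP-DEFAULT
router eigrp 100
 redistribute static route-map BACKUP-DEFAULT
```

On the backup router, "show ip route 0.0.0.0" should show the EIGRP external default while HQ advertises it and the AD 180 static once HQ withdraws it; on the L3 switch the default should be learnt from this router in both cases. While the remote is on this path its Internet traffic leaves through the local firewall with none of the HQ IPS/web-filter controls, so that firewall's policy and logging deserve a review for the failover case.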

Hall of Fame Super Blue

Re: Traffic engineering for backup

No problem and glad to have helped.

Jon
