Help Needed - Static Routes with IPSLA and Route-maps

ciscogeek (Level 1)

Hello everyone,


I need help in the following topology.

[Topology image: Route-Map.jpg]

Can we fulfill the following requirements:

1. All traffic from Blue Subnet should use the link with the ISP-1 and all traffic from Red Subnet should use the link with the ISP-2.

2. However, if ISP-1 link goes down, the BLUE subnet should automatically start using the link with ISP-2.

 

I need to complete this using static route. However if there is any other way, please share it.

 

Any help would highly be appreciated.

 

Thanks.

Accepted Solution

A solution without using dynamic routing on the central router is as follows. As the requirement is to route traffic to particular ISP links based on source subnet, policy-based routing is required. Note that no other routing is configured other than the policy-based routing, which takes precedence over the standard routing table. IPSLA is required for failover.

 

! Configure and schedule IP SLA operations
ip sla 1
icmp-echo 1.1.1.2
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 2.1.1.2
ip sla schedule 2 life forever start-time now
!
! Configure Object Tracking to track the operations
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Configure ACL
ip access-list standard FROM_LAN1_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list standard FROM_LAN2_ACL
permit 192.168.2.0 0.0.0.255
!
! Configure PBR policing on the router
route-map PBR_RM 10
match ip address FROM_LAN1_ACL
set ip next-hop verify-availability 1.1.1.2 1 track 1
set ip next-hop verify-availability 2.1.1.2 2 track 2
!
route-map PBR_RM 20
match ip address FROM_LAN2_ACL
set ip next-hop verify-availability 2.1.1.2 1 track 2
set ip next-hop verify-availability 1.1.1.2 2 track 1
!
! Apply PBR policy on both incoming interfaces of the router i.e. 192.168.1.x/24 & 192.168.2.x/24
interface ethernet 0/0
ip address 192.168.1.x 255.255.255.0
ip policy route-map PBR_RM
!
interface ethernet 0/1
ip address 192.168.2.x 255.255.255.0
ip policy route-map PBR_RM
!
! Display PBR related information
show route-map PBR_RM
show track brief
show ip sla stat

 

config adapted from source: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x_chapter_01000.pdf

 

Alternatives to this really depend on the WAN service provided by the ISPs. Any of the following would be more elegant solutions if you have access to them.

 

1. You could consider using a dynamic routing protocol such as OSPF between the central router and the two ISP routers, which you could use to engineer traffic paths without recourse to policy-based routing.

2. Another alternative would be to run BGP down to the central router if this is used on the ISP WANs. 

3. A FHRP like HSRP using MHSRP (more than one HSRP group on the ISP routers) would be a simple way to engineer outgoing traffic as per the requirements. 

 

For 2. and 3. if this is a public internet based WAN service rather than private such as MPLS VPN, you may need to source provider independent IP address space.

 

Hope this helps. Please rate if it does.
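The failover behaviour of the route-map above can be checked before touching the router. The following is an added example, not code from this thread or from Cisco: it models route-map PBR_RM with its verify-availability next hops and shows which ISP each subnet uses for every up/down combination of track 1 and track 2. Track states and the host addresses are constructed; the static_defaults parameter is an assumption used to model tracked default routes, which the accepted solution deliberately does not configure.

```python
# Added example (not from the thread or from Cisco): a small model of the
# accepted solution's route-map PBR_RM, showing which next hop each subnet
# gets as the two IP SLA track objects go up or down. Track states are constructed.
from ipaddress import ip_address, ip_network

# Sequences of PBR_RM as posted: (ACL prefix, ordered verify-availability next hops).
# A track id of None models an untracked "set ip next-hop" that is always usable.
PBR_RM = [
    ("192.168.1.0/24", [("1.1.1.2", 1), ("2.1.1.2", 2)]),  # seq 10, Blue subnet
    ("192.168.2.0/24", [("2.1.1.2", 2), ("1.1.1.2", 1)]),  # seq 20, Red subnet
]

def hop_usable(track, track_state):
    """A next hop is usable when it is untracked or its track object is up."""
    return track is None or track_state.get(track, False)

def pbr_next_hop(src_ip, route_map, track_state, static_defaults=()):
    """Next hop for a packet from src_ip, or None when the router has nowhere to send it.
    track_state maps track id -> True (up) / False (down), as 'show track brief' shows.
    static_defaults (assumed parameter) lists (next_hop, track) default routes in
    preference order; the accepted solution configures none, so PBR failure drops."""
    src = ip_address(src_ip)
    for prefix, next_hops in route_map:
        if src not in ip_network(prefix):
            continue  # this sequence's ACL does not match; try the next sequence
        for hop, track in next_hops:
            if hop_usable(track, track_state):
                return hop  # first next hop whose track object is up wins
        break  # matched, but every verified next hop is down: use the routing table
    for hop, track in static_defaults:
        if hop_usable(track, track_state):
            return hop
    return None

def failover_matrix(route_map, static_defaults=()):
    """Chosen next hop for one Blue host and one Red host under each track combination."""
    matrix = {}
    for t1 in (True, False):
        for t2 in (True, False):
            state = {1: t1, 2: t2}
            matrix[(t1, t2)] = (
                pbr_next_hop("192.168.1.10", route_map, state, static_defaults),
                pbr_next_hop("192.168.2.10", route_map, state, static_defaults),
            )
    return matrix

if __name__ == "__main__":
    for (t1, t2), (blue, red) in failover_matrix(PBR_RM).items():
        print(f"track1={'up' if t1 else 'down'} track2={'up' if t2 else 'down'}: "
              f"Blue->{blue} Red->{red}")
```

With both tracks down every packet from either subnet is dropped, which is the price of having no ordinary routing behind the policy; a floating default route, if one is added, is what the static_defaults list models.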


4 Replies

Hello,

 

I have come up with the below for your router:

 

track 1 ip sla 1
!
interface FastEthernet0/0
description BLUE_SUBNET
ip address 192.168.1.1 255.255.255.0
ip policy route-map BLUE_SUBNET
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/1
description RED_SUBNET
ip address 192.168.2.1 255.255.255.0
ip policy route-map RED_SUBNET
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 2.1.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
ip sla schedule 1 life forever start-time now
!
route-map BLUE_SUBNET permit 10
match ip address 101
set ip next-hop verify-availability 1.1.1.2 1 track 1
!
route-map RED_SUBNET permit 10
match ip address 102
set ip next-hop 2.1.1.2
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any

Hi Georg,

Thank you for your quick support. Your solution was very helpful in implementing my scenario.

However, it was my mistake that I didn't make it clear. I forgot to mention the word "vice versa" in my point number 2.

Again thank you very much.


Hi Simon,

Thank you for your extended support. The whole solution was what I wanted. I have implemented it using OSPF and static routing. Both work well for me.

Thank you again.