
IP SLA & Advertising Default Route to BGP Peer

Peter Lyttle
Level 1

Hello,

I've been trying to work this out for a while so any guidance would be much appreciated.

Basically I want to provide my ISP with a list of commands which they would run on their CE router to enable the IP SLA tracking of a few IPs and perform an action (advertise the 0.0.0.0/0 default route to my peer) based upon the result of the IP SLA check.

  • I only want to advertise out 0.0.0.0/0 and receive nothing inbound.
  • I want the IP SLA action only to be performed if all 4 actions fail, not just 1.

I'm a bit rusty on the route-maps as I've never done them in production on Cisco IOS devices and also don't have any device to test this on.

router bgp 1111
 bgp log-neighbor-changes
 timers bgp 7 21
 redistribute connected
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 description BGP Internet Peer for Default Route
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 route-map ALLOW_OUT out
 neighbor 1.1.1.1 route-map DENY_IN in
!
route-map ALLOW_OUT permit 10
 match ip address prefix-list DEFAULT_ONLY
 set ip next-hop verify-availability 8.8.8.8 1 track 10
 set ip next-hop verify-availability 8.8.4.4 2 track 11
 set ip next-hop verify-availability 8.8.8.8 5 track 14
 set ip next-hop verify-availability 8.8.4.4 6 track 15
route-map DENY_IN permit 20
 match ip address prefix-list DENY_IN
!
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT_ONLY seq 10 deny 0.0.0.0/0 ge 1
! "deny 0.0.0.0/0 le 32" matches every prefix; a bare "permit 0.0.0.0/0" would match only the default route itself
ip prefix-list DENY_IN seq 5 deny 0.0.0.0/0 le 32
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface Fa0/0
 frequency 10
ip sla 11
 icmp-echo 8.8.4.4 source-interface Fa0/0
 frequency 10
! tcp-connect takes the port as a positional argument and has no source-interface option (use source-ip if needed);
! control disable because the target is not an IP SLA responder
ip sla 14
 tcp-connect 8.8.8.8 53 control disable
 frequency 10
ip sla 15
 tcp-connect 8.8.4.4 53 control disable
 frequency 10
!
ip sla schedule 10 life forever start-time now
ip sla schedule 11 life forever start-time now
ip sla schedule 14 life forever start-time now
ip sla schedule 15 life forever start-time now
!
track 10 ip sla 10 reachability
track 11 ip sla 11 reachability
track 14 ip sla 14 reachability
track 15 ip sla 15 reachability

Anyone got any feedback (good or bad) please?

Thanks,

Peter

Accepted Solution

cadet alain
VIP Alumni

Hi,

So, you want to advertise a default route only if the 4 IP SLA tests are failing, or if the 4 IP SLA tests are successful?

In the latter case, here's a code snippet that you'll have to adapt to your infrastructure:

In the former case, just put at the end of every object in track 10.

ip local policy route-map SLA
ip route 0.0.0.0 0.0.0.0 10.1.13.3 track 10
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
track 3 rtr 3 reachability
track 4 rtr 4 reachability
track 10 list boolean or
 object 1
 object 2
 object 3
 object 4
!
ip sla 1
 icmp-echo x.x.x.x
 timeout 2000
 frequency 5
ip sla 2
 icmp-echo x.x.x.x
 timeout 2000
 frequency 5
ip sla 3
 icmp-echo x.x.x.x
 timeout 2000
 frequency 5
ip sla 4
 icmp-echo x.x.x.x
 timeout 2000
 frequency 5
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
ip sla schedule 4 life forever start-time now
!
! locally generated probes matching this ACL are policy-routed to the fixed next hop
access-list 100 permit icmp any host 1.1.1.1
access-list 100 permit icmp any host 11.11.11.1
access-list 100 permit icmp any host 111.111.111.1
!
route-map SLA permit 10
 match ip address 100
 set ip next-hop 10.1.13.3
!
router bgp xxx
 redistribute static
 neighbor x.x.x.x remote-as xxx
 default-information originate

The local policy routing may not be necessary in your case if you only have one path to the destinations you're doing SLA upon; otherwise it is there to make sure the IP SLA tests always use the same interface.

Regards.

Alain

Don't forget to rate helpful posts.



7 Replies


Hi Alain,

I want to advertise the route if any of the SLA tests are successful (therefore removing it if they fail)

or

I want to remove the route if any of the SLA tests fail

I'm not sure which would be the best way to look at it?

Update: I also wanted to ensure that the 1.1.1.1 BGP peer was only being sent 1 route and not allowed to receive any routes from 1.1.1.1 (to avoid private addresses leaking). That was why I added the bit in bold at the bottom.

ip local policy route-map SLA
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 10
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
track 4 ip sla 4 reachability
track 10 list boolean or
 object 1
 object 2
 object 3
 object 4
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Fa0/0
 timeout 2000
 frequency 10
ip sla 2
 icmp-echo 8.8.4.4 source-interface Fa0/0
 timeout 2000
 frequency 10
! tcp-connect takes the port as a positional argument and has no source-interface option (use source-ip if needed);
! control disable because the target is not an IP SLA responder
ip sla 3
 tcp-connect 8.8.8.8 53 control disable
 timeout 2000
 frequency 10
ip sla 4
 tcp-connect 8.8.4.4 53 control disable
 timeout 2000
 frequency 10
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
ip sla schedule 4 life forever start-time now
!
access-list 100 permit icmp any host 8.8.8.8
access-list 100 permit icmp any host 8.8.4.4
access-list 100 permit tcp any host 8.8.8.8 eq 53
access-list 100 permit tcp any host 8.8.4.4 eq 53
!
route-map SLA permit 10
 match ip address 100
 set ip next-hop 10.1.13.3
route-map ALLOW_OUT permit 10
 match ip address prefix-list DEFAULT_ONLY
route-map DENY_IN permit 20
 match ip address prefix-list DENY_IN
!
router bgp XXXX
 bgp log-neighbor-changes
 timers bgp 7 21
 redistribute static
 default-information originate
 neighbor 1.1.1.1 remote-as 65000
 neighbor 1.1.1.1 description BGP Internet Peer for Default Route
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 route-map ALLOW_OUT out
 neighbor 1.1.1.1 route-map DENY_IN in
!
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
ip prefix-list DEFAULT_ONLY seq 10 deny 0.0.0.0/0 ge 1
! "deny 0.0.0.0/0 le 32" matches every prefix; a bare "permit 0.0.0.0/0" would match only the default route itself
ip prefix-list DENY_IN seq 5 deny 0.0.0.0/0 le 32

Hi,

I want to advertise the route if any of the SLA tests are successful (therefore removing it if they fail)

So if one SLA fails you don't advertise the route? Because the snippet I gave you only advertises the default route if all SLA tests are failing. If you want only one failing test to stop advertising the route, then use a boolean list and instead of boolean list or.

Regards.

Alain

Don't forget to rate helpful posts.


Hello Alain,

Thanks for your help. Sorry I misworded that: if 1 fails I still want to advertise the route (to protect against an outage outside of ourselves, i.e. 8.8.8.8 or 8.8.4.4 being down); only if they ALL fail should the route be removed from being advertised.

I hope this makes it a little clearer?

Hi Peter,

In this case, the boolean list or, like I mentioned in the snippet, is what you need.

Regards.

Alain

Don't forget to rate helpful posts.

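Added example, not from either poster's config or from Cisco: a small Python model of the two mechanisms the thread relies on, the "boolean or" track list that keeps the tracked static default installed (and so advertised via redistribute static plus ALLOW_OUT), and IOS prefix-list ge/le matching, which shows that an inbound list containing only "permit 0.0.0.0/0" matches just the default route itself. The probe states and the DENY_IN_ALL list are constructed for the example.

```python
import ipaddress

# Constructed states for the four SLA probes in the thread: True = test up.
ALL_UP = [True, True, True, True]
ONE_DOWN = [True, False, True, True]
ALL_DOWN = [False, False, False, False]

def track_list_up(states, mode="or", negate=()):
    """'track N list boolean {and|or}': object i contributes its state, or the
    inverse of it when that object is listed with a trailing 'not'."""
    vals = [(not s) if i in negate else s for i, s in enumerate(states, start=1)]
    return all(vals) if mode == "and" else any(vals)

def prefix_list_match(entries, prefix):
    """ip prefix-list semantics: entry (action, net/len, ge, le) matches a route
    inside net/len whose length is exactly len (no ge/le), ge..32 (ge only),
    len..le (le only) or ge..le. First hit wins; no hit is the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net)
        lo = n.prefixlen if ge is None else ge
        hi = (n.prefixlen if ge is None else 32) if le is None else le
        if route.subnet_of(n) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

# Prefix-lists from the thread; DENY_IN_ALL is an assumed corrected inbound list.
DEFAULT_ONLY = [("permit", "0.0.0.0/0", None, None), ("deny", "0.0.0.0/0", 1, None)]
DENY_IN_EXACT = [("permit", "0.0.0.0/0", None, None)]   # matches only 0.0.0.0/0 itself
DENY_IN_ALL = [("deny", "0.0.0.0/0", None, 32)]         # matches every IPv4 prefix

def default_advertised(states):
    """Chain from the accepted solution: 'ip route 0.0.0.0 0.0.0.0 <nh> track 10'
    stays installed while track 10 (boolean or) is up, the static is redistributed
    into BGP, and ALLOW_OUT lets only 0.0.0.0/0 reach the peer."""
    return track_list_up(states, "or") and prefix_list_match(DEFAULT_ONLY, "0.0.0.0/0")

if __name__ == "__main__":
    for name, st in (("all up", ALL_UP), ("one down", ONE_DOWN), ("all down", ALL_DOWN)):
        print(f"{name:8s} -> default advertised: {default_advertised(st)}")
    # An inbound list that only says 'permit 0.0.0.0/0' drops everything except
    # a default route from the peer; 'deny 0.0.0.0/0 le 32' drops that too.
    print("exact-only list accepts 0/0:", prefix_list_match(DENY_IN_EXACT, "0.0.0.0/0"))
    print("deny-all   list accepts 0/0:", prefix_list_match(DENY_IN_ALL, "0.0.0.0/0"))
```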

Top man thanks Alain!
