IP SLA Dual ISP PBR Need Help

bennettg
Level 1

I need help with using IP SLA to route traffic to the backup ISP when the primary is down and revert back to the primary when it comes back up.

We have two buildings, each containing a core switch (3850) and a FTD firewall connected to a different ISP. Each core switch has a default route pointing to its directly connected firewall. Each firewall has a static route to route internal traffic back to the core switch it's directly connected to. Firewalls are managed independently without FMC, so I don't have access to IP SLA on the firewall.

ISP 1 – FTD -- Core Site1   ---------- TenGig backbone ----------- Core Site2 – FTD--ISP2

The server VLAN uses the Site 1 core switch and firewall to access the Internet.

All other traffic uses the Site 2 core switch and firewall. I'm using HSRP to set priority on a VLAN so traffic defaults out a specific firewall based on the master role for that VLAN on a switch. The firewall inside subnet/VLAN is not using HSRP. Originally, I thought HSRP was the issue, so I removed HSRP from the inside firewall VLAN. This didn't fix the issue.

Here's my issue: if I shut down the directly connected interface from the core switch to the firewall, IP SLA works (traffic fails over to the floating static route and routes out the ISP in the other building). If the failure is behind the core switch (e.g. the uplink from the firewall outside interface to the ISP CPE), there is flapping and the default route bounces back and forth between the core switches, because the ping is using the default route instead of only sending out a specific interface (that's what I suspect anyway).

Below is my config.


Site 1

track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 10.XX.YY.2 track 1
ip route 0.0.0.0 0.0.0.0 10.XX.YY.1 200
!
ip access-list extended ping-gw
 permit icmp any host 4.2.2.2
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface TenGigabitEthernet1/1/1
 threshold 5
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla logging traps
!
route-map DEFAULT-ROUTE-POLICY permit 10
 match ip address ping-gw
 set ip default next-hop 10.33.90.2
!

Site 2

track 1 ip sla 1 reachability
 delay down 5 up 10
!
ip route 0.0.0.0 0.0.0.0 10.XX.YY.1 track 1
ip route 0.0.0.0 0.0.0.0 10.XX.YY.2 50
!
ip access-list extended ping-gw
 permit icmp any host 8.8.8.8
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface TenGigabitEthernet1/1/1
 threshold 10
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla logging traps
!
route-map DEFAULT-ROUTE-POLICY permit 10
 match ip address ping-gw
 set ip default next-hop 10.33.90.1
!

 

I've tried different options with "set" in the route map (set interface te1/1/1, set ip next-hop verify-availability 8.8.8.8 1 track 1). None of these seem to bypass the default route in the routing table.

 

Looking for help to make this work correctly.



Hello

Append this and test again-

no route-map DEFAULT-ROUTE-POLICY

access-list 100 permit icmp host <source ip> host 8.8.8.8 echo
route-map DEFAULT-ROUTE-POLICY
match ip address 100
set ip next-hop 10.33.90.x
set interface Null0

ip local policy route-map DEFAULT-ROUTE-POLICY


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I tried that before and the "set interface null0" generates the following error in the log and I'm unable to apply the route-map policy to the VLAN interface.  The above command is valid for configuring the route-map though.  

 

%FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map DEFAULT-ROUTE-POLICY has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.

Hello
You don't apply the route-map to any interface. As it's a control-plane feature, the route-map is only locally significant, so ip local policy route-map is a global command.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
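Putting the two replies above together for Site 1 as one consolidated configuration (an added example, not the poster's or the thread's own config): the probe is matched by source and destination, pinned to the local firewall with local PBR so it never follows the backup default route, and dropped to Null0 if that next hop becomes unusable, so the track only goes up when the local ISP really answers. Assumed values: 10.33.90.3 for the switch's interface address and 10.33.90.2 for the firewall inside address, standing in for the redacted 10.XX.YY.2; the track delay is borrowed from the Site 2 config.

```cisco
! --- Probe: ICMP echo to 4.2.2.2, sourced from Te1/1/1 (source-interface only sets the source address) ---
ip sla 1
 icmp-echo 4.2.2.2 source-interface TenGigabitEthernet1/1/1
 threshold 5
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla logging traps
!
! --- Track with dampening so one lost probe does not flip the default route ---
track 1 ip sla 1 reachability
 delay down 5 up 10
!
! --- Match only the router-sourced probe (assumed switch address 10.33.90.3) ---
ip access-list extended PROBE-GW
 permit icmp host 10.33.90.3 host 4.2.2.2 echo
!
! --- Local PBR: force the probe to the local firewall (assumed 10.33.90.2); if that
! --- next hop is unreachable, drop the probe instead of letting it use the backup path
route-map PROBE-POLICY permit 10
 match ip address PROBE-GW
 set ip next-hop 10.33.90.2
 set interface Null0
!
! Applied globally to locally generated traffic, not to a VLAN interface
ip local policy route-map PROBE-POLICY
!
! --- Tracked primary default and floating backup across the backbone ---
ip route 0.0.0.0 0.0.0.0 10.33.90.2 track 1
ip route 0.0.0.0 0.0.0.0 10.XX.YY.1 200
```

Site 2 mirrors this with 8.8.8.8 as the probe target, 10.33.90.1 as the pinned next hop and 10.XX.YY.2 as the floating backup; check with "show track 1" and "show ip route 0.0.0.0" that the track stays down while the ISP uplink is failed rather than oscillating.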

Hello,

 

Why don't you use the simple EEM scripts below to add/remove the respective default route based on the track state?

! Track 1 down: swap the default route to the backup next hop
event manager applet DEFAULT_ROUTE_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 10.XX.YY.2"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 10.XX.YY.1"
action 5.0 cli command "end"
!
! Track 1 up: restore the default route to the primary next hop
event manager applet DEFAULT_ROUTE_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 10.XX.YY.1"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 10.XX.YY.2"
action 5.0 cli command "end"

bennettg
Level 1

Thanks Paul, I'll give it a try.

 

...