cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1475
Views
1
Helpful
19
Replies

ip sla / event manager

asmlicense
Level 1
Level 1

dears,

we have dmvpn connection between HQ and bracnhes through ISP's mpls.

the topology: cisco 4321(branch)--ISP mpls-->dmvpn hub (HQ)-->internet router-->ISP internet

Now we configure backup line.

main line is in gi0/0/0 port

backup line is in gi0/0/1

we need to write sla which will ping default gateway of ISP internet side (f.e.8.8.8.8) and if connection will go down switch default route from dmvpn Tunnel1 to gi0/0/1.

between HQ and bracnhes we use OSPF (170 ad) and I configure backup route with ad 200.

i configure sla with event manager but it is not worked:

ip sla 1
icmp-echo 8.8.8.8 source-interface Tunnel
timeout 1000
frequency 5

 

ip sla schedule 1 life forever start-time now


track 1 ip sla 1 reachability
delay down 15 up 30

 

event manager applet ChangeRoute
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 gi0/0/1 10"
action 4.0 cli command "end"

 

event manager applet RevertRoute
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 gi0/0/1 10"
action 4.0 cli command "end"

 

 

also configure sla and attach track to route config:

ip sla 1
icmp-echo 8.8.8.8 source-interface Tunnel1
timeout 1000
frequency 5


ip sla schedule 1 life forever start-time now

 

track 1 ip sla 1 reachability
delay down 15 up 30

 

ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1 track 1
ip route 0.0.0.0 0.0.0.0 gi0/0/1 200

 

both options didn't work.

19 Replies 19

asmlicense
Level 1
Level 1

in order to simulate ping dropping I deny any traffic from Tunnel interface on Interner router (in HQ)

Tty  add

Ip route  vrf  --- 8.8.8.8 255.255.255.255 tunnel 1 permanent 

Also add vrf -- under ip sla to make it vrf aware 

Then check eem 

MHM

One last point the two defualt route one in global and other in vrf you need to make then both in VRF

MHM

if i just disconnect uplink in branches side everything is working:

4321 (branch)--X-->dmvpn hub-->asa-->interne router-->internet router

 

BUT if i block any traffic on access list in internet router and the ping from branch is stopping but default route still stay on OSPF (mpls). so it doesn't work:

4321 (branch)-->dmvpn hub-->asa-->internet router--<BLOCK ACL>-->internet router

 

Sorry it not clsar to me 

You use EEM to make branch use DIA or use Hub to access internet? Am I right ? If not please can you more elaborate.

If I am right are brach tunnel use front VRF or not?

MHM

all traffic coming from branch to HQ. branches don't have dedicated internet line. BUT with backup line they will.

I see you topolgy the hub connect to asa and then to internet'

So the spoke track internet of hub via ip sla if down it will use DIA (backup). That right?

But you mention vrf' vrf is for tunnel source or vrf for tunnel it self?

Can i see tunnel config in Spoke?

MHM

here are configs of tunnel and tunnel's source interface.

interface Tunnel1
bandwidth 100000
ip address 172.31.0.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 101
ip nhrp nhs 172.31.0.1 nbma 172.31.255.1 multicast
ip tcp adjust-mss 1360
delay 100
if-state nhrp
tunnel source GigabitEthernet0/0/0.2000
tunnel mode gre multipoint
tunnel key 101
tunnel vrf IWAN-TRANSPORT-2
tunnel protection ipsec profile DMVPN_CRYPR_ASM

interface GigabitEthernet0/0/0.2000
encapsulation dot1Q 2000
vrf forwarding IWAN-TRANSPORT-2
ip address 172.31.255.33 255.255.255.0
no ip proxy-arp
no cdp enable

Also we have internal subinterfaces on 0/0/0 (data, voice, access points, etc.) and they are NOT in vrf. and i configure ping 8.8.8.8 with source interface DATA, VOICE but unsuccessfull: 

ip sla 1
icmp-echo 8.8.8.8 source-interface <DATA SUBINT>
threshold 100
timeout 3000
frequency 30

I will check 

MHM

and here is DATA interface config

description DATA
encapsulation dot1Q 50
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
no cdp enable

as you can see it is not in any vrf

Hello
You donā€™t really require SLA to poll the line -protocol of an interface, you could just track it directly ( track x interface xxx line-protocol, however in this instance ipsla would be needed, As you are polling an external ip

Also in this instance EEM is not really required either, you just need to add a condition to the primary default static route and append a secondary default static route with a higher administrative distance than the primary.

Example:
no event manager applet ChangeRoute
no manager applet RevertRoute

ip sla 1
icmp-echo 8.8.8.8 source-interface Tunnel
timeout 1000
frequency 5
vrf IWAN-TRANSPORT-2

ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1 track 1 name primary link
ip route 0.0.0.0 0.0.0.0 gi0/0/1 2 name backup link


The following will negate 8.8.8.8 being reachable via the secondary path so ipsla will reconverge:

access-list 100 permit icmp host <source ip> host 8.8.8.8 echo
route-map ipsla
match ip address 100
set vrf IWAN-TRANSPORT-2
set ip next-hop (next hop of dmvpn tun)
set interface Null0
ip local policy route-map ipsla


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

you wrote

ip route 0.0.0.0 0.0.0.0 gi0/0/1 2 name backup link

 

you meant ?

ip route 0.0.0.0 0.0.0.0 gi0/0/1 200 name backup link

FYI-   i did mean 2 but you can have it as 200 if you desire


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1

this is ospf route (170 ad). so i need to configure backup line more than 170. that's why i decided that you wrote it wrong.

Review Cisco Networking for a $25 gift card