12-15-2023 02:15 AM
Dears,
We have a DMVPN connection between HQ and branches through the ISP's MPLS.
The topology: cisco 4321 (branch) --ISP mpls--> dmvpn hub (HQ) --> internet router --> ISP internet
Now we are configuring a backup line.
The main line is on port gi0/0/0.
The backup line is on gi0/0/1.
We need to write an SLA which will ping the default gateway on the ISP internet side (e.g. 8.8.8.8) and, if the connection goes down, switch the default route from DMVPN Tunnel1 to gi0/0/1.
Between HQ and branches we use OSPF (AD 170), and I configured the backup route with AD 200.
I configured the SLA with Event Manager, but it does not work:
ip sla 1
 icmp-echo 8.8.8.8 source-interface Tunnel1
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
event manager applet ChangeRoute
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 gi0/0/1 10"
 action 4.0 cli command "end"
event manager applet RevertRoute
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 gi0/0/1 10"
 action 4.0 cli command "end"
I also configured the SLA and attached the track to the route config:
ip sla 1
 icmp-echo 8.8.8.8 source-interface Tunnel1
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1 track 1
ip route 0.0.0.0 0.0.0.0 gi0/0/1 200
Both options didn't work.
12-15-2023 02:18 AM
In order to simulate the ping dropping, I deny any traffic from the Tunnel interface on the Internet router (in HQ).
12-15-2023 02:24 AM
Try to add
ip route vrf --- 8.8.8.8 255.255.255.255 Tunnel1 permanent
Also add vrf -- under ip sla to make it VRF aware.
Then check EEM.
MHM
12-15-2023 02:25 AM
One last point: the two default routes, one in global and the other in the VRF, you need to make them both in the VRF.
MHM
12-15-2023 02:30 AM
If I just disconnect the uplink on the branch side, everything works:
4321 (branch) --X--> dmvpn hub --> asa --> internet router --> internet router
BUT if I block any traffic with an access list on the internet router, the ping from the branch stops but the default route still stays on OSPF (MPLS), so it doesn't work:
4321 (branch) --> dmvpn hub --> asa --> internet router --<BLOCK ACL>--> internet router
12-15-2023 03:11 AM
Sorry, it is not clear to me.
You use EEM to make the branch use DIA, or use the Hub to access the internet? Am I right? If not, please elaborate more.
If I am right, does the branch tunnel use a front VRF or not?
MHM
12-15-2023 03:33 AM
All traffic comes from the branch to HQ. Branches don't have a dedicated internet line, BUT with the backup line they will.
12-15-2023 03:38 AM
I see in your topology the hub connects to the ASA and then to the internet.
So the spoke tracks the internet of the hub via IP SLA, and if it is down it will use DIA (backup). Is that right?
But you mention VRF; is the VRF for the tunnel source, or for the tunnel itself?
Can I see the tunnel config on the spoke?
MHM
12-16-2023 12:38 AM
Here are the configs of the tunnel and the tunnel's source interface.
interface Tunnel1
 bandwidth 100000
 ip address 172.31.0.33 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp network-id 101
 ip nhrp nhs 172.31.0.1 nbma 172.31.255.1 multicast
 ip tcp adjust-mss 1360
 delay 100
 if-state nhrp
 tunnel source GigabitEthernet0/0/0.2000
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf IWAN-TRANSPORT-2
 tunnel protection ipsec profile DMVPN_CRYPR_ASM
interface GigabitEthernet0/0/0.2000
 encapsulation dot1Q 2000
 vrf forwarding IWAN-TRANSPORT-2
 ip address 172.31.255.33 255.255.255.0
 no ip proxy-arp
 no cdp enable
Also, we have internal subinterfaces on 0/0/0 (data, voice, access points, etc.) and they are NOT in a VRF. I also configured the ping to 8.8.8.8 with source interface DATA and VOICE, but unsuccessfully:
ip sla 1
 icmp-echo 8.8.8.8 source-interface <DATA SUBINT>
 threshold 100
 timeout 3000
 frequency 30
12-16-2023 12:53 AM
I will check
MHM
12-16-2023 12:59 AM
And here is the DATA interface config:
 description DATA
 encapsulation dot1Q 50
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 no cdp enable
As you can see, it is not in any VRF.
12-15-2023 02:56 AM
Hello
You don't really require SLA to poll the line-protocol of an interface; you could just track it directly (track x interface xxx line-protocol). However, in this instance IP SLA would be needed, as you are polling an external IP.
Also, in this instance EEM is not really required either; you just need to add a condition to the primary default static route and append a secondary default static route with a higher administrative distance than the primary.
Example:
no event manager applet ChangeRoute
no event manager applet RevertRoute
ip sla 1
 icmp-echo 8.8.8.8 source-interface Tunnel1
  timeout 1000
  frequency 5
  vrf IWAN-TRANSPORT-2
ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1 track 1 name primary link
ip route 0.0.0.0 0.0.0.0 gi0/0/1 2 name backup link
The following will negate 8.8.8.8 being reachable via the secondary path, so IP SLA will reconverge:
access-list 100 permit icmp host <source ip> host 8.8.8.8 echo
route-map ipsla
 match ip address 100
 set vrf IWAN-TRANSPORT-2
 set ip next-hop (next hop of dmvpn tun)
 set interface Null0
ip local policy route-map ipsla
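As an added worked example (not config from the thread or from any of its participants), here is one complete branch-side configuration that combines the pieces discussed above: a VRF-free probe to 8.8.8.8 sourced from Tunnel1, the probe pinned to the primary path with a permanent host route (the approach from the 02:24 AM reply; the local-policy route-map with a Null0 fallback in the post above achieves the same goal), and EEM installing a default route whose AD beats the OSPF-learned default. Assumptions: Tunnel1 and the LAN subinterfaces are in the global table as in the posted tunnel config, the hub's tunnel address is 172.31.0.1 (from the nhs line), and the backup next hop 203.0.113.1 on gi0/0/1 is a constructed placeholder.

```cisco
! Added example, not the thread's own config. Branch 4321, global routing table.
! Assumed: hub tunnel IP 172.31.0.1 (from "ip nhrp nhs"), backup next hop
! 203.0.113.1 on GigabitEthernet0/0/1 (constructed placeholder).
!
! 1. Pin the probe to the primary path. Without this, once a backup default
!    route is installed the probe would succeed via gi0/0/1 and the track would
!    flap back up. "permanent" keeps the host route installed even when Tunnel1
!    goes down (if-state nhrp), so the probe then fails instead of leaking to
!    the backup default route.
ip route 8.8.8.8 255.255.255.255 Tunnel1 172.31.0.1 permanent
!
! 2. Probe through the tunnel. Tunnel1 is in the global table, so no "vrf"
!    keyword is needed; "tunnel vrf" only affects the GRE/IPsec transport.
ip sla 1
 icmp-echo 8.8.8.8 source-interface Tunnel1
  threshold 500
  timeout 1000
  frequency 5
ip sla schedule 1 life forever start-time now
!
! 3. Dampen flaps: 15 s of failed probes before "down", 30 s of success before "up".
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 4. The OSPF default (AD 170) stays in the RIB while the tunnel is up, so a
!    floating static with AD 200 never installs. EEM installs a default with
!    AD 10 only while the track is down and removes it on recovery.
event manager applet ChangeRoute
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 203.0.113.1 10"
 action 4.0 cli command "end"
 action 5.0 syslog msg "Track 1 down: default route switched to GigabitEthernet0/0/1"
!
event manager applet RevertRoute
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 203.0.113.1 10"
 action 4.0 cli command "end"
 action 5.0 syslog msg "Track 1 up: default route reverted to OSPF over DMVPN"
```

To verify, compare `show track 1` and `show ip sla statistics 1` before and after the HQ-side block is applied, then confirm with `show ip route 0.0.0.0` that the AD 10 static replaces the O E2 default while the track is down and disappears again after the 30 s up delay. The syslog actions leave an audit trail of every failover in the router log, which is what you want when a later outage review asks when and why the branch started sending traffic out the backup line.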
12-15-2023 03:09 AM
You wrote
ip route 0.0.0.0 0.0.0.0 gi0/0/1 2 name backup link
You meant?
ip route 0.0.0.0 0.0.0.0 gi0/0/1 200 name backup link
12-15-2023 03:28 AM
FYI, I did mean 2, but you can have it as 200 if you desire.
12-15-2023 03:31 AM
ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 172.31.255.1
This is the OSPF route (AD 170), so I need to configure the backup line with more than 170. That's why I decided that you wrote it wrong.