Ip SLA track for redundancy purposes

Hi, I am investigating some issues on an existing network topology and I have some questions related to the topology.

Can someone please support me to understand the concept?

See below some information:

We have 2 Catalyst routers connected through 3 interface ports (point to point). 2 interfaces are used as the main route for UDP and TCP protocol and the third one is the redundant path that takes place only when the 2 main interfaces are not available.

See below the running-config for 1 router from one end. Int 0/0 and 0/2 are the main ones, int 0/1 is the backup. I could not identify any rule that re-routes the packet to 0/1 when 0/0 and 0/2 have failed. According to the config below, when 0/0 and 0/2 are not reachable, does it route the packet to 0/1? Is this implementation right? Vlan11 is used to connect to the vlan11 which is set on the switch bases.

 

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
ip tcp synwait-time 10
ip telnet hidden hostnames
ip telnet hidden addresses
!
!
crypto isakmp policy 101
encr aes 256
hash md5
authentication pre-share
group 24
crypto isakmp key <removed> address 192.168.121.2
crypto isakmp key <removed> address 192.168.121.10
crypto isakmp key <removed> address 192.168.123.2
!
!
crypto ipsec transform-set AES-256 esp-aes esp-md5-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
!
!
crypto map IPSecVPN_Backup 202 ipsec-isakmp
set peer 192.168.123.2
set transform-set AES-256
set pfs group24
match address IPSec_ACL_Backup
!
crypto map IPSecVPN_MD 201 ipsec-isakmp
set peer 192.168.121.10
set transform-set AES-256
set pfs group24
match address IPSec_ACL_MD
!
crypto map IPSecVPN_SC_TC 200 ipsec-isakmp
set peer 192.168.121.2
set transform-set AES-256
set pfs group24
match address IPSec_ACL_SC_TC
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
description the Interface will be used to connect the Cisco Integrated Management Controller Express (CIMC-E). CIMC-E is the management service for the Cisco SRE (Internal) Module Services Ready Engine
no ip address
shutdown
!
interface GigabitEthernet0/0
description Process LAN1 DC SC TC
ip address 192.168.121.1 255.255.255.252
ip access-group OUTSIDE_GE00_IN in
ip access-group OUTSIDE_GE00_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_SC_TC
!
interface GigabitEthernet0/1
description Process LAN1 Backup
ip address 192.168.123.1 255.255.255.252
ip access-group OUTSIDE_GE01_IN in
ip access-group OUTSIDE_GE01_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_Backup
!
interface GigabitEthernet0/2
description Process LAN1 MD
ip address 192.168.121.9 255.255.255.252
ip access-group OUTSIDE_SCMD_IN in
ip access-group OUTSIDE_SCMD_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_MD
!
interface GigabitEthernet1/0
description Internal route interface connected to EtherSwitch Service Module
ip unnumbered Vlan15
no ip proxy-arp
load-interval 30
!
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
switchport mode trunk
no ip address
load-interval 30
!
interface Vlan1
no ip address
load-interval 30
shutdown
!
interface Vlan11
description Process LAN1
ip address 192.168.11.91 255.255.255.0
ip helper-address 192.168.31.255
ip directed-broadcast
no ip proxy-arp
ip policy route-map SC_TC_Map
load-interval 30
!
interface Vlan15
description Server LAN1
ip address 192.168.15.191 255.255.255.0
ip access-group VLAN_SEPARATION_VLAN15 in
ip access-group VLAN_SEPARATION_VLAN15 out
no ip proxy-arp
load-interval 30
!
interface Vlan211
description OPC UA LAN 1
no ip address
no ip proxy-arp
load-interval 30
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp ntp
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 172.26.11.248 255.255.255.248 192.168.15.254
ip route 192.168.13.0 255.255.255.0 192.168.15.254
ip route 192.168.16.0 255.255.255.0 192.168.15.254
ip route 192.168.21.0 255.255.255.0 192.168.121.10
ip route 192.168.21.0 255.255.255.0 192.168.123.2
ip ssh version 2
ip scp server enable
!
ip access-list standard ADMIN
remark SNB
permit 192.168.13.99
remark TS
permit 172.26.11.250
remark OAC
permit 192.168.13.152
remark cleanup
deny any log
ip access-list standard MCS
remark MCS2
permit 192.168.16.94
remark MCS1
permit 192.168.15.94
ip access-list standard SNMP-V3-allowed-SYSTEMS
remark OAC101
permit 192.168.13.152
!
ip access-list extended IPSec_ACL_Backup
remark ACL for crypto map IPSecVPN_Backup 202
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended IPSec_ACL_MD
remark ACL for crypto map IPSecVPN_MD 201
permit tcp 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
permit icmp 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended IPSec_ACL_SC_TC
remark ACL for crypto map IPSecVPN_SC_TC 200
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended OUTSIDE_GE00_IN
remark interface protection (interstation)
permit esp host 192.168.121.2 host 192.168.121.1
permit udp host 192.168.121.2 eq isakmp host 192.168.121.1 eq isakmp
permit tcp host 192.168.121.2 gt 1023 host 192.168.121.1 eq 22
permit tcp host 192.168.121.2 eq 22 host 192.168.121.1 gt 1023
permit icmp host 192.168.121.2 host 192.168.121.1
ip access-list extended OUTSIDE_GE00_OUT
remark interface protection (interstation)
permit esp host 192.168.121.1 host 192.168.121.2
permit udp host 192.168.121.1 eq isakmp host 192.168.121.2 eq isakmp
permit tcp host 192.168.121.1 gt 1023 host 192.168.121.2 eq 22
permit tcp host 192.168.121.1 eq 22 host 192.168.121.2 gt 1023
permit icmp host 192.168.121.1 host 192.168.121.2
ip access-list extended OUTSIDE_GE01_IN
remark interface protection (interstation)
permit esp host 192.168.123.2 host 192.168.123.1
permit udp host 192.168.123.2 eq isakmp host 192.168.123.1 eq isakmp
permit tcp host 192.168.123.2 gt 1023 host 192.168.123.1 eq 22
permit tcp host 192.168.123.2 eq 22 host 192.168.123.1 gt 1023
permit icmp host 192.168.123.2 host 192.168.123.1
ip access-list extended OUTSIDE_GE01_OUT
remark interface protection (interstation)
permit esp host 192.168.123.1 host 192.168.123.2
permit udp host 192.168.123.1 eq isakmp host 192.168.123.2 eq isakmp
permit tcp host 192.168.123.1 gt 1023 host 192.168.123.2 eq 22
permit tcp host 192.168.123.1 eq 22 host 192.168.123.2 gt 1023
permit icmp host 192.168.123.1 host 192.168.123.2
ip access-list extended OUTSIDE_SCMD_IN
remark interface protection (interstation)
permit esp host 192.168.121.10 host 192.168.121.9
permit udp host 192.168.121.10 eq isakmp host 192.168.121.9 eq isakmp
permit tcp host 192.168.121.10 gt 1023 host 192.168.121.9 eq 22
permit tcp host 192.168.121.10 eq 22 host 192.168.121.9 gt 1023
permit icmp host 192.168.121.10 host 192.168.121.9
ip access-list extended OUTSIDE_SCMD_OUT
remark interface protection (interstation)
permit esp host 192.168.121.9 host 192.168.121.10
permit udp host 192.168.121.9 eq isakmp host 192.168.121.10 eq isakmp
permit tcp host 192.168.121.9 gt 1023 host 192.168.121.10 eq 22
permit tcp host 192.168.121.9 eq 22 host 192.168.121.10 gt 1023
permit icmp host 192.168.121.9 host 192.168.121.10
ip access-list extended RouteMap_ACL_MD
remark ACL for route-map SC_TC_Map permit 20
remark not SC TC
deny udp host 192.168.11.31 host 192.168.21.31 eq 11072
deny udp host 192.168.11.31 host 192.168.21.32 eq 11073
deny udp host 192.168.11.32 host 192.168.21.31 eq 11076
deny udp host 192.168.11.32 host 192.168.21.32 eq 11077
remark not PC1 TC
deny udp host 192.168.11.11 host 192.168.21.11 eq 11154
deny udp host 192.168.11.11 host 192.168.21.12 eq 11155
deny udp host 192.168.11.12 host 192.168.21.11 eq 11156
deny udp host 192.168.11.12 host 192.168.21.12 eq 11157
remark not PC2 TC
deny udp host 192.168.11.21 host 192.168.21.21 eq 11164
deny udp host 192.168.11.21 host 192.168.21.22 eq 11165
deny udp host 192.168.11.22 host 192.168.21.21 eq 11166
deny udp host 192.168.11.22 host 192.168.21.22 eq 11167
remark MD
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended RouteMap_ACL_SC_TC
remark ACL for route-map SC_TC_Map permit 10
permit udp host 192.168.11.31 host 192.168.21.31 eq 11072
permit udp host 192.168.11.31 host 192.168.21.32 eq 11073
permit udp host 192.168.11.32 host 192.168.21.31 eq 11076
permit udp host 192.168.11.32 host 192.168.21.32 eq 11077
ip access-list extended VLAN_SEPARATION_VLAN15
remark separates ServerLAN from ProcessLAN
permit ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 172.26.11.0 0.0.0.255
permit ip 172.26.11.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
remark cleanup
deny ip any any
permit ip 192.168.15.0 0.0.0.255 172.26.11.248 0.0.0.7
permit ip 172.26.11.248 0.0.0.7 192.168.15.0 0.0.0.255
!
ip sla auto discovery
ip sla 1
icmp-echo 192.168.121.2
frequency 6
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.121.10
frequency 6
ip sla schedule 2 life forever start-time now
ip access-list logging interval 10
ip access-list log-update threshold 1
logging trap debugging
logging host 192.168.13.152
!
route-map SC_TC_Map permit 10
match ip address RouteMap_ACL_SC_TC
set ip next-hop verify-availability 192.168.121.2 1 track 1
!
route-map SC_TC_Map permit 20
match ip address RouteMap_ACL_MD
set ip next-hop verify-availability 192.168.121.10 1 track 2
!

route-map SC_TC_Map permit 30
match ip address RouteMap_X
set ip next-hop verify-availability

6 Replies

Hello,

Have a look at the lines marked in bold. When interface GigabitEthernet0/0 goes down, the default route goes through GigabitEthernet0/2. When both 0/0 and 0/2 are down, all traffic goes through GigabitEthernet0/1:


track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 list boolean or
object 1
object 2
!
ip tcp synwait-time 10
ip telnet hidden hostnames
ip telnet hidden addresses
!
crypto isakmp policy 101
encr aes 256
hash md5
authentication pre-share
group 24
crypto isakmp key <removed> address 192.168.121.2
crypto isakmp key <removed> address 192.168.121.10
crypto isakmp key <removed> address 192.168.123.2
!
crypto ipsec transform-set AES-256 esp-aes esp-md5-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto map IPSecVPN_Backup 202 ipsec-isakmp
set peer 192.168.123.2
set transform-set AES-256
set pfs group24
match address IPSec_ACL_Backup
!
crypto map IPSecVPN_MD 201 ipsec-isakmp
set peer 192.168.121.10
set transform-set AES-256
set pfs group24
match address IPSec_ACL_MD
!
crypto map IPSecVPN_SC_TC 200 ipsec-isakmp
set peer 192.168.121.2
set transform-set AES-256
set pfs group24
match address IPSec_ACL_SC_TC
!
interface Embedded-Service-Engine0/0
description the Interface will be used to connect the Cisco Integrated Management Controller Express (CIMC-E). CIMC-E is the management service for the Cisco SRE (Internal) Module Services Ready Engine
no ip address
shutdown
!
interface GigabitEthernet0/0
description Process LAN1 DC SC TC
ip address 192.168.121.1 255.255.255.252
ip access-group OUTSIDE_GE00_IN in
ip access-group OUTSIDE_GE00_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_SC_TC
!
interface GigabitEthernet0/1
description Process LAN1 Backup
ip address 192.168.123.1 255.255.255.252
ip access-group OUTSIDE_GE01_IN in
ip access-group OUTSIDE_GE01_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_Backup
!
interface GigabitEthernet0/2
description Process LAN1 MD
ip address 192.168.121.9 255.255.255.252
ip access-group OUTSIDE_SCMD_IN in
ip access-group OUTSIDE_SCMD_OUT out
no ip proxy-arp
load-interval 30
duplex auto
speed auto
crypto map IPSecVPN_MD
!
interface GigabitEthernet1/0
description Internal route interface connected to EtherSwitch Service Module
ip unnumbered Vlan15
no ip proxy-arp
load-interval 30
!
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
switchport mode trunk
no ip address
load-interval 30
!
interface Vlan1
no ip address
load-interval 30
shutdown
!
interface Vlan11
description Process LAN1
ip address 192.168.11.91 255.255.255.0
ip helper-address 192.168.31.255
ip directed-broadcast
no ip proxy-arp
ip policy route-map SC_TC_Map
load-interval 30
!
interface Vlan15
description Server LAN1
ip address 192.168.15.191 255.255.255.0
ip access-group VLAN_SEPARATION_VLAN15 in
ip access-group VLAN_SEPARATION_VLAN15 out
no ip proxy-arp
load-interval 30
!
interface Vlan211
description OPC UA LAN 1
no ip address
no ip proxy-arp
load-interval 30
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp ntp
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 track 2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10
!
ip route 172.26.11.248 255.255.255.248 192.168.15.254
ip route 192.168.13.0 255.255.255.0 192.168.15.254
ip route 192.168.16.0 255.255.255.0 192.168.15.254
ip route 192.168.21.0 255.255.255.0 192.168.121.10
ip route 192.168.21.0 255.255.255.0 192.168.123.2
ip ssh version 2
ip scp server enable
!
ip access-list standard ADMIN
remark SNB
permit 192.168.13.99
remark TS
permit 172.26.11.250
remark OAC
permit 192.168.13.152
remark cleanup
deny any log
ip access-list standard MCS
remark MCS2
permit 192.168.16.94
remark MCS1
permit 192.168.15.94
ip access-list standard SNMP-V3-allowed-SYSTEMS
remark OAC101
permit 192.168.13.152
!
ip access-list extended IPSec_ACL_Backup
remark ACL for crypto map IPSecVPN_Backup 202
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended IPSec_ACL_MD
remark ACL for crypto map IPSecVPN_MD 201
permit tcp 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
permit icmp 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended IPSec_ACL_SC_TC
remark ACL for crypto map IPSecVPN_SC_TC 200
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended OUTSIDE_GE00_IN
remark interface protection (interstation)
permit esp host 192.168.121.2 host 192.168.121.1
permit udp host 192.168.121.2 eq isakmp host 192.168.121.1 eq isakmp
permit tcp host 192.168.121.2 gt 1023 host 192.168.121.1 eq 22
permit tcp host 192.168.121.2 eq 22 host 192.168.121.1 gt 1023
permit icmp host 192.168.121.2 host 192.168.121.1
ip access-list extended OUTSIDE_GE00_OUT
remark interface protection (interstation)
permit esp host 192.168.121.1 host 192.168.121.2
permit udp host 192.168.121.1 eq isakmp host 192.168.121.2 eq isakmp
permit tcp host 192.168.121.1 gt 1023 host 192.168.121.2 eq 22
permit tcp host 192.168.121.1 eq 22 host 192.168.121.2 gt 1023
permit icmp host 192.168.121.1 host 192.168.121.2
ip access-list extended OUTSIDE_GE01_IN
remark interface protection (interstation)
permit esp host 192.168.123.2 host 192.168.123.1
permit udp host 192.168.123.2 eq isakmp host 192.168.123.1 eq isakmp
permit tcp host 192.168.123.2 gt 1023 host 192.168.123.1 eq 22
permit tcp host 192.168.123.2 eq 22 host 192.168.123.1 gt 1023
permit icmp host 192.168.123.2 host 192.168.123.1
ip access-list extended OUTSIDE_GE01_OUT
remark interface protection (interstation)
permit esp host 192.168.123.1 host 192.168.123.2
permit udp host 192.168.123.1 eq isakmp host 192.168.123.2 eq isakmp
permit tcp host 192.168.123.1 gt 1023 host 192.168.123.2 eq 22
permit tcp host 192.168.123.1 eq 22 host 192.168.123.2 gt 1023
permit icmp host 192.168.123.1 host 192.168.123.2
ip access-list extended OUTSIDE_SCMD_IN
remark interface protection (interstation)
permit esp host 192.168.121.10 host 192.168.121.9
permit udp host 192.168.121.10 eq isakmp host 192.168.121.9 eq isakmp
permit tcp host 192.168.121.10 gt 1023 host 192.168.121.9 eq 22
permit tcp host 192.168.121.10 eq 22 host 192.168.121.9 gt 1023
permit icmp host 192.168.121.10 host 192.168.121.9
ip access-list extended OUTSIDE_SCMD_OUT
remark interface protection (interstation)
permit esp host 192.168.121.9 host 192.168.121.10
permit udp host 192.168.121.9 eq isakmp host 192.168.121.10 eq isakmp
permit tcp host 192.168.121.9 gt 1023 host 192.168.121.10 eq 22
permit tcp host 192.168.121.9 eq 22 host 192.168.121.10 gt 1023
permit icmp host 192.168.121.9 host 192.168.121.10
ip access-list extended RouteMap_ACL_MD
remark ACL for route-map SC_TC_Map permit 20
remark not SC TC
deny udp host 192.168.11.31 host 192.168.21.31 eq 11072
deny udp host 192.168.11.31 host 192.168.21.32 eq 11073
deny udp host 192.168.11.32 host 192.168.21.31 eq 11076
deny udp host 192.168.11.32 host 192.168.21.32 eq 11077
remark not PC1 TC
deny udp host 192.168.11.11 host 192.168.21.11 eq 11154
deny udp host 192.168.11.11 host 192.168.21.12 eq 11155
deny udp host 192.168.11.12 host 192.168.21.11 eq 11156
deny udp host 192.168.11.12 host 192.168.21.12 eq 11157
remark not PC2 TC
deny udp host 192.168.11.21 host 192.168.21.21 eq 11164
deny udp host 192.168.11.21 host 192.168.21.22 eq 11165
deny udp host 192.168.11.22 host 192.168.21.21 eq 11166
deny udp host 192.168.11.22 host 192.168.21.22 eq 11167
remark MD
permit ip 192.168.11.0 0.0.0.255 192.168.21.0 0.0.0.255
ip access-list extended RouteMap_ACL_SC_TC
remark ACL for route-map SC_TC_Map permit 10
permit udp host 192.168.11.31 host 192.168.21.31 eq 11072
permit udp host 192.168.11.31 host 192.168.21.32 eq 11073
permit udp host 192.168.11.32 host 192.168.21.31 eq 11076
permit udp host 192.168.11.32 host 192.168.21.32 eq 11077
ip access-list extended VLAN_SEPARATION_VLAN15
remark separates ServerLAN from ProcessLAN
permit ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 172.26.11.0 0.0.0.255
permit ip 172.26.11.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 192.168.13.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
remark cleanup
deny ip any any
permit ip 192.168.15.0 0.0.0.255 172.26.11.248 0.0.0.7
permit ip 172.26.11.248 0.0.0.7 192.168.15.0 0.0.0.255
!
ip sla auto discovery
ip sla 1
icmp-echo 192.168.121.2
frequency 6
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.121.10
frequency 6
ip sla schedule 2 life forever start-time now
ip access-list logging interval 10
ip access-list log-update threshold 1
logging trap debugging
logging host 192.168.13.152
!
route-map SC_TC_Map permit 10
match ip address RouteMap_ACL_SC_TC
set ip next-hop verify-availability 192.168.121.2 1 track 1
!
route-map SC_TC_Map permit 20
match ip address RouteMap_ACL_MD
set ip next-hop verify-availability 192.168.121.10 1 track 2
!

route-map SC_TC_Map permit 30
match ip address RouteMap_X
set ip next-hop verify-availability

Hello Georg,

Thanks for replying!

See that we use route-map in order to define the access-list:

route-map SC_TC_Map permit 10
match ip address RouteMap_ACL_SC_TC
set ip next-hop verify-availability 192.168.121.2 1 track 1
!
route-map SC_TC_Map permit 20
match ip address RouteMap_ACL_MD
set ip next-hop verify-availability 192.168.121.10 1 track 2

If both interfaces tracked by track 1 and 2 are down, I need to combine both instances (10 and 20) for route-map SC_TC_Map, because it is used on Vlan11 as an ip-policy:

interface Vlan11
description Process LAN1
ip address 192.168.11.91 255.255.255.0
ip helper-address 192.168.31.255
ip directed-broadcast
no ip proxy-arp
ip policy route-map SC_TC_Map
load-interval 30

If I define a track list boolean as you proposed, where is the reference for track 3? Is only defining a static route with administrative distance 10 enough? Is this metric the reference for track 3?

I did not understand the first config I sent: as we have two route-map instances 10 and 20, are both instances processed if the statement matches? Or, for example, if instance 10 matches, is instance 20 not considered?

Another question: if I want to create a new route-map instance in order to include a different access-list for this third interface (0/1), which should be considered only if track 1 and track 2 are down, how can I do it?

Thanks a lot!

Hello
I see you have IP SLA tracking, but it looks like IP SLA isn't enabled for your policy routing. Also you mention you wish to re-route traffic towards gig0/1 when BOTH gig0/0 and gig0/2 are down, or if either is down - can you confirm?

Also I don't see any default route to capture all non-conforming traffic or the traffic from a failed policy-routed interface, because if you do have these specified then there would be no need to have multiple route policies like you have now, as you would only need to PBR routes not wanting to go the default path. Also I would suggest not specifying any default route just pointing to a local interface, as this would incur unnecessary ARP for the router; be as specific as possible if you can by specifying an interface and IP next-hop if applicable.

You could also track without IP SLA as follows:
track 3 list boolean AND or OR (depending on your requirement)
object 1
object 2

track 1 interface gig0/0 line-protocol
track 2 interface gig0/2 line-protocol

route-map SC_TC_Map permit 30 <this may not be required depending on your existing primary default routing path>
route-map SC_TC_Map permit 10
match ip address RouteMap_ACL_SC_TC
set ip next-hop verify-availability 192.168.121.2 1 track 3

route-map SC_TC_Map permit 20
match ip address RouteMap_ACL_MD
set ip next-hop verify-availability 192.168.121.10 1 track 3

As I haven't suggested any static default route, can you elaborate on the order of preference regarding this? However, I would assume the following, but please confirm:

ip route 0.0.0.0 0.0.0.0 gig0/0 192.168.121.2 1 track 1 name LAN1_DC_SC_TC
ip route 0.0.0.0 0.0.0.0 gig0/2 192.168.121.10 5 track 2 name LAN1_MD
ip route 0.0.0.0 0.0.0.0 gig0/1 192.168.123.2 10 name LAN1_Backup


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

Let's consider both interfaces are down, so I assume AND logic.

Interfaces 0/0 and 0/2 use different protocols from the devices, that is why there are different access-lists which exclude the not needed one, e.g. deny udp for permit 20. So I do need the permit 10 and 20 statements.

But when both interfaces 0/0 and 0/2 fail, the backup one should take place; then I would need an access-list that actually has no deny for the hosts I want.

So how do I create a new route-map that sets the next-hop as the backup interface 0/1 (IP at the other end 192.168.123.2) and matches this new access-list in order to be forwarded to VLAN11 (ip-policy)?

Based on the suggestion below:

ip route 0.0.0.0 0.0.0.0 gig0/0 192.168.121.2 1 track 1 name LAN1_DC_SC_TC
ip route 0.0.0.0 0.0.0.0 gig0/2 192.168.121.10 5 track 2 name LAN1_MD
ip route 0.0.0.0 0.0.0.0 gig0/1 192.168.123.2 10 name LAN1_Backup

It has different metrics, 1, 5, 10. So in my understanding track 1 and 2 should have the same distance, is that right?

Why do you say the IP SLA is not enabled for the policy routing?

Thank you very much!

 

Hello,

 

the boolean 'or' effectively results in a logical 'and'. It is kind of counterintuitive, but with the 'or', the backup route only kicks in when BOTH track 1 and track 2 are down.

 

If you use the same (no) metric on track 1 and track 2, it means both default routes (through GigabitEthernet0/0 and 0/2) will be installed, and you achieve load balancing, which is kind of leveraging your connectivity, if that is what you want:

 

ip route 0.0.0.0 0.0.0.0 gig0/0 192.168.121.2 track 1
ip route 0.0.0.0 0.0.0.0 gig0/2 192.168.121.10 track 2
ip route 0.0.0.0 0.0.0.0 gig0/1 192.168.123.2 10

 

If you use a higher metric on the second default route than on the first, only the default route through GigabitEthernet0/0 will be installed initially:

 

ip route 0.0.0.0 0.0.0.0 gig0/0 192.168.121.2 track 1
ip route 0.0.0.0 0.0.0.0 gig0/2 192.168.121.10 5 track 2
ip route 0.0.0.0 0.0.0.0 gig0/1 192.168.123.2 10

 

 
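The thread describes the pieces (IP SLA reachability tracks, a `track list boolean`, tracked default routes with different administrative distances, and the `SC_TC_Map` route-map with `verify-availability`) but never walks through how they combine for a given packet. The following Python model is an added example written for this page; it is not code from the thread, from Georg or Paul, or from Cisco. It covers Georg's first reply (the `track 3 list boolean or` object and the three default routes), Georg's reply above (equal AD installs both primaries, a higher AD installs only Gi0/0), and the route-map from the original question. It simplifies IOS semantics (a single destination prefix, no recursive lookup, first-match route-map, wildcard masks written as CIDR), omits the PC1/PC2 TC deny lines of `RouteMap_ACL_MD`, and the two test packets (including TCP port 5000) are constructed.

```python
# Added example, not part of the thread: a small Python model of the IOS behaviour
# discussed above (tracked static routes and AD, `track list boolean`, and PBR with
# `verify-availability`). It simplifies IOS semantics: one prefix, first-match
# route-map, wildcard masks written as CIDR; the packets are constructed input.
import ipaddress
from collections import namedtuple
from typing import Dict, List

TrackState = Dict[int, bool]  # track object id -> True (up) / False (down)
Packet = namedtuple("Packet", "proto src dst dport")
AclEntry = namedtuple("AclEntry", "action proto src dst dport", defaults=(None,))
StaticRoute = namedtuple("StaticRoute", "next_hop interface distance track", defaults=(1, None))
RouteMapSeq = namedtuple("RouteMapSeq", "seq acl next_hop track")


def track_list(op: str, members: List[int], state: TrackState) -> bool:
    """`track N list boolean or|and`: 'or' stays up while ANY member is up, so it
    only goes down when every member is down; 'and' drops as soon as one does."""
    values = [state.get(m, False) for m in members]
    return any(values) if op == "or" else all(values)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """Extended ACL: the first matching entry decides, implicit deny at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(e.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def installed(routes: List[StaticRoute], state: TrackState) -> List[StaticRoute]:
    """Candidate static routes for one prefix that reach the RIB: a tracked route
    is withdrawn while its track is down; of the survivors only the lowest
    administrative distance is installed, and equal AD gives equal-cost paths."""
    alive = [r for r in routes if r.track is None or state.get(r.track, False)]
    if not alive:
        return []
    best = min(r.distance for r in alive)
    return [r for r in alive if r.distance == best]


def forward(pkt: Packet, route_map: List[RouteMapSeq],
            defaults: List[StaticRoute], state: TrackState) -> List[str]:
    """Next hop(s) for a packet arriving on an `ip policy route-map` interface.
    The first sequence whose ACL permits the packet wins; `set ip next-hop
    verify-availability ... track N` applies only while track N is up, otherwise
    the packet falls through to normal routing (here: the default route)."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if acl_permits(s.acl, pkt):
            if state.get(s.track, False):
                return [s.next_hop]
            break  # matched, but the verified next hop is down
    return [r.next_hop for r in installed(defaults, state)]


# The thread's addresses (the PC1/PC2 TC deny lines of RouteMap_ACL_MD are omitted).
LAN, REMOTE = "192.168.11.0/24", "192.168.21.0/24"
SC_TC_FLOWS = [("192.168.11.31/32", "192.168.21.31/32", 11072),
               ("192.168.11.31/32", "192.168.21.32/32", 11073),
               ("192.168.11.32/32", "192.168.21.31/32", 11076),
               ("192.168.11.32/32", "192.168.21.32/32", 11077)]
ACL_SC_TC = [AclEntry("permit", "udp", s, d, p) for s, d, p in SC_TC_FLOWS]
ACL_MD = [AclEntry("deny", "udp", s, d, p) for s, d, p in SC_TC_FLOWS] + \
         [AclEntry("permit", "ip", LAN, REMOTE)]
SC_TC_MAP = [RouteMapSeq(10, ACL_SC_TC, "192.168.121.2", 1),
             RouteMapSeq(20, ACL_MD, "192.168.121.10", 2)]
# Georg's second variant: tracked primaries with AD 1 and 5, untracked floating backup AD 10.
DEFAULTS = [StaticRoute("192.168.121.2", "Gi0/0", 1, 1),
            StaticRoute("192.168.121.10", "Gi0/2", 5, 2),
            StaticRoute("192.168.123.2", "Gi0/1", 10)]
# Constructed test packets: one SC/TC UDP flow and one TCP flow between the same LANs.
SC_TC_PKT = Packet("udp", "192.168.11.31", "192.168.21.31", 11072)
TCP_PKT = Packet("tcp", "192.168.11.50", "192.168.21.50", 5000)


def scenario(sla1_up: bool, sla2_up: bool) -> Dict[str, object]:
    """Where each packet goes for a given pair of IP SLA reachability results."""
    state: TrackState = {1: sla1_up, 2: sla2_up}
    state[3] = track_list("or", [1, 2], state)  # `track 3 list boolean or`
    return {"track3_up": state[3],
            "sc_tc": forward(SC_TC_PKT, SC_TC_MAP, DEFAULTS, state),
            "tcp": forward(TCP_PKT, SC_TC_MAP, DEFAULTS, state)}


if __name__ == "__main__":
    for up1, up2 in [(True, True), (False, True), (True, False), (False, False)]:
        print("sla1 up:", up1, "sla2 up:", up2, scenario(up1, up2))
```

Running it shows the answer to the question asked several times in the thread: when track 1 is down, the SC/TC UDP flow matched by sequence 10 is not handed to sequence 20, it leaves the route-map and follows the routing table, which at that moment holds the AD 5 default via Gi0/2; only when both tracks are down does the untracked AD 10 route via Gi0/1 carry everything. Swapping the two primaries to the same AD in `DEFAULTS` makes `installed()` return both, which is the load-sharing case Georg describes.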

Hello


@Jefferson Amancio wrote:

ip route 0.0.0.0 0.0.0.0 gig0/0 192.168.121.2 1 track 1 name LAN1_DC_SC_TC
ip route 0.0.0.0 0.0.0.0 gig0/2 192.168.121.10 5 track 2 name LAN1_MD
ip route 0.0.0.0 0.0.0.0 gig0/1 192.168.123.2 10 name LAN1_Backup

 

it has different metrics, 1, 5, 10. So in my understanding track 1 and 2 should have the same distance, is that right?


If you had a single failure on either the primary or the secondary interface, where would you want the traffic that was traversing that failed interface to be re-routed to?

If the answer is to the next preferred default route, then the default static for both gig0/0 & gig0/2 would have different metrics, with gig0/0 being the preferred path of the two (as above).

As for your PBR routing, again this is dependent on the above. If you had a single preferred default static route (gig0/0) then I would say route-map SC_TC_Map permit 30 isn't applicable, as the PBR should focus on specific traffic you want to be policy routed via gig0/2, leaving all other traffic to go via gig0/0; and if the primary interface gig0/0 fails all traffic will go via gig0/2 (even your PBR traffic), and if gig0/2 fails its traffic will go via gig0/0, and if both interfaces fail then all traffic will go via the backup path (gig0/1) - this is how I understand how you wish it to be?

If this is the case I would say you wouldn't really even need to use a boolean, just the object tracking with or without IP SLA.

Please see attached file for a possible alternative example:




@Jefferson Amancio wrote:

why you say the ip sla is not enabled for the policy routing ?


I don’t see any ip sla scheduling configured in your configuration.


Kind Regards
Paul