
ip sla with a non point to point interface DHCP wan

David.Peters
Level 1

So I'm looking at using a backup link for Starlink and got a little stuck 

 

StarLink config 

 

!
interface GigabitEthernet0/0
 description StarLink
 ip address dhcp
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1460
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect traffic out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1420
 duplex full
 speed 1000
 no keepalive proto-up
 no cdp enable
!

ip sla part

 

 

!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!

the ip track part works

 

 

router.local(config)#do sh track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    3142 changes, last change 00:00:08
  Latest operation return code: OK
  Latest RTT (millisecs) 42
router.local(config)#

the routing part

 

#ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0 DHCP 1
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
route-map BACKUP permit 10
 match ip address 10
!
route-map PRIMARY permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
!

ignore the PRIMARY and BACKUP, I used them when the primary and backup link were both Dialer interfaces and IP SLA worked really well

 

 

output of sh ip route

 

router.local#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 100.127.255.6 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 100.127.255.6
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.64.0.0/10 is directly connected, GigabitEthernet0/0
L        100.76.70.128/32 is directly connected, GigabitEthernet0/0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet0/1.100
L        192.168.0.1/32 is directly connected, GigabitEthernet0/1.100
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/1.200
L        192.168.2.1/32 is directly connected, GigabitEthernet0/1.200
router.local#

there are two vlans, one for normal traffic one for Guest WiFi 

 

 

!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.100
 description INTERNAL LAN
 encapsulation dot1Q 100
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1420
!
interface GigabitEthernet0/1.200
 description GUEST LAN
 encapsulation dot1Q 200
 ip address 192.168.2.1 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1420
!

 

 

now the problem I'm having is there is no option to do something like 

 

 ip route 0.0.0.0 0.0.0.0 DHCP track 1

in the past I would use Dialer1 instead of GigabitEthernet0/0 and it would work fine 

 

 

!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
!

but if I use the above I get a lot of ping timeouts if I continually ping a known external IP address

 

if I use 

#ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0 DHCP 1

works ok but I can't flip over to the backup link if I do a shut on the Starlink interface

 

the backup is an LTE link on 192.168.0.254 which works ok, so is there an elegant solution to having ip sla on interface with DHCP clients?

 

If I try to add it 

router.local(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0 track 1
%Default route without gateway, if not a point-to-point interface, may impact performance
router.local(config)#

and it doesn't really work, I still have to add it without track 1 to actually make it work 

14 Replies

Hi Friend, 
https://www.cisco.com/c/en/us/support/docs/routers/2900-series-integrated-services-routers/213824-configure-ip-dhcp-client-route-track-f.pdf

I found this link months ago; it specifies the way you configure DHCP with dual ISPs. Please take a look, I think this is the solution for your issue.

Hello,

 

you don't need to track the static route, just use an EEM script to insert/remove the respective routes, based on the state of the IP SLA.

 

I cannot really figure out from what you posted which the backup link is supposed to be. Post the full running configuration of your router (and put a description on the primary and the backup interface)...

the backup link for now it's 192.168.0.254

Hello,

 

so this interface is your backup interface ?

 

interface GigabitEthernet0/1.100
description INTERNAL LAN
encapsulation dot1Q 100
ip address 192.168.0.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1420

backup LTE interface

 

!
interface GigabitEthernet0/2
 description LTE link
 ip address dhcp
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1460
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect traffic out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1420
 duplex full
 speed 100
 no keepalive proto-up
 no cdp enable
!

Hello,

 

--> the backup link for now it's 192.168.0.254

 

What do you mean by that? Just post the full running config, otherwise this fairly simple issue gets way too long to resolve...

Hello,

 

here is the config I have in mind. At any time, there is only one static route active, the one for the active interface:

 

track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
description StarLink
ip address dhcp
!
interface GigabitEthernet0/2
description LTE link
ip address dhcp
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 5
ip sla schedule 1 life forever start-time now
!
event manager applet PRIMARY_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 dhcp"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
!
event manager applet PRIMARY_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 dhcp"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"

I have tried this before and tried it again, the problem comes when the starlink comes back online 

 

well it never comes back online because for some reason it will never get a ping reply via Gi 0/0 so it will remain on the backup LTE

David.Peters
Level 1
!
ip dhcp pool INTERNAL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1 
 dns-server 192.168.0.91 192.168.0.1 
 lease infinite
!
ip dhcp pool GUEST
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1 
 dns-server 192.168.2.1 
 lease infinite
!
ip dhcp pool VOIP
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1 
 dns-server 192.168.3.1 
 lease infinite
!
!
!
ip dhcp snooping
ip name-server 1.1.1.1
ip inspect WAAS flush-timeout 10
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 10
ip inspect name traffic udp
ip inspect name traffic tcp
ip inspect name traffic http
ip inspect name traffic https
ip inspect name traffic smtp
ip inspect name traffic imap
ip inspect name traffic imap3
ip inspect name traffic imaps
ip inspect name traffic dns
ip inspect name traffic ftp
ip inspect name traffic ftps
ip inspect name traffic ntp
ip cef
no ip igmp snooping
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!

!
license udi pid CISCO2921/K9 sn FGL164314JL
hw-module sm 1
!
!
!
username david password 
!
redundancy
 notification-timer 120000
!
!
!
!
!
controller Cellular 0/0
!
track 1 ip sla 1 reachability
!
! 
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description StarLink
 ip address dhcp
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1460
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect traffic out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1420
 duplex full
 speed 1000
 no keepalive proto-up
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.100
 description INTERNAL LAN
 encapsulation dot1Q 100
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1420
!
interface GigabitEthernet0/1.200
 description GUEST LAN
 encapsulation dot1Q 200
 ip address 192.168.2.1 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1420
!
interface GigabitEthernet0/2
description LTE
 ip address dhcp
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1460
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect traffic out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 rate-limit input access-group 160 496000 62500 62500 conform-action transmit exceed-action drop
 ip tcp adjust-mss 1420
 duplex full
 speed 100
 no keepalive proto-up
 no cdp enable 
!
interface GigabitEthernet0/3/0
 description LTE link
 switchport access vlan 100
 switchport mode access
 no ip address
!
interface GigabitEthernet0/3/1
 no ip address
!
interface GigabitEthernet0/3/2
 no ip address
!
interface GigabitEthernet0/3/3
 no ip address
!
interface GigabitEthernet0/3/4
 no ip address
!
interface GigabitEthernet0/3/5
 no ip address
!
interface GigabitEthernet0/3/6
 no ip address
!
interface GigabitEthernet0/3/7
 switchport mode access
 no ip address
!
interface SM1/0
 no ip address
 shutdown
 !Application: VMware ESXi 5.1.0 build-1065491 running on SRE
!
interface SM1/1
 no ip address
!
interface Cellular0/0/0
 ip address negotiated
 encapsulation ppp
 shutdown
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-top-talkers
 top 50
 sort-by packets
!
ip dns server
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0 overload
ip ssh version 2
!
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
ip sla schedule 1 life forever start-time now
!
route-map BACKUP permit 10
 match ip address 10
!
route-map PRIMARY permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any echo-reply
access-list 110 permit udp host 1.1.1.1 eq domain any
access-list 110 permit udp host 1.0.0.1 eq domain any
access-list 110 permit tcp any any eq 22 log
access-list 110 permit udp host 203.2.134.1 eq 5060 any
access-list 110 permit udp any eq ntp any
access-list 110 permit udp any any eq 20000
access-list 110 permit tcp any any eq 20000
access-list 110 permit udp any any eq bootpc
access-list 110 permit udp any any eq bootps
access-list 110 deny   udp any any log
access-list 110 deny   ip any any log
access-list 110 deny   tcp any any log
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip any any
access-list 160 permit icmp any any
!
!
!
control-plane
!
!
 vstack
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer gsm
 no exec
line 67
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp update-calendar
ntp server au.pool.ntp.org
!
end

router.local#            

I think you don't read the doc.

Under the interface that gets its IP from DHCP:

ip dhcp client track

This solves the issue, since track cannot be configured with ip route ..... dhcp track.

Configure it under the interface.

I did read the doc and tried it, and again for some reason it will never go back to the StarLink interface when it comes out. The ip sla will never get a ping reply when the route is set to the LTE interface, even if the StarLink interface is up. I can manually remove the route to LTE and StarLink works fine and the sla is up.

Show track

Show ip route 

Show ip route 8.8.8.8

 

Please share the above output when the interface is up, when it has failed down, and when it returns back up.

Any Update Friend ?

Hello


@David.Peters wrote:

I have tried this before and tried it again, the problem comes when the starlink comes back online 

 

well it never comes back online because for some reason it will never get a ping reply via Gi 0/0 so it will remain on the backup LTE


The reason is down to your static routing with IP SLA. You are tracking on a public IP address (8.8.8.8); as such, when the primary link goes down, 8.8.8.8 is going to be reachable via the backup default route, so it never fails. You need to negate this.

 

Example:

ip sla 1
icmp-echo 8.8.8.8 source-interface gig0/0
timeout 1000
threshold 2000
frequency 15


ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability

 

int gig0/0
ip dhcp client route track 10

ip route 8.8.8.8 255.255.255.255 gig0/0

ip route 8.8.8.8 255.255.255.255 Null0 2
ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp name primary link
ip route 0.0.0.0 0.0.0.0 gig0/2 dhcp 2 name backup link


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
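
Added example, not part of Paul's reply and not Cisco code: a small Python model of the route lookup, showing why the probe to 8.8.8.8 has to be pinned to Gi0/0 with a host route and a floating Null0 route before the track can recover. It assumes the probe follows the routing table and that only a probe leaving via Gi0/0 over a healthy path is answered (the behaviour David reports); the route tables and function names are constructed for illustration.

```python
import ipaddress

# Static routes as (prefix, admin distance, egress interface). Constructed
# from the configs in this thread; "Null0" discards the packet.
DEFAULT_ONLY = [("0.0.0.0/0", 1, "Gi0/0"), ("0.0.0.0/0", 2, "Gi0/2")]
PINNED = DEFAULT_ONLY + [("8.8.8.8/32", 1, "Gi0/0"), ("8.8.8.8/32", 2, "Null0")]

def egress(routes, dst, link_up, track_up):
    """Longest-prefix match, then lowest admin distance, over usable routes."""
    best = None
    for prefix, ad, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) not in net:
            continue
        if ifc != "Null0" and not link_up[ifc]:
            continue  # routes through a down interface are withdrawn
        if ifc == "Gi0/0" and net.prefixlen == 0 and not track_up:
            continue  # tracked DHCP default is removed while the track is down
        key = (-net.prefixlen, ad)
        if best is None or key < best[0]:
            best = (key, ifc)
    return best[1] if best else None

def simulate(routes, outage):
    """outage[i] is True while the StarLink path is broken at probe i.
    Returns (probe egress, track state, user default egress) per probe."""
    track_up, log = True, []
    for broken in outage:
        link_up = {"Gi0/0": True, "Gi0/2": True}  # upstream failure, port stays up
        probe_if = egress(routes, "8.8.8.8", link_up, track_up)
        # Assumption: only a probe that leaves via Gi0/0 over a healthy path is answered
        track_up = probe_if == "Gi0/0" and not broken
        user_if = egress(routes, "1.1.1.1", link_up, track_up)
        log.append((probe_if, track_up, user_if))
    return log

if __name__ == "__main__":
    outage = [False, True, True, False, False]
    for name, routes in (("default only", DEFAULT_ONLY), ("pinned probe", PINNED)):
        print(name)
        for step in simulate(routes, outage):
            print("  probe via %-5s track_up=%-5s users via %s" % step)
```

With only the two default routes the probe follows user traffic onto Gi0/2 after the first failure and the track stays down; with the /32 routes the probe keeps leaving via Gi0/0 and the track comes back as soon as the path heals.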