
monitoring multiple ips on a router from one source ip

paul amaral
Level 4

Hi, I have multiple provider IPs on one router and I need our monitoring software to be able to monitor both via ICMP or SNMP.

The monitored router has a cell interface and gig interface, both act as WAN connections with routable ips. Cell interface is the backup and the Gig is the primary.

 

The problem is when the monitor server pings/monitors the IP on the cell interface, the returned packet might come in the gig interface or vice versa. This creates asymmetrical routing and the monitor drops the incoming packets.

 

How can I have a monitoring server ping two different ips on the same router and have the returned packet ignore the routing table and go out the same interface it came in?

 

If I have dual static routes, the return packets might come in the cell interface and go out the gig interface, which doesn't help. Setting weights on floating routes will not help either.

 

ip route 1.1.1.1 255.255.255.255 Cellular0/2/0

ip route 1.1.1.1 255.255.255.255 70.xx.xx.xx (gig int)

 

I thought about PBR and enabling it on the router with ip local policy, which will policy route traffic originating on the router.

 

ip local policy route-map test

route-map test, permit, sequence 10

  Match clauses:

    interface Cellular0/2/0 <- match incoming interface

  Set clauses:

    default interface Cellular0/2/0 <- if it came in cell then go out the cell

  Policy routing matches: 162 packets, 14256 bytes

route-map test, permit, sequence 20

  Match clauses:

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

 

I have yet to implement this, but I'm looking for advice on whether this is the best way to go about it.

TIA, Paul

4 Replies

Giuseppe Larosa
Hall of Fame

Hello @paul amaral ,

Note that the route-map action set default interface Cellular0/2/0 will check the IP routing table first; if no specific route is found, the packet will be sent out the specified interface. However, a default route may be a match.

 

So you would probably need to use set interface Cellular0/2/0, which uses the specified interface as exit without looking at the IP routing table first.

You will also need an ACL that specifies the IP addresses of interest.

 

Probably the best way to manage the problem of order of operations is a two line ACL like

access-list 111 remark for local Policy

access-list 111 permit icmp host X.X.X.X host Y.Y.Y.Y

access-list 111 permit icmp host Y.Y.Y.Y host X.X.X.X

 

 

Hope to help

Giuseppe

 

Giuseppe, thanks, not sure why I had the default keyword there as I agree with you and understand what it does. My issue was that when I created the ICMP ACL I only did it one way and it was not working. Your example made me realize my mistake and it's now working with the ip local policy, which PBRs router-generated traffic.

 

Curious, in your example you didn't add a second permit. I always add a permit 20 for the default class with no match or set. Is this even needed? Or does it bounce out of the route-map if there is no match/deny?

 

Thanks, Paul

 

For PBR you do not need a catch all permit statement as anything not matched for PBR will just use the routing table. 

 

Unlike route redistribution for example where you would need one. 

 

Jon

Hello @paul amaral ,

As correctly explained by @Jon Marshall, in the Cisco implementation of PBR, traffic not matching the invoked route-map or denied within it is not dropped but is simply routed using standard unicast routing based on a destination-address-only lookup.

 

Note that other vendors' similar features, like Juniper's, behave differently and require a final "permit any any", because the feature is implemented using a Firewall Filter, which is actually the equivalent of an IP access list applied inbound but with an action that can be setting an IP next-hop or sending to another routing instance (like a VRF).

 

In IOS route-maps, termination actions depend on the use. So for route filtering you need a final empty permit clause; for PBR you don't need it.

 

Hope to help

Giuseppe
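
The configuration the thread converges on, written out as an added example that is not from any of the posters: a local policy route-map that matches router-generated ICMP and SNMP replies by source address and sends them back out the link they belong to. All addresses and the names MON-VIA-CELL, MON-VIA-GIG and MON-RETURN are constructed placeholders; sequence 20, with set ip next-hop for the multi-access Gig link, is an assumption added for the case where the routing table could send Gig-sourced replies out the cellular interface.

```cisco
! Constructed addresses (documentation ranges), not from the thread:
!   192.0.2.10    monitoring server
!   198.51.100.2  address on Cellular0/2/0
!   203.0.113.2   address on the Gig WAN interface
!   203.0.113.1   next hop on the Gig WAN link
!
ip access-list extended MON-VIA-CELL
 remark replies sourced from the cellular address to the monitor
 permit icmp host 198.51.100.2 host 192.0.2.10
 permit udp host 198.51.100.2 eq snmp host 192.0.2.10
!
ip access-list extended MON-VIA-GIG
 remark replies sourced from the Gig address to the monitor
 permit icmp host 203.0.113.2 host 192.0.2.10
 permit udp host 203.0.113.2 eq snmp host 192.0.2.10
!
route-map MON-RETURN permit 10
 match ip address MON-VIA-CELL
 ! "set interface" uses the named exit without looking at the routing
 ! table first; "set default interface" checks the routing table first
 set interface Cellular0/2/0
!
route-map MON-RETURN permit 20
 match ip address MON-VIA-GIG
 set ip next-hop 203.0.113.1
!
! No empty catch-all clause: with PBR, unmatched traffic is simply
! forwarded by the normal routing table lookup
!
! Apply to traffic generated by the router itself (global command,
! not an interface command)
ip local policy route-map MON-RETURN
!
! Verify while the monitor is polling: the match counters on
! sequence 10 and 20 should increase
!   show ip local policy
!   show route-map MON-RETURN
```

Keeping the ACLs limited to the monitoring server's address means only its probes are policy routed; all other router-generated traffic still follows the routing table.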

 
