3322 Views, 4 Helpful, 5 Replies

PBR next hop interface failover

Hi Community,

I have a Cisco 819G router which I've set up to use ADSL on the Dialer0/Gigabit0 interface, and 3G on the Dialer2/Cellular0 interface. I've set up a route-map on the VLAN1 interface to load balance the internet connections based on protocol. I've currently got web (HTTP, HTTPS) going out ADSL/Dialer0/Gigabit0 and SSH going out 3G/Dialer2/Cellular0 as a test example. However, if the ADSL goes down, the route-map doesn't fail over to the 3G/Dialer2/Cell0 interface, and vice versa. How could I set this up so that my policy based routing will fail over to the other internet connection if one is down? I would've expected the static routes to take over if the PBR couldn't route out the specified interface, but that doesn't happen.

Current running configuration below. I can run any commands on this service you like. The ADSL service is currently unplugged as it's supporting the client's existing setup while we get this Cisco router right, but I can arrange to have it connected after hours.

QUESTION: Is there a way to get policy based routing (PBR) to failover to another interface if the specified next hop interface is down?

QUESTION: I would also like to load balance connections made over the VPN based on PBR policies. E.g. SMB3 via 3G and other traffic destined for the server via ADSL.

Many thanks, and for any readers who find this helpful, please log in and mark the author's posts as helpful.

CQROU01#show run
Building configuration...

Current configuration : 6984 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CQROU01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
clock timezone AEST 10 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-584703432
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-584703432
 revocation-check none
 rsakeypair TP-self-signed-584703432
!
!
crypto pki certificate chain TP-self-signed-584703432
 certificate self-signed 01
  ### REMOVED SELF SIGNED CERTIFICATE DETAILS ###
  quit
ip source-route
ip cef
!
!
!
!
!
###REMOVED IP DOMAIN NAME###
ip name-server 172.16.1.1
ip name-server 4.2.2.2
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid C819G+7-K9 sn FGL1707237S
!
!
###REMOVED LOCAL ADMIN ACCOUNT CREDENTIALS###
!
!
!
!
controller Cellular 0
 gsm sim profile 2 slot 1
 gsm sim max-retry 12
 gsm failovertimer 1
!
!
track 101 ip sla 101 reachability
!
track 102 ip sla 102 reachability
 default-state up
 delay down 180
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
###REMOVED CRYPTO ISAKMP KEY PASSWORD ADDRESS DC INTERNAL ASA PUBLIC IP###
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TRANSFORM_ESP_SHA_AES256 esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 ###REMOVED DESCRIPTION OF PUBLIC ADDRESS OF DC INTERNAL ASA###
 ###REMOVED SET PEER OF PUBLIC ADDRESS OF DC INTERNAL ASA###
 set transform-set TRANSFORM_ESP_SHA_AES256
 match address 100
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 ###REMOVED DESCRIPTION OF PUBLIC ADDRESS OF DC INTERNAL ASA###
 ###REMOVED SET PEER OF PUBLIC ADDRESS OF DC INTERNAL ASA###
 set transform-set TRANSFORM_ESP_SHA_AES256
 match address 101
!
!
!
!
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 async mode interactive
 crypto map SDM_CMAP_1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.10.9 255.255.255.0 secondary
 ip address 172.16.2.1 255.255.255.0
 ip helper-address 172.16.1.1
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map LOAD_BALANCE
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp authentication chap pap callin
 ###REMOVED PPP CHAP HOSTNAME###
 ###REMOVED PPP CHAP PASSWORD###
 no cdp enable
 crypto map SDM_CMAP_2
!
interface Dialer2
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 2
 dialer idle-timeout 0
 dialer string hspa
 dialer persistent
 dialer-group 2
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NAT-DIALER1 interface Dialer0 overload
ip nat inside source route-map NAT-DIALER2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 101
ip route 0.0.0.0 0.0.0.0 Dialer2 track 102
!
ip access-list extended CQLAN
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip any any
ip access-list extended TRAFFIC_FOR_DIALER0
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
ip access-list extended TRAFFIC_FOR_DIALER2
 permit tcp any any eq 22 log
 deny   ip any any
!
ip sla 101
 icmp-echo 203.12.160.35 source-interface Dialer0
 frequency 10
ip sla schedule 101 life forever start-time now
ip sla 102
 icmp-echo 203.12.160.35 source-interface Dialer2
 frequency 10
ip sla schedule 102 life forever start-time now
access-list 1 permit any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
!
route-map LOAD_BALANCE permit 10
 match ip address TRAFFIC_FOR_DIALER0
 set interface Dialer0
!
route-map LOAD_BALANCE permit 20
 match ip address TRAFFIC_FOR_DIALER2
 set interface Dialer2
!
route-map NAT-DIALER1 permit 10
 match ip address CQLAN
 match interface Dialer0
!
route-map NAT-DIALER2 permit 10
 match ip address CQLAN
 match interface Dialer2
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
line aux 0
line 3
 script dialer hspa
 modem InOut
 no exec
 rxspeed 21600000
 txspeed 5760000
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
 monitor
 transport input telnet ssh
!
scheduler allocate 20000 1000
event manager applet CLEAR_NAT_ON_BOOT
 event track 101 state up
 action 1.0 cli command "clear ip nat trans *"
event manager applet SET-3G-TRACKING-UP-AT-BOOT
 event timer cron cron-entry "@reboot"
 action 1.0 wait 30
 action 2.0 track set 102 state up
!
end

CQROU01#

5 Replies

cadet alain (VIP Alumni)

Hi,

For PBR failover you should use the "set ip next-hop x.x.x.x verify-availability track" command instead of "set interface".

Regards

Alain

Don't forget to rate helpful posts.
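Alain's suggestion applied to the OP's configuration, as an added example that is not part of the original thread. It assumes the ADSL gateway is a static address (the OP says the ADSL service IP is static), written here as the placeholder 203.0.113.1, which must be replaced with the IPCP peer address of Dialer0 once the ADSL is plugged in; it also assumes the 3G peer address is negotiated and therefore cannot be written into a verify-availability entry. With verify-availability, a next hop whose track object is down is skipped, and when no usable next hop remains PBR does not drop the packet but hands it to normal routing, so the tracked default routes already in the config supply the failover. IOS evaluates "set ip next-hop" before "set interface", which is why clause 10 has to lose its "set interface Dialer0" line rather than keep both. The probe and default-route changes below are the checks a practitioner would want to make at the same time; 198.51.100.53 is a placeholder probe target (assumption).

```cisco
! --- PBR clauses ----------------------------------------------------
! 203.0.113.1 is a placeholder for the static ADSL gateway (assumption);
! replace it with the IPCP peer address shown for Dialer0.
route-map LOAD_BALANCE permit 10
 match ip address TRAFFIC_FOR_DIALER0
 no set interface Dialer0
 set ip next-hop verify-availability 203.0.113.1 10 track 101
!
! The 3G peer address is negotiated, so this clause keeps "set interface".
! A Dialer interface normally stays up/up, so this clause on its own does
! not notice a dead 3G link; only the routing table does, via track 102.
route-map LOAD_BALANCE permit 20
 match ip address TRAFFIC_FOR_DIALER2
 set interface Dialer2
!
! --- Default routes -------------------------------------------------
! Two tracked defaults at the same administrative distance are both
! installed and CEF shares traffic between them per destination. Make
! 3G a floating static (AD 10) so it carries the default only while
! track 101 is down; PBR clause 20 still steers SSH to it explicitly.
no ip route 0.0.0.0 0.0.0.0 Dialer2 track 102
ip route 0.0.0.0 0.0.0.0 Dialer2 10 track 102
!
! --- Probes ---------------------------------------------------------
! Both SLAs in the posted config ping the same host. "source-interface"
! only sets the source address; the routing table still picks the exit,
! so the probe for one Dialer can leave through the other with a source
! address that ISP may drop, and both tracks end up measuring one path.
! Give each probe its own target and pin that target to its own link.
! "permanent" keeps the host route installed whatever the link state,
! so a failing probe means a failed link, not a silent reroute. These
! routes are not affected by the route-map, which sits on Vlan1 and
! applies to transit traffic only (router-generated probes would need
! "ip local policy" to be policy-routed).
ip route 203.12.160.35 255.255.255.255 Dialer0 permanent
ip route 198.51.100.53 255.255.255.255 Dialer2 permanent
!
! A scheduled SLA cannot be edited in place: remove and recreate it.
no ip sla schedule 102
no ip sla 102
ip sla 102
 icmp-echo 198.51.100.53 source-interface Dialer2
 frequency 10
ip sla schedule 102 life forever start-time now
```

To check it, pull the ADSL and watch "show track 101" go down, then "show route-map LOAD_BALANCE" (the policy hit counters keep rising on clause 10 while the packets now leave via the routing table) and "show ip route 0.0.0.0", which should show only the Dialer2 floating default. "debug ip policy" shows the per-packet decision but is noisy on a busy LAN; use it with an ACL or briefly. The host route to 203.12.160.35 via Dialer0 means that address is unreachable from the LAN while the ADSL is down, so pick a probe target nobody else needs.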

Hi Alain,

Thanks for your help. My next hop interface is dynamic in the case of 3G, though, so I can't use this command. When I type "set interface dialer2" the only subsequent option is another interface. Does adding a second interface to this command cause it to use this second interface if the first is unavailable? If so, how does the route-map know that the first interface is unavailable?

Thanks.

Hi,

If the outgoing interface's line protocol is up then it will use that one, and you may have a problem out one ISP but still have the corresponding interface up, so it will not try the second one, as far as I know.

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

I just tried the command "set interface Dialer0 Dialer2" under the route-map and the results I found were:

If I do a "show ip interface brief", Dialer0 for the ADSL remains in status: up, line protocol: up, even though the underlying physical interface Gigabit0 is disconnected.

Using the command "set interface Dialer0 Dialer2" didn't provide connectivity where the Dialer0 (ADSL) interface was not connected to the ADSL service. However, when removing it and replacing it with "set interface Dialer2" (3G), with the 3G service up, it did provide connectivity for the matched statements.

My conclusion is that route-map failover using the "set interface" command is not effective.

My next thoughts are that our ADSL service IP is static, and therefore the next hop will also be static. So, I could use route mapping to specify only what goes out via the ADSL service, and have everything else traverse the 3G link by default. In the event that the ADSL goes down, I could use the route-map to fail over to run everything off the 3G service. This doesn't account for the possibility of the 3G service going down, but I would not expect that to happen.

Thanks Alain. I rated your post as very helpful.

Without resorting to hardcoding the IP of the ISP IPCP gateway as the next-hop in the route-map, since it could change down the road and break things, is there a way to take the gateway supplied by the ISP at the time the dialer PPP IPCP is negotiated and have it pass dynamically into some form of route-map next-hop verify-availability statement that permits failover to the other ISP if an SLA object tracked/sourced on that interface and associated with it in the route-map goes down? I have no problem with failover/PBR/SLA scenarios with static ISPs, but it gets murky with these dynamic PPPoE dialers. I've gotten an approximation of the desired results with floating static routes pointed at the dialer interface, tied to SLA-tracked objects routed to the dialer interface, but it's not PBR.
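The problem in the reply above, a next hop learned by IPCP that cannot be written into a verify-availability entry, can be handled on this router with EEM rather than inside the route-map. This is an added example, not something from the thread or from Cisco documentation for this platform: two applets watch track 102 and edit clause 20 of the OP's LOAD_BALANCE route-map in place. While the 3G probe fails, the clause has no set action, so matching SSH traffic is routed by the routing table (over whichever tracked default is left); when the probe recovers, the "set interface Dialer2" line is restored. "set ip next-hop dynamic dhcp" would avoid the applets, but it only picks up a DHCP-learned gateway, not an IPCP one. The same pair, with track 101 and Dialer0, covers the ADSL clause as well if one would rather not hard-code the ADSL gateway, which goes beyond the OP's specific case. The applet names are assumptions; the EEM applet syntax is the one the posted config already uses.

```cisco
! Added example: clear and restore the 3G PBR clause from track 102.
! Applet names PBR_3G_DOWN / PBR_3G_UP are arbitrary (assumption).
event manager applet PBR_3G_DOWN
 event track 102 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "route-map LOAD_BALANCE permit 20"
 action 4.0 cli command "no set interface Dialer2"
 action 5.0 cli command "end"
 ! Leave an audit trail: a silent change to the forwarding policy is
 ! the kind of thing an incident review needs to be able to see.
 action 6.0 syslog msg "track 102 down: LOAD_BALANCE 20 cleared, SSH follows the routing table"
!
event manager applet PBR_3G_UP
 event track 102 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "route-map LOAD_BALANCE permit 20"
 action 4.0 cli command "set interface Dialer2"
 action 5.0 cli command "end"
 action 6.0 syslog msg "track 102 up: LOAD_BALANCE 20 restored, SSH steered to Dialer2"
```

The applets change the running configuration only and deliberately do not write to NVRAM, so a reload comes back with whatever was last saved; save the config while track 102 is up, or the saved copy will lack the set line. After a test failover, "show track 102", "show event manager history events" and "show route-map LOAD_BALANCE" confirm that the event fired and that clause 20 currently has or lacks its set action. Note that the posted config already has an applet that forces track 102 up 30 seconds after boot and a 180-second "delay down" on the track, so the down applet will not fire until that delay has expired.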