PBR with Object Tracking

tripley (Level 1)

Hello,

We have ISR 4321s in remote stores that control all store traffic. The default route on the router points back to our head office. However, we want Internet traffic for our Point of Sale traffic to go out a direct Internet connection. POS traffic has its own sub-interface and subnet on the router.

We've done this easily using PBR with object tracking. During normal operation it works fine, but in a failure scenario it doesn't work as expected because I can't track the local internet connection properly.

Here's a basic config:

Gi0/0/0 - Connected to the store networks with sub interfaces for VLANs

Gi0/0/0.102 - POS network
Gi0/0/0.201 - Our local internet connection in the store
Gi0/0/1 - Our WAN connection back to head office

Here's the PBR route-map config:

Extended IP access list ISP_INET_ACL
10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
40 deny ip any host 255.255.255.255
50 permit ip 10.10.10.0 0.255.255.255 any

route-map ISP_INET_RMAP permit 10
match ip address ISP_INET_ACL
set ip next-hop verify-availability 1.2.3.4 1 track 20

interface Gi0/0/0.102
ip address 10.10.10.1 255.255.255.0
ip policy route-map ISP_INET_RMAP
!

My tracking object is configured as such:

ip sla 20
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0.201
frequency 5
ip sla schedule 20 life forever start-time now

track 20 ip sla 20 reachability
delay down 30 up 30

Because my default route points back to the head office, my IP SLA traffic to 8.8.8.8 has to go across the WAN because that's the only default route it knows. This causes a problem because if my WAN connection goes down, even if the local Internet is up, the SLA 20 still fails.

Even a traceroute from the router will still go through head office even if I source it from the interface directly connected to the Internet (G0/0/0.201).

Is there a way to specify a next-hop for SLA traffic?

Tyler

Accepted Solution

Francesco Molino (VIP Alumni)

Hi

Just to summarize.

Internet access should go through the direct local connection when your WAN with HO is up, and even when it is down. However, if the local ISP link is down, Internet access from the store should go over the WAN through HO?

Now your concern:

When your WAN with HO is down, your tracking is not up?

- Is the default route a static route or learned from dynamic routing?

You need to create a second default route going through the local ISP when your WAN fails. This can be done using a static route with tracking.

Do you have such configuration?

It looks like: (tracking object is not shown in this example)

ip route 0.0.0.0 0.0.0.0 wan-rtr-ip track 10 (primary route)

ip route 0.0.0.0 0.0.0.0 isp-rtr-ip 10 (secondary route)

Now, using PBR with tracking makes sense in case the local ISP fails. However, the tracking is sending ICMP packets to 8.8.8.8. This means that the tracking will always be UP, and in the case that the local ISP fails, Internet access won't work because I guess the next hop set for PBR is your local ISP router, right?

To achieve that you have 2 solutions:

1. Continue tracking a public IP like you're doing, but you'll need to add a static route for that particular host going through your local ISP. The track object will be down if the local ISP link is down.

2. Track your ISP router IP. However, this solution isn't 100% reliable because your router could be UP and your ISP could have a backbone issue.

I'd prefer using solution 1 by tracking Google's secondary DNS (8.8.4.4) because 8.8.8.8 is usually used on machines. If you use 8.8.8.8 and you add a specific route to your ISP for that address (as explained in solution 1), in case this link goes down you won't have access to this DNS unless you configure a static route with tracking like for the default route (as explained before).

Hope this is clear.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

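A complete configuration for solution 1 from the accepted answer, written here as an added example (it is neither the poster's nor Cisco's own config). It keeps 1.2.3.4 as the ISP next-hop from the original route-map and uses `<wan-rtr-ip>` and `<ho-lan-ip>` as placeholders for the head-office next-hop and a head-office address to probe; both host routes are deliberately untracked so the probes cannot fall back to the other path and flap.

```cisco
! Probe a dedicated public address via the local ISP (solution 1 in the answer).
ip sla 20
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0/0.201
 frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
 delay down 30 up 30
!
! Host route that pins the probe to the ISP next-hop. Deliberately untracked:
! tied to track 20, it would be withdrawn on ISP failure, the probe would then
! succeed over the WAN via the default route, and the track would flap.
ip route 8.8.4.4 255.255.255.255 1.2.3.4
!
! Primary default via head office, withdrawn when track 10 goes down; the
! floating default (AD 10) via the local ISP then takes over.
ip sla 10
 icmp-echo <ho-lan-ip> source-interface GigabitEthernet0/0/1
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 30
! Pin the head-office probe to the WAN for the same reason as the 8.8.4.4 route.
ip route <ho-lan-ip> 255.255.255.255 <wan-rtr-ip>
ip route 0.0.0.0 0.0.0.0 <wan-rtr-ip> track 10
ip route 0.0.0.0 0.0.0.0 1.2.3.4 10
!
! PBR: POS /24 to public destinations goes to the ISP while track 20 is up.
! When it is down the set clause is skipped and packets follow the routing table.
ip access-list extended ISP_INET_ACL
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any host 255.255.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map ISP_INET_RMAP permit 10
 match ip address ISP_INET_ACL
 set ip next-hop verify-availability 1.2.3.4 1 track 20
!
interface GigabitEthernet0/0/0.102
 ip policy route-map ISP_INET_RMAP
!
! Checks after pulling the ISP link (commands only, no output shown):
! show track 20                 - expect Reachability is Down
! show ip route 8.8.4.4         - host route still present (untracked)
! show route-map ISP_INET_RMAP  - policy matches counted, next hop not applied
```

Because the ISP sits on a sub-interface of Gi0/0/0, its line protocol stays up when the ISP modem fails, which is why reachability tracking rather than interface tracking is used for track 20.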
