10-28-2016 03:35 PM - edited 03-05-2019 07:22 AM
Hi all, Hope everyone is well !!
I have dual routers / dual WAN links at the data center and at all remote locations (please see attached diagram for topology overview). I've got PBR configured and working as designed, but I have a couple of scenarios that I need some help with. I have PBR configured on the Nexus 7K to route some applications over to the Verizon link, and what's happening is (see below):
Scenario 1: When the Verizon link at the data center goes down, EIGRP re-converges and traffic automatically gets re-routed over to the Sprint link. Is there a way for me to NOT let traffic re-route over to the Sprint link? I would like to blackhole the traffic when the Verizon link is down.
Scenario 2: When the Verizon link at the remote site goes down, traffic gets blackholed and goes nowhere. Is there a way to tell PBR to NOT route traffic over to the Verizon link at the data center when the Verizon link at the remote site is down?
Thanks in advance !!!
Danny
10-29-2016 02:24 AM
Hello,
you could use SLA tracking and route all traffic to null if one link is down. For scenario 1, it would look like this (IP addresses obviously need to be changed to what you have configured):
track 1 ip sla 1 reachability
!
ip sla 1
 icmp-echo x.x.x.x source-interface FastEthernet0/1
 timeout 1000
 threshold 100
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip access-list standard LAN_TRAFFIC
 permit 192.168.1.0 0.0.0.255
!
route-map DENY_SPRINT permit 10
 match ip address LAN_TRAFFIC
 set ip next-hop verify-availability x.x.x.x 10 track 1
 set interface Null0
!
Apply the policy to the interface connected to the Verizon link.
For scenario 2, you could track icmp reachability for the Verizon link at the remote site. I hope I understood correctly where your links are, but the idea of sla tracking is that in case a link is not reachable, the route map is applied, and with this route map, all traffic gets blackholed.
11-03-2016 09:51 AM
Hi GPauwen, thanks for replying !!
As for scenario 1: what do you think of the idea of using a floating static route pointing to the Null0 interface to blackhole the traffic?
And as for scenario 2: do I configure one IP SLA operation for all remote sites, or one IP SLA operation per remote site? Please see the example below.
ip sla 1
icmp-echo 152.177.161.1 source-interface loopback0 - location 1
icmp-echo 199.220.0.245 source-interface loopback0 - location 2
or
ip sla 1
icmp-echo 152.177.161.1 source-interface loopback0 - location 1
ip sla 2
icmp-echo 199.220.0.245 source-interface loopback0 - location 2
Thanks !!!
Danny
11-03-2016 12:35 PM
Danny,
a floating static route would work, as long as the primary route is dynamic, which in your case it is, since you use EIGRP. Good solution actually...
You need one SLA for each remote site. If you use only one for all remote sites, the PING to all sites must fail simultaneously for anything to happen, which does not seem to be what you want.
11-03-2016 01:37 PM
Thanks GPauwen !!! So if I have to do one SLA for each remote site, that means I have to create a route-map for each remote site too ? I have over 20 remote sites and I am just trying to simplify the config.
Thanks !!!
Danny
11-03-2016 01:43 PM
Danny,
your route maps track the availability of specific next hops, which are different for each remote site, so yes, you need 20 route maps. It makes the configuration rather long, but it shouldn't be a problem for the router to handle, since the only traffic that it actually causes is ICMP.
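A fuller version of the per-site layout described above (one SLA, track, ACL and route-map entry per remote site, plus the probe pinning a practitioner would add), written as an added example in the IOS syntax of GPauwen's answer; it is not configuration from the thread. All addresses, interface names and object numbers are assumed, only two sites are shown, and the NX-OS syntax on a Nexus 7K differs in places.

```cisco
! Added example (not from the thread): scenario 2 with two remote sites.
! All values are assumed: DC Verizon next hop 203.0.113.1; site 1 LAN
! 10.1.0.0/24 probed at 203.0.113.11; site 2 LAN 10.2.0.0/24 probed at
! 203.0.113.12; data-center LAN 192.168.1.0/24 behind GigabitEthernet0/1.
!
! Pin each probe to the Verizon path so a remote-site Verizon failure is
! actually seen; otherwise the probe follows EIGRP onto Sprint and the
! track stays up.
ip route 203.0.113.11 255.255.255.255 203.0.113.1
ip route 203.0.113.12 255.255.255.255 203.0.113.1
!
ip sla 1
 icmp-echo 203.0.113.11 source-interface Loopback0
 timeout 1000
 threshold 100
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.12 source-interface Loopback0
 timeout 1000
 threshold 100
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Dampen flapping so one lost probe does not immediately blackhole a site.
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30
!
ip access-list extended TO_SITE1
 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended TO_SITE2
 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! One route-map, one sequence per site. When a site's track is down the
! next hop is skipped and the fallback "set interface Null0" drops the
! packets instead of letting EIGRP move them onto Sprint.
route-map PBR_VERIZON permit 10
 match ip address TO_SITE1
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set interface Null0
route-map PBR_VERIZON permit 20
 match ip address TO_SITE2
 set ip next-hop verify-availability 203.0.113.1 10 track 2
 set interface Null0
! Traffic matching no sequence is routed normally by EIGRP.
interface GigabitEthernet0/1
 description LAN side; PBR acts on traffic entering this interface
 ip policy route-map PBR_VERIZON
```

Each additional site adds one SLA, one track, one ACL and one route-map sequence; `show track` and `show route-map PBR_VERIZON` confirm which sites are currently being blackholed.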
11-03-2016 01:48 PM
Bummer, I was hoping I can do one SLA and one route-map for all locations.
Thanks GPauwen !!!