Policy Base Routing with Redundancy in links

Zargham Haider
Level 1

I have two different ISPs, ISP-A and ISP-B. My specific IP class (ACL-B) uses ISP-B. I have a simple scenario: default ACL-A traffic will use the default route towards ISP-A, and selected traffic (ACL-B) would go to ISP-B. This is done by configuring PBR on an ASA 5508-X firewall. Now I need to re-configure the PBR route map so that if the ISP-B link goes down all traffic should route to ISP-A, and vice versa.

I am confused whether this can be achieved from the route map or in the redundancy configuration.

 

_______

Zargham 

 

6 Replies

Seb Rupik
VIP Alumni

Hi there,

You need to use an IP SLA and a tracking object, which are then used within the route-map. Try the following, substituting the <Variables> and interface names as required:

!
sla monitor 1
 type echo protocol ipIcmpEcho <ISP-1> interface OUTSIDE1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho <ISP-2> interface OUTSIDE2
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
route-map ISP-PBR permit 10
 match ip address <ACL-A>
 set ip next-hop verify-availability <ISP-1> 1 track 1
 set ip next-hop verify-availability <ISP-2> 2 track 2
!
route-map ISP-PBR permit 20
 match ip address <ACL-B>
 set ip next-hop verify-availability <ISP-1> 1 track 2
 set ip next-hop verify-availability <ISP-2> 2 track 1
!

cheers,

Seb.

 

Thanks Seb,

 

This is a valuable reply. Let me test it and I will reply to you soon after testing.

Just noticed a typo:

!
route-map ISP-PBR permit 20
 match ip address <ACL-B>
 set ip next-hop verify-availability <ISP-2> 1 track 2
 set ip next-hop verify-availability <ISP-1> 2 track 1
!

 

Hello


@Zargham Haider wrote:

I have two different ISPs. ISP-A and ISP-B.

i have simple scenario that default ACL-A traffic will use default route towards ISP-A. selected traffic (ACL-B) would go to ISP-B.


If you have all default traffic going via ISP-A and you wish specific traffic to go via ISP-B, then I would say what @Seb Rupik posted was correct; however, you would only require one PBR track statement, because if/when the monitored IP SLA track fails, all policy-routed traffic would fail over and be routed back via the default path towards ISP-A.

 

example:

!
! IOS-style syntax; the ASA equivalents are "sla monitor", "track N rtr N reachability"
! and "policy-route route-map" on the interface
!
ip sla 1
 icmp-echo <ISPB host> source-ip XXXXX
ip sla schedule 1 life forever start-time now
! track object referenced by the route-map below
track 1 ip sla 1 reachability
!
access-list 100 permit ip xxxx yyyyy
route-map PBR permit 10
 match ip address 100
 set ip next-hop verify-availability <ISPB> 1 track 1
!
int x/x
 description Lan facing
 ip policy route-map PBR


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@paul driver agreed, but if you want true redundancy then in the event of ISP-A failing you would want all traffic to go via ISP-B.

 

Perhaps adjust ACL-A so that it denies the ACL-B subnets but permits (matches) everything else.

Hello

@Seb Rupik I still think you would only require just the one PBR track statement, with maybe an additional static route track if the OP is using floating static default routes for each ISP; however, if dynamic routing is in use then just the one should do it.



Kind Regards
Paul
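The pieces discussed across the thread (Seb's corrected two-clause route-map, his point that ACL-A must not also match the ACL-B hosts, and Paul's note about tracked floating static default routes) fit together into one ASA configuration. What follows is an added, worked example written for this page; it is not configuration from any of the posters. The interface names, the inside subnet (10.0.0.0/24, with 10.0.0.128/25 standing in for the ACL-B class) and the ISP addresses (RFC 5737 documentation ranges) are assumed. PBR with `set ip next-hop verify-availability` requires ASA 9.4(1) or later, which the 5508-X runs.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside   10.0.0.0/24 (all hosts); 10.0.0.128/25 is the ACL-B class
!   OUTSIDE1 203.0.113.2/30, ISP-A gateway 203.0.113.1
!   OUTSIDE2 198.51.100.2/30, ISP-B gateway 198.51.100.1
!
! 1. Probe each ISP gateway out of its OWN interface. The "interface"
!    keyword forces the echo out that link, so a dead ISP-B is not
!    reported reachable because the probe leaked out via ISP-A.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1 interface OUTSIDE2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! 2. Tracked default routes (Paul's point). Anything the route-map cannot
!    place, or that matches no clause, uses these; the metric-254 route is
!    installed only while track 1 is down and the primary route is withdrawn.
route OUTSIDE1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 3. Classification (Seb's later point). Sequence 10 is evaluated first,
!    so ACL-A must explicitly deny the ACL-B hosts or they never reach
!    sequence 20. A "deny" in a route-map ACL means "no match here".
access-list ACL-B extended permit ip 10.0.0.128 255.255.255.128 any
access-list ACL-A extended deny   ip 10.0.0.128 255.255.255.128 any
access-list ACL-A extended permit ip 10.0.0.0   255.255.255.0   any
!
! 4. Route-map. The next hop with the lowest sequence is preferred, and a
!    next hop is used only while its track object is up, so each class
!    fails over to the other ISP and returns when its own link recovers.
route-map ISP-PBR permit 10
 match ip address ACL-A
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop verify-availability 198.51.100.1 2 track 2
route-map ISP-PBR permit 20
 match ip address ACL-B
 set ip next-hop verify-availability 198.51.100.1 1 track 2
 set ip next-hop verify-availability 203.0.113.1 2 track 1
!
! 5. Apply PBR on the LAN-facing (ingress) interface, and NAT to BOTH
!    egress interfaces; otherwise failed-over flows would leave ISP-B
!    carrying an ISP-A source address and never get replies.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 policy-route route-map ISP-PBR
!
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
nat (inside,OUTSIDE1) source dynamic INSIDE-NET interface
nat (inside,OUTSIDE2) source dynamic INSIDE-NET interface
!
! 6. Verify, then pull the ISP-B cable and repeat: track 2 should go
!    "Reachability is Down" and the packet-tracer egress should move to
!    OUTSIDE1 for an ACL-B host (192.0.2.10 is a constructed destination).
show sla monitor operational-state
show track
show route-map ISP-PBR
show route
packet-tracer input inside tcp 10.0.0.200 40000 192.0.2.10 443 detailed
```

Two caveats worth keeping in mind with this design. The probes test the ISP gateway, not the Internet beyond it; if an ISP can fail upstream while its CPE still answers pings, point the echo at a host further out (still sent through the right interface). And failover is not hitless: with `frequency 10` and the default timeout the switch takes tens of seconds, and existing connections are dropped because their NAT translations are bound to the interface that just went away, so clients must re-establish them over the surviving link. PBR also applies only to through-traffic; packets the ASA originates itself follow the routing table.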