09-02-2015 10:41 AM - edited 03-05-2019 02:13 AM
Hello All!
At each remote office we have two circuits: one for Internet and one for MPLS. The two circuits reside in two routing tables: the Internet is in a VRF and the MPLS uses the global table. We use a route-map to send web traffic from the LAN (which resides in the global routing table) out the Internet interface, and vice versa to dump the return traffic from the VRF back into the global table. We match this traffic based off an ACL that lists our cloud web proxy service as the destination, which is triggered by a PAC file installed on each workstation.
The problem is that when a site loses Internet service, the physical interface remains Up but layer-3 reachability dies, and the web traffic is black-holed because the route-map on the LAN interface continues to dump the traffic into the VRF. I'd like the route-map to not dump the traffic into the VRF if a tracked object is not reachable, and instead let it route using the global table. Just to be clear, this is only for traffic matching the destination of our web proxy service in the route-map ACL. All other traffic routes over either DMVPN or the MPLS circuits and is not an issue when we lose Internet connectivity.
I looked into route-map object tracking and all I can find is tracking for setting the next-hop. I do not want to set the next-hop because most of our sites are receiving their default route in the VRF via DHCP. Thinking about it now, I suppose this still would work, as the default route never really changes. It just doesn't seem like the solution I'm looking for, though, or is it? What I'm really hoping for is that there is something I can do for the route-map to track reachability to a certain object and, if it's Down, not apply the "set" command that dumps the traffic into the VRF.
I've also thought about using EEM and simply having the route-map command pulled from the LAN interface when the tracked object is Down then setting up a second EEM event to put the route-map back in. I use a similar setup for removing BGP neighbors and placing them back into production during circuit issues.
I hope I explained myself well enough for everyone to understand what I'm trying to accomplish.
Thanks in advance,
Chris - CCNP
09-04-2015 01:14 AM
Hello Chris
Can you post the configuration of your route-map?
For simple PBR offloading of traffic, you could configure the route-map to verify the reachability of the next-hop (e.g. 192.168.1.1) by tracking an IP SLA probe. For example:
ip sla 1
 icmp-echo 192.168.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
route-map PBR permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.1.1 1 track 1
Then you can verify using:
R1#show route-map PBR
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop verify-availability 192.168.1.1 1 track 1  [up]
  Policy routing matches: 35 packets, 2240 bytes
Best regards,
Martin
09-05-2015 08:21 AM
Hi Martin,
Thank you for the reply. Yes, I am aware of setting the next-hop if an SLA object is Up but I was looking for a way to maintain the current set parameter of dumping the traffic to the VRF because the IP segment used for the transit to the ISP has changed in the past without my knowledge (i.e. local IT staff provisions a new ISP or modem/router and our router is set for DHCP). Although this does not happen very often I didn't want to configure the route-map set parameter for next-hop.
I don't have access to my work environment as I'm writing this but here is a general description of the configuration:
Extended ACL named "proxy" for matching web proxy traffic sourced from LAN subnet to cloud web proxy service:
permit ip source LAN subnet destined to cloud proxy hosts
Extended ACL named "proxy-return" for matching return web proxy traffic sourced from cloud web proxy service to LAN subnet
permit ip source cloud proxy hosts destined to LAN subnet
route-map proxy permit 10
match ACL "proxy"
set vrf "external"
route-map proxy-return permit 10
match ACL "proxy-return"
set global
Internet Interface
ip address dhcp
vrf forwarding external
ip policy route-map proxy-return
LAN Interface
ip policy route-map proxy
02-03-2018 08:36 PM
Hi
Have you got positive feedback on the mentioned issue?
I also have the same requirement but am unable to proceed.
02-04-2018 12:34 AM
Hello,
the original post mentioned an EEM script, I think that could be a good option. Can you post your configuration so we can fill in the necessary bits and pieces for the script ?
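As an added example (not posted by anyone in the thread), here is the EEM approach the original post sketched, filled in against the configuration Chris described above: an IP SLA probe that runs inside the VRF, a track object on it, and two applets that remove and restore "ip policy route-map proxy" on the LAN interface. The VRF name "external" and route-map name "proxy" come from the thread; the interface names (GigabitEthernet0/0 for the LAN, GigabitEthernet0/1 for the Internet circuit), the probe target 8.8.8.8 and the timers are assumptions to adapt to your site.

```cisco
! Added example, not from the thread. Assumed names: VRF "external",
! LAN interface Gi0/0, Internet (DHCP) interface Gi0/1, probe target 8.8.8.8.
!
! 1. Probe a public host THROUGH the VRF, sourced from the Internet interface,
!    so the probe follows the VRF's DHCP-learned default route rather than the
!    global table. Without "vrf external" the probe would go out MPLS/DMVPN and
!    never notice the local circuit failing.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 vrf external
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. Track the probe and dampen flaps: fail fast, recover slowly, so a lossy
!    circuit does not toggle the policy every few seconds.
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! 3. Track DOWN: pull the PBR policy off the LAN interface. Proxy-bound
!    traffic then falls back to the global table (MPLS/DMVPN) instead of being
!    black-holed in the VRF.
event manager applet PROXY-PBR-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0"
 action 4.0 cli command "no ip policy route-map proxy"
 action 5.0 cli command "end"
 action 6.0 syslog priority warnings msg "track 1 DOWN: removed route-map proxy from Gi0/0"
!
! 4. Track UP: put the policy back.
event manager applet PROXY-PBR-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0"
 action 4.0 cli command "ip policy route-map proxy"
 action 5.0 cli command "end"
 action 6.0 syslog priority notifications msg "track 1 UP: restored route-map proxy on Gi0/0"
```

To verify, watch "show track 1" and "show ip sla statistics 1" while unplugging the modem's upstream side (the router interface stays Up, which is exactly the failure mode described), then confirm with "show run interface GigabitEthernet0/0" and "show event manager history events" that the applet fired and the policy was removed. Note that the "proxy-return" route-map on the Internet interface can stay in place: with no policy on the LAN side, no proxy traffic enters the VRF, so there is nothing to return. Pick a probe target that the ISP itself cannot answer locally (a public DNS resolver rather than the modem's gateway), otherwise a dead upstream behind a live modem still looks reachable.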
02-04-2018 01:02 AM - edited 02-04-2018 01:03 AM
Hello
@cgabbert100 wrote:
Hello All!
At each remote office we have two circuits: one for Internet and one for MPLS. The two circuits reside in two routing tables: the Internet is in a VRF and the MPLS uses the global table. We use a route-map to send web traffic from the LAN (which resides in the global routing table) out the Internet interface, and vice versa to dump the return traffic from the VRF back into the global table. We match this traffic based off an ACL that lists our cloud web proxy service as the destination, which is triggered by a PAC file installed on each workstation.
The problem is that when a site loses Internet service, the physical interface remains Up but layer-3 reachability dies, and the web traffic is black-holed because the route-map on the LAN interface continues to dump the traffic into the VRF. I'd like the route-map to not dump the traffic into the VRF if a tracked object is not reachable, and instead let it route using the global table. Just to be clear, this is only for traffic matching the destination of our web proxy service in the route-map ACL. All other traffic routes over either DMVPN or the MPLS circuits and is not an issue when we lose Internet connectivity.
I looked into route-map object tracking and all I can find is tracking for setting the next-hop. I do not want to set the next-hop because most of our sites are receiving their default route in the VRF via DHCP. Thinking about it now, I suppose this still would work, as the default route never really changes. It just doesn't seem like the solution I'm looking for, though, or is it? What I'm really hoping for is that there is something I can do for the route-map to track reachability to a certain object and, if it's Down, not apply the "set" command that dumps the traffic into the VRF.
I would say the most elaborate solution isn't always the best solution (EEM). You can track a destination so that your traffic isn't black-holed with either solution, but it sounds like you are already policy routing, so why not just add IP SLA object tracking to what you already have?
Regards,
Paul