
set ip next-hop verify-availability - on cat 9k

robad
Level 1

Hi,

We have a new Catalyst 9600 that should replace an older Catalyst 6500 acting as our client's gateway.
Since we have dedicated uplink interfaces for each lab, we are using route-map to route traffic to them.

On the new 9600, we could not add the ip policy to the interface vlan with the following error showing in the logs:
*Oct 11 08:08:56.427: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map wwsp has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied


After speaking with TAC, they mentioned that verify-availability command is not supported on the 9600 and we should find another way.

This is an example of how our route-maps are configured:

route-map test, permit, sequence 40
Match clauses:
ip address (access-lists): test
Set clauses:
ip next-hop verify-availability 10.10.10.20 10 track 15 [up]
ip next-hop 10.10.20.20

track 15 interface GigabitEthernet1/3/8 line-protocol

Are there any good alternatives for verify-availability? For us it's a must. We use those configs for years on the 6500.

Thanks in advance.
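
A pre-migration check for the failure described in the question above, as an added example that is not part of the original post: it scans a saved running-config for "set ip next-hop verify-availability" clauses and lists the interfaces whose "ip policy route-map" would be removed when the platform rejects the route-map. The sample config is constructed; interface Vlan100, its address and the second route-map are assumptions.

```python
import re

# Constructed sample config modelled on the route-map in the question;
# interface Vlan100, its address and route-map "plain" are made up.
SAMPLE_CONFIG = """\
track 15 interface GigabitEthernet1/3/8 line-protocol
!
interface Vlan100
 ip address 10.10.30.1 255.255.255.0
 ip policy route-map test
!
route-map test permit 40
 match ip address test
 set ip next-hop verify-availability 10.10.10.20 10 track 15
 set ip next-hop 10.10.20.20
!
route-map plain permit 10
 match ip address other
 set ip next-hop 10.10.40.1
"""

RMAP = re.compile(r"^route-map (\S+) (permit|deny) (\d+)")
VERIFY = re.compile(r"^\s+set ip next-hop verify-availability (\S+) (\d+) track (\d+)")
POLICY = re.compile(r"^\s+ip policy route-map (\S+)")
IFACE = re.compile(r"^interface (\S+)")

def find_verify_availability(config):
    """Return one finding per verify-availability clause, with the interfaces
    that would lose their PBR policy if the route-map is rejected."""
    applied = {}    # route-map name -> interfaces that apply it with "ip policy"
    findings = []
    iface = rmap = None
    for line in config.splitlines():
        if not line.startswith(" "):    # any top-level line ends the current block
            iface = rmap = None
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := RMAP.match(line):
            rmap = (m.group(1), int(m.group(3)))
        elif (m := POLICY.match(line)) and iface:
            applied.setdefault(m.group(1), []).append(iface)
        elif (m := VERIFY.match(line)) and rmap:
            findings.append({"route_map": rmap[0], "sequence": rmap[1],
                             "next_hop": m.group(1), "track": int(m.group(3))})
    for f in findings:                  # interfaces may be defined after the route-map
        f["interfaces"] = applied.get(f["route_map"], [])
    return findings

if __name__ == "__main__":
    print(find_verify_availability(SAMPLE_CONFIG))
```

An empty result means no route-map in the file uses the clause; a finding with a non-empty interface list marks traffic that would fall back to normal routing after the policy is removed.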

4 Replies

Hello,

 

you could achieve the same result with an IP SLA and an EEM script that checks the availability of the next hop. If it is not reachable, the EEM script changes the next hop in the route map accordingly, and vice versa.

 

The config would look like this:

 

track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 10.10.10.20 source-ip 10.10.10.10
frequency 5
!
ip sla schedule 1 start-time now life forever

!

! Track 1 down: point the route-map at the backup next hop
event manager applet POLICY_MAP_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "route-map test permit 40"
action 4.0 cli command "match ip address test"
action 5.0 cli command "set ip next-hop 10.10.20.20"
action 6.0 cli command "end"
!
! Track 1 up: restore the primary next hop
event manager applet POLICY_MAP_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "route-map test permit 40"
action 4.0 cli command "match ip address test"
action 5.0 cli command "set ip next-hop 10.10.10.20"
action 6.0 cli command "end"

Hi Georg, sorry for the delay.

Thanks for your solution 

 

We've tried to run what you suggested.

Under : event maanger applet POLICY_MAP_DOWN
We can't run this : event track1 state down

 

There is no "event track" option

There is event ipsla, but there is no option for a name, only a group-name and some other options

 

We are running version 17.3.14

Hello,

 

I think you need DNA Advantage to have full EEM capability... Can you check what license you have installed (sh lic)?

pman
Spotlight

You ask: "Are there any good alternatives for verify-availability? For us it's a must. We use those configs for years on the 6500."

If you configure simple PBR (match + ip next-hop) and the switch learns the 10.10.10.20 route from a static route (for example),

then you can simply attach ip sla / track to the static route,

and if the track goes down for this static route, then both the static route and the ip next-hop command (inside the route-map) will no longer be used.

 

The next-hop ip command works like this:


The set ip next-hop command verifies the existence of the next hop specified, and…

  1. if the next hop exists in the routing table, then the command policy routes the packet to the next hop.
  2. if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.