
Using PBR with EIGRP

a.gooding
Level 5

Good day everyone,

I've seen a lot of examples of the above subject but I would like to have some clarification on an existing lab configuration issue we are having. First off, I'm by no means an expert, hence reaching out here.

We have a customer that has its HQ and 10 remote branches. They are all connected via two metro ethernet links with the same bandwidth. The request is to pass video on one link and "the rest" on the other. "The Rest" should also failover to the backup link if the primary fails.

we decided to use PBR with the following general configurations

HQ - WAN1 (Primary) and WAN 2 (backup - for video)

access-list 10 permit "the rest"

access-list 20 permit "video"

route-map TEST 10

match ip 10

set interface WAN 1 WAN 2

route-map TEST 20

match ip 20

set interface WAN 2

Interface LAN

ip policy route-map TEST

my assumption is that for "The rest" it would use the PRIMARY link and if not available use the secondary (this is working)

Video would use the BACKUP link (not working) - it still uses the primary unless I fail the primary.

What I'm seeing is that EIGRP is advertising the PRIMARY link only and therefore as VIDEO is using the interface WAN2 it sees it as not available and drops off to the normal routing. If this is the case, is there any workaround for HQ?

For the branches, since there are defined hops to reach to HQ then I don't think we should have any issues. I have tried using the next hop as well as ip sla for the branches and all seem to work. The key difference here is I can send to a specific hop(s) from branch to HQ but I can't do that from HQ to all branches.

Thanks in advance and apologies if this has been addressed previously; most have been utilizing ISP links which are a bit different from the above.

17 Replies

Gabriel Hill
Level 1

Hello,

Can you kinda draw out a little diagram with what you're working with.

Are both WAN1 / WAN2 directly connected to HQ?

You said that the EIGRP is just advertising the primary link and not the backup link. This is where it would be helpful to visualize. Does the backup link meet the feasible condition? Thoughts: If so, you could possibly use the variance command to have the backup link route added to the routing table, then your PBR should work.

Vinayaka Raman
Level 1

Right ! You will not be able to influence HQ to BO when you are doing PBR OR PfR at one end.. One way is You need to split BO prefix - video plus rest and then advertise.. What I would prefer is advertise a site's summary route via WAN1 (video secondary and rest primary) and subset video prefix (video primary and rest secondary) plus summary route via WAN2...So we can influence HQ to BO TRAFFIC..

a diagram with one remote office and branch office connection with routing protocols involved will say 100 things


Regards Vinayak

Everyone

See attached and see if this helps. Sorry, I'm trying to get the actual config but just out on the field at the moment.

route-map set-next-hop, permit, sequence 50
  Match clauses:
    ip address (access-lists): ACL_VIDEO
  Set clauses:
    ip next-hop verify-availability 200.182.227.53 1 track 50
  Policy routing matches: 277521 packets, 222084905 bytes

route-map set-next-hop, permit, sequence 80
  Match clauses:
    ip address (access-lists): ACL_VOICE
  Set clauses:
    ip next-hop verify-availability 152.177.114.129 1 track 80  [up]
    interface Null0
  Policy routing matches: 113403 packets, 10806535 bytes
route-map set-next-hop, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 486445 packets, 161368450 bytes

RO to BO Traffic manipulation

interface LAN
ip policy route-map set-next-hop   


route-map set-next-hop permit 10
match ip address ACL_VIDEO
set ip next-hop verify-availability 1 track 10
set interface Null0
route-map set-next-hop permit 80

track 10 ip sla 10 reachability
delay down 10 up 10

ip sla 10
icmp-echo
frequency 10

BO to RO traffic Manipulation

Are you doing a route summarization while advertising the RO prefix to headend?

what is the output of show ip route on the headend

For eg if the BO prefix is 10.74.16.0/20

From BO towards primary MPLS link advertise aggregate only--> 10.74.16.0/20

From BO towards secondary MPLS advertise aggregate (10.74.16.0/20) plus subset (10.74.16.128/26)..
You can use eigrp leak maps to achieve this..

Regards Vinayak

Thanks for that detailed response. I'll get the ip routing table for the HQ and sample branch momentarily. Excuse the basic question but I can get this working from Branch to HQ as I can define next hops from the branch going to the HQ, however from HQ to the MULTIPLE BRANCHES seems to be a challenge since I can't specify next hops for each branch (again from the HQ side).

this is a private WAN and not going to any ISP providing Internet BTW.

thanks again

from HQ to branch route manipulation:

we will use most specific match routing...

if HQ can see two routes, one is summary taking to primary path and other is subset taking to secondary path..it will always prefer the secondary path for video because of longest match...this can be achieved by using leak maps at BO.

Regards Vinayak
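
Added example (not part of the original posts): a small Python model of the longest-match selection described above, using the 10.74.16.0/20 aggregate and 10.74.16.128/26 subset from the thread. The host addresses and metric values are assumptions chosen for illustration, and the model also covers what each class of traffic does when one link goes down.

```python
import ipaddress

# Constructed view of what HQ learns from one branch, using the prefixes
# from the thread. Metrics are assumed values chosen so that WAN1 wins for
# the aggregate; they are not taken from the thread.
ADVERTISED = [
    # (prefix, link it was learned over, metric)
    ("10.74.16.0/20", "WAN1", 156160),    # aggregate via primary
    ("10.74.16.0/20", "WAN2", 156260),    # aggregate via secondary
    ("10.74.16.128/26", "WAN2", 156260),  # leaked video subset, secondary only
]

def routing_table(links_up):
    """Keep only routes learned over links that are still up."""
    return [(ipaddress.ip_network(p), link, metric)
            for p, link, metric in ADVERTISED if link in links_up]

def lookup(dest, links_up):
    """Return the egress link: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routing_table(links_up) if addr in r[0]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]

def scenario(links_up):
    """Egress link for one assumed video host and one assumed data host."""
    return {"video": lookup("10.74.16.130", links_up),
            "data": lookup("10.74.17.10", links_up)}

if __name__ == "__main__":
    for up in ({"WAN1", "WAN2"}, {"WAN2"}, {"WAN1"}, set()):
        print(sorted(up), scenario(up))
```

With both links up the /26 pulls video onto WAN2 while everything else follows the aggregate over WAN1; if WAN2 fails the /26 is withdrawn and video falls back to the aggregate on WAN1.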

might be the issue though. You said "if HQ can see two routes", but under normal EIGRP routing only the available route is injected into the routing table, no? Therefore, even if I can two connections, EIGRP will advertise the backup route only when the first fails?

Again, apologies for my cluelessness. I'm trying to get the routing table. Will post ASAP.

please get both show ip route x and show ip route eigrp topology x.x.x.x/x on HQ

and

show run | s eigrp on branch router.

Regards Vinayak

This is what I received from the customer thus far for the main site and one sample branch

Hello,

Have you tried using the distance or offset-lists commands to manipulate the traffic for path selection? This can be done on the branch router with or without touching the hub if you desire.

Offset-lists

Branch:

To advertise a host/network from branch site - use a high offset OUT value with an acl and on the interface you don't want the HQ to use.

To change a host/network from HQ - use a high offset IN value with an acl on the interface you don't want the branch to use.

HQ#sh ip route eigrp | se 22.22.22.0

D       22.22.22.0 [90/156160] via 100.1.12.2, 00:01:39, FastEthernet0/1

                         [90/156160] via 10.1.12.2, 00:01:39, FastEthernet0/0

Branch#sh ip route | se 11.11.11.0

D       11.11.11.0 [90/156160] via 100.1.12.1, 00:23:56, FastEthernet0/1

                         [90/156160] via 10.1.12.1, 00:23:56, FastEthernet0/0

example:

branch:
advertising 22.22.22.0/24 on both fa0/0 and fa0/1 - I want the HQ to take fa0/1 for this network

HQ
advertising 11.11.11.0/24 on fa0/0 and fa0/1 - I want the branch to take fa0/1 for this network

access-list 10 permit 22.22.22.0 0.0.0.255

access-list 10 permit 11.11.11.0 0.0.0.255

Branch:

router eigrp 100

offset-list 10 out 100 fa0/0

offset-list 10 in 100 fa0/0

clear ip eigrp 100 neighbors soft

HQ#sh ip route eigrp | se 22.22.22.0

D       22.22.22.0 [90/156160] via 100.1.12.2, 00:00:17, FastEthernet0/1

Branch#sh ip route | se 11.11.11.0

D       11.11.11.0 [90/156160] via 100.1.12.1, 00:00:10, FastEthernet0/1

Distance command- Set the admin distance on a specific neighbor to be less attractive for the internal route of the acl

access-list 10 permit 22.22.22.0 0.0.0.255

router eigrp 100

distance 91 (eigrp neighbor) 0.0.0.0 10

res

Paul

Please don't forget to rate this post if it has been helpful


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I cannot open the attachment and it is encrypted.. would you mind copy paste?

Regards Vinayak

See if this helps. It's not encrypted, might just be a file name extension

what is your video prefix at head end and branch ?

Regards Vinayak

Video,

HQ is 10.200.30.X

branch office is 10.53.14.0

Data separated into the rest.
