Solved: Usage of Route Maps for Next Hop - Page 2

danbowencisco · ‎04-18-2012

Hi Everyone,

I have a Cisco L3 switch that I have configured route maps on to amend the next hop to be a firewall. The destination network for the traffic is also connected to the switch (therefore directly connected network), but my issue is this.

If the FW fails, then the traffic will still try to be sent to the down FW due to the route map amending the next hop. Is there a way that I can get the traffic to go via the connected network if the FW should fail? As far as I am aware, the route map will amend the next hop to the FW IP whether the FW is up or not, and therefore the traffic will be dropped.

Am I right on this or has anyone got another idea?

Thanks in advance,

Dan

Dan-Ciprian Cicioiu · ‎04-18-2012

I belive from "Latest operation return code: Unknown" that you have to also set the frequency.

Please paste "show ip sla configuration"

Dan

danbowencisco · ‎04-18-2012

it is now saying the status is DOWN

danbowencisco · ‎04-18-2012

SL-Cisco-3560G-SW#sh ip sla configuration

IP SLAs Infrastructure Engine-III

Entry number: 1

Owner:

Tag:

Operation timeout (milliseconds): 5000

Type of operation to perform: icmp-echo

Target address/Source address: 10.11.120.161/0.0.0.0

Type Of Service parameter: 0x0

Request size (ARR data portion): 28

Verify data: No

Vrf Name:

Schedule:

Operation frequency (seconds): 60 (not considered if randomly scheduled)

Next Scheduled Start Time: Pending trigger

Group Scheduled : FALSE

Randomly Scheduled : FALSE

Life (seconds): 3600

Entry Ageout (seconds): never

Recurring (Starting Everyday): FALSE

Status of entry (SNMP RowStatus): notInService

Threshold (milliseconds): 5000

Distribution Statistics:

Number of statistic hours kept: 2

Number of statistic distribution buckets kept: 1

Statistic distribution interval (milliseconds): 20

Enhanced History:

History Statistics:

Number of history Lives kept: 0

Number of history Buckets kept: 15

History Filter Type: None

Dan-Ciprian Cicioiu · ‎04-18-2012

The funny thing is that in order to modify it we should stop it :

no ip sla sched 1 lif fo start no

ip sla monit 1

timeout 300

threshold 300

freq 2

ip sla sched 1 lif fo start no

Dan

danbowencisco · ‎04-18-2012

SL-Cisco-3560G-SW#sh track

Track 1

IP SLA 1 state

State is Down

1 change, last change 00:11:26

Latest operation return code: Unknown

Tracked by:

ROUTE-MAP 0

SL-Cisco-3560G-SW#sh route-map NMS-RM

route-map NMS-RM, permit, sequence 10

Match clauses:

ip address (access-lists): 2550

Set clauses:

ip next-hop verify-availability 10.11.120.161 1 track 1 [down]

ip next-hop 10.11.120.161

Policy routing matches: 18788 packets, 1592603 bytes

danbowencisco · ‎04-18-2012

BRILLIANT!!!

we are good. Thanks so much Dan.

SL-Cisco-3560G-SW#sh track

Track 1

IP SLA 1 state

State is Up

2 changes, last change 00:00:31

Latest operation return code: OK

Latest RTT (millisecs) 1

Tracked by:

ROUTE-MAP 0

SL-Cisco-3560G-SW#sh rou

SL-Cisco-3560G-SW#sh route-map NMS-RM

route-map NMS-RM, permit, sequence 10

Match clauses:

ip address (access-lists): 2550

Set clauses:

ip next-hop verify-availability 10.11.120.161 1 track 1 [up]

ip next-hop 10.11.120.161

Policy routing matches: 18808 packets, 1594213 bytes

danbowencisco · ‎04-18-2012

well, the tracking appears to be working but its not doing what I expect.

When I take the FW interface down, the traffic drops and doesnt route via the switch - not sure why.

Dan

Dan-Ciprian Cicioiu · ‎04-18-2012

Take a look :

Set clauses:

ip next-hop verify-availability 10.11.120.161 1 track 1 [up]

ip next-hop 10.11.120.161

Dan

Richard Burts · ‎04-18-2012

Dan

Would you post the configuration of the route map? And perhaps post the output of show route-map taken at a time when the firewall interface is down?

HTH

Rick

HTH

Rick

danbowencisco · ‎04-19-2012

Ok, here is a drawing of what I am working with.

What I am trying to achieve is the ability to route via the switch (directly connected) should the FW interface or Firewall fail.

Dan, here is the route map output when both G0.0/128 and G0/0.160 FW interfaces are down.

SL-Cisco-3560G-SW#sh route-map NMS-RM

route-map NMS-RM, permit, sequence 10

Match clauses:

ip address (access-lists): 2550

Set clauses:

ip next-hop verify-availability 10.11.120.161 1 track 1 [down]

ip next-hop 10.11.120.161

Policy routing matches: 26501 packets, 2254398 bytes

SL-Cisco-3560G-SW#sh route-map Supervisory-RM

route-map Supervisory-RM, permit, sequence 10

Match clauses:

ip address (access-lists): 2540

Set clauses:

ip next-hop verify-availability 10.11.120.129 1 track 2 [down]

ip next-hop 10.11.120.129

Policy routing matches: 1276 packets, 113744 bytes

This is what I would expect as the next hop is now unreachable and therefore I would expect the traffic to be forwarded by the switch using the connected destination network, shown in the routing table from the switch. Problem is, the traffic times out when pinging between hosts 10.11.120.163 to 10.11.120.131.

SL-Cisco-3560G-SW#sh ip route 10.11.120.131

Routing entry for 10.11.120.128/28

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via Vlan128

Route metric is 0, traffic share count is 1

SL-Cisco-3560G-SW#sh ip route 10.11.120.163

Routing entry for 10.11.120.160/28

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via Vlan160

Route metric is 0, traffic share count is 1

route-map NMS-RM permit 10

match ip address 2550

set ip next-hop verify-availability 10.11.120.161 1 track 1

set ip next-hop 10.11.120.161

!

route-map Supervisory-RM permit 10

match ip address 2540

set ip next-hop verify-availability 10.11.120.129 1 track 2

set ip next-hop 10.11.120.129

access-list 2540 remark ***Supervisory Network Route Map ACL***

access-list 2540 deny icmp any host 10.11.120.130

access-list 2540 permit ip 10.11.120.128 0.0.0.15 any

access-list 2550 remark ***Network Managment Network Route Map ACL***

access-list 2550 deny icmp any host 10.11.120.162

access-list 2550 deny udp host 10.11.120.163 host 10.11.120.162 eq snmp

access-list 2550 deny udp host 10.11.120.163 host 10.11.120.162 eq snmptrap

access-list 2550 permit ip 10.11.120.160 0.0.0.15 any

I took the route maps from the interface and it starts to work, however, it will now not let me put them back. It accepts the command but the RM config does not show in a show int vlan 128.

Very strange.

Dan-Ciprian Cicioiu · ‎04-19-2012

Remove:

set ip next-hop 10.11.120.161

Your route-map should look like that :

route-map NMS-RM permit 10

match ip address 2550

set ip next-hop verify-availability 10.11.120.161 1 track 1

Dan

danbowencisco · ‎04-19-2012

ok Dan, thank you.

As soon as the switch lets me put the RM statement back onto the interface I will (reloading).

Dan

danbowencisco · ‎04-19-2012

OK my config is now this, reapplied it after reload (I standardised the numbering to match the IP addressing).

Still timing out when I shut down both FW interfaces.

ip sla 160
icmp-echo 10.11.120.161 source-ip 10.11.120.162
threshold 300
timeout 300
frequency 8
ip sla schedule 160 life forever start-time now

!
track 160 ip sla 160

route-map NMS-RM permit 10
match ip address 2550
set ip next-hop verify-availability 10.11.120.161 1 track 160

ip sla 128
icmp-echo 10.11.120.129 source-ip 10.11.120.130
threshold 300
timeout 300
frequency 8
ip sla schedule 128 life forever start-time now

track 128 ip sla 128

route-map Supervisory-RM permit 10
match ip address 2540
set ip next-hop verify-availability 10.11.120.129 1 track 128

Dan-Ciprian Cicioiu · ‎04-19-2012

Now , in my opinion , the PBR works as expected.

If the next-hop is reachable the traffic is forwarded to the firewall.

If the next-hop is not reachable the traffic is forworded according to the routing table.

Where does the routing table route the traffic ?

show ip route

Dan

danbowencisco · ‎04-19-2012

It should route it straight out of the VLAN 128 interface which is directly connected to the switch.

The destination device is physically connected to the switch on VLAN 128, so I cant see why its not working. If I remove the route map statement from the interface, it works.

SL-Cisco-3560G-SW#sh ip route 10.11.120.131

Routing entry for 10.11.120.128/28

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via Vlan128

Route metric is 0, traffic share count is 1