Usage of Route Maps for Next Hop

danbowencisco
Level 1

Hi Everyone,

I have a Cisco L3 switch that I have configured route maps on to amend the next hop to be a firewall. The destination network for the traffic is also connected to the switch (therefore directly connected network), but my issue is this.

If the FW fails, then the traffic will still try to be sent to the down FW due to the route map amending the next hop. Is there a way that I can get the traffic to go via the connected network if the FW should fail? As far as I am aware, the route map will amend the next hop to the FW IP whether the FW is up or not, and therefore the traffic will be dropped.

Am I right on this or has anyone got another idea?

Thanks in advance,

Dan

70 Replies

Dan,

I think that it is possible, but it is a long way to configure it:

  - for each VLAN you have a PBR; the route-map should have 5 entries, one for each other VLAN.

  - you should track each FW IP

  - a combined track between every VLAN

Here is for example the config only for VLAN128.

ip access-l ex VLAN128-VLAN16
 permit ip VLAN128 VLAN16
ip access-l ex VLAN128-VLAN32
 permit ip VLAN128 VLAN32
ip access-l ex VLAN128-VLAN48
 permit ip VLAN128 VLAN48
ip access-l ex VLAN128-VLAN96
 permit ip VLAN128 VLAN96
ip access-l ex VLAN128-VLAN160
 permit ip VLAN128 VLAN160

==== TRACK each VLAN

track 1
 ping FW-VLAN128
track 2
 ping FW-VLAN16
track 3
 ping FW-VLAN32
track 4
 ping FW-VLAN48
track 5
 ping FW-VLAN96
track 6
 ping FW-VLAN160

===== TRACK combined

track 10 list boolean or
 object 1
 object 2
track 20 list boolean or
 object 1
 object 3
track 30 list boolean or
 object 1
 object 4
track 40 list boolean or
 object 1
 object 4
track 50 list boolean or
 object 1
 object 5
track 60 list boolean or
 object 1
 object 6

route-map PBR-VLAN128 permit 20
 match ip address VLAN128-VLAN16
 set ip next-hop verify-availability x.x.x.x 1 track 20
route-map PBR-VLAN128 permit 30
 match ip address VLAN128-VLAN32
 set ip next-hop verify-availability x.x.x.x 1 track 30
route-map PBR-VLAN128 permit 40
 match ip address VLAN128-VLAN48
 set ip next-hop verify-availability x.x.x.x 1 track 40
route-map PBR-VLAN128 permit 50
 match ip address VLAN128-VLAN96
 set ip next-hop verify-availability x.x.x.x 1 track 50
route-map PBR-VLAN128 permit 60
 match ip address VLAN128-VLAN160
 set ip next-hop verify-availability x.x.x.x 1 track 60

Dan

That's brilliant, Dan.

I have just one question...

On the "track each VLAN" section, I apply a track ip sla (number) here?

Then, within the SLA, I use icmp-echo and ping between the VLAN 128 switch and the FW IP of the VLAN in question? Like this...

Example between 128 and 160:

ip sla 1
 icmp-echo 10.11.120.161 source ip 10.11.120.130
 threshold 300
 blah
 blah

Is that what you meant?


Dan

Not quite. First, there is no need for the source IP; it will use the IP on the interface VLAN.

ip sla 1
 icmp-echo FW-VLAN128
 freq ...
 threshold ...
 timeout ...
ip sla 1 schedule ...
track 1 ip sla 1

ip sla 2
 icmp-echo FW-VLAN32
 freq ...
 threshold ...
 timeout ...
ip sla 2 schedule ...
track 2 ip sla 2

.... and so on

Dan

Fantastic, thanks so much Dan. I've learned a lot and you have really helped.

All the best and thanks again.

Dan

My pleasure Dan.

Dan

All of the config was good, it just won't allow me to place the route map on the interface. It doesn't error, it just isn't in the config when I apply it.

It will allow me to add an older RM to the interface, just not one of these new ones.

I really don't know why.

Dan

danbowencisco
Level 1

No probs, it doesn't need to be applied to the interface it seems. It is all working as expected - thanks so much Dan!

I thought it was working but it seems not, the route map verify-availability entry shows as down for each route map.

However, I can ping the next hop from the switch but the route map sees it as down!

Dan

Dan ,

Please paste your ip sla , track , acl and route-map config.

Dan

Hi Dan,

The route map output states that the next hop verify-availability is down.

track 410 list boolean or
object 16
object 96
!
track 420 list boolean or
object 32
object 96
!
track 430 list boolean or
object 48
object 96
!
track 440 list boolean or
object 96
object 128
!
track 450 list boolean or
object 96
object 160
!
track 510 list boolean or
object 16
object 128
!
track 520 list boolean or
object 32
object 528
!
track 530 list boolean or
object 48
object 128
!
track 540 list boolean or
object 96
object 128
!
track 550 list boolean or
object 128
object 160
!
track 610 list boolean or
object 16
object 160
!
track 620 list boolean or
object 32
object 160
!
track 630 list boolean or
object 48
object 160
!
track 640 list boolean or
object 96
object 160
!
track 650 list boolean or
object 128
object 160


interface Vlan96
description Information Network - L3 Interface
ip address 10.11.120.98 255.255.255.240
!
interface Vlan128
description Supervisory Network - L3 Interface
ip address 10.11.120.130 255.255.255.240
!
interface Vlan160
description Management Network - L3 Interface
ip address 10.11.120.162 255.255.255.240


ip access-list extended Route-Map-ACL-Information-Management
permit ip 10.11.120.96 0.0.0.15 10.11.120.160 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Information-Process1
permit ip 10.11.120.96 0.0.0.15 10.11.120.16 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Information-Process2
permit ip 10.11.120.96 0.0.0.15 10.11.120.32 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Information-Process3
permit ip 10.11.120.96 0.0.0.15 10.11.120.48 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Information-Supervisory
permit ip 10.11.120.96 0.0.0.15 10.11.120.128 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Management-Information
permit ip 10.11.120.160 0.0.0.15 10.11.120.96 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Management-Process1
permit ip 10.11.120.160 0.0.0.15 10.11.120.16 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Management-Process2
permit ip 10.11.120.160 0.0.0.15 10.11.120.32 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Management-Process3
permit ip 10.11.120.160 0.0.0.15 10.11.120.48 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Management-Supervisory
permit ip 10.11.120.160 0.0.0.15 10.11.120.128 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Supervisory-Information
permit ip 10.11.120.128 0.0.0.15 10.11.120.96 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Supervisory-Management
permit ip 10.11.120.128 0.0.0.15 10.11.120.160 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Supervisory-Process1
permit ip 10.11.120.128 0.0.0.15 10.11.120.16 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Supervisory-Process2
permit ip 10.11.120.128 0.0.0.15 10.11.120.32 0.0.0.15
deny   ip any any
ip access-list extended Route-Map-ACL-Supervisory-Process3
permit ip 10.11.120.128 0.0.0.15 10.11.120.48 0.0.0.15
deny   ip any any


ip sla 16
icmp-echo 10.11.120.17
threshold 300
timeout 300
frequency 8
ip sla schedule 16 life forever start-time now
ip sla 32
icmp-echo 10.11.120.33
threshold 300
timeout 300
frequency 8
ip sla schedule 32 life forever start-time now
ip sla 48
icmp-echo 10.11.120.49
threshold 300
timeout 300
frequency 8
ip sla schedule 48 life forever start-time now
ip sla 96
icmp-echo 10.11.120.97
threshold 300
timeout 300
frequency 8
ip sla schedule 96 life forever start-time now
ip sla 128
icmp-echo 10.11.120.129
threshold 300
timeout 300
frequency 8
ip sla schedule 128 life forever start-time now
ip sla 160
icmp-echo 10.11.120.161
threshold 300
timeout 300
frequency 8
ip sla schedule 160 life forever start-time now


!
route-map PBR-Information permit 10
match ip address Route-Map-ACL-Information-Process1
set ip next-hop verify-availability 10.11.120.97 1 track 410
!
route-map PBR-Information permit 20
match ip address Route-Map-ACL-Information-Process2
set ip next-hop verify-availability 10.11.120.97 1 track 420
!
route-map PBR-Information permit 30
match ip address Route-Map-ACL-Information-Process3
set ip next-hop verify-availability 10.11.120.97 1 track 430
!
route-map PBR-Information permit 40
match ip address Route-Map-ACL-Information-Supervisory
set ip next-hop verify-availability 10.11.120.97 1 track 440
!
route-map PBR-Information permit 50
match ip address Route-Map-ACL-Information-Management
set ip next-hop verify-availability 10.11.120.97 1 track 450
!
route-map PBR-Supervisory permit 10
match ip address Route-Map-ACL-Supervisory-Process1
set ip next-hop verify-availability 10.11.120.129 1 track 510
!
route-map PBR-Supervisory permit 20
match ip address Route-Map-ACL-Supervisory-Process2
set ip next-hop verify-availability 10.11.120.129 1 track 520
!
route-map PBR-Supervisory permit 30
match ip address Route-Map-ACL-Supervisory-Process3
set ip next-hop verify-availability 10.11.120.129 1 track 530
!
route-map PBR-Supervisory permit 40
match ip address Route-Map-ACL-Supervisory-Information
set ip next-hop verify-availability 10.11.120.129 1 track 540
!
route-map PBR-Supervisory permit 50
match ip address Route-Map-ACL-Supervisory-Management
set ip next-hop verify-availability 10.11.120.129 1 track 550


route-map PBR-Management permit 10
match ip address Route-Map-ACL-Management-Process1
set ip next-hop verify-availability 10.11.120.161 1 track 610
!
route-map PBR-Management permit 20
match ip address Route-Map-ACL-Management-Process2
set ip next-hop verify-availability 10.11.120.161 1 track 620
!
route-map PBR-Management permit 30
match ip address Route-Map-ACL-Management-Process3
set ip next-hop verify-availability 10.11.120.161 1 track 630
!
route-map PBR-Management permit 40
match ip address Route-Map-ACL-Management-Information
set ip next-hop verify-availability 10.11.120.161 1 track 640
!
route-map PBR-Management permit 50
match ip address Route-Map-ACL-Management-Supervisory
set ip next-hop verify-availability 10.11.120.161 1 track 650


All of my objects are showing as undefined.

Track 410
  List boolean or
  Boolean OR is Down
    1 change, last change 12:38:19
    object 16 (Undefined)
    object 96 (Undefined)
  Tracked by:
    ROUTE-MAP 0
Track 420
  List boolean or
  Boolean OR is Down
    1 change, last change 12:38:18
    object 32 (Undefined)
    object 96 (Undefined)
  Tracked by:
    ROUTE-MAP 0
Track 430
  List boolean or
  Boolean OR is Down
    1 change, last change 12:38:18
    object 48 (Undefined)
    object 96 (Undefined)
  Tracked by:
    ROUTE-MAP 0
Track 440
  List boolean or
  Boolean OR is Down
    1 change, last change 12:38:18
    object 96 (Undefined)
    object 128 (Undefined)
  Tracked by:
    ROUTE-MAP 0

Got it, I was missing the track 16 ip sla 16, track 32 ip sla 32...

Sorry to have bothered you, Dan.

Apart from the fact that no route map ever processes any packets.

Am I missing something from the route map config?


Dan
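As an added example (not from the thread or any poster), a small Python audit of the mismatch that produced the "(Undefined)" objects above: it parses IOS-style track, ip sla and route-map lines and reports list members that no "track N ip sla N" or list defines, SLAs with no track bound to them, and route-map entries that reference a track that does not exist. The sample config is constructed to mirror the thread's shape, including a reference to an object 528 that is defined nowhere.

```python
import re
# Constructed sample in the shape of the thread's config (not the poster's full
# config): only track 96 binds its SLA, and object 528 is defined nowhere.
SAMPLE_CONFIG = """\
ip sla 16
ip sla 96
track 96 ip sla 96
track 410 list boolean or
 object 16
 object 96
track 520 list boolean or
 object 32
 object 528
route-map PBR-Supervisory permit 20
 set ip next-hop verify-availability 10.11.120.129 1 track 520
"""

def parse(config):
    """Collect SLA ids, SLA-bound tracks, list members and route-map refs."""
    slas, bound, lists, refs = set(), set(), {}, set()
    current = None  # id of the 'track N list' stanza being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip sla (\d+)", line):
            slas.add(int(m[1]))
        elif m := re.match(r"track (\d+) ip sla \d+", line):
            bound.add(int(m[1]))
        elif m := re.match(r"track (\d+) list boolean", line):
            current = int(m[1])
            lists[current] = []
            continue
        elif m := re.match(r"object (\d+)", line):
            if current is not None:
                lists[current].append(int(m[1]))
            continue
        elif m := re.search(r"verify-availability \S+ \d+ track (\d+)", line):
            refs.add(int(m[1]))
        current = None  # any other command ends the list stanza
    return slas, bound, lists, refs

def audit(config):
    """Report the gaps that make 'show track' print an object as (Undefined)."""
    slas, bound, lists, refs = parse(config)
    defined = bound | set(lists)
    return {
        "undefined_objects": {t: bad for t, objs in lists.items()
                              if (bad := [o for o in objs if o not in defined])},
        "sla_without_track": sorted(slas - bound),
        "routemap_undefined_track": sorted(refs - defined),
    }
```

Run `audit()` over the running config pasted from the switch; an empty report means every list member resolves to a real track object, which is the precondition for the boolean-OR lists ever going Up.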

Any update, Daniel?

Nope, still can't get it working.

The command is supported, as it allows me to apply it, but no traffic matches the route map. If I take the verify-availability off and just use ip next-hop, it works.

Very odd.