PBR-Route-map match track

I have a question about match track, please. I understand that if the track is up, it executes the following set command, and if it is down, it goes automatically to the second section of the route-map; is my understanding correct? In my lab, even if it is down, the set command is executed and it does not go to the next section 30. My route-map is:

route-map GLOBAL_TO_VRF permit 20
 match track 6
 set ip default next-hop 10.10.10.1
route-map GLOBAL_TO_VRF permit 30
 set vrf A

With track 6 I have routing reachability via IP SLA, but even if it's down, it doesn't go to step 30 (set vrf A); it goes from the Global default to next hop 10.10.10.1 but without VRF A. Can you please explain why? I tried "default" in the set ip, to skip, and I also applied an extra match ACL in both steps (20 & 30); it stays with the same next-hop condition 10.10.10.1 with the track up and down, and never gets to seq 30!? Thank you very much for your help.

That is my topology: [topology image not included]


@dunya Abdulrazzaq 

How did you configure the IP SLA and the track? Can I see the whole config?

You need something like "track X ip sla x reachability"

and something like

set ip next-hop verify-availability x.x.x.x X track X

What do you want this PBR for?

MHM

As a reliability option in the WAN connection; I have it as a lab. I have 3 routers in my topology, and I want to configure a redundancy option using VRF-Lite between the 3 routers. In each router I have VRF A next to global routing, on each router with the same IP; if the main interface in Global goes down, the other interface in the VRF becomes active for traffic. I have made a leak between the VRF and the global table, and the routing works well between them. Until now it works, but I am wondering about match track!! Why does it give me no skip when down?

Thank you for the answer. IP SLA works well; it is:

ip sla 6
icmp-echo 10.10.10.1 source-interface Ethernet0/1
ip sla schedule 6 life forever start-time now

track 6 ip sla 6 reachability

and it goes down if the connection also goes down.

*The "set ip next-hop verify-availability x.x.x.x X track X" I used with the middle router instead of match track, and it works well; I don't need match track here but match ACL, and it tracks the connection OK and the PBR works fine. To explain: I have 3 routers in the topology. But my question was about match track, because I need it in the 2 side routers, with other commands. Here I have a problem with route-map 30: I get 0 packets, whether track 6 in route-map 20 is up or down.

PBR doesn't check line 30 since it doesn't have a match condition.

And again, what is this PBR used for?
MHM

I tried it also with match ACL in both 20 and 30, and it gives the same output.

You use set vrf, so I need to know the topology and what this PBR is used for.

MHM

Hello
The assumption here is that you are using PBR with that route-map in a VRF?
If so, then stanza 30 is NOT applicable, as the route-map will be called by the interface the policy is applied to, and as it states vrf then again the assumption is that the interface is already associated with the VRF.

As for the IP SLA tracking, I would suggest track reachability for the IP SLA and not ip routing:
track x rtr x reachability

ip route vrf xx (tracked ip) global

route-map xx
(match what traffic you wish to PBR via an ACL or prefix-list, or have no match so all traffic originating from the interface will be policy routed)
set ip next-hop verify-availability 10.10.10.1 1 track x

interface xxx
ip vrf forwarding xx
ip policy route-map xxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
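To make the fall-through rule concrete, here is a small Python model (added here; it is not code from this thread or from Cisco) of how I understand IOS evaluates a PBR route-map: a sequence whose "match track" is down is skipped and the next sequence is tried, a sequence with no match clause matches everything, and "set ip default next-hop" acts only when the RIB has no explicit route for the destination. The sequences and sample RIBs are constructed from the question's route-map (seq 20/30 with track 6) and R7's routing table; whether a real box behaves exactly like this model is not something the thread settles.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Toy model of IOS PBR route-map evaluation (my assumptions, not IOS code):
#  - sequences are tried in order; the first one whose match clauses all
#    succeed is applied and evaluation stops; a sequence with no match
#    clause matches every packet
#  - 'match track N' succeeds only while track N is up
#  - 'set ip default next-hop' is used only if the RIB has no explicit
#    (non-default) route for the destination
#  - 'set ip next-hop verify-availability H seq track N' uses H only while
#    track N is up; 'set vrf A' hands the packet to the VRF A table

@dataclass
class Seq:
    num: int
    match_track: Optional[int] = None
    match_acl: List[str] = field(default_factory=list)  # permitted dst prefixes
    sets: List[Tuple] = field(default_factory=list)     # ordered set clauses

def matches(seq: Seq, dst: str, tracks: dict) -> bool:
    if seq.match_track is not None and not tracks.get(seq.match_track, False):
        return False
    if seq.match_acl and not any(ip_address(dst) in ip_network(p)
                                 for p in seq.match_acl):
        return False
    return True

def has_explicit_route(rib: List[str], dst: str) -> bool:
    return any(p != "0.0.0.0/0" and ip_address(dst) in ip_network(p) for p in rib)

def policy_route(route_map: List[Seq], dst: str, tracks: dict, rib: List[str]):
    """Return (sequence number or None, forwarding decision) for one packet."""
    for seq in route_map:
        if not matches(seq, dst, tracks):
            continue  # track down or ACL miss: fall through to the next sequence
        for kind, *args in seq.sets:
            if kind == "default_next_hop" and not has_explicit_route(rib, dst):
                return seq.num, f"next-hop {args[0]}"
            if kind == "next_hop_verify" and tracks.get(args[1], False):
                return seq.num, f"next-hop {args[0]}"
            if kind == "vrf":
                return seq.num, f"vrf {args[0]}"
        return seq.num, "normal routing"  # matched, but no set clause usable
    return None, "normal routing"

# The route-map from the question (seq 20/30) and Paul's verify-availability form
GLOBAL_TO_VRF = [Seq(20, match_track=6, sets=[("default_next_hop", "10.10.10.1")]),
                 Seq(30, sets=[("vrf", "A")])]
VERIFY_FORM = [Seq(10, sets=[("next_hop_verify", "10.10.10.1", 6)])]

# Constructed sample RIBs for R7: the OSPF route to 40.40.40.0/24 exists only
# while the global WAN link (and therefore track 6) is up
RIB_LINK_UP = ["10.10.10.0/24", "40.40.40.0/24", "50.50.50.0/24"]
RIB_LINK_DOWN = ["10.10.10.0/24", "50.50.50.0/24"]
```

Under this model, with track 6 up and an OSPF route present seq 20 matches but the default next-hop is never used, and with track 6 down seq 20 is skipped and seq 30 sends the packet to VRF A.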

Thank you Paul for your answer, but the interface which this policy is applied on is not associated with any VRF; it is the LAN ingress to the router, and it is part of the global table as a directly connected network.

I have this topology: [topology image not included]

On each of the side routers R7 and R5, I have two output interfaces (with the same IP), one belonging to the global table and one belonging to the VRF. I have configured a leak (using receive VRF) between the Global and the VRF; there is a static route from the Global to VRF A. My scenario: if the main link (Global link) goes down, the LAN traffic to the main site and the other branch will be forwarded using PBR to the other WAN link (VRF link). Until now it works OK. On the middle router I used "set ip next-hop verify-availability x.x.x.x X track X", and even with the 2 side routers the "set ip default next-hop" also works fine, and the LAN traffic will be forwarded using the static route from Global to VRF A and reaches the other side. But to my understanding, I want to see the effect of setting the output packet from Global with the VRF A tag when the interface is down, because in the middle I have to use set vrf A in PBR (when the interface falls down); in the 2 side routers it works fine, and that makes me confused: do I need, when leaking from GLOBAL to VRF, a VRF-tagged packet or not? I wanted to see that using debug, and I use the "match track" with "set vrf" when down to see the difference. But with the match track I always get to the next-hop without VRF! I hope I could explain my scenario well; the reliability scenario between the 3 LANs works OK, and I have connectivity between the 3 LANs even with the Global WAN down; it works well, I assume using leaking and static routing.

I have applied the policy to the LAN interface (incoming traffic to the router from the LAN), and this interface has no VRF; it belongs to the global routing.

OK, let me check the solution; I will update you soon.

MHM

Configured leak (using receive VRF) between the Global and the VRF <<- can I see how you configured the leaking?

MHM

Thank you for your answer,

The design is simple: a redundancy option using VRF-Lite. I use it for the WAN link (between the 3 offices) and also for the VPN link (between the site offices); if the main link (Global RT) falls down (also with the IPsec Tunnel 2), the other link with the same IP (and the other IPsec Tunnel 1) comes up as the active link.

The design seems to work fine, but my question was mainly about the track: even when it is down, the route-map executes the seq. And I had some confusion about the set global / set vrf commands, whether we should use them or not in such a design, so that the traffic can be recognized from the Global RT and the VRF RT, and vice versa. But obviously in this design that is not required; it seems to work fine through static and redistributed routing.

I will be thankful for your advice; it is only a virtual project.

Here is the configuration:


R7 Site Router Office 1
ip vrf A
rd 1:1
track 6 ip sla 6 reachability

#VPN Connection from Office 1 to Office 2
interface Tunnel1
ip vrf forwarding A
ip address 192.168.100.2 255.255.255.0
keepalive 5 4
tunnel source Ethernet0/0
tunnel destination 20.20.20.2
tunnel vrf A
!
interface Tunnel2
ip address 192.168.100.2 255.255.255.0
keepalive 5 4
tunnel source Ethernet0/1
tunnel destination 20.20.20.2
#WAN Connection to HQ (R9)
interface Ethernet0/0
ip vrf forwarding A
ip address 10.10.10.2 255.255.255.0
crypto map VPN-A
!
interface Ethernet0/1
ip address 10.10.10.2 255.255.255.0
crypto map VPN
!
#Connection to the LAN Office 1
interface Ethernet0/2
ip vrf receive A ### Receive Command
ip address 50.50.50.1 255.255.255.0
ip policy route-map GLOBAL_TO_VRF_OR_R5-VPN #PBR policy with next-hop and tunnel redundancy

!
router ospf 1 vrf A
redistribute connected subnets
network 10.10.10.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
!
router ospf 3
redistribute connected subnets
network 10.10.10.0 0.0.0.255 area 0
network 50.50.50.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0

ip route 10.10.10.0 255.255.255.0 Ethernet0/0 #static route to vrf A
ip route vrf A 40.40.40.0 255.255.255.0 Tunnel1 #static route to GRE Tunnel 1 in VRF A


ip access-list extended ACL1 #ACL for IPsec VPN
permit gre 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

ip access-list extended VPN
permit ip any 40.40.40.0 0.0.0.255

ip sla 6
icmp-echo 10.10.10.1 source-interface Ethernet0/1
ip sla schedule 6 life forever start-time now

route-map GLOBAL_TO_VRF_OR_R5-VPN permit 10 #Route map for IPsec VPN tunnel redundancy
match ip address VPN
set interface Tunnel2 Tunnel1
!

route-map GLOBAL_TO_VRF_OR_R5-VPN permit 20 #Route map for WAN Redundancy
match track 6
set ip default next-hop 10.10.10.1 #on the Global RT; it is the directly connected link e0/1. If down, go to the next (static to VRF A, next WAN connection e0/0; no need for "set vrf A")


show ip Route ### Global RT

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Ethernet0/1
L 10.10.10.2/32 is directly connected, Ethernet0/1
20.0.0.0/24 is subnetted, 1 subnets
O 20.20.20.0 [110/20] via 10.10.10.1, 00:20:57, Ethernet0/1
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/30] via 10.10.10.1, 00:20:57, Ethernet0/1
50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 50.50.50.0/24 is directly connected, Ethernet0/2
L 50.50.50.1/32 is directly connected, Ethernet0/2
O 192.168.52.0/24 [110/20] via 10.10.10.1, 00:20:57, Ethernet0/1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Tunnel2
L 192.168.100.2/32 is directly connected, Tunnel2

show ip Route vrf A

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Ethernet0/0
L 10.10.10.2/32 is directly connected, Ethernet0/0
20.0.0.0/24 is subnetted, 1 subnets
O 20.20.20.0 [110/20] via 10.10.10.1, 00:22:53, Ethernet0/0
40.0.0.0/24 is subnetted, 1 subnets
S 40.40.40.0 is directly connected, Tunnel1
50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 50.50.50.0/24 is directly connected, Ethernet0/2
L 50.50.50.1/32 is directly connected, Ethernet0/2
O E2 192.168.52.0/24 [110/20] via 10.10.10.1, 00:22:53, Ethernet0/0 #redistribute from Neighbor R6
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Tunnel1
L 192.168.100.2/32 is directly connected, Tunnel1

 

R5 Site Router -office 2

ip vrf A
rd 1:1

#VPN Connection from Office 2 to Office 1
interface Tunnel1
ip vrf forwarding A
ip address 192.168.100.1 255.255.255.0
keepalive 5 4
tunnel source Ethernet0/0
tunnel destination 10.10.10.2
tunnel vrf A
!
interface Tunnel2
ip address 192.168.100.1 255.255.255.0
keepalive 5 4
tunnel source Ethernet0/0
tunnel destination 10.10.10.2
!
#WAN Connection to HQ (R9)
interface Ethernet0/0
ip vrf forwarding A
ip address 20.20.20.2 255.255.255.0
crypto map VPN-A ##IPSEC Crypto Policy -VRF A
!
interface Ethernet0/1
ip address 20.20.20.2 255.255.255.0
crypto map VPN ##IPSEC Crypto Policy -Global RT
!
interface Ethernet0/2 #Connection to the LAN Office 2
ip vrf receive A
ip address 40.40.40.1 255.255.255.0
ip policy route-map GLOBAL_TO_VRF_OR_R7-VPN #PBR policy with next-hop and tunnel redundancy


router ospf 1 vrf A
redistribute connected subnets
network 20.20.20.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
!
router ospf 3
redistribute connected subnets
network 20.20.20.0 0.0.0.255 area 0
network 40.40.40.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0

ip route 20.20.20.0 255.255.255.0 Ethernet0/0 #static route to vrf A
ip route vrf A 50.50.50.0 255.255.255.0 Tunnel1 #static route for GRE Tunnel 1

ip access-list extended ACL1 #ACL for GRE Traffic
permit gre 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ip access-list extended VPN
permit ip any 50.50.50.0 0.0.0.255

access-list 2105 permit ip 40.40.40.0 0.0.0.255 any
!
ip sla 3
icmp-echo 20.20.20.1 source-interface Ethernet0/1
ip sla schedule 3 life forever start-time now


route-map GLOBAL_TO_VRF_OR_R7-VPN permit 10 #Route map for IPsec VPN tunnel redundancy; the same principle as R7, but here I used default: when the default (Tunnel2) is not active, Tunnel1 will be used
match ip address VPN
set default interface Tunnel1
!

route-map GLOBAL_TO_VRF_OR_R7-VPN permit 20 #Route map for WAN Redundancy
match track 3
set ip default next-hop 20.20.20.1
!
#I have this also as an option instead of match track; it works too ####
#match ip address 2105
set ip next-hop verify-availability 20.20.20.1 20 track 3 #it is the directly connected link e0/1; if down, go to the next (static to VRF A, next WAN connection e0/1)
set ip next-hop 20.20.20.1


#
show ip Route
10.0.0.0/24 is subnetted, 1 subnets
O 10.10.10.0 [110/20] via 20.20.20.1, 00:59:59, Ethernet0/1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Ethernet0/1
L 20.20.20.2/32 is directly connected, Ethernet0/1
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 40.40.40.0/24 is directly connected, Ethernet0/2
L 40.40.40.1/32 is directly connected, Ethernet0/2
50.0.0.0/24 is subnetted, 1 subnets
O 50.50.50.0 [110/30] via 20.20.20.1, 00:59:59, Ethernet0/1
O 192.168.52.0/24 [110/20] via 20.20.20.1, 00:59:59, Ethernet0/1
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Tunnel2
L 192.168.100.1/32 is directly connected, Tunnel2
show ip Route vrf A
10.0.0.0/24 is subnetted, 1 subnets
O 10.10.10.0 [110/20] via 20.20.20.1, 01:01:05, Ethernet0/0
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Ethernet0/0
L 20.20.20.2/32 is directly connected, Ethernet0/0
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 40.40.40.0/24 is directly connected, Ethernet0/2
L 40.40.40.1/32 is directly connected, Ethernet0/2
50.0.0.0/24 is subnetted, 1 subnets
S 50.50.50.0 is directly connected, Tunnel1
O E2 192.168.52.0/24 [110/20] via 20.20.20.1, 01:01:05, Ethernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Tunnel1
L 192.168.100.1/32 is directly connected, Tunnel1

 

*show Ip int brief of R5

dunyaAbdulrazzaq_2-1732271546851.png

 


R9 HQ router
ip vrf A
rd 1:1
track 3 ip sla 3
!
track 4 ip sla 4
#Connection to R5
interface Ethernet0/0
ip vrf forwarding A
ip address 20.20.20.1 255.255.255.0
!
interface Ethernet0/1
ip address 20.20.20.1 255.255.255.0
!

!
#Connection to R7
interface Ethernet1/0
ip vrf forwarding A
ip address 10.10.10.1 255.255.255.0

!
interface Ethernet1/1
ip address 10.10.10.1 255.255.255.0

interface Ethernet0/2 #Connection to the HQ LAN
ip vrf receive A
ip address 192.168.52.100 255.255.255.0
ip policy route-map GLOBAL_TO_VRF


router ospf 1 vrf A
router-id 4.4.4.4
redistribute connected subnets
network 10.10.10.0 0.0.0.255 area 0
network 20.20.20.0 0.0.0.255 area 0
!
router ospf 3
router-id 9.9.9.9
redistribute connected subnets
network 10.10.10.0 0.0.0.255 area 0
network 20.20.20.0 0.0.0.255 area 0
network 192.168.52.0 0.0.0.255 area 0

ip sla 3
icmp-echo 10.10.10.2 source-interface Ethernet1/1
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 20.20.20.2 source-interface Ethernet0/1
ip sla schedule 4 life forever start-time now

route-map GLOBAL_TO_VRF permit 10 ### Route-map to set the next-hop to R5
match ip address 2107
set ip next-hop verify-availability 20.20.20.2 10 track 4 #### on the Global RT; it is the directly connected link e0/1; if down, go to the next (static to VRF A, next WAN connection e0/0)
set ip vrf A next-hop 20.20.20.2
##or set ip next-hop 10.10.10.2
!
route-map GLOBAL_TO_VRF permit 20 ### Route-map to set the next-hop to R7
match ip address 2117
set ip next-hop verify-availability 10.10.10.2 20 track 3 ##on the Global RT; it is the directly connected link e1/1; if down, go to the next (static to VRF A, next WAN connection e1/0)
set ip next-hop 10.10.10.2
##or set ip vrf A next-hop 10.10.10.2 ##the same
!
!
#traffic to the R5 site
access-list 2107 permit ip any 40.40.40.0 0.0.0.255
access-list 2107 permit ip any 20.20.20.0 0.0.0.255

#traffic to the R7 site
access-list 2117 permit ip any 50.50.50.0 0.0.0.255
access-list 2117 permit ip any 10.10.10.0 0.0.0.255


############
#If you want to set up the PBR policy as a local router policy, the IPsec traffic must be excluded from the policy in all 3 routers
#for example in HQ
access-list 2107 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 2117 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
##################

show ip route
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Ethernet1/1
L 10.10.10.1/32 is directly connected, Ethernet1/1
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Ethernet0/1
L 20.20.20.1/32 is directly connected, Ethernet0/1
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/20] via 20.20.20.2, 01:44:00, Ethernet0/1
50.0.0.0/24 is subnetted, 1 subnets
O 50.50.50.0 [110/20] via 10.10.10.2, 01:44:00, Ethernet1/1
192.168.52.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.52.0/24 is directly connected, Ethernet0/2
L 192.168.52.100/32 is directly connected, Ethernet0/2
O 192.168.100.0/24 [110/1010] via 20.20.20.2, 01:43:37, Ethernet0/1
[110/1010] via 10.10.10.2, 01:43:37, Ethernet1/1

show ip route vrf A
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Ethernet1/0
L 10.10.10.1/32 is directly connected, Ethernet1/0
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Ethernet0/0
L 20.20.20.1/32 is directly connected, Ethernet0/0
40.0.0.0/24 is subnetted, 1 subnets
O E2 40.40.40.0 [110/20] via 20.20.20.2, 01:44:38, Ethernet0/0
50.0.0.0/24 is subnetted, 1 subnets
O E2 50.50.50.0 [110/20] via 10.10.10.2, 01:44:38, Ethernet1/0
192.168.52.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.52.0/24 is directly connected, Ethernet0/2
L 192.168.52.100/32 is directly connected, Ethernet0/2
O 192.168.100.0/24 [110/1010] via 20.20.20.2, 01:44:15, Ethernet0/0
[110/1010] via 10.10.10.2, 01:44:15, Ethernet1/0

Here is the RT with the offline link:

[screenshot: R5 routing table not included]

[screenshot: R7 routing table not included]

[screenshot: R9-HQ routing table not included]

[screenshots: Tunnel 1 & Tunnel 2 redundancy not included]

[screenshot: sample of debug ip policy on R9 not included]

*Please notice: if you want to test it, test the connectivity from the switches, because when the link falls down you need, for the local traffic from the router, to set up local PBR, and the traffic related to the IPsec must be excluded from the route-map with a deny (between 10.10.10.0 and 20.20.20.0). I left you one as an example; I have tested it locally and it works, but here in this configuration it is without local PBR.

The tunnel destination for the tunnel is not directly connected? Why do you use 20.20.20.x instead of 10.10.10.x?

The subnet 20.20.20.x or 10.10.10.x must be in the global RIB on both tunnel heads.

MHM
