Cisco IP SLA Track For PBR

We learn in this blog post how to leverage Cisco IOS IP SLA tracking with PBR.

Cisco IP SLA track for PBR: a sample topology

I used Eve-NG to generate this network topology.

[Figure: cisco-ip-sla-track-pbr-topology]

Using PBR to change the path of the packet

The normal behaviour is that IP traffic from host A destined to loopback0 (2.2.2.2) goes through DLS1 and then Router.

I configured policy-based routing (PBR) on DLS1 this way:

if IP or UDP traffic sourced from host A to loopback0 arrives on my SVI 100,

then force it to go to DLS2 first, then on to Router.

 

VPCS> trace 2.2.2.2
trace to 2.2.2.2, 8 hops max, press Ctrl+C to stop
 1   172.16.100.1   21.232 ms  15.710 ms  6.978 ms
 2   11.11.11.10   20.314 ms  24.029 ms  18.548 ms !!! this is DLS2
 3   *11.11.11.5   31.603 ms (ICMP type:3, code:3, Destination port unreachable)  *

VPCS>

However, when the link between DLS1 and DLS2 fails, we get a routing black hole:

 

VPCS> trace 2.2.2.2
trace to 2.2.2.2, 8 hops max, press Ctrl+C to stop
 1   172.16.100.1   16.755 ms  18.482 ms  16.274 ms !!! traffic reaches DLS1 and then PBR sends it towards DLS2, which is down.
 2     *  *  *
 3     *  *  *
 4     *  *  *
 5     *  *  *
 6     *  *  *
^C 7

VPCS> 

Cisco IP SLA with object tracking

One clean solution is to implement Object Tracking on top of an IP SLA operation, then to reference the Tracking Object within the PBR statement.

First, configure the IP SLA operation on DLS1. In the real world it can be either an ICMP Echo or a UDP Echo IP SLA operation. Since I’m using Cisco virtual IOS in my home lab, I used a UDP Echo IP SLA operation; note that UDP Echo needs an IP SLA responder on the far end, which is why DLS2 carries "ip sla responder udp-echo ipaddress 11.11.11.9 port 5000" in its configuration below.

ip sla 3
 udp-echo 11.11.11.10 5000 source-ip 11.11.11.9 source-port 5001
 frequency 10
ip sla schedule 3 start-time after 00:01:00

Configure a Tracking Object. Set it to track the IP SLA operation you just configured.

track 33 ip sla 3

I named it 33 because it reminds me of IP SLA 3 :)

Cisco IP SLA Track for PBR

Configure a route-map. Instead of a plain set ip next-hop statement, use the set ip next-hop verify-availability command:

route-map RmapPBR permit 10
 match ip address PBRacl1
 continue 20
 set ip next-hop verify-availability 11.11.11.10 1 track 33

This makes the use of next hop 11.11.11.10 conditional on the state of Tracking Object 33, i.e. on the reachability reported by IP SLA 3:

[Figure: cisco-ip-sla-track-pbr]
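The chain configured above only works when four things line up: the route-map references an existing track, the track references an existing IP SLA operation, that operation probes the very next hop the route-map will use, and the far end actually answers the probe (for UDP Echo, a responder entry matching the probe's source-ip and port, as on DLS2). The Python script below is an added example, not part of the original post, that checks those four points by parsing the relevant pieces of the DLS-1 and DLS-2 configurations; the two config strings are constructed from the page's configurations, the parser is a minimal walk over IOS config sections rather than a full IOS parser, and the "wrong port" variant at the end is a constructed mistake.

```python
"""Consistency check for the IP SLA -> track -> PBR chain on DLS1 against the
IP SLA responder on DLS2 (added example, not the page's own code)."""
import re

# Constructed from the DLS-1 configuration on the page (only the relevant lines).
DLS1_CFG = """\
track 33 ip sla 3
!
ip sla 3
 udp-echo 11.11.11.10 5000 source-ip 11.11.11.9 source-port 5001
 frequency 10
ip sla schedule 3 start-time after 00:01:00
!
route-map RmapPBR permit 10
 match ip address PBRacl1
 set ip next-hop verify-availability 11.11.11.10 1 track 33
"""

# Constructed from the DLS-2 configuration on the page (only the relevant lines).
DLS2_CFG = """\
interface Vlan101
 ip address 11.11.11.10 255.255.255.252
!
ip sla responder
ip sla responder udp-echo ipaddress 11.11.11.9 port 5000
"""


def sections(cfg):
    """Yield (header, [sub-lines]) for each top-level block of an IOS config."""
    header, body = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented line belongs to current block
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def parse_sla_probes(cfg):
    """'ip sla <n>' blocks -> {n: {type, target, port, source_ip}}."""
    probes = {}
    for header, body in sections(cfg):
        m = re.fullmatch(r"ip sla (\d+)", header)
        if not m:
            continue
        for line in body:
            pm = re.match(r"(udp-echo|icmp-echo|udp-jitter) (\S+)(?: (\d+))?(.*)", line)
            if pm:
                opts = dict(re.findall(r"(source-ip|source-port) (\S+)", pm.group(4)))
                probes[int(m.group(1))] = {
                    "type": pm.group(1), "target": pm.group(2),
                    "port": int(pm.group(3)) if pm.group(3) else None,
                    "source_ip": opts.get("source-ip"),
                }
    return probes


def parse_tracks(cfg):
    """'track <t> ip sla <n>' -> {t: n}."""
    return {int(t): int(n) for h, _ in sections(cfg)
            for t, n in re.findall(r"^track (\d+) ip sla (\d+)", h)}


def parse_pbr_next_hops(cfg):
    """verify-availability clauses -> [(route_map, seq, next_hop, track_id)]."""
    hops = []
    for header, body in sections(cfg):
        m = re.match(r"route-map (\S+) permit (\d+)", header)
        for line in body if m else []:
            nm = re.match(r"set ip next-hop verify-availability (\S+) \d+ track (\d+)", line)
            if nm:
                hops.append((m.group(1), int(m.group(2)), nm.group(1), int(nm.group(2))))
    return hops


def parse_responder(cfg):
    """-> (responder enabled?, {(ipaddress, port) udp-echo responder entries})."""
    enabled, udp_echo = False, set()
    for header, _ in sections(cfg):
        enabled |= header == "ip sla responder"
        m = re.match(r"ip sla responder udp-echo ipaddress (\S+) port (\d+)", header)
        if m:
            udp_echo.add((m.group(1), int(m.group(2))))
    return enabled, udp_echo


def interface_addresses(cfg):
    """All 'ip address' values configured on the device."""
    return {m.group(1) for _, body in sections(cfg) for line in body
            for m in [re.match(r"ip address (\S+) \S+", line)] if m}


def check_pbr_chain(policy_cfg, responder_cfg):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    probes, tracks = parse_sla_probes(policy_cfg), parse_tracks(policy_cfg)
    enabled, responders = parse_responder(responder_cfg)
    peer_ips = interface_addresses(responder_cfg)
    for rmap, seq, hop, track_id in parse_pbr_next_hops(policy_cfg):
        where = f"route-map {rmap} seq {seq}"
        if track_id not in tracks:
            findings.append(f"{where}: track {track_id} is not defined")
            continue
        sla_id = tracks[track_id]
        probe = probes.get(sla_id)
        if probe is None:
            findings.append(f"{where}: track {track_id} references undefined ip sla {sla_id}")
            continue
        if probe["target"] != hop:
            findings.append(f"{where}: ip sla {sla_id} probes {probe['target']}, not next hop {hop}")
        if probe["target"] not in peer_ips:
            findings.append(f"{where}: probe target {probe['target']} is not configured on the responder")
        if probe["type"] == "udp-echo":
            if not enabled:
                findings.append(f"{where}: responder side lacks 'ip sla responder'")
            # The page's DLS2 entry names the probe's source-ip and port; check for that pair.
            if (probe["source_ip"], probe["port"]) not in responders:
                findings.append(f"{where}: responder has no udp-echo entry for ipaddress "
                                f"{probe['source_ip']} port {probe['port']}")
    return findings


if __name__ == "__main__":
    print("as on the page:", check_pbr_chain(DLS1_CFG, DLS2_CFG) or "consistent")
    # Constructed mistake: responder on the wrong port, so the probe times out
    # and track 33 stays Down even though the DLS1-DLS2 link is fine.
    print("wrong port:", check_pbr_chain(DLS1_CFG, DLS2_CFG.replace("port 5000", "port 5001")))
```

A probe that silently never succeeds is the failure mode worth catching here: with the track permanently Down, PBR never engages and traffic quietly takes the normal path, which is easy to miss in a lab and worse in production.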

When IP SLA 3 reports its destination (here 11.11.11.10) as reachable, the PBR next hop is 11.11.11.10:

VPCS> trace 2.2.2.2
trace to 2.2.2.2, 8 hops max, press Ctrl+C to stop
 1   172.16.100.1   15.724 ms  21.130 ms  14.142 ms
 2   11.11.11.10   28.583 ms  21.695 ms  25.356 ms
 3   *11.11.11.5   11.877 ms (ICMP type:3, code:3, Destination port unreachable)  *

VPCS>
VPCS>

Otherwise, the set ip next-hop statement of the route-map is invalid and the normal routing process decides which route to take:

-------
Sep 25 15:38:08.561: %TRACK-6-STATE: 33 ip sla 3 state Up -> Down
------
VPCS> trace 2.2.2.2
trace to 2.2.2.2, 8 hops max, press Ctrl+C to stop
 1   172.16.100.1   16.167 ms  44.836 ms  25.935 ms
 2   *11.11.11.1   23.718 ms (ICMP type:3, code:3, Destination port unreachable)  *

VPCS> 

When reachability of the tracked IP SLA target (here the reachability of DLS2 from DLS1) is established again, the Tracking Object returns a positive status to the route-map and the set ip next-hop statement is valid again:

Sep 25 15:38:33.573: %TRACK-6-STATE: 33 ip sla 3 state Down -> Up
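The two %TRACK-6-STATE messages above are the only signal DLS1 gives that host A's traffic has changed path. The Python script below is an added example, not part of the original post: it parses such syslog lines, models the verify-availability decision (the verified hop while the track is Up, otherwise the hop normal routing picks, which the traceroute above shows as 11.11.11.1), and raises an alert when the track flaps repeatedly inside a short window, since every flap reroutes the flow. The two log lines from the page are reused; the remaining lines, their timestamps and the 60-second/3-transition threshold are constructed.

```python
"""Follow track 33 from IOS syslog and derive the PBR next hop over time
(added example, not the page's own code)."""
import re
from datetime import datetime, timedelta

TRACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %TRACK-6-STATE: (?P<track>\d+) "
    r"ip sla (?P<sla>\d+) state (?P<old>\w+) -> (?P<new>\w+)$"
)

# Constructed log: the first two lines are the ones shown on the page, the
# rest (including the unrelated CONFIG_I line) are made up for the example.
CONSTRUCTED_LOG = """\
Sep 25 15:38:08.561: %TRACK-6-STATE: 33 ip sla 3 state Up -> Down
Sep 25 15:38:33.573: %TRACK-6-STATE: 33 ip sla 3 state Down -> Up
Sep 25 15:40:01.002: %SYS-5-CONFIG_I: Configured from console by console
Sep 25 15:41:10.120: %TRACK-6-STATE: 33 ip sla 3 state Up -> Down
Sep 25 15:41:25.300: %TRACK-6-STATE: 33 ip sla 3 state Down -> Up
Sep 25 15:41:48.900: %TRACK-6-STATE: 33 ip sla 3 state Up -> Down
"""


def parse_track_events(log):
    """-> [(timestamp, track id, new state)] for every %TRACK-6-STATE line."""
    events = []
    for line in log.splitlines():
        m = TRACK_RE.match(line)
        if m:
            # IOS timestamps carry no year; 2000 is an assumed, leap-safe filler.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
            events.append((ts, int(m["track"]), m["new"]))
    return events


def pbr_next_hop(track_state, verified_hop="11.11.11.10", fallback="11.11.11.1"):
    """Model of 'set ip next-hop verify-availability <hop> 1 track <n>': the hop
    is used only while the track is Up; otherwise the set clause is skipped and
    normal routing applies (fallback = the hop the routing table chooses)."""
    return verified_hop if track_state == "Up" else fallback


def next_hop_timeline(log, track_id=33):
    """-> [(hh:mm:ss.mmm, next hop in effect from that moment)] for one track."""
    return [(ts.strftime("%H:%M:%S.%f")[:-3], pbr_next_hop(state))
            for ts, tid, state in parse_track_events(log) if tid == track_id]


def flap_alerts(log, track_id=33, max_transitions=3, window=timedelta(seconds=60)):
    """Timestamps at which the track changed state max_transitions or more
    times within the trailing window (constructed threshold)."""
    stamps = [ts for ts, tid, _ in parse_track_events(log) if tid == track_id]
    alerts = []
    for i, ts in enumerate(stamps):
        recent = [s for s in stamps[:i + 1] if ts - s <= window]
        if len(recent) >= max_transitions:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    for stamp, hop in next_hop_timeline(CONSTRUCTED_LOG):
        print(f"{stamp}  PBR next hop for host A -> 2.2.2.2: {hop}")
    for ts in flap_alerts(CONSTRUCTED_LOG):
        print(f"ALERT {ts:%H:%M:%S}: track 33 flapping, check IP SLA 3 and the DLS1-DLS2 link")
```

In practice the same logic runs over a syslog collector's feed rather than a string; the point is that a track flap is both an availability event and a path change, so it deserves an alert rather than an informational log level.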

Cisco IP SLA Track for PBR: configuration files

The configuration of each device in the topology follows, in this order: router, DLS1, DLS2, ALS1, ALS2, Host A and Host B.
router:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
no ipv6 cef
ipv6 multicast rpf use-bgp
!
ip cef
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
duplex auto
!
interface Ethernet0/1
description -- to DLS1 --
no switchport
ip address 11.11.11.1 255.255.255.252
!
interface Ethernet0/2
description -- to DLS2 --
no switchport
ip address 11.11.11.5 255.255.255.252
!
interface Ethernet0/3
duplex auto
!
!
router eigrp 2534
network 2.2.2.2 0.0.0.0
network 11.11.11.0 0.0.0.3
network 11.11.11.4 0.0.0.3
!
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
end

DLS1:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DLS-1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no process cpu autoprofile hog
clock timezone cet 1 0
!
!
!
!
!
vtp file vlan.dat
!
!
!
no ip domain-lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99-100,200 priority 24576
!
vlan internal allocation policy ascending
!
track 33 ip sla 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet1/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
no negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
no negotiation auto
channel-protocol lacp
channel-group 1 mode active
!
interface GigabitEthernet1/2
description -- router --
no switchport
ip address 11.11.11.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet1/3
shutdown
media-type rj45
negotiation auto
!
interface Vlan99
ip address 172.16.99.1 255.255.255.0
!
interface Vlan100
ip address 172.16.100.1 255.255.255.0
ip policy route-map RmapPBR
!
interface Vlan101
ip address 11.11.11.9 255.255.255.252
!
interface Vlan200
ip address 172.16.200.1 255.255.255.0
!
!
router eigrp 2534
network 11.11.11.0 0.0.0.3
network 11.11.11.8 0.0.0.3
network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended PBRacl1
permit icmp host 172.16.100.101 host 2.2.2.2
permit udp host 172.16.100.101 host 2.2.2.2
permit ip host 172.16.100.101 host 2.2.2.2
!
ip sla 1
icmp-echo 172.16.100.101
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 172.16.200.101
ip sla schedule 2 life forever start-time now
ip sla 3
udp-echo 11.11.11.10 5000 source-ip 11.11.11.9 source-port 5001
frequency 10
ip sla schedule 3 start-time after 00:01:00
ip sla 4
udp-jitter 172.16.99.102 5000
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 11.11.11.10 source-ip 11.11.11.9
frequency 40
ip sla schedule 5 start-time after 00:30:00
!
route-map PmapPBR permit 10
match ip address PBRacl1
!
route-map RmapPBR permit 10
match ip address PBRacl1
continue 20
set ip next-hop verify-availability 11.11.11.10 1 track 33
!
!
!
control-plane
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
login
!
ntp master 5
!
end

DLS2:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DLS-2
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
enable password ine
!
no aaa new-model
no process cpu autoprofile hog
clock timezone EET 2 0
!
!
!
!
!
vtp file vlan.dat
!
!
!
no ip domain-lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
!
spanning-tree mst configuration
name CCNP
revision 1
instance 1 vlan 99-100
instance 2 vlan 110, 120
!
spanning-tree vlan 99-100,200 priority 28672
spanning-tree vlan 101 priority 24576
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet0/2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet0/3
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet1/0
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
description -- router --
no switchport
ip address 11.11.11.6 255.255.255.252
duplex full
no negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet1/3
switchport access vlan 4
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface Vlan1
ip address 1.1.1.33 255.255.255.0
!
interface Vlan99
ip address 172.16.99.2 255.255.255.0
!
interface Vlan101
ip address 11.11.11.10 255.255.255.252
!
!
router eigrp 2534
network 11.11.11.4 0.0.0.3
network 11.11.11.8 0.0.0.3
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
!
ip sla responder
ip sla responder udp-echo ipaddress 11.11.11.9 port 5000
!
!
!
control-plane
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
password ine
login
!
!
end

ALS1:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ALS-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
spanning-tree mst configuration
name CCNP
revision 1
instance 1 vlan 99-100
instance 2 vlan 110, 120
!
spanning-tree vlan 666 priority 36864
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface Port-channel3
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/0
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
media-type rj45
negotiation auto
spanning-tree portfast edge
!
interface GigabitEthernet0/3
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet1/2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol lacp
channel-group 3 mode active
!
interface GigabitEthernet1/3
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol lacp
channel-group 3 mode active
!
interface Vlan99
ip address 172.16.99.101 255.255.255.0
!
interface Group-Async1
physical-layer async
no ip address
encapsulation slip
!
ip default-gateway 172.16.99.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
ip sla responder
ip sla responder udp-echo ipaddress 172.16.99.1 port 5000
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
ntp source Vlan99
ntp server 172.16.99.1
!
end

ALS2:
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ALS-2
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
enable password ine
!
no aaa new-model
no process cpu autoprofile hog
clock timezone cet 1 0
!
!
!
!
!
vtp file vlan.dat
!
!
!
no ip domain-lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
spanning-tree mode mst
spanning-tree portfast edge default
spanning-tree extend system-id
!
spanning-tree mst configuration
name CCNP
revision 1
instance 1 vlan 99-100
instance 2 vlan 110, 120
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface Port-channel3
switchport access vlan 5
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/0
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet0/1
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
channel-protocol lacp
channel-group 2 mode active
!
interface GigabitEthernet0/2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol pagp
spanning-tree mst 2 cost 10000
!
interface GigabitEthernet0/3
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 200
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode access
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 2
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 5
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
negotiation auto
channel-protocol lacp
channel-group 3 mode active
!
interface GigabitEthernet1/3
description -- to router R4 --
switchport access vlan 4
switchport trunk allowed vlan 2-998,1000-4094
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
media-type rj45
duplex full
no negotiation auto
channel-protocol lacp
channel-group 3 mode active
spanning-tree portfast edge
!
interface Vlan1
ip address 1.1.1.22 255.255.255.0
shutdown
!
interface Vlan4
ip address 4.4.4.22 255.255.255.0
shutdown
!
interface Vlan99
ip address 172.16.99.102 255.255.255.0
!
ip default-gateway 172.16.99.1
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
!
ip sla responder
ip sla responder udp-echo ipaddress 172.16.99.1 port 5000
!
!
!
control-plane
!
line con 0
logging synchronous level 0 limit 20
line aux 0
line vty 0 4
password ine
login
!
!
end

Host A (VPCS):
ip 172.16.100.101/24 172.16.100.1
save Config

Host B (VPCS):
ip 172.16.200.101/24 172.16.200.1
save Config
