Reliable PBR with IP SLA

Lesson Contents

In previous lessons I explained how you can use PBR (Policy Based Routing) to overrule the routing table for certain types of traffic. I also explained in another lesson how IP SLA can be used to measure your network performance.

This lesson will combine those two topics, we’ll use PBR to overrule the routing table but only when our IP SLA operation is up and running. Let’s check out the configuration!

Configuration

Here’s the topology we will use:

Cisco Ip Sla Pbr Lab Topology

We have 4 routers and a webserver that we want to reach from R1. Because of the slow serial link between R2 and R4, all traffic is routed through R3:

R1#traceroute 192.168.34.254

Type escape sequence to abort.
Tracing the route to 192.168.34.254

  1 192.168.12.2 44 msec 44 msec 12 msec
  2 192.168.23.3 40 msec 44 msec 24 msec
  3 192.168.34.254 32 msec 60 msec 52 msec

For whatever reason we prefer to use R4 when we want to reach the webserver at 192.168.34.254. The serial link however isn’t very reliable so instead of simply using PBR to forward traffic to R4, we’ll combine it with IP SLA. On R2 we will ping the other side of the serial link (192.168.24.4) and when we get a reply, we’ll use R4 as the next hop to reach 192.168.34.254. Here’s how it’s done:

R2(config)#ip sla 1
R2(config-ip-sla)#icmp-echo 192.168.24.4
R2(config-ip-sla-echo)#frequency 10

R2(config)#ip sla schedule 1 start-time now life forever 

First we configure IP SLA. I’ll use a simple ICMP echo and we will run this operation forever. We can’t “attach” IP SLA directly to the route-map that we will use for policy based routing so we’ll configure object tracking:

R2(config)#track 1 ip sla 1

There we go, object number 1 is now connected to IP SLA operation 1. RTR (Response Time Reporter) is the old name for IP SLA. Let’s continue:

R2(config)#ip access-list extended HTTP_SERVER
R2(config-ext-nacl)#permit ip any host 192.168.34.254

The access-list above will be used in the route-map for PBR. It matches the IP address of the webserver. Now we can create the route-map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 800 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
527 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags:


Forum Replies

  1. thanks for this Rene, easy to understand! PBR with IP SLA is so useful.

  2. Dear Rene,

    This is not working for me, please help…

    my debug ip policy output is as follows:

    *Dec 27 16:07:49.774: IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.34.254, len 28, policy match
    *Dec 27 16:07:49.774: IP: route map RM-192, item 10, permit
    *Dec 27 16:07:49.778: IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.34.254 (Serial1/0), len 28, policy routed
    *Dec 27 16:07:49.782: IP: FastEthernet0/0 to Serial1/0 192.168.24.4
    *Dec 27 16:07:49.794: IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.34.254, len 28, policy match
    *Dec 27 16:0
    ... Continue reading in our forum

  3. Hmm the first few packets did get policy routed:

    *Dec 27 16:07:49.774: IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.34.254, len 28, policy match
    *Dec 27 16:07:49.774: IP: route map RM-192, item 10, permit
    *Dec 27 16:07:49.778: IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.34.254 (Serial1/0), len 28, policy routed
    

    Did anything change in between those pings?

  4. Nothing. Its not forwarding through serial port. Any hint. I’ll make the topology again in gns3 and check again to see whats happening… thanks for the reply

  5. Hi Rene,

    As your diagram but i change from SERVER to Internet. Do i need default route or not ?

    Best Regards,
    CH

22 more replies! Ask a question or join the discussion by visiting our Community Forum