Wednesday 17 June 2020

IP Service Level Agreements (SLA), Embedded Event Manager (EEM) and Policy-Based Routing (PBR) in Cisco IOS



Objective: The PBR policy on the interface facing Uplink-Router will be removed once the router detects that the server is unreachable.

Policy-based routing (PBR) is a method used to make routing decisions based on policies.



Scenario: Server1 provides web caching to customers for faster web page loading. A route-map is in place that routes their HTTP/HTTPS traffic to Server1 as the next hop. What if this server suddenly goes down? The expected behaviour is that the customers will no longer be able to access websites, because their web traffic is still being sent to a next hop that no longer answers.

Pre-setup:
1. Configure an ACL matching HTTP/HTTPS
Router1#
ip access-list extended ACL-WEB
 permit tcp any any eq www
 permit tcp any any eq 443

2. Configure the route-map that matches the HTTP/HTTPS ACL and sets the next hop to Server1, which provides the web caching service
Router1#
route-map ROUTE-MAP-PBR permit 10
 match ip address ACL-WEB
 set ip next-hop 192.168.1.11

3. Configure the IP address and apply the PBR on this interface, as it faces the customers. (Assumption: L3 routing is already configured between Router1 and Uplink-Router, e.g. an IGP or BGP)
Router1#
interface fa0/0
 description Connection to Uplink-Router
 ip address 172.20.10.2 255.255.255.252
 ip policy route-map ROUTE-MAP-PBR
 load-interval 30

4. Configure the SVI that becomes the servers' gateway IP
Router1#
vlan 100
 name Server Farm Vlan

interface Vlan100
 description Server Gateway
 ip address 192.168.1.1 255.255.255.0
 ip verify unicast source reachable-via any
 load-interval 30

5. Configure the L2 interface facing Server-Switch
Router1#
interface fa1/0
 description Server-Switch
 switchport
 switchport access vlan 100
 switchport mode access
 load-interval 30
 spanning-tree portfast

Solution: Set up an IP SLA probe to track Server1's network reachability. If the server is down, the Event Manager applet kicks in, since it watches the tracked object (track 1) that follows the IP SLA.

A. Configure IP SLA:
Router1#
! the operation (ip sla 1) must exist before it can be scheduled or tracked
ip sla 1
 icmp-echo 192.168.1.11 source-ip 192.168.1.1
 threshold 500
 timeout 500
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

where:
For IP SLA operations, Cisco recommends the following configuration guideline:
(frequency seconds) > (timeout milliseconds) > (threshold milliseconds)
Note that frequency is given in seconds while timeout and threshold are in milliseconds, so 5 seconds (5000 ms) > 500 ms here. To follow the guideline strictly, the threshold should be set lower than the timeout rather than equal to it.

B. Configure Event Manager:
Router1#
event manager session cli username "admin"
 event manager applet PBR-REMOVE
 description REMOVE PBR IN EVENT OF SERVER DOWN
 event track 1 state down
 trigger occurs 1
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface fa0/0"
 action 1.3 cli command "no ip policy route-map ROUTE-MAP-PBR"
 action 1.4 cli command "exit"
 action 1.5 syslog msg "Server Unreachable. PBR removed"

What does this do?
It works like a script:
Log in as the user "admin" (a local account that is authorized to run all of the CLI commands). EEM does not require authentication for this CLI session, so no password needs to be added. Then execute the following:
configure terminal
interface fa0/0
no ip policy route-map ROUTE-MAP-PBR
exit

After this is done, it sends a syslog message saying "Server Unreachable. PBR removed".

Any keyword will do; the NMS server can then be configured to raise an alert once it receives that log message.
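The applet above only removes the PBR; once Server1 comes back, the policy stays off until someone re-applies it by hand. The following is an added example, not part of the original post, showing a companion applet that restores the PBR when track 1 goes up again, a flap-damping delay on the track (the 30-second value is an assumption), and the show commands used to verify each piece. Names reuse those from the post.

```cisco
! Added example (not from the original post): re-apply PBR on recovery
event manager applet PBR-RESTORE
 description RE-APPLY PBR WHEN SERVER IS REACHABLE AGAIN
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface fa0/0"
 action 1.3 cli command "ip policy route-map ROUTE-MAP-PBR"
 action 1.4 cli command "end"
 action 1.5 syslog msg "Server reachable again. PBR restored"
!
! Damp flapping: wait 30 s of continuous reachability before reporting Up,
! so the two applets do not toggle the policy on every lost probe
! (30 s is an assumed value; tune it for your environment)
track 1 ip sla 1 reachability
 delay up 30 down 0
!
! Verification (exec mode):
! show ip sla statistics 1                  -> latest RTT and return code
! show track 1                              -> Up/Down state of the tracked object
! show event manager policy registered      -> PBR-REMOVE and PBR-RESTORE listed
! show ip interface fa0/0 | include Policy  -> whether the route-map is applied
```

After a simulated outage (e.g. shutting Server1's port on Server-Switch), the syslog should show the "PBR removed" message first and the "PBR restored" message roughly 30 seconds after the server answers pings again.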
Enjoy!
