Network Architecture & Design


Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

Jeff McLeod

Jeff McLeod 01-18-2016 14:24

  • 1.  Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 17:18
    I'm trying to inject a static route 192.168.12.0/22 192.168.11.253 when gateway 192.168.8.12 fails. When 192.168.8.12 is once again available, I would like to remove the 192.168.12.0/22 192.168.11.253 route and replace it with 192.168.12.0/22 192.168.8.12. Both gateway devices are connected to my Summit L2/3 device 192.168.8.36/22. I've examined numerous documents; flow-redirect, IP SLA scripting, and route weighting. All of the knowledge base articles and user streams seem to have partial configs or the scripts are full of bugs\errors. I'm new to Extreme Networks, so my knowledge is a little lacking. I'm able to do this with my Cisco equipment using ip sla and tracking statements, but of course it's well documented in comparison to what I've found with Extreme Networks. I would appreciate any help. I'm looking for detailed configs and\or explanation.

    Drowning,

    Jeff



  • 2.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 17:33
    Hi,

    If I understand correctly, you can't use dynamic routing protocols, only static routes?

    --
    Jarek



  • 3.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 18:11
    Correct, Jarek. I inherited a network that is all static. I'm working on a backup\failover solution. I will be migrating to dynamic routing protocols once this project is done, but I have a bunch of industry no-no's to work around (i.e., one site with <500 nodes using VLAN 1 10.0.0.0/8). There are so many gotchas with the way they've done things here, I can't afford to break things in the process of implementing the backup\failover solution.



  • 4.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 18:45
    Hi Jeff,

    Our GTAC knowledge site might be perfect for you. Based on what you are saying, it sounds like flow redirect will work perfectly. Below is an article that explains how to configure it:

    Browser View: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect

    I hope this helps!


  • 5.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 19:46
    Hey Patrick. I may be missing something. I have the flow-redirect configured and I can see the nexthop drop in and out. But nothing is routing to the next hop. Since everything is static here, do I need static routes for both the primary and secondary gateways in addition to the flow-redirect? I can ping from a host (192.168.11.250/22) to the Extreme Networks flow-redirect device (192.168.8.36/22), to the primary gateway (192.168.8.12/22), and the secondary gateway (192.168.11.253/22). But nothing past either of these devices.

    USARB-SW010001.94 # show flow
    Name                 Nexthop  Active            VR Name      Inactive  Health
                         Count    IP address                     Nexthops  Check
    ====================================================================
    GTAC_redirect        2        192.168.8.12      VR-Default   Forward   PING

    ND: Neighbor Discovery

    USARB-SW010001.95 # show flow-redirect "GTAC_redirect"
    Name              : GTAC_redirect    VR Name      : VR-Default
    Inactive Nexthops : Forward          Health Check : PING
    Nexthop Count     : 2
    Active IP Address : 192.168.8.12
    Index  State    Priority  IP Address       Status  Interval  Miss
    ======================================================================
    0      Enabled  250       192.168.8.12     UP      2         2
    1      Enabled  200       192.168.11.253   UP      2         2

    ND: Neighbor Discovery

    And if I take down the primary gateway:

    USARB-SW010001.96 # show flow
    Name                 Nexthop  Active            VR Name      Inactive  Health
                         Count    IP address                     Nexthops  Check
    ====================================================================
    GTAC_redirect        2        192.168.11.253    VR-Default   Forward   PING

    ND: Neighbor Discovery

    USARB-SW010001.97 # show flow-redirect "GTAC_redirect"
    Name              : GTAC_redirect    VR Name      : VR-Default
    Inactive Nexthops : Forward          Health Check : PING
    Nexthop Count     : 2
    Active IP Address : 192.168.11.253
    Index  State    Priority  IP Address       Status  Interval  Miss
    ======================================================================
    0      Enabled  250       192.168.8.12     DOWN    2         2
    1      Enabled  200       192.168.11.253   UP      2         2

    ND: Neighbor Discovery

    Thanks again,

    Jeff
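
The two `show flow-redirect` captures in the post above can be checked mechanically. The following is an added example, not part of the original post and not Extreme Networks code: it parses one capture and reports whether the active nexthop is the one the table implies and whether a failover has happened. The rule that the highest-priority usable nexthop wins is an assumption read off those two captures, and the function names are hypothetical.

```python
import re

# Constructed sample: the "show flow-redirect" capture taken with the primary
# gateway down, copied from the post above with single-space column gaps.
PRIMARY_DOWN = """\
Name : GTAC_redirect VR Name : VR-Default
Inactive Nexthops: Forward Health Check : PING
Nexthop Count : 2
Active IP Address : 192.168.11.253
Index State Priority IP Address Status Interval Miss
======================================================================
0 Enabled 250 192.168.8.12 DOWN 2 2
1 Enabled 200 192.168.11.253 UP 2 2
"""

ACTIVE = re.compile(r"^\s*Active IP Address\s*:\s*(\S+)")
# Columns: Index, State, Priority, IP Address, Status, Interval, Miss
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_flow_redirect(text):
    """Return (active_ip, nexthop rows) from one 'show flow-redirect' capture."""
    active, hops = None, []
    for line in text.splitlines():
        if m := ACTIVE.match(line):
            active = m.group(1)
        elif m := ROW.match(line):
            hops.append({"ip": m.group(4), "priority": int(m.group(3)),
                         "usable": m.group(2) == "Enabled" and m.group(5) == "UP"})
    return active, hops

def audit(text):
    """Compare the reported active nexthop with the one the table implies."""
    active, hops = parse_flow_redirect(text)
    usable = [h for h in hops if h["usable"]]
    # Assumption taken from the two captures: the highest-priority usable hop wins.
    expected = max(usable, key=lambda h: h["priority"])["ip"] if usable else None
    preferred = max(hops, key=lambda h: h["priority"])["ip"] if hops else None
    return {"active": active, "expected": expected,
            "consistent": active == expected,
            "failed_over": active is not None and active != preferred}

if __name__ == "__main__":
    print(audit(PRIMARY_DOWN))
```

This only audits the flow-redirect state the switch reports; whether traffic actually follows that nexthop still has to be confirmed separately, for example with an ACL counter.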



  • 6.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-15-2016 21:38
    Jeff, maybe this will help you. Let's assume:
    -vlan GW_primary,
    -vlan GW_secondary,
    -vlan Network,
    -both gateways must be directly connected to the switch,
    -IP addresses below in config.

    create vlan GW_primary
    configure vlan GW_primary tag 10
    configure vlan GW_primary add ports 1 untagged
    configure vlan GW_primary ipaddress 192.168.8.36/22
    enable ipforwarding vlan GW_primary

    create vlan GW_secondary
    configure vlan GW_secondary tag 20
    configure vlan GW_secondary add ports 2 untagged
    configure vlan GW_secondary ipaddress 192.168.11.254/24
    enable ipforwarding vlan GW_secondary

    create vlan Network
    configure vlan Network tag 30
    configure vlan Network add ports 3 untagged

    ## Let's say Network has subnet 10.0.0.0/24

    configure vlan Network ipaddress 10.0.0.1/24
    enable ipforwarding vlan Network

    ## Now we need to configure a route to our secondary GW
    ## We need this, because we should know where to route traffic
    ## when the primary GW is unreachable

    configure iproute add 192.168.12.0/22 192.168.11.253

    ## Now we create our flow redirect and configure the IP address of the primary GW

    create flow-redirect primary_GW
    configure flow-redirect primary_GW add nexthop 192.168.8.12 priority 100
    configure flow-redirect primary_GW nexthop 192.168.8.12 ping health-check interval 60 miss 3

    ## Now we create an ACL primary_GW.pol to redirect traffic from network 10.0.0.0/24 to gw 192.168.8.12

    entry Network1 {
        if match all {
            source-address 10.0.0.0/24;
            destination-address 192.168.12.0/22;
        } then {
            permit;
            redirect-name primary_GW;
        }
    }

    ### We apply the access list on vlan ingress

    configure access-list primary_GW vlan Network ingress

    #############################################

    --
    Jarek
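
The post above requires both gateways to be directly connected to the switch. As an added example (not part of the original post, and not Extreme Networks code), the following check takes the addressing lines from that configuration and reports VLAN interface subnets that overlap, plus any gateway that does not sit in exactly one connected subnet. The function name and the regular expressions are hypothetical and only cover the command forms shown in the post.

```python
import ipaddress
import re

# Constructed input: the addressing lines copied from the configuration above.
CONFIG = """\
configure vlan GW_primary ipaddress 192.168.8.36/22
configure vlan GW_secondary ipaddress 192.168.11.254/24
configure vlan Network ipaddress 10.0.0.1/24
configure iproute add 192.168.12.0/22 192.168.11.253
configure flow-redirect primary_GW add nexthop 192.168.8.12 priority 100
"""

VLAN_IP = re.compile(r"^configure vlan (\S+) ipaddress (\S+)$")
IPROUTE = re.compile(r"^configure iproute add (\S+) (\S+)$")
NEXTHOP = re.compile(r"^configure flow-redirect (\S+) add nexthop (\S+) priority (\d+)$")

def check_addressing(config):
    """Return findings about overlapping subnets and ambiguous gateways."""
    vlans, gateways, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := VLAN_IP.match(line):
            # ip_interface keeps the host address; .network is the connected subnet
            vlans[m.group(1)] = ipaddress.ip_interface(m.group(2)).network
        elif m := IPROUTE.match(line):
            gateways.append(("iproute " + m.group(1), ipaddress.ip_address(m.group(2))))
        elif m := NEXTHOP.match(line):
            gateways.append(("flow-redirect " + m.group(1), ipaddress.ip_address(m.group(2))))
    names = sorted(vlans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vlans[a].overlaps(vlans[b]):
                findings.append(f"overlap: {a} {vlans[a]} and {b} {vlans[b]}")
    for label, gw in gateways:
        homes = [n for n in names if gw in vlans[n]]
        if len(homes) != 1:
            findings.append(f"{label}: gateway {gw} is in {len(homes)} connected subnets {homes}")
    return findings

if __name__ == "__main__":
    for finding in check_addressing(CONFIG):
        print(finding)
```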


  • 7.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:23
    Hey Jarek.
    Thanks a bunch! It wasn't a direct solution for my scenario, but your detailed analysis allowed me to piece together my network needs. I was using the flow-redirect configuration in the complete opposite of how it should have been configured. I now have my traffic going to a monitored next hop. When that next hop becomes unavailable, depending on my "interval," it fails over to a default (the secondary) route. Works like a charm. I now have a good handle on it.

    Thanks again!

    Jeff


  • 8.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:24
    P.S. How do we close this thread?


  • 9.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-27-2016 19:04
    Hi Jeff,

    You can utilize flow-redirect to fit your scenario by adding in another next hop with a higher priority than your redundant path and configuring the ping feature to check the availability. An example configuration is below:

    create flow-redirect test
    configure flow-redirect test add nexthop 10.10.10.1 priority 200
    configure flow-redirect test add nexthop 10.10.10.2 priority 100 (Primary route)
    configure flow-redirect test nexthop 10.10.10.2 ping health-check interval 2

    Try this and see if this does what you expect.

    Also, I noticed that a comment was made on this article. Was this you? I just wanted to get some feedback into this article on how I can improve it. Considering I personally made the article I will revise it to add in this scenario so it can be used if needed.

    I hope this helps!

    Patrick


  • 10.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:24
    I've marked it as answered. Glad to see you were able to get this worked out!

    -Brandon


  • 11.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:24
    Can we open this back up? It didn't work. Due to the configurations that I was given, it's still the same problem. The flow-redirect monitors the primary path, but never takes the primary path even when it's up. It always takes the default path which is the secondary path even if the primary path is up. I've stripped down my whole lab, configured it as Jarek documented (with a couple of modifications due to incorrect subnet designations), and it WILL NOT work. My original thought that it worked is because the traffic was ALWAYS taking the secondary path. So when I dropped the link on the primary path device, I mistakenly thought it was failing over, and it wasn't. It was just taking the same secondary path.

    Thanks,

    Jeff



  • 12.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:24
    Hi Jeff,

    This is exactly how flow-redirect works. It will overpower whatever is in the routing table. You should be able to add in a second next hop address and give it a different priority. I will do some research to make sure this checks the availability of the hop.


  • 13.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-18-2016 14:24
    Jeff, what extreme device do you have? -- Jarek


  • 14.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-27-2016 19:04
    Yes. I made the comment. The problem is: if I don't enter a static or default route, the traffic NEVER gets routed to the nexthop, it just dies. And if I'm verifying correctly, I don't ever see it hit the access-list. I definitely see the flow-redirect health-check go up and down when the nexthop isn't available, but regardless, it never hits the nexthop indicated in the flow-redirect.



  • 15.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-27-2016 19:04
    Hi Jeff,

    How are you verifying it is not hitting the ACL? Can you add a "count test;" in the then section of the ACL:

    entry Network1 {
        if match all {
            source-address 10.0.0.0/24;
            destination-address 192.168.12.0/22;
        } then {
            permit;
            redirect-name primary_GW;
            count test;
        }
    }

    Then run "refresh policy " and "show access-list counter ingress"


  • 16.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-27-2016 19:04
    Hey Patrick. Thanks a bunch! Nothing was hitting the access-list. But I think the problem is the Virtual Image I was using. I swapped it out for the one with 15.7.x.x code and it all works! I can even see the access list getting hit. Now my question is: Will the 15.3.x.x code I'm using in my physical production area work? Or will it be non-functional like the virtual image. Where can I find a list of existing bugs for the EXOS I'm using?

    Thanks again!!!!!!



  • 17.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 01-27-2016 19:04
    Jeff, you should check the release notes PDF for that firmware. You must log in to the Extreme portal, and there you can find firmware and docs. -- Jarek


  • 18.  RE: Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

    Posted 04-15-2020 15:03

    Can someone confirm that the lower priority is the primary route (like in your example)?  I have documentation from my lab testing showing the other way around but since we’re working remotely my lab isn’t set to retest again and need to deploy flow redirect.