ping health check XOS for PBR

Hi All,

I have created a policy based routing policy to kind of simulate a "VR" on summit X440. We have a few transits connected to the Summit and these transits go to another device with VR's.

Now we need to route specific subnets to specific transits. I am using the following script, which seems to work fine:

entry PBR-BYOD {
if match all {
    destination-address 0.0.0.0/0 ;
    source-address 10.2XX.X0.0/24 ;
}
then {
    count PBR-BYOD ;
    redirect 192.168.XX.17 ;
}
}

configure access-list PBR-BYOD vlan "vXX0-XX-BYOD" ingress

Now I would like to enable a ping health check to all my different transit IPs. This is because I want to make sure the ARP for these networks is always there.

Could anyone please point me in the right direction?

Thanks!
Akkertje

Posted 2 years ago

Njanyana Buthelezi

Maybe you can increase your FDB aging time to keep your MAC table longer. For example, if your end device's MAC aging timer is 350, you can change the Summit from the default (300) to 3000.

configure fdb agingtime 3000

Kevin Kim, Employee
I think you could use flow-redirect to enable ping health check to next-hop addresses. 

# create flow-redirect fr1 
# configure flow-redirect fr1 add nexthop 192.168.XX.17 priority 200
# configure flow-redirect fr1 add nexthop 192.168.YY.17 priority 190
# configure flow-redirect fr1 nexthop 192.168.XX.17 ping health-check interval 2 miss 3
# configure flow-redirect fr1 nexthop 192.168.YY.17 ping health-check interval 2 miss 3

entry PBR-BYOD {
if match all {
    destination-address 0.0.0.0/0 ;
    source-address 10.2XX.X0.0/24 ;
}
then {
    count PBR-BYOD ;
    redirect-name fr1 ;
}
}
Akkertje
I'm not all too keen to increase the aging timer for my FDB.

And Kevin, thanks for the reply. But I have to ask, isn't there a more simplistic way to get the same result? When using the flow-redirect command I see you enter another hop with a lower priority. We do not have multiple transits to one VR but rather 4 transits to 4 VRs. Your configuration seems more like a redundancy / fail-over solution.

Would this also work without priorities? I also tried to add the static MAC, but it's a trunked port with 4 VLANs which simulate the transits, so this won't work either.
Kawawa, GTAC
Hi Akkertje, I would agree with Kevin's suggestion because it would work well in your case. So, if your uplinks (let's call them uplink-1, uplink-2, uplink-3 and uplink-4) service your network, and you want VLANs (let's call them vlan-1, vlan-2, vlan-3 and vlan-4) to always have their traffic redirected to the corresponding uplink, you'd create 4 different flow-redirects that specify where each VLAN's traffic will be redirected, i.e. "ALL vlan-1 traffic should be redirected to uplink-1". Each redirect could have a single next-hop defined, or you could have multiple next-hops where you could define priorities for the order in which the switch selects which link to redirect on. And while you should define priorities in both instances, it only matters in the instance where multiple next-hops have been defined.

A final advantage of a flow-redirect is the option to specify what should happen to redirected traffic when the next hop is unavailable. If I recall correctly, a PBR will simply forward the traffic through your normal routing channels, whereas a flow-redirect allows you to specify whether you want to route using standard routing options or simply drop that traffic.
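Kawawa's one-flow-redirect-per-transit design, written out as an added configuration example (not posted by anyone in this thread): two of the four transits are shown, the names, next-hop addresses, source subnet and VLAN are constructed placeholders, and the `no-active` command is assumed from the EXOS command set rather than taken from the thread, which only describes that behaviour in prose.

```text
# --- CLI: one flow-redirect per transit, single next-hop, ping health-checked ---
# Health-check arguments follow Kevin's post: probe every 2 s, mark down after 3 misses.
create flow-redirect fr-transit1
configure flow-redirect fr-transit1 add nexthop 192.168.1.17 priority 200
configure flow-redirect fr-transit1 nexthop 192.168.1.17 ping health-check interval 2 miss 3
# Assumed EXOS option: fail closed. With "drop", BYOD traffic is discarded while the
# transit is down instead of leaking onto the switch's normal routing table ("forward").
configure flow-redirect fr-transit1 no-active drop

create flow-redirect fr-transit2
configure flow-redirect fr-transit2 add nexthop 192.168.2.17 priority 200
configure flow-redirect fr-transit2 nexthop 192.168.2.17 ping health-check interval 2 miss 3
configure flow-redirect fr-transit2 no-active drop
# ... repeat for fr-transit3 / fr-transit4 with their own next-hops

# --- Policy file pbr-byod.pol: the redirect-name replaces the bare "redirect <ip>" ---
entry PBR-BYOD {
if match all {
    destination-address 0.0.0.0/0 ;
    source-address 10.201.10.0/24 ;
}
then {
    count PBR-BYOD ;
    redirect-name fr-transit1 ;
}
}

# --- CLI: bind the policy to the VLAN that must always leave via transit 1 ---
configure access-list pbr-byod vlan "v110-BYOD" ingress

# --- Verification: next-hop state (Active/Down) and the ACL counter ---
show flow-redirect fr-transit1
show access-list counter
```

Because the flow-redirect itself pings the next-hop every interval, the transit's ARP entry is refreshed as a side effect, which is what the original question was trying to achieve without touching the FDB aging timer.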