Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available

  • Question
  • Updated 2 years ago
  • Answered

I'm trying to inject a static route 192.168.12.0/22 192.168.11.253 when gateway 192.168.8.12 fails.  When 192.168.8.12 is once again available, I would like to remove the 192.168.12.0/22 192.168.11.253 route and replace it with 192.168.12.0/22 192.168.8.12.  Both gateway devices are connected to my Summit L2/3 device 192.168.8.36/22.  I've examined numerous documents: flow-redirect, IP SLA scripting, and route weighting.  All of the knowledge base articles and user streams seem to have partial configs, or the scripts are full of bugs/errors.  I'm new to Extreme Networks, so my knowledge is a little lacking.  I'm able to do this with my Cisco equipment using ip sla and tracking statements, but of course it's well documented in comparison to what I've found with Extreme Networks.  I would appreciate any help.  I'm looking for detailed configs and/or explanation.

Drowning,

Jeff

Jeff McLeod

Posted 2 years ago

Jarek

Hi,

If I understand correctly, you can't use dynamic routing protocols, only static routes?

--
Jarek
Jeff McLeod

Correct, Jarek.  I inherited a network that is all static.  I'm working on a backup/failover solution.  I will be migrating to dynamic routing protocols once this project is done, but I have a bunch of industry no-no's to work around (i.e. one site with <500 nodes using VLAN 1 10.0.0.0/8).  There are so many gotchas with the way they've done things here, I can't afford to break things in the process of implementing the backup/failover solution.

Patrick Voss, Employee

Hi Jeff,

Our GTAC knowledge site might be perfect for you. Based on what you are saying, it sounds like flow-redirect will work perfectly. Below is an article that explains how to configure it:

Browser View:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect

I hope this helps!
Jeff McLeod

Hey Patrick.  I may be missing something.  I have the flow-redirect configured and I can see the nexthop drop in and out.  But nothing is routing to the next hop.  Since everything is static here, do I need static routes for both the primary and secondary gateways in addition to the flow-redirect?  I can ping from a host (192.168.11.250/22) to the Extreme Networks flow-redirect device (192.168.8.36/22), to the primary gateway (192.168.8.12/22), and the secondary gateway (192.168.11.253/22).  But nothing past either of these devices.

USARB-SW010001.94 # show flow
Name          Nexthop  Active             VR Name     Inactive  Health
              Count    IP address                     Nexthops  Check
====================================================================
GTAC_redirect  2        192.168.8.12       VR-Default  Forward   PING

ND: Neighbor Discovery


USARB-SW010001.95 # show flow-redirect "GTAC_redirect"
Name             : GTAC_redirect         VR Name          : VR-Default
Inactive Nexthops: Forward               Health Check     : PING
Nexthop Count    : 2
Active IP Address : 192.168.8.12
Index    State      Priority  IP Address          Status Interval Miss
======================================================================
0        Enabled    250       192.168.8.12        UP     2        2
1        Enabled    200       192.168.11.253      UP     2        2

ND: Neighbor Discovery

And if I take down the primary gateway:

USARB-SW010001.96 # show flow
Name          Nexthop  Active             VR Name     Inactive  Health
              Count    IP address                     Nexthops  Check
====================================================================
GTAC_redirect  2        192.168.11.253     VR-Default  Forward   PING

ND: Neighbor Discovery

USARB-SW010001.97 # show flow-redirect "GTAC_redirect"
Name             : GTAC_redirect         VR Name          : VR-Default
Inactive Nexthops: Forward               Health Check     : PING
Nexthop Count    : 2
Active IP Address : 192.168.11.253
Index    State      Priority  IP Address          Status Interval Miss
======================================================================
0        Enabled    250       192.168.8.12        DOWN   2        2
1        Enabled    200       192.168.11.253      UP     2        2

ND: Neighbor Discovery

Thanks again,

Jeff

Jarek

Jeff, maybe this will help you. Let's assume:
- vlan GW_primary,
- vlan GW_secondary,
- vlan Network,
- both gateways must be directly connected to the switch,
- IP addresses below in the config.



create vlan GW_primary
configure vlan GW_primary tag 10
configure vlan GW_primary add ports 1 untagged
configure vlan GW_primary ipaddress 192.168.8.36/22
enable ipforwarding vlan GW_primary

create vlan GW_secondary
configure vlan GW_secondary tag 20
configure vlan GW_secondary add ports 2 untagged
configure vlan GW_secondary ipaddress 192.168.11.254/24
enable ipforwarding vlan GW_secondary

create vlan Network
configure vlan Network tag 30
configure vlan Network add ports 3 untagged

## Let's say Network has subnet 10.0.0.0/24

configure vlan Network ipaddress 10.0.0.1/24
enable ipforwarding vlan Network

## Now we need to configure a route to our secondary GW.
## We need this because the switch must know where to route traffic
## when the primary GW is unreachable.

configure iproute add 192.168.12.0/22 192.168.11.253

## Now we create our flow-redirect and configure the IP address of the primary GW

create flow-redirect primary_GW
configure flow-redirect primary_GW add nexthop 192.168.8.12 priority 100
configure flow-redirect primary_GW nexthop 192.168.8.12 ping health-check interval 60 miss 3

## Now we create an ACL primary_GW.pol to redirect traffic from network 10.0.0.0/24 to GW 192.168.8.12

entry Network1 {
if match all {
        source-address 10.0.0.0/24;
        destination-address 192.168.12.0/22;
} then {
        permit;
        redirect-name primary_GW;
}
}

### We apply the access list on VLAN ingress

configure access-list primary_GW vlan Network ingress


#############################################

--
Jarek
Jeff McLeod

Hey Jarek.
Thanks a bunch!  It wasn't a direct solution for my scenario, but your detailed analysis allowed me to piece together my network needs.  I was using the flow-redirect configuration in the complete opposite of how it should have been configured.  I now have my traffic going to a monitored next hop.  When that next hop becomes unavailable, depending on my "interval," it fails over to a default (the secondary) route.  Works like a charm.  I now have a good handle on it.

Thanks again!

Jeff
Jeff McLeod

P.S. How do we close this thread?
Brandon Clay, Escalation Support Engineer

I've marked it as answered. Glad to see you were able to get this worked out!

-Brandon
Jeff McLeod

Can we open this back up?  It didn't work.  Due to the configurations that I was given, it's still the same problem.  The flow-redirect monitors the primary path, but never takes the primary path even when it's up.  It always takes the default path, which is the secondary path, even if the primary path is up.  I've stripped down my whole lab, configured it as Jarek documented (with a couple of modifications due to incorrect subnet designations), and it WILL NOT work.  My original thought that it worked is because the traffic was ALWAYS taking the secondary path.  So when I dropped the link on the primary path device, I mistakenly thought it was failing over, and it wasn't.  It was just taking the same secondary path.

Thanks,


Jeff

Patrick Voss, Employee

Hi Jeff,

This is exactly how flow-redirect works. It will overpower whatever is in the routing table. You should be able to add in a second next hop address and give it a different priority. I will do some research to make sure this checks the availability of the hop.

Jarek

Jeff,

What Extreme device do you have?

--
Jarek
Patrick Voss, Employee

Hi Jeff,

You can utilize flow-redirect to fit your scenario by adding in another next hop with a higher priority than your redundant path and configuring the ping feature to check its availability. An example configuration is below:

create flow-redirect test
configure flow-redirect test add nexthop 10.10.10.1 priority 200
configure flow-redirect test add nexthop 10.10.10.2 priority 100    # Primary route
configure flow-redirect test nexthop 10.10.10.2 ping health-check interval 2

Try this and see if this does what you expect.

Also, I noticed that a comment was made on this article. Was this you? I just wanted to get some feedback into this article on how I can improve it. Considering I personally made the article I will revise it to add in this scenario so it can be used if needed.

I hope this helps!

Patrick
Jeff McLeod
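An added example, not from this thread, Extreme's article, or EXOS itself: a small Python model of the nexthop selection that Jeff's "show flow-redirect" output above documents and that Patrick's priority explanation relies on. It parses a copy of that output (constructed here with the primary DOWN), treats the enabled nexthop with the largest priority value whose health check is UP as active (the ordering visible in Jeff's output, 250 active over 200, taken as an assumption about EXOS), and when no nexthop is alive falls back to a longest-prefix lookup of the static route from Jarek's config when "Inactive Nexthops" is Forward; the route table is constructed for the example.

```python
import ipaddress
import re

# Constructed from the "show flow-redirect" output posted earlier in this
# thread, captured while the primary gateway's health check was DOWN.
SHOW_FLOW_REDIRECT = """\
Name             : GTAC_redirect         VR Name          : VR-Default
Inactive Nexthops: Forward               Health Check     : PING
Nexthop Count    : 2
Active IP Address : 192.168.11.253
Index    State      Priority  IP Address          Status Interval Miss
======================================================================
0        Enabled    250       192.168.8.12        DOWN   2        2
1        Enabled    200       192.168.11.253      UP     2        2
"""
# Static route assumed on the switch (the one Jarek's config adds).
STATIC_ROUTES = {"192.168.12.0/22": "192.168.11.253"}

ROW = re.compile(r"^(\d+)\s+(\w+)\s+(\d+)\s+(\d+(?:\.\d+){3})\s+(UP|DOWN)\s+(\d+)\s+(\d+)$")

def parse_show_flow_redirect(text):
    """Return (inactive-nexthops policy, list of nexthop dicts) from the CLI output."""
    policy, nexthops = None, []
    for line in text.splitlines():
        m = re.search(r"Inactive Nexthops:\s*(\w+)", line)
        if m:
            policy = m.group(1)
        m = ROW.match(line.strip())
        if m:
            nexthops.append({"state": m.group(2), "priority": int(m.group(3)),
                             "ip": m.group(4), "status": m.group(5)})
    return policy, nexthops

def active_nexthop(nexthops):
    """Enabled nexthop with the largest priority whose health check is UP, else None."""
    live = [n for n in nexthops if n["state"] == "Enabled" and n["status"] == "UP"]
    return max(live, key=lambda n: n["priority"])["ip"] if live else None

def route_lookup(dst, routes):
    # Longest-prefix match over the static routing table; None if no route.
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)]
    return routes[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def forward(dst, acl_matches, show_output, routes):
    """Nexthop a packet takes: a matching ACL entry with a live nexthop overrides the
    routing table; with none alive, 'Forward' uses the table and 'Drop' drops."""
    policy, nexthops = parse_show_flow_redirect(show_output)
    if acl_matches:
        nh = active_nexthop(nexthops)
        if nh or policy == "Drop":
            return nh
    return route_lookup(dst, routes)
```

Flipping the primary's Status back to UP in the sample text makes 192.168.8.12 the redirect target again, which is the reverse step the original question asks for.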

Yes.  I made the comment.  The problem is: if I don't enter a static or default route, the traffic NEVER gets routed to the nexthop, it just dies.  And if I'm verifying correctly, I don't ever see it hit the access-list.  I definitely see the flow-redirect health-check go up and down when the nexthop isn't available, but regardless, it never hits the nexthop indicated in the flow-redirect.

Patrick Voss, Employee

Hi Jeff,

How are you verifying it is not hitting the ACL? Can you add a "count test;" in the then section of the ACL:

entry Network1 {
if match all {
        source-address 10.0.0.0/24;
        destination-address 192.168.12.0/22;
} then {
        permit;
        redirect-name primary_GW;
        count test;
}
}

Then run "refresh policy <policy name>" and "show access-list counter ingress".

Jeff McLeod

Hey Patrick.  Thanks a bunch!  Nothing was hitting the access-list.  But I think the problem is the virtual image I was using.  I swapped it out for the one with 15.7.x.x code and it all works!  I can even see the access list getting hit.  Now my question is: will the 15.3.x.x code I'm using in my physical production area work?  Or will it be non-functional like the virtual image?  Where can I find a list of existing bugs for the EXOS I'm using?

Thanks again!!!!!!
Jarek

Jeff,

You should check the release notes PDF for that firmware.
You must log in to the Extreme portal; there you can find firmware and docs.

--
Jarek