Remove primary iproute and inject secondary iproute when primary path is unavailable; then reverse when primary path is available


I'm trying to inject a static route 192.168.12.0/22 192.168.11.253 when gateway 192.168.8.12 fails. When 192.168.8.12 is once again available, I would like to remove the 192.168.12.0/22 192.168.11.253 route and replace it with 192.168.12.0/22 192.168.8.12. Both gateway devices are connected to my Summit L2/3 device 192.168.8.36/22. I've examined numerous documents; flow-redirect, IP SLA scripting, and route weighting. All of the knowledge base articles and user streams seem to have partial configs or the scripts are full of bugs\errors. I'm new to Extreme Networks, so my knowledge is a little lacking. I'm able to do this with my Cisco equipment using ip sla and tracking statements, but of course it's well documented in comparison to what I've found with Extreme Networks. I would appreciate any help. I'm looking for detailed configs and\or explanation.

Drowning,

Jeff

16 replies

Userlevel 3
Hi,

If I understand correctly, you can't use dynamic routing protocols, only static routes?

--
Jarek
Correct Jarek. I inherited a network that is all static. I'm working on a backup\failover solution. I will be migrating to dynamic routing protocols once this project is done, but I have a bunch of industry no-no's to work around (ie. One site with <500 nodes using VLAN 1 10.0.0.0/8). There are so many gotchas with the way they've done things here, I can't afford to break things in the process of implementing the backup\failover solution.
Userlevel 6
Hi Jeff,

Our gtac knowledge site might be perfect for you. Based on what you are saying it sounds like flow redirect will work perfectly. Below is an article that explains how to configure it:

Browser View: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-flow-redirect

I hope this helps!
Hey Patrick. I may be missing something. I have the flow-redirect configured and I can see the nexthop drop in and out. But nothing is routing to the next hop. Since everything is static here, do I need static routes for both the primary and secondary gateways in addition to the flow-redirect? I can ping from a host (192.168.11.250/22) to the Extreme Networks flow-redirect device (192.168.8.36/22), to the primary gateway (192.168.8.12/22), and the secondary gateway (192.168.11.253/22). But nothing past either of these devices.

USARB-SW010001.94 # show flow
Name            Nexthop  Active        VR Name     Inactive  Health
                Count    IP address                Nexthops  Check
====================================================================
GTAC_redirect   2        192.168.8.12  VR-Default  Forward   PING

ND: Neighbor Discovery

USARB-SW010001.95 # show flow-redirect "GTAC_redirect"
Name              : GTAC_redirect    VR Name      : VR-Default
Inactive Nexthops : Forward          Health Check : PING
Nexthop Count     : 2
Active IP Address : 192.168.8.12
Index  State    Priority  IP Address      Status  Interval  Miss
======================================================================
0      Enabled  250       192.168.8.12    UP      2         2
1      Enabled  200       192.168.11.253  UP      2         2

ND: Neighbor Discovery

And if I take down the primary gateway:

USARB-SW010001.96 # show flow
Name            Nexthop  Active          VR Name     Inactive  Health
                Count    IP address                  Nexthops  Check
====================================================================
GTAC_redirect   2        192.168.11.253  VR-Default  Forward   PING

ND: Neighbor Discovery

USARB-SW010001.97 # show flow-redirect "GTAC_redirect"
Name              : GTAC_redirect    VR Name      : VR-Default
Inactive Nexthops : Forward          Health Check : PING
Nexthop Count     : 2
Active IP Address : 192.168.11.253
Index  State    Priority  IP Address      Status  Interval  Miss
======================================================================
0      Enabled  250       192.168.8.12    DOWN    2         2
1      Enabled  200       192.168.11.253  UP      2         2

ND: Neighbor Discovery

Thanks again,

Jeff
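
As an added example (not from the thread or from Extreme Networks), this Python script parses the `show flow-redirect` output posted above and checks that the reported active next hop is the highest-priority enabled one whose health check is UP, which is what the two listings show. The function names are hypothetical, and the detection-time estimate assumes a hop is marked DOWN after `miss` consecutive lost pings sent `interval` seconds apart.

```python
import re

# Copied from the second "show flow-redirect" listing in the post above (primary gateway down).
SAMPLE = """\
Name : GTAC_redirect VR Name : VR-Default
Inactive Nexthops: Forward Health Check : PING
Nexthop Count : 2
Active IP Address : 192.168.11.253
Index State Priority IP Address Status Interval Miss
======================================================================
0 Enabled 250 192.168.8.12 DOWN 2 2
1 Enabled 200 192.168.11.253 UP 2 2
"""

# Columns: index, state, priority, IPv4 address, status, interval, miss
ROW = re.compile(r"^\s*\d+\s+(\w+)\s+(\d+)\s+(\d+(?:\.\d+){3})\s+(UP|DOWN)\s+(\d+)\s+(\d+)\s*$")

def parse_flow_redirect(text):
    """Return (reported active next hop, list of next-hop rows) from the CLI output."""
    hops = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            state, prio, ip, status, interval, miss = m.groups()
            hops.append({"ip": ip, "enabled": state == "Enabled", "priority": int(prio),
                         "up": status == "UP", "interval": int(interval), "miss": int(miss)})
    active = re.search(r"Active IP Address\s*:\s*(\S+)", text)
    return (active.group(1) if active else None), hops

def expected_active(hops):
    """Highest-priority enabled next hop whose health check is UP, else None."""
    usable = [h for h in hops if h["enabled"] and h["up"]]
    return max(usable, key=lambda h: h["priority"])["ip"] if usable else None

def audit(text):
    """Compare the reported next hop with the expected one and estimate detection time."""
    reported, hops = parse_flow_redirect(text)
    want = expected_active(hops)
    return {"reported": reported, "expected": want, "consistent": reported == want,
            # Assumption: DOWN is declared after `miss` lost pings, `interval` seconds apart.
            "detect_seconds": {h["ip"]: h["interval"] * h["miss"] for h in hops}}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `consistent` value of False means the switch reports a different active next hop than the priorities and health states imply; it says nothing about whether traffic is matching the ACL that references the flow-redirect.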
Userlevel 3
Jeff maybe this will help you, let's assume:
-vlan GW_primary,
-vlan GW_secondary,
-vlan Network,
-both gateways must be directly connected to the switch,
-IP addresses below in config.

create vlan GW_primary
configure vlan GW_primary tag 10
configure vlan GW_primary add ports 1 untagged
configure vlan GW_primary ipaddress 192.168.8.36/22
enable ipforwarding vlan GW_primary

create vlan GW_secondary
configure vlan GW_secondary tag 20
configure vlan GW_secondary add ports 2 untagged
configure vlan GW_secondary ipaddress 192.168.11.254/24
enable ipforwarding vlan GW_secondary

create vlan Network
configure vlan Network tag 30
configure vlan Network add ports 3 untagged

## Let's say Network has subnet 10.0.0.0/24

configure vlan Network ipaddress 10.0.0.1/24
enable ipforwarding vlan Network

## Now we need to configure a route to our secondary GW
## We need this, because we should know where to route traffic
## when the primary GW is unreachable

configure iproute add 192.168.12.0/22 192.168.11.253

## Now we create our flow redirect and configure the IP address of the primary GW

create flow-redirect primary_GW
configure flow-redirect primary_GW add nexthop 192.168.8.12 priority 100
configure flow-redirect primary_GW nexthop 192.168.8.12 ping health-check interval 60 miss 3

## Now we create an ACL primary_GW.pol for redirect traffic from network 10.0.0.0/24 to gw 192.168.8.12

entry Network1 {
    if match all {
        source-address 10.0.0.0/24;
        destination-address 192.168.12.0/22;
    } then {
        permit;
        redirect-name primary_GW;
    }
}

### We apply the access list on vlan ingress

configure access-list primary_GW vlan Network ingress

#############################################

--
Jarek
Hey Jarek.
Thanks a bunch! It wasn't a direct solution for my scenario, but your detailed analysis allowed me to piece together my network needs. I was using the flow-redirect configuration in the complete opposite of how it should have been configured. I now have my traffic going to a monitored next hop. When that next hop becomes unavailable, depending on my "interval," it fails over to a default (the secondary) route. Works like a charm. I now have a good handle on it.

Thanks again!

Jeff
P.S. How do we close this thread?
Userlevel 7
Jeff McLeod wrote:

P.S. How do we close this thread?

I've marked it as answered. Glad to see you were able to get this worked out!

-Brandon
Can we open this back up? It didn't work. Due to the configurations that I was given, it's still the same problem. The flow-redirect monitors the primary path, but never takes the primary path even when it's up. It always takes the default path which is the secondary path even if the primary path is up. I've stripped down my whole lab, configured it as Jarek documented (with a couple of modifications due to incorrect subnet designations), and it WILL NOT work. My original thought that it worked is because the traffic was ALWAYS taking the secondary path. So when I dropped the link on the primary path device, I mistakenly thought it was failing over, and it wasn't. It was just taking the same secondary path.

Thanks,

Jeff
Userlevel 6
Hi Jeff,

This is exactly how flow-redirect works. It will overpower whatever is in the routing table. You should be able to add in a second next hop address and give it a different priority. I will do some research to make sure this checks the availability of the hop.
Userlevel 3
Jeff, what extreme device do you have? -- Jarek
Userlevel 6
Hi Jeff,

You can utilize flow-redirect to fit your scenario by adding in another next hop with a higher priority than your redundant path and configuring the ping feature to check the availability. An example configuration is below:

create flow-redirect test
configure flow-redirect test add nexthop 10.10.10.1 priority 200
configure flow-redirect test add nexthop 10.10.10.2 priority 100 (Primary route)
configure flow-redirect test nexthop 10.10.10.2 ping health-check interval 2

Try this and see if this does what you expect.

Also, I noticed that a comment was made on this article. Was this you? I just wanted to get some feedback into this article on how I can improve it. Considering I personally made the article I will revise it to add in this scenario so it can be used if needed.

I hope this helps!

Patrick
Yes. I made the comment. The problem is; if I don't enter a static or default route, the traffic NEVER gets routed to the nexthop, it just dies. And if I'm verifying correctly, I don't ever see it hit the access-list. I definitely see the flow-redirect health-check go up and down when the nexthop isn't available, but regardless, it never hits the nexthop indicated in the flow-redirect.
Userlevel 6
Hi Jeff,

How are you verifying it is not hitting the ACL? Can you add a "count test;" in the then section of the ACL:

entry Network1 {
    if match all {
        source-address 10.0.0.0/24;
        destination-address 192.168.12.0/22;
    } then {
        permit;
        redirect-name primary_GW;
        count test;
    }
}

Then run "refresh policy " and "show access-list counter ingress"
Hey Patrick. Thanks a bunch! Nothing was hitting the access-list. But I think the problem is the Virtual Image I was using. I swapped it out for the one with 15.7.x.x code and it all works! I can even see the access list getting hit. Now my question is: Will the 15.3.x.x code I'm using in my physical production area work? Or will it be non-functional like the virtual image. Where can I find a list of existing bugs for the EXOS I'm using?

Thanks again!!!!!!
Userlevel 3
Jeff, you should check the release notes PDF for that firmware. You must log in to the Extreme portal, and there you can find firmware and docs. -- Jarek
