I’m Watching You – An IP SLA Post


I wrote this for the CCNA sub but might as well share it here as well.

Since everyone loves infrastructure topics (right?!?!?) let's play with a neat feature on the R&S exam called IP SLA. I figure I might as well highlight some of the more overlooked topics in this sub.

Topology

Here is today’s topology

(diagram: sla-topology)

Basically I'm just using 4 routers in a square topology; each router has a loopback and a server attached to it so there is stuff to ping. The addressing you'll see in the outputs below: the router-to-router links are 10.1.2.0/24 (R01-R02), 10.1.3.0/24 (R01-R03), 10.2.4.0/24 (R02-R04) and 10.3.4.0/24 (R03-R04), the loopbacks are 192.168.254.N/32, and each server LAN is 10.0.NN.0/24 with the router at .254 and the server at .100.

SLA Config

First things first: we create an SLA operation with the ip sla # command and then tell the router what we want to monitor. The CCNA only cares about ping, so we'll start with icmp-echo. We define a destination IP and optionally a source-ip or source-interface.

Note: The source-ip does not have to exist on the router (the probe goes out with whatever source you give it), but the ICMP reply has to find its way back to the SLA router for the probe to count as a success. Pick an address that actually routes back to this box or you will just be counting timeouts.

None of the timers are strictly mandatory (frequency defaults to 60 seconds), but frequency, which is how often the probe is run, is the one you will almost always set. You can also set the timeout (how long SLA waits for a reply, in milliseconds), the threshold (a warning level in milliseconds that must be less than or equal to the timeout), and the TOS byte if you want the probe to carry a particular QoS marking; I'll set it to 160 for the fun of it. One sanity check: IOS will not let the timeout be longer than the frequency, so keep frequency (in seconds) times 1000 at or above the timeout (in milliseconds).

R01(config)#ip sla 1
 R01(config-ip-sla)# icmp-echo 10.0.11.100 source-ip 10.0.11.254
 R01(config-ip-sla-echo)# tos 160
 R01(config-ip-sla-echo)# threshold 1000
 R01(config-ip-sla-echo)# timeout 3000
 R01(config-ip-sla-echo)# frequency 10
 R01(config-ip-sla-echo)#exit

Now that the SLA is created we need to schedule it; here we have it run immediately and forever, like so:

R01(config)#ip sla schedule 1 start now life forever

But you can also have it run at certain times or even randomly!

Verification

To see what is going on I turned on a packet capture on S01; we can see that R01 is endlessly pinging the server every 10 seconds. We can also see the TOS is working, since 0xa0 is 160 in hex (that is DSCP 40, CS5, once you drop the two ECN bits).

cisco@S01:~$ sudo tcpdump -i eth1 icmp -vvv
 tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
 04:24:52.553376 IP (tos 0xa0, ttl 253, id 57, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.254 > 10.0.11.100: ICMP echo request, id 49, seq 1, length 44
 04:24:52.553412 IP (tos 0xa0, ttl 64, id 58293, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.100 > 10.0.11.254: ICMP echo reply, id 49, seq 1, length 44
 04:25:02.553032 IP (tos 0xa0, ttl 253, id 58, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.254 > 10.0.11.100: ICMP echo request, id 50, seq 1, length 44
 04:25:02.553069 IP (tos 0xa0, ttl 64, id 60087, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.100 > 10.0.11.254: ICMP echo reply, id 50, seq 1, length 44
 04:25:12.553370 IP (tos 0xa0, ttl 253, id 59, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.254 > 10.0.11.100: ICMP echo request, id 51, seq 1, length 44
 04:25:12.553402 IP (tos 0xa0, ttl 64, id 60255, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.100 > 10.0.11.254: ICMP echo reply, id 51, seq 1, length 44
 04:25:22.551884 IP (tos 0xa0, ttl 253, id 60, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.254 > 10.0.11.100: ICMP echo request, id 52, seq 1, length 44
 04:25:22.551935 IP (tos 0xa0, ttl 64, id 60343, offset 0, flags [none], proto ICMP (1), length 64)
 10.0.11.100 > 10.0.11.254: ICMP echo reply, id 52, seq 1, length 44

On the router side we can verify the SLA configuration:

R01(config)#do sh ip sla configuration
 IP SLAs Infrastructure Engine-III
 Entry number: 1
 Owner:
 Tag:
 Operation timeout (milliseconds): 3000
 Type of operation to perform: icmp-echo
 Target address/Source address: 10.0.11.100/10.0.11.254
 Type Of Service parameter: 0xA0
 Request size (ARR data portion): 28
 Data pattern: 0xABCDABCD
 Verify data: No
 Vrf Name:
 Schedule:
 Operation frequency (seconds): 10 (not considered if randomly scheduled)
 Next Scheduled Start Time: Start Time already passed
 Group Scheduled : FALSE
 Randomly Scheduled : FALSE
 Life (seconds): Forever
 Entry Ageout (seconds): never
 Recurring (Starting Everyday): FALSE
 Status of entry (SNMP RowStatus): Active
 Threshold (milliseconds): 1000
 Distribution Statistics:
 Number of statistic hours kept: 2
 Number of statistic distribution buckets kept: 1
 Statistic distribution interval (milliseconds): 20
 Enhanced History:
 History Statistics:
 Number of history Lives kept: 0
 Number of history Buckets kept: 15
 History Filter Type: None

We can also see how successful it is by looking at the statistics:

R01(config)#do show ip sla statistics
 IPSLAs Latest Operation Statistics

IPSLA operation id: 1
 Latest RTT: 1 milliseconds
 Latest operation start time: 04:31:39 UTC Thu Jun 29 2017
 Latest operation return code: OK
 Number of successes: 11
 Number of failures: 0
 Operation time to live: Forever

To prove this fancy feature is actually working, let's disable the server interface:

cisco@S01:~$ sudo ifconfig eth1 down

Now we can see the failures starting to rise, and the return code changes from OK to Timeout:

R01(config)#do show ip sla statistics
 IPSLAs Latest Operation Statistics

IPSLA operation id: 1
 Latest RTT: NoConnection/Busy/Timeout
 Latest operation start time: 04:32:19 UTC Thu Jun 29 2017
 Latest operation return code: Timeout
 Number of successes: 13
 Number of failures: 2
 Operation time to live: Forever

cisco@S01:~$ sudo ifconfig eth1 up

Well, that was exciting, and it is all the CCNA covers, but let's take this up a notch and explore what kind of crazy things we can use this feature for.

 The Dynamic Static Route!

One of the drawbacks of static routes is that a static route stays in the routing table as long as its outgoing interface (or the subnet of its next hop) is up; it has no idea whether the destination beyond that next hop is actually reachable. But what if I told you that SLA can help overcome this????????????????????

To play with this I enabled RIP everywhere, let’s see how things are routing to get to R04’s loopback.

Currently we can go through R02 and R03.

R01(config)#do sh ip route rip | be Gateway
 Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
 R 10.0.22.0/24 [120/1] via 10.1.2.2, 00:00:11, GigabitEthernet2
 R 10.0.33.0/24 [120/1] via 10.1.3.3, 00:00:02, GigabitEthernet3
 R 10.0.44.0/24 [120/2] via 10.1.3.3, 00:00:02, GigabitEthernet3
 [120/2] via 10.1.2.2, 00:00:11, GigabitEthernet2
 R 10.2.4.0/24 [120/1] via 10.1.2.2, 00:00:11, GigabitEthernet2
 R 10.3.4.0/24 [120/1] via 10.1.3.3, 00:00:02, GigabitEthernet3
 192.168.254.0/32 is subnetted, 4 subnets
 R 192.168.254.2 [120/1] via 10.1.2.2, 00:00:11, GigabitEthernet2
 R 192.168.254.3 [120/1] via 10.1.3.3, 00:00:02, GigabitEthernet3
 R 192.168.254.4 [120/2] via 10.1.3.3, 00:00:02, GigabitEthernet3
 [120/2] via 10.1.2.2, 00:00:11, GigabitEthernet2

Let's raise the metric of everything R01 learns from R03 (an inbound offset-list on G3) so that RIP prefers the path through R02:

R01(config)#router rip
 R01(config-router)#offset-list 0 in 5 g3
 R01(config-router)#exit

R01(config)#do sh ip route rip | be Gateway
 Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
 R 10.0.22.0/24 [120/1] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 10.0.33.0/24 [120/3] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 10.0.44.0/24 [120/2] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 10.2.4.0/24 [120/1] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 10.3.4.0/24 [120/2] via 10.1.2.2, 00:00:21, GigabitEthernet2
 192.168.254.0/32 is subnetted, 4 subnets
 R 192.168.254.2 [120/1] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 192.168.254.3 [120/3] via 10.1.2.2, 00:00:21, GigabitEthernet2
 R 192.168.254.4 [120/2] via 10.1.2.2, 00:00:21, GigabitEthernet2

Now we will use a static route that prefers the R03 path, but only while SLA can ping R04's server out of G3.

R01(config)#ip sla 2
 R01(config-ip-sla)#icmp-echo 10.0.44.100 source-interface g3
 R01(config-ip-sla-echo)#freq 10
 R01(config-ip-sla-echo)#exit
 R01(config)#
 R01(config)#ip sla schedule 2 start now life forever

We'll also make an untracked host route for the probe target so the SLA ping is pinned to the R03 link. This matters: if the probe simply followed the routing table, then the moment the tracked route is withdrawn the probe would take the RIP path through R02, succeed, bring the track back up, and the route would flap forever. The probe path has to be fixed independently of the route it controls.

R01(config)#ip route 10.0.44.100 255.255.255.255 10.1.3.3

R01#show ip sla statistics 2
 IPSLAs Latest Operation Statistics

IPSLA operation id: 2
 Latest RTT: 2 milliseconds
 Latest operation start time: 04:58:26 UTC Thu Jun 29 2017
 Latest operation return code: OK
 Number of successes: 3
 Number of failures: 1
 Operation time to live: Forever

Next we make a track object and associate it with our new SLA. We can get fancy here and do some Boolean logic so that we can track multiple conditions, but we'll keep it simple. One thing to know: track N ip sla N with no keyword tracks the operation's state, which is Up only when the return code is OK, so a reply that merely comes back late (OverThreshold) counts as Down. If all you care about is whether the target answers at all, use the reachability keyword instead.

R01(config)#track 2 ip sla 2
 R01(config-track)#exit

Then we make a static route like normal but add the track keyword to it.

R01(config)#ip route 192.168.254.4 255.255.255.255 10.1.3.3 name SLA track 2
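Putting the pieces above together, here is the whole thing the way I would actually deploy it. This is an added example, not the config from the original lab: the addresses and interface names are the lab's, but the reachability keyword, the probe timers, the delay dampening and the route names are my additions.

```cisco
! Added example (not from the original post). Lab addressing as in the
! topology; "reachability", "delay" and the timers are my additions.
!
! 1. The probe, pinned to the R03 link by its source interface.
ip sla 2
 icmp-echo 10.0.44.100 source-interface GigabitEthernet3
 frequency 10
 timeout 3000
 threshold 1000
ip sla schedule 2 start-time now life forever
!
! 2. Untracked host route for the probe target. Without it the probe would
!    follow RIP via R02 as soon as the tracked route is withdrawn, succeed,
!    and flap the track straight back Up. The probe path must not depend on
!    the route it controls.
ip route 10.0.44.100 255.255.255.255 10.1.3.3 name SLA_PROBE_PATH
!
! 3. Track object. "reachability" stays Up on OK or OverThreshold, so a
!    latency spike alone does not pull the route (the default "state" would).
!    The delay dampens flaps: 15 s of failures before Down, 30 s of success
!    before Up.
track 2 ip sla 2 reachability
 delay down 15 up 30
!
! 4. The conditional static route (AD 1). When it is withdrawn, the RIP route
!    for the same /32 via R02 (AD 120) takes over, so there is always a path.
ip route 192.168.254.4 255.255.255.255 10.1.3.3 name SLA track 2
```

The delay values are a judgment call: long enough to ride out a single lost probe, short enough that a real outage is not hidden for minutes.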

We can see the track is happy and that our static route is in the routing table.

R01(config)#do sh track
 Track 2
 IP SLA 2 state
 State is Up
 1 change, last change 00:03:52
 Latest operation return code: OK
 Latest RTT (millisecs) 2
 Tracked by:
 Static IP Routing 0

R01(config)#do sh ip route static | be Gateway
 Gateway of last resort is not set

192.168.254.0/32 is subnetted, 4 subnets
 S 192.168.254.4 [1/0] via 10.1.3.3

And we can see a traceroute is going through R03:

R01(config)#do traceroute 192.168.254.4 source l0
 Type escape sequence to abort.
 Tracing the route to 192.168.254.4
 VRF info: (vrf in name/id, vrf out name/id)
 1 10.1.3.3 3 msec 2 msec 2 msec
 2 10.3.4.4 3 msec * 10 msec

Now for the fun part, where we break stuff!!!! We'll make an ACL on R03 to block the pings. Note that deny icmp any any drops every ICMP packet through that interface, not just our probe, which is exactly the point to remember in production: a filter change (or a deliberate block) anywhere on the probe path can quietly flip your routing.

R03(config)#ip access-list extended BLOCK_SLA
 R03(config-ext-nacl)#deny icmp any any
 R03(config-ext-nacl)#permit ip any any
 R03(config-ext-nacl)#int g3
 R03(config-if)#ip access-group BLOCK_SLA in

On R01 we see the track object go down:

R01(config)#
 *Jun 29 05:07:09.355: %TRACK-6-STATE: 2 ip sla 2 state Up -> Down

R01(config)#do sh track
 Track 2
 IP SLA 2 state
 State is Down
 2 changes, last change 00:00:38
 Latest operation return code: Timeout
 Tracked by:
 Static IP Routing 0

The tracked static route is also gone from the routing table; only the untracked host route for the probe target is left:

R01(config)#do sh ip route static
 Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 a - application route
 + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
 S 10.0.44.100/32 [1/0] via 10.1.3.3
 R01(config)#do sh ip route static | be Gateway
 Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
 S 10.0.44.100/32 [1/0] via 10.1.3.3

Once I remove the ACL the track comes back up and the SLA route returns:

R01(config)#
 *Jun 29 05:19:29.429: %TRACK-6-STATE: 2 ip sla 2 state Down -> Up

This is a pretty powerful feature, since we can use it to do things like only advertise a default route if the router can ping Google and the default gateway.

Speaking of conditional default routes, let's look at a simple(ish) example with RIP.

The smart default route

Let’s add some loopbacks into R01 to simulate google on the internet so the other routers have something to ping.

R01(config)#int l8888
 R01(config-if)#ip add 8.8.8.8 255.255.255.255
 R01(config-if)#int l8844
 R01(config-if)#ip add 8.8.4.4 255.255.255.255

Since we still have our first SLA to S01, let's reuse that to save some time. It is good to recycle!

R01(config)#track 1 ip sla 1
 R01(config-track)#exit

The concept here is that we want a static route in the routing table that RIP can use to decide whether or not to advertise a default route. Since we don't want to impact any real routes, I'll use an address from the link-local (APIPA) space, 169.254.0.0/16, and route it to the null interface so it never forwards anything.

R01(config)#ip route 169.254.0.1 255.255.255.255 null0 name PLACEHOLDER track 1

Next we need to match the static route; you can use an ACL or a prefix-list. I'll use the prefix-list for the fun of it.

R01(config)#ip prefix-list PL_PLACEHOLDER permit 169.254.0.1/32

Then we make a route-map that matches our ACL or prefix-list:

R01(config)#route-map RM_DEFAULT
 R01(config-route-map)#match ip address prefix-list PL_PLACEHOLDER
 R01(config-route-map)#exit

Finally we add the route-map keyword to the default-information originate command, so RIP only originates the default while a route matching the route-map is present in the routing table:

R01(config)#router rip
 R01(config-router)#default-information originate route-map RM_DEFAULT
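The section above mentioned the "ping Google and the default gateway" case, and the earlier track section mentioned Boolean logic; here is both at once, as an added example that is not from the original post. R01's uplink interface and ISP gateway do not exist in the lab and are assumptions (GigabitEthernet1 and 203.0.113.1 here); 8.8.8.8 is pinned to that gateway so the probe never depends on the very default route it gates.

```cisco
! Added example (not from the original post). GigabitEthernet1 and
! 203.0.113.1 are assumed uplink/gateway values, not lab addresses.
!
! Probe 11: "the internet". Pinned to the ISP gateway with an untracked
! host route so it cannot be rerouted by whatever default route exists.
ip route 8.8.8.8 255.255.255.255 203.0.113.1 name PROBE_PIN
ip sla 11
 icmp-echo 8.8.8.8 source-interface GigabitEthernet1
 frequency 10
 timeout 2000
ip sla schedule 11 start-time now life forever
!
! Probe 12: the default gateway itself.
ip sla 12
 icmp-echo 203.0.113.1 source-interface GigabitEthernet1
 frequency 10
 timeout 2000
ip sla schedule 12 start-time now life forever
!
track 11 ip sla 11 reachability
track 12 ip sla 12 reachability
!
! Boolean AND list: Up only while every member object is Up. Dampened so a
! single lost probe does not withdraw the default from the whole network.
track 100 list boolean and
 object 11
 object 12
 delay down 20 up 60
!
! Placeholder route in link-local space, gated by the list. Null0 next hop:
! it exists only to be matched, never to forward.
ip route 169.254.0.1 255.255.255.255 Null0 name PLACEHOLDER track 100
!
ip prefix-list PL_PLACEHOLDER seq 5 permit 169.254.0.1/32
route-map RM_DEFAULT permit 10
 match ip address prefix-list PL_PLACEHOLDER
!
router rip
 version 2
 default-information originate route-map RM_DEFAULT
```

Swap boolean and for boolean or if either target answering is good enough; the rest of the chain (placeholder route, prefix-list, route-map) is unchanged.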

Note: You might start to notice how various features can build together into a Voltron of awesomeness.

Verification

We can see that R04 has learned a default route and can ping "Google":

R04(config)# do sh ip route 0.0.0.0
 Routing entry for 0.0.0.0/0, supernet
 Known via "rip", distance 120, metric 2, candidate default path
 Redistributing via rip
 Last update from 10.2.4.2 on GigabitEthernet3, 00:00:03 ago
 Routing Descriptor Blocks:
 * 10.2.4.2, from 10.2.4.2, 00:00:03 ago, via GigabitEthernet3
 Route metric is 2, traffic share count is 1
 R04(config)#do ping 8.8.8.8
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

If we disable S01's interface, though:

cisco@S01:~$ sudo ifconfig eth1 down
 [sudo] password for cisco:
 cisco@S01:~$

We can see the default route is gone from R04 as soon as the SLA goes down; no waiting on a holddown timer for it!

R04(config)#do sh ip route 0.0.0.0
 % Network not in table

But what else can it do?

Well, I have a bit more scotch left in my glass so... let's turn this up to 11.

We can do something boring like add a track object to an FHRP (the standby priority is decremented when the track goes down):

R01(config-if)#standby 1 track 1

Or... we can have the router disable an interface and write a log message!!!!!!!!!!!!!!!!!

I won't dive too much into EEM (though I'll likely do something with it eventually); the gist is that when the track object goes down, EEM will disable the G3 interface and leave us a syslog message. Two things to keep in mind before you do this for real: there is no matching applet for the track coming back up, so G3 stays administratively down until a human clears it, and you have just handed a shutdown button to anyone who can make the probe fail (block ICMP between R01 and S01, or take S01 down, and R01 cuts its own link to R03).

R01(config)#event manager applet MEOWCAT
 R01(config-applet)# event track 1 state down
 R01(config-applet)# action 010 cli command "enable"
 R01(config-applet)# action 020 cli command "conf t"
 R01(config-applet)# action 030 cli command "interface g3"
 R01(config-applet)# action 040 cli command "shutdown"
 R01(config-applet)# action 050 syslog msg "MEOW MEOW MEOW MEOW"
 R01(config-applet)#exit

Now if I take down the server, the applet executes:

R01(config)#
 *Jun 29 05:52:14.632: %TRACK-6-STATE: 1 ip sla 1 state Up -> Down
 R01(config)#
 *Jun 29 05:52:14.886: %HA_EM-6-LOG: MEOWCAT: MEOW MEOW MEOW MEOW
 R01(config)#
 *Jun 29 05:52:16.793: %LINK-5-CHANGED: Interface GigabitEthernet3, changed state to administratively down
 *Jun 29 05:52:17.792: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3, changed state to down
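As an added example that is not part of the original post, here is the companion applet I would pair with MEOWCAT so the interface comes back on its own, plus the dampened track it should be driven from. The applet name, syslog text and delay values are my choices; event manager session cli username is only needed if your enable mode or AAA demands a user identity for the applet's CLI session.

```cisco
! Added example (not from the original post). Names and timers are mine.
!
! Dampen the track so the interface is not bounced by a single lost probe.
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! Restore applet: mirror image of MEOWCAT, fires when track 1 recovers.
event manager applet MEOWCAT_RESTORE
 event track 1 state up
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 action 030 cli command "interface GigabitEthernet3"
 action 040 cli command "no shutdown"
 action 050 cli command "end"
 action 060 syslog msg "track 1 back up, GigabitEthernet3 restored"
!
! If "enable" prompts for a password or AAA rejects the applet's VTY
! session, give EEM an identity to run its CLI actions under.
event manager session cli username admin
```

With both applets in place the pair behaves like a crude interface-level failover: down on sustained probe loss, up again only after the probe has been healthy for the full delay up window.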
