
Tips to route guest network traffic using liveness probe feature on Aruba SD-Branch

By esupport posted Apr 15, 2022 02:20 AM

  
Requirement:

Route guest network traffic using the liveness probe feature on Aruba SD-Branch.



Solution:

Tips to route guest network traffic using liveness probe feature

–A typical network design routes guest traffic locally, apart from what users need to get onboarded/authenticated against CPPM.

–A PBR next-hop list can use tunnels or VLANs (local breakout) as next hops.

–When a VLAN is used as the next hop, the liveness check feature verifies that the next hop is alive against the default gateway by probing the next-hop IP every 10 seconds.

–The “next-hop IP” in this case is the cable modem on VLAN 4094, plugged into one of the ports on the BGW uplink.

–Probes are ICMP.

–Priority can be set if you have more uplinks.

 

CLI sample

# ip probe-profile default

(ip-probe-default)# frequency <in seconds>

The default frequency is 10 seconds. The frequency cannot be changed from the UI yet (roadmap item); for now it is configurable only in the CLI.

Recommended

The frequency should not be increased beyond 14 seconds, because IKE tunnels depend on the gateway probes to refresh the ARP cache; increasing it past 14 seconds may cause the ARP entry to age out.

Lower the frequency value to probe faster.

 

There are a few ways to route guest traffic; the liveness probe feature for PBR is one of them, and it is effective and simple.

–A typical network design routes guest traffic locally, apart from what users need to get onboarded/authenticated against CPPM.

–Other designs send all traffic to a third-party cloud security service. A PBR next-hop list can use tunnels or VLANs (local breakout) as next hops.

 

–When using local next-hops, the gateway can do “liveness checks” against the immediate default gateway or against the PQM service.

–When set to “default-gateway”, probes are sent via ICMP. When set to “WAN Health Check IP”, the gateway uses the uplink status to determine whether the next-hop should be used.

 

–When using tunnel next-hops, the gateway can do “liveness” or “performance” checks against an IP behind the tunnel.

–This “tunnel monitor IP” is set as part of the tunnel definition. It’s also set by Cloud Connect when orchestrating tunnels to Zscaler.

–Priority can be set if you have more than one uplink.

–Reminder: when PBR priority or routing cost is the same, DPS can select among multiple paths!

Routing should determine the next hop and WAN should determine the path.

Make sure your routing/PBR cost/priority is the same across all uplinks!!!

Please see the configuration screenshots for the same.
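To make the next-hop selection described above concrete, here is an added Python model (not ArubaOS code and not part of the original post) of a next-hop list with ICMP liveness probes, priorities and the 14-second frequency bound. It assumes, for the model only, that a larger priority value is preferred, that a next hop is declared dead after three consecutive missed probes, and that equal-priority live hops are all returned so the DPS path selector can choose among them.

```python
from dataclasses import dataclass

MAX_PROBE_FREQUENCY = 14  # seconds; above this the post warns ARP entries may age out
DEFAULT_FREQUENCY = 10    # seconds; the default the post states
@dataclass
class NextHop:
    name: str
    ip: str
    priority: int      # assumption for this model: larger value is preferred
    alive: bool = True
    missed: int = 0    # consecutive ICMP probes without a reply

def validate_frequency(seconds):
    """Accept a probe frequency only inside the bound the post recommends."""
    if not isinstance(seconds, int) or seconds < 1:
        raise ValueError("frequency must be a positive whole number of seconds")
    if seconds > MAX_PROBE_FREQUENCY:
        raise ValueError(f"{seconds}s exceeds {MAX_PROBE_FREQUENCY}s; ARP cache may age out")
    return seconds

def apply_probe_results(hops, results, dead_after=3):
    """results maps next-hop IP -> True (ICMP reply) / False or missing (timeout)."""
    for hop in hops:
        hop.missed = 0 if results.get(hop.ip, False) else hop.missed + 1
        hop.alive = hop.missed < dead_after  # dead_after is an assumption of this model
    return hops

def select_next_hops(hops):
    """Live hops at the best priority; more than one means DPS picks the path."""
    live = [h for h in hops if h.alive]
    if not live:
        return []
    best = max(h.priority for h in live)
    return [h for h in live if h.priority == best]

def demo():
    # Constructed sample: two equal-priority local-breakout uplinks and one backup.
    hops = [
        NextHop("cable-modem-vlan4094", "192.0.2.1", priority=200),
        NextHop("second-isp", "198.51.100.1", priority=200),
        NextHop("backup-lte", "203.0.113.1", priority=100),
    ]
    validate_frequency(DEFAULT_FREQUENCY)
    apply_probe_results(hops, {"192.0.2.1": True, "198.51.100.1": True, "203.0.113.1": True})
    round1 = [h.name for h in select_next_hops(hops)]  # both 200s: DPS chooses
    for _ in range(3):  # the cable modem stops answering for three consecutive probes
        apply_probe_results(hops, {"198.51.100.1": True, "203.0.113.1": True})
    round2 = [h.name for h in select_next_hops(hops)]  # dead hop removed
    return round1, round2
```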



Configuration:



Verification

A few commands to verify:

 

show ip route

show datapath route

show datapath session table | include <client ip address>

show ip nexthop-list

show datapath nexthop-list
