I have a remote site router that provides both general employee network access to internal resources and the Internet, and student system access to other training systems and the Internet via our main office site.
Currently the student network access is isolated by ACLs applied at the inbound LAN interface.
I would like to modify this configuration by extending an mGRE tunnel from our central student network to the remote site router and then force traffic from the remote student network to the central student network (as well as Internet traffic) to traverse the tunnel, and traffic from the central student network arriving via the tunnel to only be sent out the Student network LAN interface.
I can see using policy-based routing applied to both the LAN interface and the tunnel to accomplish this, but would like to see if there are better methods to accomplish this.
My main concern is that traffic to/from the tunnel and student LAN interface cannot access any other network(s) than the Student network.
I can provide pseudo configs if necessary, but would mostly like ideas on how to correctly design the access process.
This link is the closest information I found on CCO, but I admit it's not the best one.
We are talking here about one VRF for the student network and keeping the default routing table for the employee network, so there is no scalability issue with your current hardware.
So the implementation should look like this:
- Create a VRF on the remote RTR and the main-office routers
- Split your WAN into two different sub-interfaces
- On the remote RTR, add one of the WAN sub-interfaces and G0/1 into the configured VRF
- On the main-office router, add the same WAN sub-interface and the interface connected to the main-student RTR into the VRF
- Make EIGRP VRF-aware so you will have EIGRP adjacencies on both sub-interfaces
- Nothing to change on the main-student
At the end, EIGRP running in the default routing table will announce only the employee network and EIGRP running in the VRF only the student network. This way employees and students are not sharing the same routing table anymore, so you don't need the inbound ACL: the default routing table will not have any route to reach the student network and the VRF will not have any route to reach the employee network.
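The VRF-lite design from the steps above, written out as a Cisco IOS configuration for the remote router. This is an added example, not configuration from the original thread or from the poster's network; the VRF name STUDENT, the route distinguisher, the VLAN tags 10 and 20, the EIGRP AS number 100 and all addresses are assumed values chosen for illustration. The main-office router mirrors the same pattern: the matching WAN sub-interface and the interface facing the main-student router go into the VRF, and the same EIGRP address-family is configured there.

```cisco
! ---- Remote site router: VRF-lite split of employee (global) and student (VRF) ----
ip vrf STUDENT
 rd 65000:100                        ! assumed RD; any unique value works for VRF-lite
!
interface GigabitEthernet0/0
 description WAN physical (split into two dot1Q sub-interfaces)
 no ip address
!
interface GigabitEthernet0/0.10
 description WAN - employee traffic, stays in the global routing table
 encapsulation dot1Q 10
 ip address 10.0.10.2 255.255.255.252
!
interface GigabitEthernet0/0.20
 description WAN - student traffic, inside VRF STUDENT
 encapsulation dot1Q 20
 ip vrf forwarding STUDENT           ! must precede the ip address (IOS clears it otherwise)
 ip address 10.0.20.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Student LAN - inside VRF STUDENT, no inbound ACL needed
 ip vrf forwarding STUDENT
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Employee LAN - global routing table
 ip address 192.168.10.1 255.255.255.0
!
router eigrp 100
 ! global-table EIGRP: employee WAN sub-interface and employee LAN only
 network 10.0.10.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 no auto-summary
 !
 ! VRF-aware EIGRP: separate adjacency over the student WAN sub-interface
 address-family ipv4 vrf STUDENT
  autonomous-system 100
  network 10.0.20.0 0.0.0.3
  network 192.168.20.0 0.0.0.255
  no auto-summary
 exit-address-family
!
! ---- Verification: confirm the two routing tables really are disjoint ----
! show ip route                      -> must show no 192.168.20.0/24 or 10.0.20.0/30
! show ip route vrf STUDENT          -> must show no 192.168.10.0/24 or 10.0.10.0/30
! show ip eigrp vrf STUDENT neighbors -> adjacency to the main-office router over Gi0/0.20
! ping vrf STUDENT 192.168.10.1      -> expected to fail: the VRF has no route to the employee LAN
```

The isolation holds only as long as nothing leaks routes between the two tables, so treat any static route with a `vrf` keyword pointing into the global table, any `ip vrf receive`, or any import/export route-target as a configuration change that reopens the path the inbound ACL used to close; the two `show ip route` checks above are the quick way to confirm that no such route has appeared.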