
redistribute internet route 0.0.0.0 0.0.0.0 in eigrp

agrayson
Level 1

I want to see if there is a better ... best practice way to make the quad 0 internet available if the site fails over to VPN when main circuit is down. As it is now, when a site fails over to VPN it uses that connection for internet traffic, but I want it to use our normal internet connection. This is the config I found but this does not seem to work. I am doing S2S VPN with routers and it works fine ... just I would like to have the internet traffic go through our primary internet connection and not out the VPN failover connection.

router eigrp 1
redistribute static route-map static2eigrp

route-map static2eigrp permit 10
match ip address 10

access-list 10 permit 0.0.0.0

Accepted Solutions

Hello Alonzo,

Without deploying at least a point-to-point GRE you cannot extend EIGRP over the VPN connection, so there is no use in trying to generate a default route in EIGRP.

I would post a link to a solution reference network design using point-to-point GRE.

DMVPN should be the target solution if the number of remote sites is high.

Without GRE you should encrypt all traffic exiting the interface on the remote site, and so the ACL used for IPsec should contain an any keyword, and this is not recommended.

Hope to help

Giuseppe


6 Replies

Jon Marshall
Hall of Fame

Alonzo

Could you clarify? You say the VPN is used when the main circuit is down but then talk about a normal internet connection, i.e. if the main circuit is down would you not have to use the VPN for internet?

Not sure what you are asking.

Jon

Jon

The primary circuit is the WAN connection. The VPN backup uses a HFC cable modem to access internet to spin up the VPN tunnels when WAN circuit is down. Since we have a limited BW and a 10MB internet pipe the thought was not to use the 10 MB internet pipe and also we can still use Websense to monitor internet. Does that make sense? Currently the (HFC) Hybrid Fiber Coaxial is 2 MB down and 384 K up ... not real sure if this will with BW because all that traffic will be in the failover pipe ... instead of NONAT split tunneled. However it will give us better visibility and control on the internet traffic.

Just looking for thoughts and maybe best practice. Does the following look correct?

router eigrp 1
redistribute static route-map static2eigrp

route-map static2eigrp permit 10
match ip address 10

access-list 10 permit 0.0.0.0

Sorry, but I must be having a bad day because it still isn't making sense.

How is the internet normally accessed?

What is the relation between the primary WAN circuit and access to the main internet connection?

What exactly are you trying to achieve, i.e. if the WAN goes down and the main internet connection is accessed via the WAN link then surely the only way to get to the internet connection is via your backup VPN.

Perhaps a diagram with the connectivity details would help.

Also you have provided config but given no idea where this config would be applied, to which router in which location etc.

Jon

Hello Jon,

I think Alonzo has remote sites that, when the primary WAN link fails, use a connection to the internet for two functions:

a) reaching the central site over a site-to-site IPSec tunnel (I hope with GRE inside)

b) accessing the internet from the remote site itself.

This means that remote site to HQ site traffic is denied to NAT and is protected by IPSec, and traffic from the remote site to the internet is locally NATted.

Alonzo would like to have traffic to the internet routed over the VPN tunnel (not NATted here) to HQ instead of going directly to the internet at the remote site.

Now, if he is using a point-to-point GRE tunnel over IPSec he can run EIGRP over the GRE tunnel and could learn an EIGRP route representing the default route.

Simple redistribution of a static route at HQ in EIGRP may not work.

EIGRP can use other tools like the ip default-network to advertise a route that is flagged with the external flag.

Let's wait for Alonso to provide further information.

Hope to help

Giuseppe
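
The design described in the post above (point-to-point GRE protected by IPsec, EIGRP running across the tunnel, default route originated at HQ), sketched as an added example that is not part of the original thread. All addresses, the key and peer placeholders, and the names TS-GRE, PROF-GRE and DEFAULT-ONLY are assumptions, as is a static public address on the remote cable-modem side.

```cisco
! Constructed example: documentation/private address ranges, placeholder names.
! Crypto keyword availability depends on the IOS release.
!
! ===== Both routers: IPsec profile that protects the GRE tunnel =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address <PEER-PUBLIC-IP>
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
! ===== HQ router (public 192.0.2.1, internet next hop 192.0.2.254) =====
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile PROF-GRE
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
! Prefix list matches exactly 0.0.0.0/0, so no other static route leaks into EIGRP.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map static2eigrp permit 10
 match ip address prefix-list DEFAULT-ONLY
router eigrp 1
 network 10.255.0.0 0.0.0.3
 redistribute static route-map static2eigrp
!
! ===== Remote router (cable side 198.51.100.2, gateway 198.51.100.1) =====
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile PROF-GRE
!
! Host route to the HQ peer only. With no static default via the cable modem,
! the EIGRP-learned default through Tunnel0 carries the site's internet traffic,
! and the tunnel endpoint is never resolved through the tunnel itself.
ip route 192.0.2.1 255.255.255.255 198.51.100.1
router eigrp 1
 network 10.255.0.0 0.0.0.3
 ! Constructed remote LAN subnet
 network 10.20.0.0 0.0.0.255
```

On the remote router, `show ip route 0.0.0.0` should list the default as an EIGRP external route via Tunnel0 once the primary WAN is down. Keep user subnets out of any NAT overload rule on the cable-modem interface so that traffic cannot exit locally and bypass the HQ web filter.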

Giuseppe

Yes, you are correct. But I am not using GRE tunnels or the DMVPN solution. I do have a project to move to a DMVPN solution but we need to do a hardware refresh first. So what are my options since I am not using GRE?

Thanks
