I'm building a network which needs to have all but one of its private networks pass through a DMVPN; all the routes are advertised through EIGRP, and that part works great!

I have a private VLAN that only has access onto the internet; the address is NATed over to a public IP address. Each router (there are six of them) is a neighbor of two other routers. The router furthest from the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router, then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels; I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.

Does anyone have any thoughts concerning this design?




Without much thinking... I just would like to add that you can run 2 EIGRP processes in 1 router, with no problems. But this doesn't mean that you'd have 2 routing tables.


I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.

I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.

You say that the address of this other segment is NATed but are not clear whether the translation is on the router where the segment is located or is on the Internet gateway router.

Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.

I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.

Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
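The GRE-tunnel-plus-PBR design described in the reply above, written out as an added Cisco IOS configuration example; it is not from the original thread. Interface names, the 192.168.50.0/24 address of the Internet-only VLAN, the loopback tunnel endpoints, 203.0.113.1 as the ISP next hop, and the ACL/route-map names are all assumptions, as is placing the NAT on the gateway (which the thread leaves open).

```cisco
! ===== Router A: hosts the Internet-only VLAN (assumed Vlan50, 192.168.50.0/24) =====
interface Tunnel100
 description GRE to Internet gateway; carries only the isolated segment
 ip address 172.16.100.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.2
! Loopback0 (10.0.0.1) and the gateway loopback are reachable via the existing DMVPN EIGRP.
! Do NOT put Tunnel100 or 192.168.50.0/24 into that EIGRP process: other sites must never learn it.
!
ip access-list extended PRIVATE-SEG-TO-INET
 permit ip 192.168.50.0 0.0.0.255 any
!
route-map PRIVATE-SEG-PBR permit 10
 match ip address PRIVATE-SEG-TO-INET
 set ip next-hop 172.16.100.2
!
interface Vlan50
 description Internet-only user segment
 ip address 192.168.50.1 255.255.255.0
 ip policy route-map PRIVATE-SEG-PBR
!
! ===== Router G: Internet gateway (NAT assumed here) =====
interface Tunnel100
 ip address 172.16.100.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.1
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP uplink (assumed interface)
 ip nat outside
!
! Return path is a plain static route; never redistribute it into EIGRP.
ip route 192.168.50.0 255.255.255.0 Tunnel100
!
ip access-list extended PRIVATE-SEG-NAT
 permit ip 192.168.50.0 0.0.0.255 any
ip nat inside source list PRIVATE-SEG-NAT interface GigabitEthernet0/0 overload
!
! Optional PBR on the gateway, as the reply suggests: whatever arrives from the
! segment over the tunnel is handed straight to the ISP, never toward internal routes.
route-map PRIVATE-SEG-OUT permit 10
 match ip address PRIVATE-SEG-NAT
 set ip next-hop 203.0.113.1
interface Tunnel100
 ip policy route-map PRIVATE-SEG-OUT
```

Verify the isolation with `show ip policy` and `show route-map` on both routers, and confirm with `show ip eigrp topology` that neither Tunnel100 nor 192.168.50.0/24 appears in the DMVPN EIGRP process.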



