I'm building a network which needs to have All but one of it's private networks pass through a DMVPN, all the routes are advertised through EIGRP, that part works great!
I have a private VLAN that only has access onto the internet, the address is Nat'ed over to a public IP address. Each router, there's six of them, are neighbors to two other routers. The furthest router to the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router. Then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels, I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.
Does anyone have any thoughts concerning this design.
I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.
I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.
You say that the address of this other segment is NATed but are not clear whether the translation is ont the router where the segment is located or is on the Internet gateway router.
Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.
I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.
Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
We are pleased to announce availability of Beta software for 16.6.3.
16.6.3 will be the second rebuild on the 16.6 release train targeted
towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are
looking for early feedback from customers befor...
Introduction Featured Speakers Luis Espejel is the Telecommunications
Manager of IENova, an Oil & Gas company. Currently he works with Cisco
IOS® and Cisco IOS XE platforms, and NX to some extent. He has also
worked as a Senior Engineer with the Routing P...
In this session you can learn more about Layer 3 multicast and the best
practices to identify possible threats and take security measures. It
provides an overview of basic multicast, the best security practices for
use of this technology, and recommendati...