ip local policy - DMVPN head-end router

daveg18848
Level 1

hey guys,

On my DMVPN head-end router (3845, running 151-4.M2), I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via the tunnel and through the head-end firewalls). To avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router. However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged. Any help would be appreciated.

interface Loopback0
 ip address 10.103.255.1 255.255.255.255
!
interface Tunnel10
 bandwidth 10000
 ip address 10.103.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 description Routed link to Core
 ip address 10.100.160.105 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Link to External segment
 ip address 1.1.1.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 1
 network 10.100.160.104 0.0.0.3
 network 10.103.254.0 0.0.0.255
 network 10.103.255.1 0.0.0.0
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface GigabitEthernet0/0
 eigrp router-id 10.103.255.1
!
ip access-list extended vpn-traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map vpn-default permit 10
 description Default route to Internet for encrypted traffic
 match ip address vpn-traffic
 set ip next-hop 1.1.1.2
!
ip local policy route-map vpn-default

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Dave,

I think we should do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).

You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).

Result - separation of overlay and transport - you can have two default routes, one for connectivity to spokes, one for traffic to be passed over the tunnel.

Marcin

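Marcin's VRF-lite suggestion written out as an added example (this is not configuration from the thread): it assumes a front-door VRF named INET and IKEv1 pre-shared keys, and reuses the interface names, addresses and IPsec profile name from Dave's configuration; the keyring name and key are placeholders.

```ios
! Front-door VRF (FVRF) for the Internet-facing transport; the name INET is assumed
ip vrf INET
!
! Gi0/1 moves into the FVRF. Entering "ip vrf forwarding" clears the
! interface address, so it is re-applied (same address as in the thread).
interface GigabitEthernet0/1
 description Link to External segment
 ip vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! Transport default route exists only in the INET VRF and points at the
! Internet router (1.1.1.2, the next hop from the original route-map).
! It is used solely to reach spoke public addresses and never leaks into global.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! The tunnel stays in the global table (overlay) but sources its GRE/IPsec
! packets from the INET VRF. All other Tunnel10 settings are unchanged.
interface Tunnel10
 tunnel source GigabitEthernet0/1
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROFILE
!
! IKEv1 with pre-shared keys must find peers in the FVRF, so the keyring is
! VRF-bound. Keyring name and key are assumed placeholders; the thread does
! not show the crypto configuration.
crypto keyring DMVPN-KEYS vrf INET
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-REAL-PSK
!
! The global default route is now the one learned from the core via EIGRP on
! Gi0/0 and is advertised to the spokes over Tunnel10, so the local policy and
! the per-spoke static route are no longer needed.
no ip local policy route-map vpn-default
no route-map vpn-default
!
! Verification:
!   show ip route vrf INET     - only the transport default should be here
!   show ip route 0.0.0.0      - global default learned from the core
!   show dmvpn                 - spoke NHRP registrations up
!   show crypto session        - IKE/IPsec SAs with the spokes
```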

4 Replies


Marcin - Good call, thanks. All is working using this method.

Thanks,

Dave

Dave,

rizwanr74's method could also work, but I still opt for mine.

Separation of overlay and transport is usually highly recommended.

Marcin

rizwanr74
Level 7

Please try this.

interface Tunnel10
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 112

In this example the value "112" is the default-route cost; as you know, a static route has a cost of 1.

If you are trying to push a default route via the tunnel, then you need to advertise the default route via the tunnel from the hub site with a lower route cost.

thanks