New Member

ip local policy - DMVPN head-end router

hey guys,

On my DMVPN head-end router (3845, running 151-4.M2), I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via the tunnel and thru the head-end f/w's). To avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router. However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged. Any help would be appreciated.

interface Loopback0
 ip address 10.103.255.1 255.255.255.255
!
interface Tunnel10
 bandwidth 10000
 ip address 10.103.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 description Routed link to Core
 ip address 10.100.160.105 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Link to External segment
 ip address 1.1.1.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 1
 network 10.100.160.104 0.0.0.3
 network 10.103.254.0 0.0.0.255
 network 10.103.255.1 0.0.0.0
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface GigabitEthernet0/0
 eigrp router-id 10.103.255.1
!
ip access-list extended vpn-traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map vpn-default permit 10
 description Default route to Internet for encrypted traffic
 match ip address vpn-traffic
 set ip next-hop 1.1.1.2
!
ip local policy route-map vpn-default


Accepted Solutions
Cisco Employee

ip local policy - DMVPN head-end router

Dave,

I think let's do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).

You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).

Result: separation of overlay and transport. You can have two default routes, one for connectivity to spokes, one for traffic to be passed over the tunnel.

Marcin
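A worked configuration of the VRF-lite split Marcin describes, added here as an illustration; it is not taken from the thread or from Cisco documentation. It reuses the addresses from Dave's posted config (Gig0/1 at 1.1.1.4/24, internet router 1.1.1.2, Tunnel10 with profile DMVPN-PROFILE) and assumes a front-door VRF named INET for the transport side. The global table keeps the EIGRP-learned default from the core for overlay traffic, so only the INET VRF needs a static default towards the internet router:

```text
! Added example: front-door VRF (FVRF) for the DMVPN transport.
! "INET" is an assumed VRF name; addresses come from the posted config.
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Transport interface moves into the FVRF. Applying "vrf forwarding"
! clears the interface IP address, so it has to be re-entered.
interface GigabitEthernet0/1
 description Link to External segment (transport VRF)
 vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! Tunnel itself stays in the global table (overlay); its GRE/IPsec
! packets are routed in INET because of "tunnel vrf".
interface Tunnel10
 ip address 10.103.254.1 255.255.255.0
 ! ... existing NHRP / EIGRP / MTU lines unchanged ...
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROFILE
!
! Transport default: spoke public addresses are reached via the internet router.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! The global default remains the EIGRP-learned route from the core, so the
! local policy that tried to steer ESP/ISAKMP is no longer needed.
no ip local policy route-map vpn-default
```

Check the split with "show ip route vrf INET" (default via 1.1.1.2), "show ip route 0.0.0.0" (EIGRP default from the core in global), and "show dmvpn" / "show crypto isakmp sa" once the spoke re-registers. If the pre-shared keys behind DMVPN-PROFILE are held in a keyring, that keyring must be bound to the FVRF ("crypto keyring NAME vrf INET"), because IKE now terminates on an interface inside INET; the crypto configuration is not shown in the thread, so that part is an assumption to verify on the box.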

4 REPLIES
New Member

ip local policy - DMVPN head-end router

Marcin-  Good call, thanks. All is working using this method...

Thanks,

Dave

Cisco Employee

ip local policy - DMVPN head-end router

Dave,

rizwanr74's method could also work, but I still opt for mine.

Separation of overlay and transport is usually highly recommended.

Marcin

ip local policy - DMVPN head-end router

Please try this.

interface Tunnel10

  ip summary-address eigrp 1 0.0.0.0 0.0.0.0 112

In this example the value "112" is the default-route cost; as you know, a static route has a cost of 1.

If you are trying to push the default route via the tunnel, then you need to advertise the default route via the tunnel from the hub site with a lower route cost.

thanks
