03-26-2012 05:24 PM - edited 02-21-2020 05:58 PM
hey guys,
On my DMVPN head-end router (3845 - running 151-4.M2), I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via tunnel and through head-end f/w's). And to avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router. However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged. Any help would be appreciated.
interface Loopback0
ip address 10.103.255.1 255.255.255.255
!
interface Tunnel10
bandwidth 10000
ip address 10.103.254.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication xxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
description Routed link to Core
ip address 10.100.160.105 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Link to External segment
ip address 1.1.1.4 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 10.100.160.104 0.0.0.3
network 10.103.254.0 0.0.0.255
network 10.103.255.1 0.0.0.0
passive-interface default
no passive-interface Tunnel10
no passive-interface GigabitEthernet0/0
eigrp router-id 10.103.255.1
!
ip access-list extended vpn-traffic
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
route-map vpn-default permit 10
description Default route to Internet for encrypted traffic
match ip address vpn-traffic
set ip next-hop 1.1.1.2
!
ip local policy route-map vpn-default
03-27-2012 01:01 AM
Dave,
I think we should do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).
You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).
Result - separation of overlay and transport - you can have two default routes, one for connectivity to spokes, one for traffic to be passed over the tunnel.
Marcin
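For reference, here is what the front-door VRF (fVRF) layout Marcin describes looks like when applied to the hub config posted above. This is an added example, not config from the thread; the VRF name INET is assumed, the addresses, tunnel parameters and the 1.1.1.2 gateway are the ones Dave posted.

```ios
! Added example (not from the thread): fVRF variant of the posted hub config.
! VRF name "INET" is assumed; everything else reuses values from the thread.
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Transport interface moves into the fVRF. Note: on IOS, applying
! "vrf forwarding" removes the IP address, so it must be re-entered.
interface GigabitEthernet0/1
 description Link to External segment (transport, in fVRF INET)
 vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! Transport default: reaches any spoke public IP via the internet router,
! so no per-spoke static route and no local policy routing are needed.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! Tunnel stays in the global table (overlay); "tunnel vrf" tells the
! router to resolve the GRE/IPsec peer through the INET table instead.
interface Tunnel10
 ip address 10.103.254.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROFILE
!
! The global table keeps only the EIGRP-learned default from the core,
! so spoke internet traffic still exits through the head-end firewalls.
! The policy-routing workaround from the original post is removed.
no ip local policy route-map vpn-default
```

After the change, `show ip route vrf INET` should show only the transport default, while `show ip route 0.0.0.0` in the global table shows the EIGRP default from the core; `show dmvpn` confirms the spoke re-registers without a static route to its public IP.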
03-27-2012 07:13 AM
Marcin- Good call, thanks. All is working using this method...
Thanks,
Dave
03-27-2012 08:56 AM
Dave,
rizwanr74's method could also work, but I still opt for mine.
Separation of overlay and transport is usually highly recommended.
Marcin
03-27-2012 07:03 AM
Please try this.
interface Tunnel10
ip summary-address eigrp 1 0.0.0.0 0.0.0.0 112
In this example the value "112" is the default-route cost; as you know, a static route has a cost of 1.
If you are trying to push the default route via the tunnel, then you need to advertise the default route via the tunnel from the hub site with a lower route cost.
thanks