09-03-2013 11:18 AM - edited 03-04-2019 08:56 PM
Hi,
I think I have a simple question. My router is basically used to establish VPN with a remote router. So, I have this line:
ip route 0.0.0.0 0.0.0.0 10.131.56.1
Also, for the users, the default gateway is this router. (10.131.56.4, the hub VPN)
I'm using EIGRP for routing.
So if I want to establish a VPN with a remote router I have to add this route
ip route [ip address remote router] 255.255.255.255 [default ip address provider internet]
With these lines, internet navigation goes to 10.131.56.1 (that's perfect) because I don't want internet navigation to use the same internet connection as my VPN with the remote site. For VPN, I'm using the provider attached to the router. That's perfect.
But, what I want to do is I would like to use DMVPN. So, the spoke could change public ip address any time. So, in the hub I would like to use this line:
ip route 0.0.0.0 0.0.0.0 [default ip address provider internet]
not this line
ip route 0.0.0.0 0.0.0.0 10.131.56.1 (for user's internet navigation, like presently)
So, what I have to do (I think) is a route-map.
Everything in 10.131.56.0 use this ip route (ip route 0.0.0.0 0.0.0.0 10.131.56.1)
and for other use ip route 0.0.0.0 0.0.0.0 [default ip address provider internet]
I don't know how to use route-map in this situation. Could somebody help me? Or, any other suggestion?
Thank you
09-03-2013 11:26 AM
Hi Mario,
maybe you would like to use PBR (Policy based routing).
Something like:
access-list 1 permit 10.131.56.0 0.0.0.255
!
interface [inbound interface]
 ip policy route-map mymap
!
route-map mymap permit 10
 match ip address 1
 set ip next-hop 10.131.56.1
route-map mymap permit 20
 set ip next-hop [default ip address provider internet]
In a scenario like this, everyone in the 10.131.56.0 /24 network will use 10.131.56.1 and all other traffic will use the internet provider ip address as next-hop.
Best regards,
Jan
09-03-2013 11:36 AM
It makes sense. But could I have a problem to use next-hop then ip route? Is it the same thing for routing? I apply it on inbound interface, do I have to add a line anywhere with
ip route 0.0.0.0 0.0.0.0 .... for VPN?
Thank you Jan
09-03-2013 11:46 AM
Hi Mario,
I'm not really sure if I got you right, but you don't have to add ip route anywhere.
Just one more thing regarding the command set ip next-hop:
The set ip next-hop command verifies the existence of the next hop specified, and…
if the next hop exists in the routing table, then the command policy routes the packet to the next hop.
if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.
and regarding PBR - when applied to an interface, everything is routed accordingly by the route-map. When there is no match, packets are routed according to the regular routing table.
If you have any questions, please feel free to ask or look at this document:
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml
Best regards,
Jan
09-03-2013 05:39 PM
I tried PBR lines but the problem is I can't communicate to VPN remote site because I'm in 10.131.56.0 range and my next hop is 10.131.56.1. So, for example, I want to communicate to 10.135.50.X and this network is a remote site from VPN connection.
When I trace it it's:
10.131.56.5
10.131.56.1
10.131.56.5
10.131.56.1
...
It's a loop. So PBR bypasses the EIGRP table.
Thanks
09-04-2013 02:45 AM
Hi Mario,
Aaah I'm sorry, my bad, I didn't understand you correctly the first time. You want to use PBR on everything else and route 10.131.56.x according to the normal routing table, right?
In that case, try:
access-list 1 permit 10.131.56.0 0.0.0.255
!
interface [inbound interface]
 ip policy route-map mymap
!
route-map mymap deny 10
 match ip address 1
route-map mymap permit 20
 set ip next-hop [default ip address provider internet]
In this scenario, everything in the 10.131.56.x /24 is routed by the normal routing table (is denied by the route-map) and everything else is routed by the route-map to the default ip address of ISP. I hope that I got it right this time.
Best regards,
Jan
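The two route-maps posted in this thread, modelled as an added Python example (not code from either poster and not Cisco's implementation) to show where a packet from 10.131.56.5 to the remote site 10.135.50.x ends up under each. The ISP gateway 203.0.113.1, the tunnel peer 172.16.0.2 and the routing table are constructed, and "next hop exists" is modelled as the next hop lying on a connected prefix, which is an assumption.

```python
import ipaddress

ISP_GW = "203.0.113.1"  # constructed stand-in for [default ip address provider internet]
# Constructed hub routing table: (prefix, next hop). 172.16.0.2 is a hypothetical tunnel peer.
RIB = [("10.131.56.0/24", "connected"), ("203.0.113.0/30", "connected"),
       ("10.135.50.0/24", "172.16.0.2"),  # remote site, as learned via EIGRP over the VPN
       ("0.0.0.0/0", ISP_GW)]
ACL_1 = ["10.131.56.0/24"]  # access-list 1 permit 10.131.56.0 0.0.0.255 (source match)

# Clause = (action, acl, set next hop); acl None means no match statement, so it matches all.
FIRST_MAP = [("permit", ACL_1, "10.131.56.1"), ("permit", None, ISP_GW)]
SECOND_MAP = [("deny", ACL_1, None), ("permit", None, ISP_GW)]

def rib_lookup(dst):
    """Longest-prefix match in RIB; returns the next hop, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in RIB
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(route_map, src, dst):
    """Return (decided_by, next_hop) for a packet arriving on the policy-routed interface."""
    source = ipaddress.ip_address(src)
    for action, acl, next_hop in route_map:
        if acl is not None and not any(source in ipaddress.ip_network(n) for n in acl):
            continue  # clause does not match, try the next sequence number
        # A deny clause, or a set next hop that is not on a connected prefix
        # (assumed meaning of "exists"), hands the packet to normal routing.
        if action == "deny" or rib_lookup(next_hop) != "connected":
            break
        return ("pbr", next_hop)
    return ("rib", rib_lookup(dst))

if __name__ == "__main__":
    for name, rmap in (("first", FIRST_MAP), ("second", SECOND_MAP)):
        for dst in ("10.135.50.10", "198.51.100.7"):  # VPN site, internet host
            print(name, "10.131.56.5 ->", dst, forward(rmap, "10.131.56.5", dst))
```

With the second route-map the LAN users' internet traffic also follows the routing table, so it leaves by whichever default route the hub holds.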