It would be interesting to see the show ip route from the spoke router, whether the 10.0.0.0/8 route turns up there, and if so how does the metric compare.

I noticed that the metric of the 10.0.0.0/8 route is considerably less than, for example, the 10.0.96.0/24 route. I wondered whether that might give us a clue. It seems to be closer than the Ethernet of the spoke router, so it looks like it come from inside the spoke router.

I thought it might be something to do with the default route 0.0.0.0/0 to Dialer1, but why that should be propagated as 10.0.0.0/8 is a mystery to me. I looked up the rules for redistribution of the default route into EIGRP, and the document says that if you want the 0.0.0.0/0 route distributed by EIGRP, then you have to specifically redistribute the static. So that looks like another dead-end, but here is the doc anyway:

http://www.cisco.com/warp/public/105/default.html

Both your central site and your spokes are ip classless, so no joy there.

I looked for no auto-summary, and you have that OK. I looked for some ip summary-address lines, but I did not see any of those either.

Sorry, I've checked everything I know about, and I still cannot see it. What does the routing table look like on a spoke router?

Kevin Dorrell

Luxembourg

Shouldn't the default route on the spoke router be to Tunnel0 rather than to Dialer1. Is the route coming from your access server? I'm no expert in these configurations, so tell me if I'm wrong.

Alternatively, could you use an EIGRP stub configuration?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfeigrp.htm#wp1003890

Kevin Dorrell

Luxembourg

Kevin,

Thanks for the reply.

Here is the routing table from the spoke:

GW1.0096>sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

70.0.0.0/32 is subnetted, 1 subnets

C 70.xx.xx.169 is directly connected, Dialer1

66.0.0.0/32 is subnetted, 1 subnets

S 66.xx.xx.186 is directly connected, Dialer1

172.16.0.0/24 is subnetted, 2 subnets

D EX 172.16.1.0 [170/15362560] via 10.64.0.1, 13:28:18, Tunnel0

D EX 172.16.2.0 [170/15362560] via 10.64.0.1, 13:28:18, Tunnel0

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.6.8.1/32 is directly connected, Dialer1

D 10.0.20.0/24 [90/15641600] via 10.64.0.1, 13:28:18, Tunnel0

C 10.64.0.0/24 is directly connected, Tunnel0

C 10.0.96.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 is directly connected, Dialer1

GW1.0096>

To answer your question on the default route being Dialer1 rather than Tunnel0, we actually have a split tunnel situation here where URL Filtering is in place.. all HTTP, POP3, HTTPS, and a few other protocol traffic are NAT'd to the IP of the Dialer1 interface, then sent directly to the internet. We could have just set the default route to Tunnel0, but we didn't want to tunnel everything through headquarters. We expect to eventually have 200 spokes connected, so tunneling all spokes would generate (and waste) ALOT of traffic on the hq WAN pipe.

I think EIGRP stub is intended for sending all traffic through a central router, similar to setting the default route to tunnel0... or am I wrong? I only briefly looked over the stub feature.

Thanks for the help.

Ryan

Why not do a show ip eigrp topology for the route on the spoke?

Why do you have the route 10.0.0.0/8 pointing to the null interface on the hub?.

My guess is that this static route is being redistributed into eigrp, advertised to the spokes and advertised back again. Consider that you have an administrative distance of 254, higher than all routing protocols.

The EIGRP topology would give you an idea of what is actually happening?.

Olorunloba,

I understand what you are suggesting, but there are three things I cannot reconcile about it:

1. If that were the mechanism, wouldn't there be a D entry in the spoke routing table for 10.0.0.0/8? Perhaps it would be useful to see the EIGRP database on the spoke.

2. Wouldn't split horizon stop the route being re-advertised out the port it came from?

3. For the static default route to be re-distributed into EIGRP, doesn't it have to be done explicitly in the configuration? I don't see it anywhere.

It is strange that we don't see a D entry for 10.0.0.0/8 on the spoke, yet it turns up in the hub, apparently coming from the spoke. There is something going on that I haven't seen yet.

Is there a route to 10.0.0.0/8 in the access server, and is it distributed by EIGRP? We haven't seen the config of the access server yet.

Kevin Dorrell

Luxembourg

I agree with Olorunloba.

The hub sends the 10.0.0.0/8 to the spokes

and the spokes send it back to the hub, which installs it as a D route.

There exists the static route "ip route 10.0.0.0 255.0.0.0 Null0 254" in the hub,

in conjunction with "redistribute static" under the eigrp 1.

The "distribute-list 90 out" allows 10.0.0.0/8.

The "no ip split-horizon eigrp 1" is in the tunnels.

Is the 254 distance necessary ?

I think it should be less than the eigrp AD.

If you have more specific routes they will be used.

Why the route is not in the spoke table needs investigation.

If you do not want the spokes to have it,

you can filter it in the hub.

M.

You are right. How did I miss the redistribute static and the no ip split-horizon? I think I need a new pair of eye glasses 9-)

Kevin Dorrell

Luxembourg

Thanks olorunloba, you're correct. The 10.0.0.0/8 static route on the hub is being distributed to the spokes, then distributed back to the hub.

I guess I should explain what I'm trying to accomplish because I have no clue how to do it.

All traffic destined for 10.0.0.0/8 gets forwarded to the VPN1 router (the DMVPN hub).

As is, a ping to a host on a unavailable network (say 10.65.0.1) looks like so

(note that I removed the route to 10.0.0.0/8 -> Null0, dist 254 before executing this ping)

ryan@euclid(172.16.1.1):~$ traceroute -n 10.65.0.1

traceroute to 10.65.0.1 (10.65.0.1), 30 hops max, 40 byte packets

1 172.16.1.200 0.8 ms 0.855 ms 0.792 ms

2 66.xx.xx.186 2.073 ms 1.806 ms 1.737 ms

3 66.xx.xx.189 2.309 ms 2.057 ms 2.097 ms

4 66.xx.xx.189 3.539 ms * 4.276 ms

^C

(with the route to 10.0.0.0/8 -> Null0, dist 254 in the route table on VPN1, the ping looks like so...)

ryan@euclid(172.16.1.1):~$ traceroute -n 10.65.0.1

traceroute to 10.65.0.1 (10.65.0.1), 30 hops max, 40 byte packets

1 172.16.1.200 0.816 ms 0.821 ms 0.8 ms

2 66.xx.xx.186 2.807 ms 1.71 ms 1.74 ms

3 * 10.64.0.96 58.861 ms 57.732 ms

4 * * *

^C

Now, back to the 10.0.0.0/8 ->Null0 route not being in the table.... Because VPN1 (66.xx.xx.186) has 66.xx.xx.189 as its default route, when VPN1 doesn't have

a routing entry for 10.65.0.1, then the packet gets forwarded to 66.xx.xx.189.

I would like for the VPN1 router to just send an unreachable response, this is why I placed

the "ip route 10.0.0.0 255.0.0.0 Null0 254" thinking it would take care of this, but it obviously didn't.

I realize this is a simple question, but I have no idea how to do it. Please help. :-)

If it helps, here is the topology table on the HUB:

VPN1#sh ip eigrp top

IP-EIGRP Topology Table for AS(1)/ID(192.168.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 0.0.0.0/0, 1 successors, FD is 28160

via Rstatic (28160/0)

A 10.0.0.0/8, 1 Successors, FD is 15616000, Q

3 replies, active never, query-origin: Clear

via 10.64.0.96 (15616000/15360000), r, Tunnel0

Remaining replies:

via 10.64.0.200, r, Tunnel0

via 10.64.0.20, r, Tunnel0

P 10.0.20.0/24, 1 successors, FD is 2841600

via 10.64.0.20 (2841600/281600), Tunnel0

P 10.64.0.0/24, 1 successors, FD is 2816000

via Connected, Tunnel0

P 10.0.96.0/24, 1 successors, FD is 2841600

via 10.64.0.96 (2841600/281600), Tunnel0

P 172.16.1.0/24, 1 successors, FD is 28160

via Rstatic (28160/0)

P 172.16.2.0/24, 1 successors, FD is 28160

via Rstatic (28160/0)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 10.0.200.0/24, 1 successors, FD is 2841600

via 10.64.0.200 (2841600/281600), Tunnel0

VPN1#

Simplest means will be to remove the config

no ip split-horizon eigrp 1

from the tunnel interfaces. This will ensure that the 10.0.0.0/8 route is not advertised back to the hub.

If you change the administrative distance on the route, say to anything less than 90 (can ommit it for the default of 1), I guess it should also work.