4222 Views, 0 Helpful, 9 Replies

PBR between DMVPN tunnel interface and ethernet

Hello, we have a DMVPN scenario with a central office with a 2821 (gi0/0 to the Internet and gi0/1 to the firewall, which is connected to the LAN with another Ethernet port), and 6 remote offices with 877, 2801, 2811 or 2821 routers using EIGRP. I would like to route all traffic from the remote offices to the Internet through the firewall in the central office, but I don't know how. Any idea of a simple way?

Thanks.

Regards

9 Replies

Giuseppe Larosa
Hall of Fame

Hello Victor,

If my understanding is correct:

you would like to have the firewall on the path between the remote offices and the Internet, but your DMVPN is terminated on a router that is on the outside of the firewall.

Be aware that the firewall needs to see both directions of each flow or it will be a problem.

Also, where is NAT performed, on the FW or the router? I guess you are doing NAT on the FW, and this may be one reason for making traffic from the remote offices also go through it.

You should logically split the link between the router and the FW into two logical links using VLAN-tagging-based subinterfaces.

One link will be the outside of the FW and one link will be a new DMZ to which you will give a security level higher than outside.

The FW has to be configured to perform NAT for the remote office LAN subnets between the DMZ and outside interfaces.

Central office NAT is performed between the inside and outside interfaces on the FW.

The router has to do PBR inbound on the DMVPN mGRE tunnel towards the DMZ, as you have noticed.

The FW needs static routes for the remote office LAN subnets pointing to the DMZ and using the router interface on this logical subnet.

Hope to help

Giuseppe

Hello Giuseppe, thanks for your response. Really, I'm not sure of the config I need to put into the routers. Here is a scheme of the network. The NAT is done from VLAN INTERNET to the public IP in Router A.

ROUTER B:
ip route 1.1.1.1 255.255.255.255 2.2.2.1 (ISP public IP address)
ip route 0.0.0.0 0.0.0.0 10.0.0.1

With this configuration in Router B the tunnel will come up using the first route, and the rest of the traffic will go to Router A through the tunnel interface (it is working right now and it's OK).

ROUTER A:
ip route 2.2.2.2 255.255.255.255 1.1.1.2 (ISP public IP address)
ip route 0.0.0.0 0.0.0.0 172.16.1.1

The problem I have is that Router A has a default gateway to the firewall, so I don't know how to route the traffic to the firewall, and when it returns from the firewall how to route through the Internet.

Regards.

Hello Victor,

From the network diagram we see that the router is more external than the firewall, so the Internet connection is clearly connected to the router.

So I would expect a default route on RA pointing to the SP IP address on the Internet access link, and specific static routes for the internal networks and the DMZ pointing to the firewall.

But you say that you see:

>>

The problem I have is that Router A has a default gateway to the firewall, so I don't know how to route the traffic to the firewall, and when it returns from the firewall how to route through the Internet.

Is this setup already running  or you are preparing this network?

If it is already up and running we should see the whole configuration of Router A; my guess is that Router A may be using a form of VRF-lite to separate Internet access from the global routing table, with communication between VRFs performed and controlled by the firewall.

Remove all usernames/passwords and replace the public IP addresses with other addresses, or use something like x.y.z.k, if you decide to post the interesting parts of Router A's configuration.

Hope to help

Giuseppe

Hello Giuseppe, what is working now is the DMVPN, but the traffic from the remote offices is going to the Internet without crossing the firewall (RA is routing the traffic from the tunnel interface directly to the Internet).

Now I have two options:

A) PBR: using three PBR rules on three interfaces:

          Tunnel interface: from remote office IPs to the Internet through the firewall

          VLAN Internet: from remote office IPs to the Internet through the public interface in RA

          VLAN DMZ: from the Internet to remote office IPs through the tunnel interface

The default gateway should be the ISP public IP address.

B) VRF: using VRF-lite with two VRFs:

          VRF 1: tunnel interface and VLAN DMZ (static routes to the remote offices through the tunnel interface, and the firewall as default gateway)

          VRF 2: VLAN Internet and public interface (static route to the remote offices through the firewall, and the default gateway through the public interface).

But the tunnel interface is attached to the public interface (command "tunnel source GigabitEthernet0/0" under interface tunnel0), so I don't know if I can use the tunnel interface in one VRF and GigabitEthernet0/0 in another VRF.

I have been analyzing both options and I think both should work. What is your opinion? Which option do you think is better?

Thanks

Regards.

Hello Victor,

I'm sorry for the late answer, I didn't catch your follow-up.

A)

From the remote office you just need to have a default route pointing to the hub over the mGRE tunnel; you don't need PBR.

The FW can have specific static routes for the remote office LAN subnets pointing to the DMZ subinterface, so no need for PBR in this direction either.

All you need is a PBR rule on hub RA's mGRE tunnel pointing to the DMZ interface towards the FW.

B)

In this case the mGRE tunnel could be associated with a VRF together with the DMZ interface; the point of attachment of the mGRE can still be in the default global routing table.

You would move the DMVPN within a VRF on the RA hub router.

>>

so I don't know if I can use the tunnel interface in a vrf and the GigabitEthernet0/0 in another vrf.

Basically this is possible.

The second solution may be more scalable in the long term.

The first solution may be easier to implement, as at this point it requires just a PBR rule on RA.

Hope to help

Giuseppe
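A worked configuration for option A as described in Giuseppe's first reply and in item A) above. This is an added example, not configuration posted by anyone in the thread. It uses the addresses Victor gives later in the thread (Tunnel0 10.0.0.1/24, firewall DMZ 10.0.1.1 on VLAN 10, firewall outside 192.168.232.1, spoke LANs 192.168.16.0/22 to 192.168.28.0/22, which aggregate to 192.168.16.0/20); the ACL and route-map names and the VLAN-10 DMZ subinterface are assumptions. The second route-map is only needed if NAT stays on Router A as in Victor's current design; with NAT on the firewall (Giuseppe's design) the return traffic is addressed to the firewall's NAT pool and a static route to 192.168.232.1 for that pool replaces it.

```cisco
! Added example (not from the thread): option A on hub Router A, global table only.
! Assumed: VLAN 10 DMZ subinterface, ACL/route-map names, spoke LANs = 192.168.16.0/20.
interface GigabitEthernet0/1.10
 description DMZ leg towards the firewall (firewall DMZ address 10.0.1.1)
 encapsulation dot1Q 10
 ip address 10.0.1.2 255.255.255.0
!
! Forward leg: spoke traffic entering the mGRE tunnel and bound for the Internet is
! handed to the firewall's DMZ address. Site-to-site and tunnel/DMZ-address traffic is
! excluded so it keeps following the normal routing table.
ip access-list extended SPOKES-TO-INTERNET
 deny   ip 192.168.16.0 0.0.15.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.16.0 0.0.15.255 10.0.0.0 0.0.1.255
 permit ip 192.168.16.0 0.0.15.255 any
!
route-map SPOKES-VIA-FW permit 10
 match ip address SPOKES-TO-INTERNET
 set ip next-hop 10.0.1.1
!
interface Tunnel0
 ip policy route-map SPOKES-VIA-FW
!
! Return leg, only when NAT stays on Router A: after un-NAT the reply is destined to a
! spoke LAN and the EIGRP /22 route would send it straight into the tunnel, so the
! firewall would see one direction only. PBR on the ISP interface sends it to the
! firewall's outside address instead (NAT is applied before PBR on the outside interface).
ip access-list extended INTERNET-TO-SPOKES
 permit ip any 192.168.16.0 0.0.15.255
!
route-map REPLIES-VIA-FW permit 10
 match ip address INTERNET-TO-SPOKES
 set ip next-hop 192.168.232.1
!
interface GigabitEthernet0/0
 ip policy route-map REPLIES-VIA-FW
!
! Firewall side (comments only): DMZ interface 10.0.1.1 with a security level above
! outside; static route 192.168.16.0/20 -> 10.0.1.2 on the DMZ; policy DMZ -> outside
! for the spoke LANs; NAT for the spoke LANs between DMZ and outside, or none if
! Router A keeps doing the NAT on gi0/0.
```

Check with `show ip policy` and `show route-map SPOKES-VIA-FW`; the match counters must increase while a spoke browses, and `show ip route 192.168.16.1` on the firewall must resolve to the DMZ leg. One property to keep in mind: PBR fails open. Any spoke packet the ACL does not match falls through to the normal routing table, i.e. the default route to the ISP, and bypasses the firewall, so the deny lines must only cover destinations that are genuinely internal. The VRF design of option B has the opposite property, because the VRF's only way out is the firewall's DMZ leg.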

Thanks again Giuseppe, I think we are going to implement the option B) using VRF, it seems a better solution.

Regards.

Hello, I have seen the commands I need to configure the scenario, and this is what I get (Router A; I have suppressed all commands not related to the VRF config):

ip vrf DMVPN
 rd 10:10
!
! ip vrf forwarding goes before ip address (assigning the VRF clears the address),
! and a subinterface needs its encapsulation before an address can be set
interface tunnel0
 ip vrf forwarding DMVPN
 ip address 10.0.0.1 255.255.255.0
!
int gi0/0
 ip address X.X.X.X
!
int gi0/1
 ip address 192.168.232.2 255.255.255.0 (FIREWALL: 192.168.232.1)
!
int gi0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding DMVPN
 ip address 10.0.1.2 255.255.255.0 (FIREWALL: 10.0.1.1)
!
router eigrp 10
 address-family ipv4 vrf DMVPN
  autonomous-system 10
  redistribute static
  passive-interface GigabitEthernet0/0
  passive-interface GigabitEthernet0/1
  passive-interface GigabitEthernet0/1.10
  network 10.0.0.0 0.0.1.255
  no auto-summary
!
ip route vrf DMVPN 192.168.0.0 255.255.248.0 10.0.1.1
ip route vrf DMVPN 192.168.200.0 255.255.255.0 10.0.1.1
ip route vrf DMVPN 192.168.230.0 255.255.255.0 10.0.1.1
ip route vrf DMVPN 192.168.231.0 255.255.255.0 10.0.1.1
ip route vrf DMVPN 192.168.232.0 255.255.255.0 10.0.1.1
ip route vrf DMVPN 10.0.0.0 255.255.255.0 10.0.1.1
ip route vrf DMVPN 0.0.0.0 0.0.0.0 10.0.1.1
!
ip route 192.168.0.0 255.255.224.0 192.168.232.1
ip route 192.168.200.0 255.255.255.0 192.168.232.1
ip route 192.168.231.0 255.255.255.0 192.168.232.1
ip route 10.0.0.0 255.255.254.0 192.168.232.1
ip route 0.0.0.0 0.0.0.0 X.X.X.Y

!

X.X.X.X: Public ip address

X.X.X.Y: ISP public ip address

Central Office: 192.168.0.0/21, 192.168.200.0/24, 192.168.230.0/24, 192.168.231.0/24, 192.168.232.0/24

Remote Offices: 192.168.16.0/22, 192.168.20.0/22, 192.168.24.0/22, 192.168.28.0/22

DMVPN Tunnel interfaces: 10.0.0.X/24

Do you think it's ok?

Regards.

Hello Victor,

This looks like a good starting point.

However, you need to add NAT to the picture, and you will do NAT on the firewall at this point.

So in the global routing table you will not try to route to the central office's private addresses or to the remote offices', but to the NAT pool(s) that you have assigned for source NAT translation, as I noted in my first post; these are public addresses given to you by your ISP.

Second note: I may be wrong, but the passive-interface command may be unsupported under a VRF address family.

Also, you shouldn't list interfaces that are not part of the VRF, like gi0/0 or gi0/1. This is not necessary; they are not in the VRF topology.

Third note: default route propagation in EIGRP: I'm not sure that redistributing a static default route will work with EIGRP.

The use of

ip summary-address eigrp 10 0.0.0.0 0.0.0.0 201

on the tunnel interface on the hub router may achieve the desired result.

See

http://www.cisco.com/en/US/docs/ios/iproute_eigrp/configuration/guide/ire_cfg_eigrp_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060179

4th note: I would leave the main interface without an IP address and configure another VLAN-based subinterface to be used in the global routing table, but this is more a question of style.

Hope to help

Giuseppe

Thank you Giuseppe. Following your notes:

1) I have not indicated the NAT commands, but as far as I know:

int gi0/0
 ip nat outside
!
int gi0/1
 ip nat inside
!
ip nat inside source route-map NAT interface GigabitEthernet0/0
!
route-map NAT permit 1
 match ip address 110
!
access-list 110 permit ip 192.168.0.0 0.0.7.255 any
access-list 110 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit ip 192.168.230.0 0.0.0.255 any
access-list 110 permit ip 192.168.231.0 0.0.0.255 any
access-list 110 permit ip 192.168.232.0 0.0.0.255 any
access-list 110 permit ip 192.168.16.0 0.0.3.255 any
access-list 110 permit ip 192.168.20.0 0.0.3.255 any
access-list 110 permit ip 192.168.24.0 0.0.3.255 any
access-list 110 permit ip 192.168.28.0 0.0.3.255 any

2) I have worked previously with OSPF in VRF environments, but not with EIGRP. I will change the template as you say.

3) I am not interested in propagating the default route. I will configure it in each remote router as a static route, so this route will have an administrative distance of 1.

4) I agree with you, I will try to change it.

Regards.
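Putting the thread's pieces together for option B: an added example, not Victor's draft nor anything Giuseppe posted, showing the Router A hub configuration revised along Giuseppe's four notes and with the NAT from the reply above. Addresses are the ones Victor posted; the VLAN-20 subinterface for the global leg (gi0/1.20), the ACL name NAT-SOURCES, the mask on gi0/0 and the /20 aggregate of the spoke LANs are assumptions, and the NHRP/IPsec lines of the existing tunnel are omitted as in Victor's draft. NAT is kept on Router A as in Victor's design, which is why the spoke LANs appear in the NAT ACL; the last comment block says what changes if it moves to the firewall instead.

```cisco
! Added example (not from the thread): Router A (DMVPN hub) with the tunnel in VRF DMVPN.
! Assumed: VLAN 20 global leg, ACL name NAT-SOURCES, gi0/0 mask, spoke LANs = 192.168.16.0/20,
! NAT on Router A (not on the firewall).
ip vrf DMVPN
 rd 10:10
!
interface GigabitEthernet0/0
 description Internet uplink; the tunnel transport stays in the global table
 ip address X.X.X.X 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the firewall; no address on the main interface (note 4)
 no ip address
!
interface GigabitEthernet0/1.10
 description DMZ leg in VRF DMVPN; firewall DMZ address 10.0.1.1
 encapsulation dot1Q 10
 ip vrf forwarding DMVPN
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/1.20
 description Firewall outside leg in the global table; firewall address 192.168.232.1
 encapsulation dot1Q 20
 ip address 192.168.232.2 255.255.255.0
 ip nat inside
!
interface Tunnel0
 description DMVPN hub mGRE; NHRP and IPsec settings unchanged and omitted here
 ip vrf forwarding DMVPN
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 10
 address-family ipv4 vrf DMVPN
  autonomous-system 10
  network 10.0.0.0 0.0.0.255
  no auto-summary
  ! only the tunnel subnet is enabled, so no passive-interface lines are needed (note 2),
  ! and no default route is redistributed: the spokes keep a static default (note 3)
 exit-address-family
!
! VRF DMVPN: everything from the spokes, central office or Internet, is handed to the
! firewall's DMZ leg; the VRF has no other exit, so nothing can bypass the firewall.
! Spoke LANs are learned from the spokes over Tunnel0 via EIGRP.
ip route vrf DMVPN 0.0.0.0 0.0.0.0 10.0.1.1
!
! Global table: Internet via the ISP, internal prefixes back to the firewall's outside leg.
! 192.168.0.0/19 covers the central office 192.168.0.0/21 and the spoke LANs 192.168.16.0/20,
! so un-NATed replies for the spokes return through the firewall, which routes them to
! 10.0.1.2 on the DMZ and from there they re-enter the VRF and the tunnel.
ip route 0.0.0.0 0.0.0.0 X.X.X.Y
ip route 192.168.0.0 255.255.224.0 192.168.232.1
ip route 192.168.200.0 255.255.255.0 192.168.232.1
ip route 192.168.230.0 255.255.255.0 192.168.232.1
ip route 192.168.231.0 255.255.255.0 192.168.232.1
!
! NAT on Router A between the firewall's outside leg (inside) and the ISP (outside).
! "overload" gives PAT on the single public address of gi0/0.
ip access-list extended NAT-SOURCES
 permit ip 192.168.0.0 0.0.7.255 any
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 192.168.230.0 0.0.0.255 any
 permit ip 192.168.231.0 0.0.0.255 any
 permit ip 192.168.232.0 0.0.0.255 any
 permit ip 192.168.16.0 0.0.15.255 any
!
route-map NAT permit 10
 match ip address NAT-SOURCES
!
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
!
! Firewall side (comments only): DMZ interface 10.0.1.1 in VLAN 10 and outside interface
! 192.168.232.1 in VLAN 20; static route 192.168.16.0/20 -> 10.0.1.2 on the DMZ; policy
! DMZ -> outside for the spoke LANs; no NAT on the firewall in this variant. If NAT is
! moved to the firewall (Giuseppe's first note), replace the 192.168.x global routes
! with routes for the firewall's NAT pool via 192.168.232.1 and drop the ip nat lines.
```

To verify: `show ip route vrf DMVPN` should list the spoke /22s via Tunnel0 and only one default, towards 10.0.1.1; `show ip route` should show no route into Tunnel0 at all, which is the point of the VRF split; `show ip nat translations` should show spoke addresses translated to the gi0/0 address while a spoke browses; and a `traceroute` from a spoke host should pass 10.0.1.1 before leaving. The GRE transport still arrives on gi0/0, the NAT outside interface, addressed to X.X.X.X; the NAT rule only translates packets matching NAT-SOURCES, so the tunnel itself is not affected.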
