Routing public IP's over a tunnel

(OP)
I'd like to see if this is possible. We have a need to route some public IPs over a tunnel to a Cisco ubr7246vxr from a 7206vxr. Basically, routing a /24 to be handed out to users over the tunnel. If it is possible, I may not have the config done correctly, since it was not working for me. Any help would be appreciated.

RE: Routing public IP's over a tunnel

Can you send scrubbed configs? What type of tunnel?

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY

RE: Routing public IP's over a tunnel

(OP)
Router A
interface Tunnel3
 ip address 162.x.x.x 255.255.255.252
 tunnel source 162.x.x.x
 tunnel destination x.x.x.x

ip route 162.x.x.0 255.255.255.0 162.x.x.x

The tunnel comes up and we can ping the interface, but routing traffic doesn't work.

RE: Routing public IP's over a tunnel

I'm confused on the amount you've posted..

Subnet XX --> Router A ========== Router B <-- Subnet YY

is what you are trying to do, I'm assuming?

Are XX and YY on the same /24? Are they summarizable (?word)

I know you are like scrubbing your public range, but for clarity why not use 1.1.1.0/24 and 2.2.2.0/24 or something?

thanks,

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Routing public IP's over a tunnel

(OP)
Sorry, here it is.

Router A
interface Tunnel3
 ip address 1.1.1.1 255.255.255.252
 tunnel source 1.2.2.2
 tunnel destination 2.2.2.2

ip route 3.3.3.0 255.255.255.0 1.1.1.2

Router B
interface Tunnel3
 ip address 1.1.1.2 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 1.2.2.2

ip route 1.2.2.2 255.255.255.255 2.2.2.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1

What we are trying to accomplish is this. We provide internet, voice and TV service to residents of MDU properties (apartments, mobile home parks, office parks, etc.). We have 2 locations where we couldn't get an on-net fiber solution in and had to work with another backhaul provider. I am trying to be able to hand out our public IPs to customers so they see us as their provider instead of our upstream and we hand out public IPs versus NATing everyone. I've been able to get these tunnels up no problem, but we are only working with 1918 IP space on those. We are running BGP on router A (we have our own ASN and ARIN public space).

As soon as I activate the config on router B, the connection drops, the only access is the backup modem. I am thinking it may be the first ip route line causing the issue. BTW, this is on a Cisco ubr7246VXR with an NPE-G1, router A is a 7206VXR with an NPE-G2.

RE: Routing public IP's over a tunnel

Do you have any dynamic routing protocols running between A and B? Tunnel flaps are usually due to the tunnel learning its source/destination through the tunnel itself as a better route vs. what it knows should be the better route..
That is assuming your tunnel is coming up correctly and is fully established..

I'm assuming on router A you have: ip route 2.2.2.2 255.255.255.255 1.1.1.2
and on router B you have: ip route 1.2.2.2 255.255.255.255 2.2.2.1


on router B:
debug cry condition ipv4 peer 1.2.2.2
debug cry isa sa
term mon
conf t
int tun 3
shut
no shut

Post results.

Do the same on Router A; instead, the peer is 2.2.2.2

RE: Routing public IP's over a tunnel

Routing protocols will not work over IPSEC tunnels, only GRE tunnels.


Most routing protocols require multicast/broadcast for routing updates, and since IPsec can only encrypt unicast traffic, this typically will not work. The workaround is to run GRE tunnels over transport mode IPsec and run the routing protocol on the tunnel interfaces.

RE: Routing public IP's over a tunnel

KCMUSA, do you see any IPsec config up there? 'Cause if you do, I must be blind as a bat..

RE: Routing public IP's over a tunnel

kcmusa, that IS a jerry tunnel. Which can be protected w/IPSEC, which would make it a VTI tunnel. But not in this case.

Collard Green---you figure this out yet? Got an update?

RE: Routing public IP's over a tunnel

(OP)
Not yet. The biggest issue is when I apply the default route to go over the tunnel, everything drops.
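
Added example, not part of any post in this thread: a simplified model of the check raised above, whether a tunnel's own destination ends up routed into the tunnel once a default route points at it. The route tables mirror the Router B config as posted; the uplink subnet 2.2.2.0/30 and the interface name Uplink0 are assumptions, since the thread shows only the addresses 2.2.2.2 and 2.2.2.1.

```python
import ipaddress

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lookup(routes, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def egress(routes, addr, max_depth=8):
    """Follow next hops until a connected route names the exit interface."""
    for _ in range(max_depth):
        hit = lookup(routes, addr)
        if hit is None:
            return None              # no route at all
        if not _is_ip(hit[1]):
            return hit[1]            # connected route: next_hop is an interface
        addr = hit[1]                # static route: resolve its next hop in turn
    return None                      # next hops never reached a connected route

def tunnel_is_recursive(routes, tunnel_if, tunnel_dest):
    """True when the tunnel's own destination is routed into the tunnel."""
    return egress(routes, tunnel_dest) == tunnel_if

# Router B as posted in the thread, plus an ASSUMED uplink subnet and name.
ROUTER_B = [
    ("1.1.1.0/30", "Tunnel3"),   # connected: tunnel interface address
    ("2.2.2.0/30", "Uplink0"),   # connected: hypothetical physical uplink
    ("1.2.2.2/32", "2.2.2.1"),   # ip route 1.2.2.2 255.255.255.255 2.2.2.1
    ("0.0.0.0/0", "1.1.1.1"),    # ip route 0.0.0.0 0.0.0.0 1.1.1.1
]
# Same table with the host route for the tunnel destination removed.
NO_HOST_ROUTE = [r for r in ROUTER_B if r[0] != "1.2.2.2/32"]

if __name__ == "__main__":
    for name, table in (("as posted", ROUTER_B), ("no host route", NO_HOST_ROUTE)):
        print(name, "-> recursive:", tunnel_is_recursive(table, "Tunnel3", "1.2.2.2"))
```

In this model the posted table keeps the tunnel destination on the uplink only because of the /32 host route; every other destination, including any remote management session, follows the default route into Tunnel3.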

RE: Routing public IP's over a tunnel

When you do sh ip route before you add your own static route in there, what is in your table?
Also: try to get the info I asked about above..
