Routing public IPs over a tunnel

acollard83

I'd like to see if this is possible. We have a need to route some public IPs over a tunnel to a Cisco uBR7246VXR from a 7206VXR. Basically, routing a /24 to be handed out to users over the tunnel. If it is possible, I may not have the config done correctly, since it was not working for me. Any help would be appreciated.
 
Can you send scrubbed configs? What type of tunnel?

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Router A
interface Tunnel3
ip address 162.x.x.x 255.255.255.252
tunnel source 162.x.x.x
tunnel destination x.x.x.x

ip route 162.x.x.0 255.255.255.0 162.x.x.x

The tunnel comes up and we can ping the interface, but routing traffic doesn't work.
 
I'm confused by the amount you've posted.

Subnet XX --> Router A ========== Router B <-- Subnet YY

Is this what you are trying to do, I'm assuming?

Are XX and YY on the same /24? Are they summarizable (? word)?

I know you are scrubbing your public range, but for clarity why not use 1.1.1.0/24 and 2.2.2.0/24 or something?

Thanks,



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Sorry, here it is.

Router A
interface Tunnel3
ip address 1.1.1.1 255.255.255.252
tunnel source 1.2.2.2
tunnel destination 2.2.2.2

ip route 3.3.3.0 255.255.255.0 1.1.1.2

Router B
interface Tunnel3
ip address 1.1.1.2 255.255.255.252
tunnel source 2.2.2.2
tunnel destination 1.2.2.2

ip route 1.2.2.2 255.255.255.255 2.2.2.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1

What we are trying to accomplish is this. We provide internet, voice and TV service to residents of MDU properties (apartments, mobile home parks, office parks, etc.). We have 2 locations where we couldn't get an on-net fiber solution in and had to work with another backhaul provider. I am trying to be able to hand out our public IPs to customers so they see us as their provider instead of our upstream, and we hand out public IPs versus NATing everyone. I've been able to get these tunnels up no problem, but we are only working with 1918 IP space on those. We are running BGP on router A (we have our own ASN and ARIN public space).

As soon as I activate the config on router B, the connection drops; the only access is the backup modem. I am thinking it may be the first ip route line causing the issue. BTW, this is on a Cisco uBR7246VXR with an NPE-G1; router A is a 7206VXR with an NPE-G2.
 
Do you have any dynamic routing protocols running between A and B? Tunnel flaps are usually due to the tunnel learning its source/destination through the tunnel itself as a better route vs. what it knows should be the better route.
That is assuming your tunnel is coming up correctly and is fully established.

I'm assuming on Router A you have: ip route 2.2.2.2 255.255.255.255 1.1.1.2
and on Router B you have: ip route 1.2.2.2 255.255.255.255 2.2.2.1

On Router B:
debug cry condition peer ipv4 1.2.2.2
debug cry isa sa
term mon
conf t
int tun 3
shut
no shut

Post results.

Do the same on Router A, except the peer is 2.2.2.2.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
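
The recursive-routing condition described in the post above (the tunnel destination resolving through the tunnel itself) can be checked offline against a static route table. This is an added example, not part of the original thread; the physical interface name `Gi0/1` and its /30 mask are assumptions, since the posted config does not show them.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def best_route(rib, dst):
    """Longest-prefix match over (prefix, via) entries; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), via) for p, via in rib
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def egress_interface(rib, dst, max_depth=8):
    """Follow next-hop addresses until a connected route names an interface."""
    for _ in range(max_depth):
        route = best_route(rib, dst)
        if route is None:
            return None
        via = route[1]
        if not is_ip(via):      # connected route: 'via' is an interface name
            return via
        dst = via               # static route: resolve the next hop in turn
    return None                 # gave up: next hops never reached an interface

def tunnel_is_recursive(rib, tunnel_if, tunnel_dst):
    """True when the tunnel's own destination is reached via the tunnel."""
    return egress_interface(rib, tunnel_dst) == tunnel_if

# Router B as posted in the thread. Connected routes are constructed:
# Tunnel3 is 1.1.1.2/30; Gi0/1 with 2.2.2.2/30 is an assumed physical link.
CONNECTED_B = [("1.1.1.0/30", "Tunnel3"), ("2.2.2.0/30", "Gi0/1")]
ROUTER_B = CONNECTED_B + [("1.2.2.2/32", "2.2.2.1"), ("0.0.0.0/0", "1.1.1.1")]
# Same router without the host route to the tunnel destination.
ROUTER_B_NO_HOST_ROUTE = CONNECTED_B + [("0.0.0.0/0", "1.1.1.1")]

if __name__ == "__main__":
    for name, rib in (("as posted", ROUTER_B),
                      ("no /32 to tunnel destination", ROUTER_B_NO_HOST_ROUTE)):
        print(name, "-> tunnel dst leaves via", egress_interface(rib, "1.2.2.2"),
              "| recursive:", tunnel_is_recursive(rib, "Tunnel3", "1.2.2.2"))
```
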
 
Routing protocols will not work over IPsec tunnels, only GRE tunnels.

Most routing protocols require multicast/broadcast for routing updates, and since IPsec can only encrypt unicast traffic, this typically will not work. The workaround is to run GRE tunnels over transport-mode IPsec and run the routing protocol on the tunnel interfaces.
 
KCMUSA, do you see any IPsec config up there? 'Cause if you do, I must be blind as a bat.



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
kcmusa, that IS a jerry tunnel. Which can be protected w/IPSEC, which would make it a VTI tunnel. But not in this case.

Collard Green---you figure this out yet? Got an update?

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Not yet. The biggest issue is when I apply the default route to go over the tunnel, everything drops.
 
When you do sh ip route before you add your own static route in there, what is in your table?
Also: try to get the info I asked about above.



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 