DMVPN and split tunnel

Answered Question
Jul 23rd, 2009

Hey guys,

I am running DMVPN using GRE over IPsec using multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split-tunnel out, but for the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but have not been successful. Any help would be fantastic.

Correct Answer by Roman Rodichev, Thu, 07/23/2009 - 14:18

Do you want the default route coming in from the DMVPN hub, or statically routed to the outside?

(You could have both, by the way: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )

To answer your question, you need to use policy-based routing (PBR) to route based on source IP.

Your default currently points to the Internet. Configure "ip policy route-map PBR" on the private LAN interface, and then configure the route-map to match an ACL with the private source subnet and any destination, and "set ip next-hop" to the remote DMVPN tunnel IP.


ip access-list extended PBR
 remark corporate LAN source subnet to any destination (0.0.0.255 is a wildcard mask)
 permit ip 10.42.59.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR
 ! hub's tunnel address: matched traffic is forced into the DMVPN tunnel
 set ip next-hop 172.16.16.1
!
interface FastEthernet0/1.2
 ! corporate LAN sub-interface: no NAT here, policy-route its traffic instead
 no ip nat inside
 ip policy route-map PBR


Otherwise, if the default route is coming from the DMVPN tunnel, configure "ip policy route-map PBR" on the public LAN interface, and then configure the route-map to match the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.

If you use the default coming from the DMVPN tunnel, don't forget to configure a route for the DMVPN hub's public IP address pointing to the ISP.


Regards,
Roman
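A model of the PBR decision Roman describes, added here as an example and not part of his post or of any Cisco code: it implements IOS wildcard-mask matching for the posted ACL and shows that the route-map is only consulted for traffic entering the sub-interface it is applied to. The corporate subnet 10.42.59.0/24 and the tunnel next hop 172.16.16.1 come from the thread; the guest subnet 192.168.42.0/24, the ISP next hop 203.0.113.1 and the guest sub-interface name FastEthernet0/1.3 are constructed assumptions.

```python
"""Model of the IOS policy-based routing decision posted in the thread.

Added example, not the poster's config. 10.42.59.0/24 (corporate LAN) and
172.16.16.1 (hub tunnel address) come from the thread; the guest subnet
192.168.42.0/24, the ISP next hop 203.0.113.1 and the guest sub-interface
FastEthernet0/1.3 are constructed assumptions.
"""
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'ignore this bit', so 0.0.0.255
    covers a whole /24 (it is the inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

# ip access-list extended PBR / permit ip 10.42.59.0 0.0.0.255 any
PBR_ACL = [("permit", "10.42.59.0", "0.0.0.255")]
# route-map PBR permit 10 / match ip address PBR / set ip next-hop 172.16.16.1
ROUTE_MAP_PBR = {"acl": PBR_ACL, "next_hop": "172.16.16.1"}
# ip route 0.0.0.0 0.0.0.0 <ISP> (constructed ISP next hop)
DEFAULT_NEXT_HOP = "203.0.113.1"
# "ip policy route-map PBR" is configured on the corporate sub-interface only
POLICY_BY_INTERFACE = {"FastEthernet0/1.2": ROUTE_MAP_PBR}

def acl_permits(acl, src: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def next_hop(ingress_if: str, src: str) -> str:
    """PBR is evaluated on the ingress interface before the routing table;
    anything the route-map does not match falls through to the default."""
    route_map = POLICY_BY_INTERFACE.get(ingress_if)
    if route_map and acl_permits(route_map["acl"], src):
        return route_map["next_hop"]
    return DEFAULT_NEXT_HOP

if __name__ == "__main__":
    samples = [("FastEthernet0/1.2", "10.42.59.25"),    # corporate -> tunnel
               ("FastEthernet0/1.3", "192.168.42.25"),  # guest -> ISP
               ("FastEthernet0/1.3", "10.42.59.25")]    # corporate address on
    for iface, src in samples:                          # guest port -> ISP too
        print(f"{iface} {src} -> {next_hop(iface, src)}")
```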




Joshua Engels Mon, 07/27/2009 - 04:56

The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer, I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.

Any thoughts? Attached is my hub config.


