1947 Views | 3 Helpful | 2 Replies

DMVPN and split tunnel

Joshua Engels
Level 1

Hey guys,

I am running DMVPN using GRE over IPSec using multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split tunnel out but the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but not been successful. Any help would be fantastic.

Accepted Solution

Roman Rodichev
Level 7

Do you want the default route coming in from the DMVPN HUB, or statically routed to the outside?

(You could have both, by the way: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )

To answer your question, you need to use policy-based routing (PBR) to route based on source IP.

Your default currently points to the Internet. Configure "ip policy route-map PBR" on the private LAN interface, and then configure the route-map matching an ACL with the private source subnet and any destination, with "set ip next-hop" pointing to the remote DMVPN tunnel IP.

! Match everything sourced from the corporate LAN, whatever the destination
ip access-list extended PBR
 permit ip 10.42.59.0 0.0.0.255 any
!
! Force matching traffic to the hub's tunnel address instead of the default route
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.16.1
!
! Apply the policy on the corporate LAN subinterface; NAT is no longer needed there
int fas0/1.2
 no ip nat inside
 ip policy route-map PBR

Otherwise, if the default route is coming from the DMVPN tunnel, configure "ip policy route-map PBR" on the public LAN interface, and then configure the route-map matching the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.

If you use a default coming from the DMVPN tunnel, don't forget to configure a route for the DMVPN HUB's public IP address to route to the ISP.

Regards,

Roman

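To make the two designs in the accepted answer concrete, here is a small routing simulator added for this thread (it is not from the original post or from Cisco). It models a spoke's routing table with longest-prefix match plus a source-based policy route, and checks three things a practitioner would verify before deploying: corporate hosts reach the Internet via the hub's tunnel IP, guest hosts go straight to the ISP, and the hub's public address is not itself routed into the tunnel (the recursive-routing pitfall the answer warns about). The corporate LAN 10.42.59.0/24 and the hub tunnel IP 172.16.16.1 come from the thread; the guest subnet, the outside link, the ISP next hop, the hub's public address and the interface names are assumptions, drawn from RFC 5737 documentation ranges because the attached configs are not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the thread: the corporate LAN 10.42.59.0/24 and the hub's
# tunnel address 172.16.16.1. Everything else is constructed for this example
# from RFC 5737 documentation ranges; the attached configs are not on the page.
CORP_LAN = ipaddress.ip_network("10.42.59.0/24")
GUEST_LAN = ipaddress.ip_network("10.42.60.0/24")        # assumed guest subnet
TUNNEL_NET = ipaddress.ip_network("172.16.16.0/24")      # assumed DMVPN tunnel subnet
HUB_TUNNEL_IP = ipaddress.ip_address("172.16.16.1")
ISP_NET = ipaddress.ip_network("203.0.113.0/30")         # assumed outside link
ISP_GW = ipaddress.ip_address("203.0.113.1")             # assumed ISP next hop
HUB_PUBLIC_IP = ipaddress.ip_address("198.51.100.10")    # assumed hub NBMA address
INTERNET_HOST = ipaddress.ip_address("192.0.2.80")       # assumed public web server

CORP_IF, GUEST_IF, WAN_IF, TUN_IF = "Fa0/1.2", "Fa0/1.3", "Fa0/0", "Tunnel0"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


class Rib:
    """Minimal routing table: longest-prefix match, nothing else."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(rib, policy, ingress, src, dst):
    """Next hop and egress interface for one packet.

    policy maps an ingress interface to [(source_net, next_hop)] entries; the
    first match wins, like a route-map applied with 'ip policy route-map'.
    As in IOS, a 'set ip next-hop' that is not reachable falls through to
    normal destination-based routing.
    """
    for net, nh in policy.get(ingress, []):
        if src in net:
            via = rib.lookup(nh)
            if via is not None:
                return nh, via.iface
            break
    r = rib.lookup(dst)
    if r is None:
        return None, None
    return (r.next_hop if r.next_hop is not None else dst), r.iface


def tunnel_endpoint_ok(rib):
    """The hub's public address must be reached over the physical interface.

    If the best route to it points into the tunnel, the tunnel would have to
    carry its own encapsulated packets (recursive routing) and goes down. This
    is the 'route for the DMVPN HUB's public IP address to the ISP' caveat.
    """
    r = rib.lookup(HUB_PUBLIC_IP)
    return r is not None and r.iface != TUN_IF


def connected_routes():
    return [Route(CORP_LAN, None, CORP_IF), Route(GUEST_LAN, None, GUEST_IF),
            Route(ISP_NET, None, WAN_IF), Route(TUNNEL_NET, None, TUN_IF)]


def default_to_internet():
    """First design: default via the ISP, PBR on the corporate LAN interface."""
    rib = Rib(connected_routes() + [Route(DEFAULT, ISP_GW, WAN_IF)])
    policy = {CORP_IF: [(CORP_LAN, HUB_TUNNEL_IP)]}
    return rib, policy


def default_via_hub(hub_public_route: bool):
    """Second design: default learned from the hub over the tunnel (e.g. EIGRP),
    PBR on the guest LAN interface sends guests straight to the ISP."""
    routes = connected_routes() + [Route(DEFAULT, HUB_TUNNEL_IP, TUN_IF)]
    if hub_public_route:
        # The static host route the accepted answer says not to forget.
        routes.append(Route(ipaddress.ip_network(f"{HUB_PUBLIC_IP}/32"), ISP_GW, WAN_IF))
    policy = {GUEST_IF: [(GUEST_LAN, ISP_GW)]}
    return Rib(routes), policy


def evaluate(rib, policy):
    """Where a corporate host, a guest host and the tunnel itself end up."""
    corp_nh, _ = forward(rib, policy, CORP_IF, CORP_LAN[10], INTERNET_HOST)
    guest_nh, _ = forward(rib, policy, GUEST_IF, GUEST_LAN[10], INTERNET_HOST)
    return {"corp": str(corp_nh), "guest": str(guest_nh),
            "tunnel_ok": tunnel_endpoint_ok(rib)}


if __name__ == "__main__":
    print("default to ISP, PBR on corp LAN  :", evaluate(*default_to_internet()))
    print("default via hub, no host route   :", evaluate(*default_via_hub(False)))
    print("default via hub, with host route :", evaluate(*default_via_hub(True)))
```

Run it as a script to see all three cases. The second case reproduces the trap: with the default learned over the tunnel and no host route for the hub's public address, the spoke would try to reach the hub's NBMA address through the tunnel itself, so the tunnel can never come up; adding the /32 toward the ISP fixes it while guests still exit locally and corporate traffic still follows the default back to the hub.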

2 Replies


The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But... when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.

Any thoughts? Attached is my hub config.
