07-23-2009 01:07 PM - edited 03-04-2019 05:31 AM
Hey guys,
I am running DMVPN using GRE over IPsec with multiple routers. I have two groups of users behind one of the spoke locations: guest and corporate users. I want the guest users to split-tunnel out, but for the corporate users I want to route ALL traffic back to the home office so that I can filter corporate Internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but have not been successful. Any help would be fantastic.
07-23-2009 02:18 PM
Do you want the default route coming in from the DMVPN hub, or statically routed to the outside?
(You could have both, by the way: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )
To answer your question, you need to use policy-based routing (PBR) to route based on source IP.
Your default currently points to the Internet. Configure "ip policy route-map PBR" on the private LAN interface, and then configure the route-map to match an ACL with the private source subnet and any destination, and "set ip next-hop" to the remote DMVPN tunnel IP.
ip access-list extended PBR
 permit ip 10.42.59.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.16.1
!
int fas0/1.2
 no ip nat inside
 ip policy route-map PBR
Otherwise, if the default route is coming from the DMVPN tunnel, configure "ip policy route-map PBR" on the public LAN interface, and then configure the route-map to match the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.
If you use a default coming from the DMVPN tunnel, don't forget to configure a route for the DMVPN hub's public IP address that points to the ISP.
Regards,
Roman
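As an added example (not part of Roman's post), here is the first variant he describes filled out for the two-LAN case: the corporate subnet 10.42.59.0/24 and tunnel next hop 172.16.16.1 come from the thread, while the guest subnet 10.42.60.0/24, the guest sub-interface FastEthernet0/1.3 and the IP SLA tracking are assumptions. The tracking makes PBR fall back to the normal routing table if the hub stops answering, and the RFC1918 denies keep corporate hosts' local traffic off the tunnel (IOS 12.4T-style "ip sla" syntax).

```cisco
! Corporate LAN (10.42.59.0/24, from the post) is policy-routed to the
! DMVPN tunnel next hop 172.16.16.1 (from the post). Guest LAN
! (ASSUMED 10.42.60.0/24 on ASSUMED FastEthernet0/1.3) keeps the
! existing split-tunnel default route and NAT, so it needs no policy.
!
! Deny internal destinations first so corporate hosts reach other
! private subnets directly; only everything else is sent to the hub.
ip access-list extended PBR-CORP
 deny   ip 10.42.59.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.42.59.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.42.59.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.42.59.0 0.0.0.255 any
!
! ASSUMED: probe the tunnel next hop so PBR only uses it while it is up.
ip sla 1
 icmp-echo 172.16.16.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map PBR-CORP permit 10
 match ip address PBR-CORP
 set ip next-hop verify-availability 172.16.16.1 1 track 1
!
interface FastEthernet0/1.2
 description Corporate LAN
 ! No local NAT: if the tunnel is down, corporate Internet access fails
 ! closed instead of bypassing the Websense filter at the hub.
 no ip nat inside
 ip policy route-map PBR-CORP
!
interface FastEthernet0/1.3
 description Guest LAN (ASSUMED interface and subnet)
 ip nat inside
!
! Checks:
!  show route-map PBR-CORP    - "policy routing matches" counter increments
!  show track 1               - "Reachability is Up"
!  traceroute from a 10.42.59.x host - first hop should be 172.16.16.1
```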
07-27-2009 04:56 AM
The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer, I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.
Any thoughts? Attached is my hub config.