Remote Teleworkers - DMVPN, VRF, and a Default Route

Unanswered Question

I am configuring a set of remote worker routers (871s & 1811Ws) that run DMVPN and I am running into an issue when it comes to separating the home and work sides of the router.


Routes for internal networks are obtained from EIGRP through the DMVPN connection (Tu0).

The default route for all internet access is obtained from the Cable/DSL provider through DHCP.

The company router is plugged directly into the cable/dsl modem through Fa0.

The employee is allowed to plug a wireless router/home pc into Fa4.

The “Work”, “Home”, and “Outside” networks are separated by the zone-based firewall. The “Home” and “Work” networks are not allowed to communicate with each other.


Because the routing table is shared, the systems on the Home side of the router try to access any public company addresses through the DMVPN tunnel, but are blocked by the FW. To try to solve this, I implemented VRF-lite to separate the routing tables.

This fixed the original issue, but now systems on the Work side of the router (in VRF “WORK”) cannot access anything on the internet because there is not a default route. All internet traffic needs to leave the router through the Fa0 interface and not be tunneled through DMVPN. The router will not allow me to set “ip route vrf WORK Fa0” and gives me the error “For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface”.

Is there any way to get this default route into the VRF?

Laurent Aubert Tue, 11/03/2009 - 17:57
What you could also do is configure PBR on your Home interface to force all the traffic to Fa0:

route-map HOME permit 10
 set ip next-hop dynamic dhcp


The next-hop will be automatically set to that of the default route installed by DHCP.

This way, you don't need to use VRF anymore.
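A fuller version of the PBR approach described in this reply, written as an added example (it is not the reply's or Cisco's own configuration). It assumes the Home LAN is 192.168.1.0/24 on FastEthernet4 and that Fa0 obtains its address and default gateway from the provider's DHCP server.

```cisco
! Added example: policy-based routing on the Home-side interface so that
! traffic from the Home LAN always leaves via the DHCP-learned default
! route on Fa0 instead of following EIGRP routes learned over Tu0.
! Assumptions: Home LAN 192.168.1.0/24 on FastEthernet4; Fa0 is a DHCP client.
!
! Match only packets sourced from the Home LAN, so the router's own
! traffic and anything else keeps normal destination-based routing.
ip access-list extended HOME-SOURCED
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map HOME permit 10
 match ip address HOME-SOURCED
 ! next hop is taken from the default route that DHCP installed on Fa0
 set ip next-hop dynamic dhcp
!
interface FastEthernet4
 description Home side (zone HOME)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map HOME
!
! Note: Home packets addressed to internal company prefixes are now also
! handed to the ISP next hop rather than routed over Tu0, so the zone-based
! firewall's HOME-to-OUTSIDE policy is what governs them; the HOME-to-WORK
! zone pair no longer sees that traffic.
!
! Verification (exec mode):
!   show ip policy          - confirms route-map HOME is applied on Fa4
!   show route-map HOME     - match counters for policy-routed packets
!   show ip route 0.0.0.0   - the DHCP-installed default used as the next hop
```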