Cisco Support Community
Community Member

DMVPN Policy Routing

I have a 2-tunnel DMVPN setup where each remote site connects to 2 different hub sites. OSPF bandwidth values control the routing between the locations, and all sites are up and running just fine. The only static routes on the remote site routers are host static routes pointing to the VPN head-ends at each hub site. Other than that, all routes are learned, and a default route is injected from one of the hub sites. Again, this is all working fine.

Now I need to take it to the next step: if another "dynamic" VPN session is needed, that VPN traffic must be sent out the local Internet pipe and not via the default route, which takes the traffic towards one of the hubs. Since the other remote site VPN endpoints aren't known when this dynamic session is started, I can't add more host static routes. I need to use policy routing.

I've created the access-list and route-map, but I am unsure as to which interface to apply the route-map. It seems as though there isn't a good interface, since policies are applied as traffic enters the interface from the outside (meaning it doesn't matter if it comes from within the router - at least that is what I believe).

Remote Router:
S0/0/0 = T1 to main HQ
F0/0 = LAN interface
F0/1 = DSL Internet connection
TUN100 = DMVPN #1 to main DC (source = F0/1)
TUN200 = DMVPN #2 to second DC (source = F0/1)

The default route that is learned through OSPF points out S0/0/0. The two static routes for the two hub locations (DC #1 & DC #2) point out F0/1 via an IP next hop (so ARP doesn't fail).

My access-list & route-map are as follows:

ip access-list extended VPN-Traffic
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map VPN-Traffic permit 10
 match ip address VPN-Traffic
 set ip next-hop <IP address of the DSL gateway device>

Anyone have any suggestions on how to get my VPN traffic to always leave the F0/1 interface?


Re: DMVPN Policy Routing

Check the following URL for DMVPN policy routing:

When using point-to-point GRE and IPsec hub-and-spoke VPN networks, the physical interface IP address of the spoke routers must be known to configure the hub router, because the IP address should be configured as the GRE tunnel destination address. This feature allows spoke routers to have dynamic physical interface IP addresses (common for cable and DSL connections). When the spoke router comes online it sends registration packets to the hub router


Re: DMVPN Policy Routing

While this document is useful for setting up a DMVPN scenario, I already have that configured and working. Also, this document is written from the perspective that my default route for the spoke locations is out its local Internet connection. For me that is not the case; I have effectively 3 WAN connections: a single T1 and two DMVPN tunnels over an Internet connection. The default route is learned via OSPF and typically points to the WAN T1 connection to go out the main DC Internet connection via the content filters. So, in my network I need the default route to be learned via OSPF so that I point to the proper Internet demarc within the network depending upon the available Internet connections. Therein lies my problem: I need to route all unknown destinations and traffic through the learned default route. I also need to pass all VPN tunnel traffic out the local Internet connection. For the two hub data centers this is not a problem, as I can host-route to their external VPN head-ends with a static route. BUT for the branch/spoke locations that are unknown and being learned via NHRP, I need to use PBR to forward the VPN traffic out the local Internet connection instead of through the learned default route.
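The spoke-side configuration both posts describe (the access-list and route-map above, applied so that the router's own IKE/ESP/AH packets leave F0/1 regardless of the OSPF default route), as an added example that is not part of the original thread. It assumes Cisco IOS with the `ip local policy route-map` feature, and 192.0.2.1 is a placeholder for the DSL gateway address, which the thread does not give.

```cisco
! Added example, not from the original thread. Packets the router itself
! originates (IKE, ESP, AH, and the GRE inside them for spoke-to-spoke
! tunnels) never arrive on an interface, so an interface-level
! "ip policy route-map" is not evaluated for them; "ip local policy
! route-map" is. 192.0.2.1 = placeholder for the DSL gateway on F0/1.
ip access-list extended VPN-Traffic
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map VPN-Traffic permit 10
 match ip address VPN-Traffic
 set ip next-hop 192.0.2.1
!
! Apply the policy to router-generated traffic only; transit traffic from
! the LAN still follows the OSPF-learned default route.
ip local policy route-map VPN-Traffic
!
! Verification: the match counter should increase as a spoke-to-spoke
! tunnel is negotiated, and the hub host routes keep working because they
! already use the same gateway as the policy next-hop.
! show ip local policy
! show route-map VPN-Traffic
```

Traffic that does not match the ACL is not affected by the local policy and continues to use the routing table, so the OSPF default route toward the T1 remains the path for all non-VPN destinations.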
