Cisco Support Community

DMVPN classify


How do I configure an ACL in DMVPN to decide which traffic I protect with IPsec and which traffic I pass without protection?


Cisco Employee

Re: DMVPN classify

There are no ACLs used in DMVPN; the traffic that is to be encrypted is defined as anything being routed over the "tunnel" interface. You would usually be running a routing protocol such as OSPF or EIGRP over this as well, so the spoke router will automatically learn the remote hub routes over the tunnel interface and traffic for those remote routes will automatically be encrypted.

Traffic destined for the Internet would follow the default route that points out the physical interface and therefore not be encrypted.

Re: DMVPN classify

Then can I not encrypt one type of traffic (HTTP) destined for a net and not encrypt the rest?

Cisco Employee

Re: DMVPN classify

No, but then you couldn't do that with standard IPSec either because that doesn't support putting port numbers into crypto ACLs.

You can encrypt ALL traffic destined for a certain net by simply adding a static route for that net that points over the tunnel interface, and traffic to other nets will be routed out the physical interface and not be encrypted.
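
The replies above say that in DMVPN the routing table, not an ACL, decides what gets encrypted. As an added example that is not part of the original thread, the following check runs a longest-prefix match over a constructed spoke routing table and reports which prefixes that are meant to be protected would actually leave via the physical interface in cleartext. The interface names, prefixes and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample routing table for a DMVPN spoke: (prefix, egress interface).
# Interface names and addresses are illustrative assumptions, not from the thread.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),     # default route out the physical interface
    ("10.0.0.0/8", "Tunnel0"),               # learned via the routing protocol over the tunnel
    ("192.168.50.0/24", "Tunnel0"),          # static route pointing over the tunnel
    ("10.99.0.0/16", "GigabitEthernet0/0"),  # more-specific route that bypasses the tunnel
]
TUNNEL_INTERFACES = {"Tunnel0"}


def parse(routes):
    """Convert (prefix string, interface) pairs into (network, interface) pairs."""
    return [(ipaddress.ip_network(p), i) for p, i in routes]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: return (network, interface) for dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [(n, i) for n, i in parse(routes) if addr in n]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def is_encrypted(dest, routes=ROUTES):
    """Traffic is protected only if its best route egresses a tunnel interface."""
    match = lookup(dest, routes)
    return match is not None and match[1] in TUNNEL_INTERFACES


def cleartext_leaks(protected_prefixes, routes=ROUTES):
    """Return (prefix, interface) routes that send part of a must-protect
    prefix out a non-tunnel interface."""
    table = parse(routes)
    leaks = []
    for wanted in map(ipaddress.ip_network, protected_prefixes):
        # Best route covering the whole prefix (often just the default route).
        covering = [(n, i) for n, i in table if wanted.subnet_of(n)]
        candidates = [max(covering, key=lambda r: r[0].prefixlen)] if covering else []
        # More-specific routes inside the prefix can override the covering route.
        candidates += [(n, i) for n, i in table if n != wanted and n.subnet_of(wanted)]
        leaks += [(str(n), i) for n, i in candidates if i not in TUNNEL_INTERFACES]
    return leaks


if __name__ == "__main__":
    for dest in ("10.1.2.3", "10.99.1.1", "192.168.50.7", "8.8.8.8"):
        print(dest, "encrypted" if is_encrypted(dest) else "cleartext")
    print(cleartext_leaks(["10.0.0.0/8", "172.16.0.0/16"]))
```
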
