Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMVPN interresing traffic


I have a DMVPN + OSPF set up. There is some self-encrypted traffic like https and ssh, which I want to sent into GRE tunnel without encryption, since they are already encrypted.

Is there any way I can implement this? For instance, sent all traffic into the tunnel, but only encrypt some type of the traffic?


Paulo Roque

joe Bronze

Re: DMVPN interresing traffic

sorry once you place the "tunnel protect" command on the tunnel traffic using the tunnel is encrypted;

you can use policy routing to avoid routing the already encrypted traffic through the tunnel... but why would you want to do that?

from a management and configuration standpoint its fine to have everything go through the tunnel. on a router with a hardware crypto engine its really not much overhead... if anything policy routing would ad more overhead than adding ipsec to already encrypted traffic.


New Member

Re: DMVPN interresing traffic

Thank you Joe,

Policy routing is not an option, because of its static nature.

The performance is the main point here, because this spoke router is an old 2620XM with no hardware encryption and it hits 80% of CPU utilization at 1Mbps of traffic and sometimes I need more traffic.

Thank you.

Paulo Roque

joe Bronze

Re: DMVPN interresing traffic


thats not true;

you should uprade the router to 12.4 so you can use dynamic policy routing. policy routing can now be configured to use track objects, and availability checks of the next hop. in your case i would policy route all ssh/https encrypted data around the tunnel (not much overhead here) and fallback to another path if necessary. evaulate the following configuration and let me know if you have any questions-

route-map vlan10-policy permit 10

match ip address MPLS-USERS-TO-VERIZON

set ip next-hop verify-availability 10 track 2

track 2 ip route reachability

Here, I'm tracking Verizon is sending me a route on R2, and this route is sent on to R1 where the policy route is configured.

in your case i would run an IP SLA ping, and track that. If that succeeds dont take the dmvpn, if it fails take the dmvpn, or vice versa depending on your overall goal.


New Member

Re: DMVPN interresing traffic

High Joe.

Thank you again.

My concerns about pbr are on the hub routers. If I use pbr only in spoke router, I would have asymmetric routing on hubs sites, because they would send returning traffic thru the tunnel.

On the other side, configuring PBR on the hub sites would be very complex and not scalable. There are 2 hub routers and they are in 2 different sites and these sites themselves are connected thru 2 other routers and 3 links.

Anyway, I didn't know about dynamic pbr. I think it will be useful for a couple of problems I have here.

Thank you!

Paulo Roque