DMVPN and split tunnel

Hey guys,

I am running DMVPN using GRE over IPSec using multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split tunnel out but the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but not been successful. Any help would be fantastic.

1 ACCEPTED SOLUTION

Re: DMVPN and split tunnel

Do you want default route coming in from DMVPN HUB or statically routed to the outside?

(you could have both by the way - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )

To answer your question: you need to use policy-based routing (PBR) to route based on source IP.

Your default currently points to the Internet. Configure "ip policy route-map PBR" on private LAN interface, and then configure the route-map matching ACL with private source subnet with any destination and "set ip next-hop" to the remote DMVPN tunnel IP.

ip access-list extended PBR
 permit ip 10.42.59.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.16.1
!
int fas0/1.2
 no ip nat inside
 ip policy route-map PBR

Otherwise, if default route is coming from DMVPN tunnel, configure "ip policy route-map PBR" on public LAN interface, and then configure the route-map matching the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.

If you use default coming from DMVPN tunnel, don't forget to configure a route for DMVPN HUB's public IP address to route to ISP.

Regards,

Roman
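As an added illustration (not part of Roman's answer or any Cisco code), here is a small Python model of the spoke's forwarding decision for both options described above: PBR on the ingress interface is consulted first, and only sources permitted by the route-map's ACL are steered to its next hop, while everything else falls through to the routing table. The tunnel next hop 172.16.16.1 and the corporate ACL come from the answer; the guest subnet 10.42.60.0/24, the ISP gateway 203.0.113.1 and the hub public address 198.51.100.10 are assumed values.

```python
import ipaddress

# Constructed values: 172.16.16.1 and 10.42.59.0/24 are from the thread; the
# guest LAN, ISP gateway and hub public IP are assumed (documentation ranges).
TUNNEL_NEXT_HOP = "172.16.16.1"             # hub's tunnel address
ISP_NEXT_HOP = "203.0.113.1"                # assumed ISP gateway
HUB_PUBLIC_IP = "198.51.100.10"             # assumed hub public (NBMA) address
CORP_ACL = [("10.42.59.0", "0.0.0.255")]    # the answer's 'ip access-list extended PBR'
GUEST_ACL = [("10.42.60.0", "0.0.0.255")]   # assumed guest subnet

def acl_permits(src, acl):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))
        if (s & ~w) == (n & ~w):
            return True
    return False

def rib_lookup(dst, rib):
    """Longest-prefix match over a routing table given as {prefix: next_hop}."""
    d = ipaddress.IPv4Address(dst)
    candidates = [ipaddress.IPv4Network(p) for p in rib if d in ipaddress.IPv4Network(p)]
    return rib[str(max(candidates, key=lambda net: net.prefixlen))]

def forward(src, dst, pbr_acl, pbr_next_hop, rib):
    """PBR on the ingress interface runs before the RIB: only sources permitted
    by the route-map's ACL get its next hop; everything else uses the RIB."""
    return pbr_next_hop if acl_permits(src, pbr_acl) else rib_lookup(dst, rib)

# Option 1 (the posted config): default toward the ISP; PBR on the corporate
# LAN steers corporate sources into the DMVPN tunnel.
RIB_DEFAULT_VIA_ISP = {"0.0.0.0/0": ISP_NEXT_HOP}

# Option 2: default learned over the tunnel; PBR on the guest LAN steers guest
# sources to the ISP, plus the host route for the hub's public address.
RIB_DEFAULT_VIA_TUNNEL = {"0.0.0.0/0": TUNNEL_NEXT_HOP, HUB_PUBLIC_IP + "/32": ISP_NEXT_HOP}

def option1(src, dst="192.0.2.50"):      # dst is a constructed Internet address
    return forward(src, dst, CORP_ACL, TUNNEL_NEXT_HOP, RIB_DEFAULT_VIA_ISP)

def option2(src, dst="192.0.2.50"):
    return forward(src, dst, GUEST_ACL, ISP_NEXT_HOP, RIB_DEFAULT_VIA_TUNNEL)

def outer_next_hop(rib):
    """Where the GRE/IPsec outer packet to the hub's public IP goes. Without the
    /32, it resolves back into the tunnel (recursive routing) and the tunnel fails."""
    return rib_lookup(HUB_PUBLIC_IP, rib)
```

The last function shows why the host route matters in option 2: with only a tunnel default, the encapsulated packet to the hub would itself be routed into the tunnel.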

2 REPLIES

Re: DMVPN and split tunnel

The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer, I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.

Any thoughts? Attached is my hub config.
