dmvpn + local break out to the internet

Hi,

I have a DMVPN network with multiple spokes.

One of them needs to have a local breakout to the internet.

I wasn't able to find a configuration example, so maybe someone could show how to configure it.

Basically what I need is a split-tunnel configuration to redirect the internet traffic outside of the VPN tunnel.

Here's the config of my router:


!
hostname testrouter
!
boot-start-marker
boot-end-marker
!

!
aaa new-model
!
!
aaa group server radius testradius
 server name PRO007
!


!
!
!
no ip domain lookup
ip domain name test-domain
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
!
!

!
!
!
track 1 list threshold percentage
 object 101
 object 102
 delay down 180 up 5
!
track 101 ip sla 1 reachability
!
track 102 ip sla 2 reachability

!
!
crypto isakmp policy 10
 encr aes 256
 group 5
crypto isakmp profile ISAKMP-DMVPN-CA
   self-identity fqdn
   ca trust-point sec-ca
   match identity host domain alert.local
   keepalive 60 retry 10
!
!
crypto ipsec transform-set ESP-AES256-SHA-TRANSP esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile ESP-AES256-SHA-CA
 set transform-set ESP-AES256-SHA-TRANSP 
 set isakmp-profile ISAKMP-DMVPN-CA
!
!
!
!
!
!
interface Loopback0
 ip address 10.168.244.134 255.255.255.255
!
interface Tunnel0
 bandwidth 5000
 ip address 10.168.246.134 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication DMVPN_05
 ip nhrp map 10.168.246.1 xxx.xxx.xxx.xxx
 ip nhrp map 10.168.246.2 xxx.xxx.xxx.xxy
 ip nhrp map multicast xxx.xxx.xxx.xxx
 ip nhrp map multicast xxx.xxx.xxx.xxy
 ip nhrp network-id 121
 ip nhrp holdtime 600
 ip nhrp nhs 10.168.246.1
 ip nhrp nhs 10.168.246.2
 ip nhrp registration no-unique
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 121
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ESP-AES256-SHA-CA shared
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip access-group INET-INBOUND in
 no ip proxy-arp
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.169.6.177 255.255.255.248
 no ip proxy-arp
!
router eigrp 1
 distribute-list EIGRP-PERMIT-OUT out Tunnel0
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route xxx.xxx.xxx.xxy 255.255.255.255 FastEthernet4 dhcp
ip route xxx.xxx.xxx.xxx 255.255.255.255 FastEthernet4 dhcp
ip route xxx.xxx.xxx.xxw 255.255.255.255 FastEthernet4 dhcp
!
ip access-list standard EIGRP-PERMIT-OUT
 permit 10.169.0.0 0.0.31.255
 permit 10.168.244.0 0.0.1.255
!
ip access-list extended INET-INBOUND
 permit udp any any eq bootpc
 permit esp host xxx.xxx.xxx.xxy4 any
 permit gre host xxx.xxx.xxx.xxy4 any
 permit udp host xxx.xxx.xxx.xxy4 eq 2000 any
 permit udp host xxx.xxx.xxx.xxy4 any eq isakmp
 permit udp host xxx.xxx.xxx.xxy4 any eq non500-isakmp
 permit esp host xxx.xxx.xxx.xxy5 any
 permit gre host xxx.xxx.xxx.xxy5 any
 permit udp host xxx.xxx.xxx.xxy5 eq 2000 any
 permit udp host xxx.xxx.xxx.xxy5 any eq isakmp
 permit udp host xxx.xxx.xxx.xxy5 any eq non500-isakmp
 permit tcp host 193.164.88.196 eq www any
 permit udp host 193.164.88.196 eq 123 any
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   ip 10.0.0.0 0.0.0.255 any
 deny   ip 172.16.0.0 0.0.16.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip any any
!
ip radius source-interface Tunnel0
ip sla 1
 udp-echo 10.168.246.1 2000 control disable
 threshold 3000
 timeout 3500
 frequency 4
ip sla schedule 1 life forever start-time now
ip sla 2
 udp-echo 10.168.246.1 2000 control disable
 threshold 3000
 timeout 3500
 frequency 4
ip sla schedule 2 life forever start-time now
!
!
!
!
!
!
!
snmp-server community rvssnmp RO
snmp-server location BX
snmp-server contact Securitas RVS team
!
radius server SECEUAD001
 address ipv4 193.164.88.2 auth-port 1645 acct-port 1646
 key 0 V8gUp9avUruprec
!
!
!
!
line con 0
 exec-timeout 60 0
 privilege level 15
line aux 0
line vty 0 4
 exec-timeout 60 0
 transport input telnet ssh
 transport output telnet ssh
!
ntp server 10.168.246.1
ntp server 10.168.246.2
ntp server 193.164.88.196
ntp update-calendar

end
!

1 Accepted Solution

adamtodd16
Level 3

That's how it would work by default. 

Only tunnel IPs and those defined by EIGRP will go through the Tunnel interface. 

Please provide output of show ip route to see your gateway of last resort.
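The check Adam asks for is whether the spoke's routing table has a gateway of last resort pointing out the DHCP interface rather than into the tunnel. As an added example (not code from the thread or from Cisco), here is a small Python helper that parses a constructed `show ip route` sample shaped like this spoke's table, reads the gateway of last resort, and does a longest-prefix lookup to show which destinations leave via Tunnel0 and which via FastEthernet4. The route entries, 192.0.2.1 and 203.0.113.1 are constructed placeholders.

```python
import ipaddress
import re

# Constructed `show ip route` output modelled on the spoke in this thread, not real
# router output: EIGRP routes via Tunnel0, the LAN on Vlan1, a hub's public address
# (placeholder 203.0.113.1) as a static host route out FastEthernet4, and a DHCP default route.
SAMPLE_ROUTE_TABLE = """\
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 192.0.2.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D        10.168.244.0/23 [90/2816000] via 10.168.246.1, 01:00:00, Tunnel0
C        10.168.246.0/23 is directly connected, Tunnel0
D        10.169.0.0/19 [90/2816000] via 10.168.246.1, 01:00:00, Tunnel0
C        10.169.6.176/29 is directly connected, Vlan1
C     192.0.2.0/24 is directly connected, FastEthernet4
S     203.0.113.1/32 is directly connected, FastEthernet4
"""

# One route line: code letters, prefix/len, optional "via <next hop>", optional ", <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:.*?via (?P<nexthop>\d+\.\d+\.\d+\.\d+))?"
    r"(?:.*?,\s*(?P<iface>[A-Za-z]+[0-9/.]+))?\s*$"
)

def gateway_of_last_resort(output):
    """Next hop from the 'Gateway of last resort' header, or None when IOS prints 'is not set'."""
    m = re.search(r"Gateway of last resort is (\S+) to network", output)
    return m.group(1) if m else None

def parse_routes(output):
    """(network, next_hop, exit_interface) for every route line in the output."""
    matches = (ROUTE_RE.match(line) for line in output.splitlines())
    return [(ipaddress.ip_network(m["prefix"]), m["nexthop"], m["iface"]) for m in matches if m]

def lookup(routes, dest, _depth=0):
    """Longest-prefix match; a next-hop-only route (the DHCP default here) is resolved recursively."""
    addr = ipaddress.ip_address(dest)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None  # unroutable: no matching route and no default
    net, nexthop, iface = best
    if iface is None and nexthop and _depth < 4:  # depth guard stops recursive-lookup loops
        resolved = lookup(routes, nexthop, _depth + 1)
        iface = resolved[1] if resolved else None
    return net, iface
```

Run it against the real `show ip route` output of the spoke: any internet destination should resolve to FastEthernet4, and if the header reads "is not set" the spoke has no local breakout at all.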

3 Replies

Hi Adam,

Problem solved!

THX

Happy to hear it!
