Cisco Support Community

New Member

Remote Teleworkers - DMVPN, VRF, and a Default Route

I am configuring a set of remote worker routers (871s & 1811Ws) that run DMVPN and I am running into an issue when it comes to separating the home and work sides of the router.


Routes for internal networks are obtained from EIGRP through the DMVPN connection (Tu0).

The default route for all internet access is obtained from the Cable/DSL provider through DHCP.

The company router is plugged directly into the cable/DSL modem through Fa0.

The employee is allowed to plug a wireless router/home pc into Fa4.

The “Work”, “Home”, and “Outside” networks are separated by the zone-based firewall. The “Home” and “Work” networks are not allowed to communicate with each other.


Because the routing table is shared, the systems on the Home side of the router try to access any public company addresses through the DMVPN tunnel, but are blocked by the FW. To try to solve this, I implemented VRF-lite to separate the routing tables.

This fixed the original issue, but now systems on the Work side of the router (in VRF “WORK”) cannot access anything on the internet because there is not a default route. All internet traffic needs to leave the router through the Fa0 interface and not be tunneled through DMVPN. The router will not allow me to set “ip route vrf WORK Fa0” and gives me the error “For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface”.

Is there any way to get this default route into the VRF?

New Member

Re: Remote Teleworkers - DMVPN, VRF, and a Default Route

My remote site layout

Cisco Employee

Re: Remote Teleworkers - DMVPN, VRF, and a Default Route


What you could also do is configure PBR on your Home interface to force all the traffic to Fa0:

route-map HOME permit 10
 set ip next-hop dynamic dhcp

The next hop will automatically be set to that of the default route installed by DHCP.

This way, you don't need to use VRF anymore.
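
The PBR approach from the reply above, written out with the interface binding and verification commands, as an added example that is not part of the original thread. FastEthernet4 as the Home-facing Layer 3 interface is an assumption taken from the question's description.

```cisco
! Added example, not from the thread.
!
! Policy route-map with no match clause: every packet arriving on the
! interface it is applied to is policy-routed.
route-map HOME permit 10
 set ip next-hop dynamic dhcp
!
! "dynamic dhcp" takes the next hop from the gateway learned by the
! router's own DHCP client, so it follows the provider's lease.
!
! Assumption: FastEthernet4 is the Layer 3 interface facing the Home
! network. If the Home port is a switch port, apply the policy on the
! corresponding VLAN interface instead.
interface FastEthernet4
 ip policy route-map HOME
!
! Verification from exec mode:
!   show ip policy          (lists which interface uses which route-map)
!   show route-map HOME     (shows the set clause and policy-routing match counters)
```

Home traffic is still subject to the zone-based firewall policy; the route-map only changes the next hop it is forwarded to, so the Home/Work separation continues to rest on the firewall zones.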