
DMVPN and split tunnel

Joshua Engels
Level 1

Hey guys,

I am running DMVPN using GRE over IPsec with multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split tunnel out, but for the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate Internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but have not been successful. Any help would be fantastic.

Accepted Solution

Roman Rodichev
Level 7

Do you want the default route coming in from the DMVPN hub, or statically routed to the outside?

(You could have both, by the way: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )

To answer your question, you need to use policy-based routing (PBR) to route based on source IP.

Your default currently points to the Internet. Configure "ip policy route-map PBR" on the private LAN interface, then configure the route-map to match an ACL with the private source subnet and any destination, and "set ip next-hop" to the remote DMVPN tunnel IP.

ip access-list extended PBR
 permit ip 10.42.59.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.16.1
!
int fas0/1.2
 no ip nat inside
 ip policy route-map PBR

Otherwise, if the default route is coming from the DMVPN tunnel, configure "ip policy route-map PBR" on the public LAN interface, then configure the route-map to match the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.

If you use the default coming from the DMVPN tunnel, don't forget to configure a route for the DMVPN hub's public IP address pointing to the ISP.

Regards,

Roman
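As an added example (not from Roman's post or any Cisco document), this is the second variant he describes only in prose, where the spoke's default route is learned from the DMVPN hub: only the guest subnet is policy-routed straight to the ISP, the corporate subnet simply follows the hub default so it is always filtered at the home office, and a host route keeps the hub's public address reachable via the ISP rather than recursing into the tunnel. The guest subnet 10.42.60.0/24, subinterface FastEthernet0/1.3, ISP next-hop 203.0.113.1 and hub public address 198.51.100.10 are assumed placeholders; only 10.42.59.0/24 and FastEthernet0/1.2 come from the thread.

```cisco
! Guest subnet only: policy-route it directly to the ISP (split tunnel)
ip access-list extended GUEST-TO-ISP
 permit ip 10.42.60.0 0.0.0.255 any
!
route-map GUEST-PBR permit 10
 match ip address GUEST-TO-ISP
 set ip next-hop 203.0.113.1
!
! Guest VLAN (assumed subinterface): keeps NAT, since its traffic exits via the ISP here
interface FastEthernet0/1.3
 description Guest VLAN (assumed)
 ip address 10.42.60.1 255.255.255.0
 ip nat inside
 ip policy route-map GUEST-PBR
!
! Corporate VLAN: no PBR and no NAT, so it follows the default learned from the hub
! and all of its Internet traffic is inspected at the home office
interface FastEthernet0/1.2
 ip address 10.42.59.1 255.255.255.0
 no ip nat inside
!
! Host route for the hub's public address (assumed value) so the tunnel endpoint
! is reached via the ISP and not via the default that arrives through the tunnel
ip route 198.51.100.10 255.255.255.255 203.0.113.1
```

On the spoke, "show route-map GUEST-PBR" should show the policy routing match counter increasing for guest traffic only; if corporate hosts can still reach the Internet directly, check that no other default route (static or learned) remains on the spoke besides the one from the hub.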


2 Replies


The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But... when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.

Any thoughts? Attached is my hub config.
