07-23-2009 01:07 PM - edited 03-04-2019 05:31 AM
Hey guys,
I am running DMVPN (GRE over IPsec) on multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split-tunnel out, but for the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate Internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but have not been successful. Any help would be fantastic.
07-23-2009 02:18 PM
Do you want default route coming in from DMVPN HUB or statically routed to the outside?
(you could have both by the way - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )
To answer your question, you need to use policy-based routing (PBR) to route based on source IP.
Your default currently points to the Internet. Configure "ip policy route-map PBR" on private LAN interface, and then configure the route-map matching ACL with private source subnet with any destination and "set ip next-hop" to the remote DMVPN tunnel IP.
ip access-list extended PBR
 permit ip 10.42.59.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.16.1
!
int fas0/1.2
 no ip nat inside
 ip policy route-map PBR
Otherwise, if default route is coming from DMVPN tunnel, configure "ip policy route-map PBR" on public LAN interface, and then configure the route-map matching the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.
If you use default coming from DMVPN tunnel, don't forget to configure a route for DMVPN HUB's public IP address to route to ISP.
Regards,
Roman
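As an added example that is not part of this thread (it is neither Roman's snippet nor the poster's attached config), here is a fuller spoke configuration for the split described in the question, covering both scenarios Roman outlines. Everything marked "assumed" is a placeholder: the guest LAN on FastEthernet0/1.3 with 10.42.60.0/24, the uplink on FastEthernet0/0 with ISP next hop 203.0.113.1, the tunnel interface name Tunnel0, and HUB-PUBLIC for the hub's NBMA address. The corporate subnet 10.42.59.0/24 and the hub tunnel address 172.16.16.1 come from the thread. It also assumes an IOS release with IP SLA and object tracking. The point it adds beyond the posted route-map is the failure mode: with a plain "set ip next-hop", a packet whose next hop is not routable falls through to the normal routing table, which here is the ISP default route, so corporate hosts would quietly get unfiltered Internet. Tracking the next hop and adding "set interface Null0" as the fallback makes that fail closed. The hub fragment at the end is what a hub generally needs in order to forward hairpinned Internet traffic, not the poster's hub config.

```cisco
! Added example, not a config from the thread. Assumed names and addresses are
! marked as such; 10.42.59.0/24 and the hub tunnel address 172.16.16.1 are from
! the thread. HUB-PUBLIC is a placeholder for the hub's public (NBMA) address.
!
! ---- Scenario A: spoke default route points at the ISP (guests split-tunnel by default)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Everything sourced from the corporate subnet is policy-routed into the tunnel.
! Traffic to the local guest subnet is excluded so it follows the normal routing table.
ip access-list extended CORP-TO-HUB
 deny   ip 10.42.59.0 0.0.0.255 10.42.60.0 0.0.0.255
 permit ip 10.42.59.0 0.0.0.255 any
!
! Probe the hub tunnel address so PBR can tell when the tunnel is really dead.
ip sla 1
 icmp-echo 172.16.16.1 source-interface Tunnel0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map CORP-PBR permit 10
 match ip address CORP-TO-HUB
 set ip next-hop verify-availability 172.16.16.1 10 track 1
 ! Fail closed: when track 1 is down the next hop is skipped and the packet is
 ! sent to Null0 instead of falling through to the ISP default route, which
 ! would bypass the Websense filtering at the hub.
 set interface Null0
!
interface FastEthernet0/1.2
 description Corporate LAN - all traffic hairpins through the hub
 ip address 10.42.59.1 255.255.255.0
 no ip nat inside
 ip policy route-map CORP-PBR
!
interface FastEthernet0/1.3
 description Guest LAN (assumed) - Internet direct via ISP, no tunnel access
 ip address 10.42.60.1 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
!
! Guests get the Internet only; the corporate subnet and the tunnel space are blocked.
ip access-list extended GUEST-IN
 deny   ip any 10.42.59.0 0.0.0.255
 deny   ip any 172.16.16.0 0.0.0.255
 permit ip 10.42.60.0 0.0.0.255 any
!
! ---- Scenario B (instead of A): default route is learned from the hub over the
! tunnel via EIGRP. Now the guest LAN is the one that needs PBR, pointed at the
! ISP, and the hub's public address needs a static route out the uplink so the
! tunnel endpoint is never resolved through the tunnel itself.
ip route HUB-PUBLIC 255.255.255.255 203.0.113.1
ip access-list extended GUEST-TO-ISP
 permit ip 10.42.60.0 0.0.0.255 any
route-map GUEST-PBR permit 10
 match ip address GUEST-TO-ISP
 set ip next-hop 203.0.113.1
interface FastEthernet0/1.3
 ip policy route-map GUEST-PBR
!
! ---- Hub side (assumed requirements; the hub config is not on this page):
! the hub must have its own default route to its ISP and must NAT the spoke's
! corporate subnet on the way out, otherwise hairpinned packets get no further
! than the hub.
! interface Tunnel0
!  ip nat inside
! interface FastEthernet0/0
!  ip nat outside
! ip access-list extended NAT-INSIDE
!  permit ip 10.42.59.0 0.0.0.255 any
! ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! ---- Verify on the spoke
! show track 1              (Reachability should be Up)
! show route-map CORP-PBR   (the policy routing matches counter should increase)
! show ip policy
```

Apply only one of the two scenarios; they are alternatives, not layers. Before relying on the Null0 fallback in production, confirm on the target IOS release that a packet whose tracked next hop is down really lands on Null0 rather than the default route, e.g. by shutting the hub tunnel in a lab and watching the policy-routing counters in "show route-map".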
07-27-2009 04:56 AM
The route-map worked. However, I am now having a new problem. When I do a tracert from a Windows computer I do see that my next hop is 172.16.16.1. This was not the case before, so it is working. But when it gets to 172.16.16.1, it stops there. I am not sure why this is. I would have thought the hub would use its default route. I am not sure why the tracert stops there. I am using EIGRP as my routing protocol.
Any thoughts? Attached is my hub config.