Meddane
Sometimes you have the requirement of hub and spoke in DMVPN with the following constraint: corporate Internet traffic should be routed via the Hub (HQ site) rather than directly out to the Internet, to ensure that it passes through the security stack. To do this, the administrator advertises a default route via EIGRP through the GRE tunnel interface using the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command.

At the same time, Guest Internet traffic should not be routed through the Hub (HQ site); instead it must go directly to the Internet via the local gateway, Spoke1.

The first challenge in this design is that the EIGRP default route has a higher administrative distance (AD) than the static default route on the spokes, so the spokes will never install the EIGRP default route.

The second challenge is that we need both default routes:
- One default route (learned through EIGRP) to route corporate Internet traffic through the Hub.
- One default route (the static one) for Guest Internet traffic, pointing directly to the ISP, so that this traffic breaks out locally.

To do that, the VRF concept comes to the rescue: we put the Guest network and the Spoke's Internet-facing interface in a VRF and configure a static default route in this VRF's routing table pointing to the ISP, while keeping the EIGRP-learned default route in the global routing table.

ip vrf INTERNET
!
interface Ethernet0/0
description to ISP Internet
ip vrf forwarding INTERNET
ip address 2.2.2.1 255.255.255.0
ip nat outside
!
interface Ethernet0/1
description to Guest network
ip vrf forwarding INTERNET
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface Ethernet0/2
description to Corporate network
ip address 192.168.5.1 255.255.255.0
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 2.2.2.2

Another challenge then emerges: since the E0/0 interface connected to the ISP is in the VRF called INTERNET, and the GRE tunnel is configured with tunnel source e0/0, we need to instruct the Spoke1 router to use the VRF routing table to reach the Hub over the Internet transport in order to set up the GRE tunnel; otherwise the tunnel will fail. The magic is possible with the tunnel vrf command under the tunnel interface of Spoke1.

interface Tunnel1
tunnel vrf INTERNET
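
The two failure modes above (a tunnel whose source interface sits in a VRF without a matching tunnel vrf, and a guest VRF with no default route to the ISP) are easy to miss in a large spoke config. The following checker is an added example, not from the post or from Cisco; it parses an IOS-style config and reports those two inconsistencies. The sample Spoke1 config is constructed from the text above, with a Tunnel1 block sourced from Ethernet0/0.

```python
import re
# Constructed sample (not from the post): Spoke1 as described above, with Tunnel1
# sourced from Ethernet0/0 but still missing the "tunnel vrf" line.
SPOKE1_CONFIG = """\
ip vrf INTERNET
interface Ethernet0/0
 ip vrf forwarding INTERNET
 ip nat outside
interface Ethernet0/1
 ip vrf forwarding INTERNET
 ip nat inside
interface Tunnel1
 tunnel source Ethernet0/0
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 2.2.2.2
"""
FIXED_CONFIG = SPOKE1_CONFIG.replace(
    " tunnel source Ethernet0/0", " tunnel source Ethernet0/0\n tunnel vrf INTERNET")
# Per-interface commands we care about -> key under which the last word is stored.
KEYS = {"ip vrf forwarding": "vrf", "tunnel source": "source",
        "tunnel vrf": "tunnel_vrf", "ip nat": "nat"}

def parse_interfaces(config):
    """Map interface name -> {vrf, source, tunnel_vrf, nat} from an IOS-style config."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {k: None for k in KEYS.values()})
        elif line.startswith("!"):
            cur = None
        elif cur is not None:
            for prefix, key in KEYS.items():
                if line.strip().startswith(prefix + " "):
                    cur[key] = line.split()[-1]   # e.g. INTERNET, Ethernet0/0, inside
    return ifaces

def check_vrf_breakout(config):
    """Return findings; an empty list means transport VRF and guest breakout are consistent."""
    ifaces = parse_interfaces(config)
    vrf_defaults = set(re.findall(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M))
    findings = []
    for name, i in ifaces.items():
        # GRE resolves its endpoints in "tunnel vrf"; that must be the source interface's VRF.
        if i["source"] and ifaces.get(i["source"], {}).get("vrf") != i["tunnel_vrf"]:
            findings.append(f"{name}: tunnel vrf {i['tunnel_vrf']} does not match VRF of source {i['source']}")
        # A NAT-inside (guest) interface in a VRF needs a default route in that VRF to break out locally.
        if i["nat"] == "inside" and i["vrf"] and i["vrf"] not in vrf_defaults:
            findings.append(f"{name}: VRF {i['vrf']} has no default route for local breakout")
    return findings
```

Running check_vrf_breakout(SPOKE1_CONFIG) reports the missing tunnel vrf on Tunnel1, while FIXED_CONFIG returns no findings.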

In a large deployment, it becomes complex to leverage this configuration, which can lead to more complex implementation and troubleshooting. Cisco SD-WAN provides an intuitive routing approach for the Direct Internet Access challenge: using the centralized vManage console, you push a simple data policy to the WAN Edge in a few seconds to provide Internet breakout.
