11-20-2009 06:55 AM - edited 02-21-2020 04:23 PM
Hello, for a backup to one of my sites' MPLS connection, I have an internet connection using a DMVPN spoke back to HQ. I would like to use this link for alternate corporate-wide internet access also. I know if this was a client-based VPN connection, I could create a split tunnel by applying an ACL to the crypto map for the private destination networks and that traffic would go over the tunnel, all else would go out over the internet connection. I am looking to do something similar for the DMVPN tunnel... any suggestions? Thanks in advance.
11-20-2009 10:15 AM
I'm not 100% on DMVPN; however, I do know they are based on tunnels. A logical course of testing would be to write the ACL that defines the traffic that you want to traverse the DMVPN, then apply it to the tunnel interface in the outbound direction.
HTH
11-20-2009 10:28 AM
Thanks Andrew, yeah I have a few ideas somewhere along those lines as well as some policy routing options. I was just wondering if there was a straightforward split tunnel parameter I might have overlooked. I'll be in the lab Monday doing some testing and will let you know how things work out.
-Derek
11-20-2009 10:35 AM
Just for funzies, I will be in the lab Monday testing something else - I think I will tack this onto my list also!
11-22-2009 08:40 PM
Hi
DMVPN only encrypts the traffic that goes through the tunnel. If you want split tunneling, then you need to just have the routing protocols in the DMVPN hub or spokes advertise the networks that need to be encrypted. By doing this, routes will be installed through the tunnel interface and traffic that uses that route will be encrypted.
Traffic not going through the route through the tunnel interface will not be encrypted, and hence you achieve split tunneling.
With regards
Kings
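The routing-based split described in the reply above can be checked offline. The following is an added example, not code from the thread: it runs a longest-prefix match over a constructed spoke routing table and reports any part of a corporate prefix that would leave outside the tunnel. The interface names, prefixes and the stray static route are assumptions made for illustration.

```python
import ipaddress

# Constructed spoke routing table: (prefix, egress interface).
# Tunnel0 is the assumed DMVPN tunnel, GigabitEthernet0/0 the assumed ISP link.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),      # default route to the ISP
    ("10.0.0.0/8", "Tunnel0"),                # corporate summary learned from the hub
    ("172.16.0.0/16", "Tunnel0"),
    ("10.20.30.0/24", "GigabitEthernet0/0"),  # stray static that overrides the summary
]
TUNNEL = "Tunnel0"


def _table(routes):
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]


def egress(dest, routes=ROUTES):
    """Longest-prefix match: interface a single destination address leaves by."""
    addr = ipaddress.ip_address(dest)
    matches = [(n, i) for n, i in _table(routes) if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def cleartext_parts(protected, routes=ROUTES):
    """Return the sub-prefixes of `protected` that do not leave via the tunnel."""
    table = _table(routes)

    def walk(net):
        # Routes strictly inside this block can pull part of it off the tunnel.
        inside = [n for n, _ in table if n != net and n.subnet_of(net)]
        if inside:  # split the block and check each half separately
            return [p for half in net.subnets(prefixlen_diff=1) for p in walk(half)]
        covering = [(n, i) for n, i in table if net.subnet_of(n)]
        best = max(covering, key=lambda m: m[0].prefixlen)[1] if covering else None
        return [] if best == TUNNEL else [str(net)]

    return walk(ipaddress.ip_network(protected))


if __name__ == "__main__":
    for prefix in ("10.0.0.0/8", "172.16.0.0/16"):
        print(prefix, "unencrypted parts:", cleartext_parts(prefix))
```

An empty list for a corporate prefix means every address in it follows a route through the tunnel interface; any prefix returned is traffic that would take the internet path unencrypted.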