
DMVPN split tunneling issue, not able to bypass HTTP traffic at spoke end.

CSCO11181152
Level 1

Dear all,

I would appreciate your help in resolving the following issue.
I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issues at all, and everything is working perfectly.
Now I have received a request to split legitimate corporate traffic and internet traffic at the spoke end, so that all internet traffic is forwarded via the local ADSL connection. I tried to resolve it, but the spoke router is continuously forwarding all traffic to the tunnel.
Moreover, I found on the internet that DMVPN has a limitation: split tunneling is not possible.
Could you please suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
Thanks and regards,

2 Accepted Solutions

Marcin Latosiewicz
Cisco Employee

DMVPN is not based on policy, so split tunneling concepts do not apply. 

DMVPN relies on routing to figure out what traffic needs to be tunneled. 

In your case you also need to differentiate between corporate and Internet HTTP traffic; best to put correct routing in place.


I agree with Marcin.

At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN, you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface, then there is no point in keeping the injected default route.

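The route selection both answers rely on, as an added example that is not part of the original thread: a small Python model of a spoke's routing table showing which interface corporate and Internet destinations leave through, and what happens when the ADSL line drops. The prefixes and the interface names `Tunnel0` and `Dialer1` are constructed; the model assumes the EIGRP default arrives as an external route (administrative distance 170) and that the tunnel runs over a different WAN interface than the ADSL line.

```python
import ipaddress
from dataclasses import dataclass

# Cisco IOS default administrative distances (lower wins for the same prefix).
AD_STATIC, AD_EIGRP_INTERNAL, AD_EIGRP_EXTERNAL = 1, 90, 170

@dataclass(frozen=True)
class Route:
    prefix: str   # destination network
    ad: int       # administrative distance of the route source
    out_if: str   # egress interface
    source: str   # how the route was learned

def build_rib(candidates, up_interfaces):
    """Install, per prefix, the lowest-AD route whose egress interface is up."""
    rib = {}
    for r in candidates:
        if r.out_if not in up_interfaces:
            continue  # a route through a down interface is not installed
        net = ipaddress.ip_network(r.prefix)
        if net not in rib or r.ad < rib[net].ad:
            rib[net] = r
    return rib

def lookup(rib, dst):
    """Longest-prefix match over installed routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in rib if addr in n]
    return rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

# Constructed spoke inputs: prefixes and interface names are assumptions.
SPOKE_ROUTES = [
    Route("10.0.0.0/8", AD_EIGRP_INTERNAL, "Tunnel0", "EIGRP from hub"),
    Route("0.0.0.0/0", AD_EIGRP_EXTERNAL, "Tunnel0", "EIGRP default from hub"),
    Route("0.0.0.0/0", AD_STATIC, "Dialer1", "static default via ADSL"),
]

def egress(dst, up_interfaces=("Tunnel0", "Dialer1")):
    """Return the interface the spoke would forward dst through."""
    route = lookup(build_rib(SPOKE_ROUTES, set(up_interfaces)), dst)
    return route.out_if if route else None

if __name__ == "__main__":
    for dst in ("10.20.30.40", "203.0.113.80"):
        print(dst, "->", egress(dst))
    print("ADSL down:", egress("203.0.113.80", up_interfaces=("Tunnel0",)))
```

Corporate destinations keep following the more specific EIGRP prefixes into the tunnel, so only traffic with no better match than the default route leaves via the ADSL line.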
