DMVPN Hub-Spoke Design and Direct Internet Access (DIA)


Sometimes a DMVPN hub-and-spoke design comes with the following constraint: corporate Internet traffic must be routed via the Hub (HQ site) rather than directly out to the Internet, so that it passes through the security stack at HQ. To do this, the administrator advertises a default route from the Hub via EIGRP through the GRE tunnel interface, using the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command under the Hub's tunnel interface.

At the same time, Guest Internet traffic should not be routed through the Hub (HQ site); instead it must break out directly to the Internet via the local ISP gateway of Spoke1.

The first challenge in this design is that the EIGRP-learned default route (administrative distance 90) has a higher AD than the static default route the spoke already holds toward its ISP (AD 1), so as long as both live in the same routing table the spoke will never install the EIGRP default route.

The second challenge is that we need both default routes at the same time:
- One default route (learned through EIGRP) to route the corporate Internet traffic through the Hub.

- One default route (the static) for Guest Internet traffic, pointing directly to the ISP, in order to route that traffic locally.

This is where the VRF concept comes to the rescue: we put the Guest network and the Spoke's Internet-facing interface in a VRF and configure a static default route in that VRF's routing table pointing to the ISP, while the EIGRP-learned default route stays in the global routing table. The corporate LAN interface remains in the global table, so the only default route it can use is the one learned from the Hub. Because the two routing tables are separate, the Guest VRF also has no route to the corporate subnet unless routes are explicitly leaked between them, which is the isolation this design relies on.

ip vrf INTERNET
!
interface Ethernet0/0
 description to ISP Internet
 ip vrf forwarding INTERNET
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 description to Guest network
 ip vrf forwarding INTERNET
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/2
 description to Corporate network
 ip address 192.168.5.1 255.255.255.0
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 2.2.2.2

Another challenge emerges: since E0/0, connected to the ISP, is in the VRF called INTERNET, and the GRE tunnel is configured with tunnel source e0/0, we need to instruct Spoke1 to use the VRF routing table (not the global table) to reach the Hub across the Internet transport; otherwise the tunnel destination is unreachable from the global table and the tunnel stays down. This is done with the tunnel vrf command under the tunnel interface of Spoke1, the so-called front-door VRF (fVRF) model. Note that tunnel vrf only controls where the encapsulated GRE packets are routed; the Tunnel1 interface itself remains in the global routing table, which is exactly what we want, since EIGRP and the corporate default route live there.

interface Tunnel1
 tunnel vrf INTERNET
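Putting the pieces together, here is a complete Spoke1 configuration for the VRF split described above and for the tunnel vrf step. This is an added example, not the original post's configuration: the Hub public address 1.1.1.1, the 10.0.0.0/24 overlay addressing, the NAT access list and all object names are assumptions. It adds the two things the fragments above leave out, namely the NAT translation rule (the ip nat inside/outside markers alone translate nothing) and IPsec protection of the GRE tunnel, whose keyring and ISAKMP profile must themselves be VRF-aware when the transport interface sits in an fVRF.

```cisco
! Spoke1 front-door VRF (fVRF) configuration, added example (assumed addresses/names).
! Internet transport and Guest LAN live in VRF INTERNET; corporate LAN, Tunnel1 and
! EIGRP stay in the global routing table.
ip vrf INTERNET
!
! IKE/IPsec: keyring and ISAKMP profile are tied to VRF INTERNET, otherwise IKE
! packets arriving on the VRF-facing interface never match a peer.
crypto keyring DMVPN-KEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-STRONG-PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp profile DMVPN-IKE
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0 INTERNET
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-IKE
!
interface Ethernet0/0
 description to ISP Internet
 ip vrf forwarding INTERNET
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 description to Guest network
 ip vrf forwarding INTERNET
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/2
 description to Corporate network
 ip address 192.168.5.1 255.255.255.0
!
interface Tunnel1
 description DMVPN overlay (global table), transport routed in VRF INTERNET
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf INTERNET
 tunnel protection ipsec profile DMVPN-IPSEC
!
! Guest breakout: static default inside the VRF plus PAT on the ISP interface.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 2.2.2.2
ip access-list standard GUEST-NAT
 permit 192.168.4.0 0.0.0.255
ip nat inside source list GUEST-NAT interface Ethernet0/0 vrf INTERNET overload
!
! Corporate traffic: no static default in the global table, so the only candidate
! is the 0.0.0.0/0 summary learned from the Hub over Tunnel1.
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.5.0 0.0.0.255
!
! Hub side (for reference), as in the post: advertise the default into the tunnel.
! interface Tunnel1
!  ip summary-address eigrp 1 0.0.0.0 0.0.0.0
!
! Expected verification on Spoke1 once the tunnel is up:
!  show ip route vrf INTERNET 0.0.0.0      -> S* 0.0.0.0/0 via 2.2.2.2
!  show ip route 0.0.0.0                   -> D* 0.0.0.0/0 via 10.0.0.1, Tunnel1
!  show dmvpn                              -> NHS 10.0.0.1, state UP
!  show ip route vrf INTERNET 192.168.5.0  -> no route (Guest cannot reach corporate)
```

The last verification line is the security check worth keeping in a change ticket: the Guest VRF holds only its connected subnets and the ISP default, so a guest host has no path to 192.168.5.0/24 or to the overlay, and the corporate side has no default except the one the Hub advertises. If someone later adds a static default in the global table on the spoke, the first challenge described above returns and corporate traffic silently bypasses the HQ security stack, so show ip route 0.0.0.0 should always show the EIGRP (D*) route, never an S* route.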

In a large deployment this configuration becomes complex to maintain, which leads to more complex implementation and troubleshooting. Cisco SD-WAN offers a more intuitive model for the Direct Internet Access problem: from the centralized vManage console you push a simple Data Policy to the WAN Edge in a few seconds to provide Internet breakout.

Categories: Security
