SDN/SDDC Retreat in Miami, Florida (November 4th-6th)
Separate SDN hype from real life!

Tunnel Route Selection (recording from the webinar)

A while ago I wrote about the Tunnel Route Selection feature of Cisco IOS and how it could be used to solve the redundantly-connected spoke site issue. Here’s the basic design: you have two uplinks to two ISPs, two DMVPN tunnel interfaces, each one sourced from one of the uplinks and two default routes. Everything works great until one of the ISPs enables RPF checks ... and then the all hell breaks loose. More in a short clip made from a recording of my DMVPN – From Basics To Scalable Networks webinar.


  1. I love the "today I took too much antidepressives" background music :)

  2. In the scenario with a DMVPN built over the Internet and the need for redundancy, in the past I have used the Front-Door VRF DMVPN feature, with the Internet interface in the front-door VRF. This will only work if you are full tunneling Internet traffic from spokes to hub sites, but it solved the issue of having to have 2 different default routes for Internet and one for tunneled traffic quite nicely.

  3. Front-door VRF works nicely if you have the spoke site with link to one ISP (or two ISPs that don't do RPF check). If you have two uplinks to two ISPs, you have to use two VRFs (or tunnel route selection if you use two MPLS/VPN services and don't need IPSec).

  4. we use a vrf per ISP each with a different default route in each, and a 3rd default route in the global table for traffic going through the tunnels

  5. That's the perfect solution!


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354 Emeritus, is an independent network architect. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.