One of the engineers listening to my DMVPN webinars sent me a follow-up question (yes, I always try to reply to them) asking how to implement direct Internet access from the spoke sites (aka local exit) in combination with the split default routing you have to use in DMVPN Phase 2 or Phase 3 networks.
It's really simple: either you have a design requirement that calls for split default routing, or you don't.
Centralized Internet exit: you have to use two different default routes on the spoke site, one for transport (to get to the Internet directly), another one for user traffic.
Local Internet exit: the default packet forwarding for user traffic and DMVPN transport traffic is the same: in both cases the packets are sent to the Internet uplink interface.
Don’t over-complicate your design with VRFs and inter-VRF static routes or route leaking. All you need is a default route pointing to the Internet uplink, and NAT/firewall configured between the inside and outside.
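An added example of what that looks like on the spoke router (Cisco IOS syntax, not a configuration from the webinar): the local-exit spoke first, with its single default route and inside/outside NAT, followed by the centralized-exit variant for contrast. Addresses are constructed from the documentation ranges, the IPsec profile DMVPN is assumed to be defined elsewhere, and the firewall policy between LAN and Internet is not shown.

```ios
! --- Local Internet exit on the spoke: one routing table, one default route, NAT inside/outside ---
interface GigabitEthernet0/0
 description Internet uplink: carries both user traffic and DMVPN transport packets
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description site LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma 198.51.100.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
! The only default route: user packets and the GRE/IPsec packets of the tunnel both leave via the uplink
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Enterprise prefixes (constructed: 192.168.0.0/16) are learned from the hub and routed into Tunnel0,
! so they never reach the NAT on Gi0/0; the deny line keeps them out of the NAT table if a route is ever lost.
ip access-list extended LAN-TO-INTERNET
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list LAN-TO-INTERNET interface GigabitEthernet0/0 overload
! (firewall policy between LAN and Internet, e.g. a zone-based firewall, goes here and is not shown)

! --- Centralized Internet exit on the spoke, for contrast: split default routing with a front-door VRF ---
vrf definition INET
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 vrf forwarding INET
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel0
 tunnel vrf INET
 ! tunnel source, NHRP and IPsec settings as above
!
! Transport default route in the front-door VRF; user default route in the global table points into the
! tunnel (shown static here, usually advertised by the hub via the routing protocol)
ip route vrf INET 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 Tunnel0 10.0.0.1
```

In the centralized case the global routing table has no path to the Internet other than the tunnel, which is exactly what forces user traffic through the central site.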
The same principles apply at the central site:
DMVPN traffic passes through the firewall. No need for special routing tricks: the DMVPN hub router should treat DMVPN transport traffic the same way as user traffic sent toward the Internet.
DMVPN traffic bypasses the firewall. User traffic sent toward the Internet takes a different path than the DMVPN traffic – use split default routing on the hub router.