
Inter-VRF NAT in DMVPN Deployments

One of my users couldn’t get the inter-VRF NAT to work after watching the DMVPN webinars (no real surprise there, the VRF lite concept is covered in more detail in the Enterprise MPLS/VPN webinar), so I decided to write a short document describing the details.



  1. Ivan - guess this depends on the private network being default-free though - sorry haven't watched the webinar yet so maybe covered elsewhere!

    1. Yes, the private network has to be default-free. Will add to the article. Thank you!

  2. Ivan,
    If the global is default free, what would be the use case for having a front vrf? Seems to me that in this case we are splitting the network in separate vrfs just to join those vrfs later with NAT.

    Still this is definitely very useful if you have multiple VRFs on customer side - you can provide direct internet connectivity to all of them.

    1. Hi Pavel, really nice to hear from you after a long while.

      One of the scenarios would be two DMVPN tunnels on two Internet uplinks. If you want to make sure traffic from each tunnel uses its own uplink, two front VRFs are the only solution that work(ed?).

      Also, it seems IWAN uses the same approach (makes things consistent regardless of what you're doing on top of DMVPN).

  3. "While Cisco IOS doesn’t have a global-to-VRF route leaking functionality, PBR seems to be a good alternative."

    Sure it has, Cisco just makes you jump through hoops in order to make it work.

    Darren has an excellent post about this functionality.

