I have the following setup in GNS3:
There are other devices to the right, but they are not needed right now. I have a DMVPN configured with Router1 as hub and Routers 2, 3 and 4 as spokes.
On the switches I have user VLANs configured as follows:
Switch1 – VLAN10;
Switch2 – VLAN20;
Switch3 – VLAN30.
Everything works fine. Now I want to add a configuration so that traffic from one VLAN, say VLAN10, always passes through the tunnel, but traffic from other VLANs (VLAN20 and VLAN30) does not. I searched extensively, but couldn't find exactly what I was looking for.
Can someone tell me the commands needed for that or point me to a guide that describes it?
Thank you in advance.
P.S. Configuration of Router1:
Current configuration : 4080 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip icmp rate-limit unreachable
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.60.2
!
ip dhcp pool NEWPOOL1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL3
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8
!
!
no ip domain lookup
ip domain name Router1.net
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$0HIq$mwZCmYYlKzNxi1qnQ6Hiq0
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 2
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key freeride address 0.0.0.0
!
!
crypto ipsec transform-set NEW esp-3des esp-sha-hmac
!
crypto ipsec profile PROTECT-DMVPN
set transform-set NEW
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 10
no ip split-horizon eigrp 10
ip nhrp authentication NHRPkey
ip nhrp map multicast dynamic
ip nhrp network-id 100
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
ip address 20.20.20.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
shutdown
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
!
router eigrp 10
network 10.0.0.0 0.0.0.255
network 20.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
network 192.168.60.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.60.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login local
transport input ssh
!
!
end
Best Answer
One simple way to do this is to use PBR to change the route traffic.
This should redirect pings from the VLAN interfaces to the interface you want:
Disclaimer: This is not tested; I just created it from memory.
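A concrete policy-based routing configuration for the hub, added here as an example; it is not code from the original question or from the answer above. It uses the VLAN subnets from the posted Router1 config and assumes that Router2's Tunnel0 address is 10.0.0.2 (the spokes' tunnel addresses are not shown on this page). With mGRE there is no single far end, so the route-map sets a tunnel next-hop address rather than `set interface Tunnel0`; NHRP then resolves 10.0.0.2 to the spoke's public address once that spoke has registered with the hub.

```cisco
! Added example, not part of the original post.
! Assumption: 10.0.0.2 is the Tunnel0 address of Router2 (a DMVPN spoke).
!
! 1. Classify the traffic. Only VLAN10 (192.168.10.0/24) is policy-routed.
!    VLAN10 to the other local VLANs is excluded so that it keeps using the
!    directly connected routes instead of being hairpinned into the tunnel.
ip access-list extended VLAN10-TO-TUNNEL
 remark Keep local inter-VLAN traffic on the normal routing table
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
 remark Everything else sourced from VLAN10 is forced into the DMVPN
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2. The policy: matching packets get the spoke's tunnel address as next hop.
!    Packets that do not match (VLAN20/30/60, and the denied entries above)
!    fall through to the routing table unchanged.
route-map VLAN10-VIA-DMVPN permit 10
 match ip address VLAN10-TO-TUNNEL
 set ip next-hop 10.0.0.2
!
! 3. Apply the policy on the ingress interface of VLAN10 only.
!    VLAN20 and VLAN30 sub-interfaces get no "ip policy" and are unaffected.
interface Ethernet0/1.10
 ip policy route-map VLAN10-VIA-DMVPN
!
! 4. Verification (run after the spokes have registered):
!    show ip policy                        - confirms Ethernet0/1.10 carries the route-map
!    show route-map VLAN10-VIA-DMVPN       - "Policy routing matches" counter must increase
!                                            while a VLAN10 host sends traffic
!    show ip nhrp                          - 10.0.0.2 must resolve to Router2's tunnel source
!    show crypto ipsec sa | include encaps - encap counters rise for VLAN10 traffic only
!    debug ip policy                       - per-packet decisions; lab use only, noisy
```

Two caveats a practitioner would want. First, the policy only steers the forward direction; the return path is whatever Router2 chooses, so the hub must keep advertising 192.168.10.0/24 to the spokes over EIGRP (it already does, via `network 192.168.10.0`), otherwise replies leave the spoke unencrypted. Second, if 10.0.0.2 cannot be resolved (spoke down, NHRP registration missing), policy-routed packets are not silently handed back to the routing table in a useful way; `set ip next-hop verify-availability` with a tracked IP SLA probe to the spoke gives a defined fallback. On the security side, the posted ISAKMP policy (`encr 3des`, `hash md5`, `group 2`) and the wildcard pre-shared key for `address 0.0.0.0` are the weakest part of this setup: forcing VLAN10 into the tunnel is only worth doing if the tunnel itself uses a current suite (AES, SHA-2, a 2048-bit or larger DH group) and per-spoke keys or certificates.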