DMVPN in a VRF Environment


In the lab, I have been introducing vrf environments into everything that I do. MPLS was the tip of the iceberg and then from there, I started tonight going over DMVPN in a vrf environment. On top of that, I went a step further and started having a few different combinations when it came to interface configurations:

  • ALL interfaces of a spoke in a vrf
  • WAN interface only in a vrf
  • WAN interface is the only interface NOT in a vrf

In the case of my lab, I have three interfaces in question, Ethernet0/0 (my WAN interface), Loopback0, and Tunnel0 (my DMVPN Tunnel). Being able to understand how a basic DMVPN hub and spoke environment works is key first and foremost. I always refer back to the Cisco documentation page when I am stuck on a command.

That page is located here: 

You can get a sample config for a hub and a spoke on that page. Definitely a good one to have bookmarked for when you need it. You can also watch my #RoutingTableLive video at the bottom of this post for a basic DMVPN setup.

On to the topic at hand. There are two basic commands we need to use in this lab: “vrf forwarding MyVRF” and “tunnel vrf MyVRF”, assuming your vrf is already created correctly with the name MyVRF. It’s pretty straightforward, but I will explain it like this. If you want your tunnel subnet to be included in the vrf, use the command “vrf forwarding MyVRF” on the tunnel interface. The other command, “tunnel vrf MyVRF”, is only used if your WAN interface is included in the vrf. That’s as easy as I can explain it. Now on to the three scenarios I mentioned previously, broken down in detail:

  • ALL interfaces of a spoke in a vrf.
    • All interfaces include “vrf forwarding MyVRF”.
    • Tunnel interface includes both “vrf forwarding MyVRF” and “tunnel vrf MyVRF”.
  • WAN interface only in a vrf.
    • Tunnel interface includes only “tunnel vrf MyVRF”.
  • WAN interface is the only interface NOT in a vrf.
    • All interfaces except the WAN interface use “vrf forwarding MyVRF”; “tunnel vrf MyVRF” is not used.

That’s all there is to it. Try it in a lab environment and let me know if there are any questions. Once your lab is done, write erase everything and do it again. Repetition is key to remembering these types of things. That being said, that documentation page I shared before is a great one to keep around from the official Cisco command reference. In my basic DMVPN video below, you can see I even referred back to it then.
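The rule behind all three scenarios is that “tunnel vrf” has to name the vrf the WAN (tunnel source) interface sits in, and has to be absent when the WAN is in the global table. The Python check below is an added example, not part of the original post or of Cisco's documentation; it parses constructed spoke snippets and reports, per tunnel, the vrf from “vrf forwarding”, the vrf from “tunnel vrf”, and whether the latter matches the WAN interface. The names `SCENARIOS`, `PATTERNS` and `audit` and the labels "overlay" and "transport" are assumptions for illustration, and the tunnel source is assumed to be given as an interface name.

```python
import re
# Constructed spoke snippets for the post's three scenarios (addresses and NHRP lines omitted).
SCENARIOS = {
    "all_in_vrf": """
interface Tunnel0
 vrf forwarding MyVRF
 tunnel source Ethernet0/0
 tunnel vrf MyVRF
interface Ethernet0/0
 vrf forwarding MyVRF
""",
    "wan_only_in_vrf": """
interface Tunnel0
 tunnel source Ethernet0/0
 tunnel vrf MyVRF
interface Ethernet0/0
 vrf forwarding MyVRF
""",
    "wan_only_not_in_vrf": """
interface Tunnel0
 vrf forwarding MyVRF
 tunnel source Ethernet0/0
interface Ethernet0/0
""",
}
PATTERNS = {"overlay": r"vrf forwarding (\S+)", "source": r"tunnel source (\S+)",
            "transport": r"tunnel vrf (\S+)"}

def audit(config):
    """Per tunnel: overlay vrf, transport vrf, and whether transport matches the WAN's vrf."""
    intfs, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = intfs.setdefault(m.group(1), {})
        elif cur is not None:
            for key, pat in PATTERNS.items():
                if m := re.fullmatch(pat, line):
                    cur[key] = m.group(1)
    report = {}
    for name, i in intfs.items():
        wan = intfs.get(i.get("source"))
        if wan is None:
            continue  # not a tunnel, or the source is not an interface in this config
        t = i.get("transport")  # None means the tunnel's transport uses the global table
        report[name] = {"overlay": i.get("overlay"), "transport": t, "ok": t == wan.get("overlay")}
    return report

for name, cfg in SCENARIOS.items():
    print(name, audit(cfg))
```

A config where the WAN interface is in MyVRF but the tunnel has no “tunnel vrf MyVRF” line comes back with "ok" set to False.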

Thanks for reading!

#RoutingTableLive Basic DMVPN Setup


  1. You can also do MPLS L3VPN over DMVPN. Multiple customers share a single DMVPN overlay with VPNv4 labels providing separation.


