05-23-2007 10:47 AM - edited 03-09-2019 06:02 PM
Hello,
I am working for a company that has 150+ branch offices. We wish to configure a VPN solution that is scalable, will work if an IP address is changed, and will not allow the branches to create tunnels to themselves (not allow DMVPN spoke-to-spoke).
I have read some stuff on DMVPN that makes it sound like this is possible, but all of the configuration examples I have seen indicate that the remote sites will automatically configure the spoke tunnel.
Thank you for your assistance.
All routers are 1751 with VPN modules and running at least 12.0, most are upgraded to at least 12.2, and a couple have been upgraded to 12.3(22).
05-23-2007 03:32 PM
It is possible. See this link: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c71.html#wp1053984
See step 13 in the spoke configuration:
Step 13
  tunnel mode gre multipoint
  OR
  tunnel destination hub-physical-ip-address

Example:
  Router(config-if)# tunnel mode gre multipoint
  OR
  Router(config-if)# tunnel destination

Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.
Specifies the destination for a tunnel interface. Use this command if data traffic can use hub-and-spoke tunnels.
On our DMVPN, we use the spoke routers as firewalls with the IOS-FW feature along with DMVPN. In the access-list we only allow the public address of the hub dmvpn router to the spoke router. This prevents other spokes from making connections as well. Some sites we have using hub<->spoke and spoke<->spoke traffic.
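A spoke build that puts the two points of the reply together (point-to-point `tunnel destination` instead of mGRE, plus an outside ACL that admits only the hub), as an added example that is not from the original post or the linked Cisco guide. All addresses, interface names, key strings and ACL/profile names are assumed placeholders: hub public address 198.51.100.1, hub tunnel address 10.0.0.1, this spoke's tunnel address 10.0.0.2, outside interface FastEthernet0.

```cisco
! Spoke router, hub-and-spoke only. Added example; every address, name and
! key below is an assumed placeholder, not a value from the thread.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! The spoke only needs a key for the hub. The hub side keys with a wildcard
! (crypto isakmp key ... address 0.0.0.0 0.0.0.0) so a spoke whose public
! address changes can still come up; only the hub address must stay static.
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0
 ! Point-to-point GRE to the hub instead of "tunnel mode gre multipoint".
 ! With a fixed destination this spoke can never build a tunnel to another
 ! spoke; all branch-to-branch traffic is forced through the hub. The hub
 ! keeps mGRE so that every spoke still terminates on the one hub interface.
 tunnel destination 198.51.100.1
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! IOS firewall (CBAC) on the outside interface: sessions the branch opens
! outbound get their return traffic admitted dynamically ...
ip inspect name BRANCH-FW tcp
ip inspect name BRANCH-FW udp
ip inspect name BRANCH-FW icmp
!
! ... and everything else inbound is limited to the hub's VPN traffic.
! GRE rides inside ESP here, so no "permit gre" is needed unless the
! tunnel protection line is removed. The udp/4500 line is for NAT-T.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 eq isakmp any eq isakmp
 permit udp host 198.51.100.1 eq non500-isakmp any eq non500-isakmp
 permit esp host 198.51.100.1 any
 deny ip any any log
!
interface FastEthernet0
 description Outside (public) interface
 ip inspect BRANCH-FW out
 ip access-group OUTSIDE-IN in
```

Two practical caveats for the 1751 fleet described in the question: `tunnel protection` and NHRP-over-GRE arrived with DMVPN in 12.2(13)T, so the routers still on 12.0 or mainline 12.2 need an upgrade before any of this applies, and on images that old `show dmvpn` does not exist yet, so verify with `show ip nhrp` (registration at the hub) and `show crypto isakmp sa` / `show crypto ipsec sa` (the SA to 198.51.100.1) instead.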
05-24-2007 07:12 AM
Thank you very much.