Block DMVPN Phase 1 spoke-to-spoke traffic, all spokes receive default 0.0.0.0/0 route only

beiyanlong
Level 1

Can someone tell me what's the best way to block the traffic between spokes? I'm using DMVPN Phase 1 + EIGRP with a stub design. I send a summary address 0.0.0.0/0 down to all sites. All sites are able to reach other sites via the hub; I want to block that traffic and only allow remote sites to access the resources behind the hub.

Thanks in advance! 

5 Replies

M. G.
Level 1

Shouldn't the default-enabled EIGRP feature (split-horizon) do the work?

Peter Paluch
Cisco Employee

Hello,

As M.G. pointed out, if your spokes already have only a default route that points back to the hub, then they will send all outbound traffic, including the spoke-to-spoke traffic, through the hub.

However, if you want to prevent even a theoretical chance of spokes communicating with each other directly, there is a simple solution: Have the spokes configured with a point-to-point tunnel to the hub, rather than a multipoint tunnel. The spokes would still be running NHRP on the point-to-point tunnel just like with multipoint tunnels, and would still be capable of dynamically registering at the hub, but due to their point-to-point tunnels, they would never be able to send packets to each other directly.

You would not need to change the addressing on the tunnels - they can still remain the way they are set up now, including the netmasks.

Feel welcome to ask further!

Best regards,
Peter

Thanks Peter and M.G. for the quick response. Split-horizon prevents the routes received from an interface from being sent back out the same interface; it does not block the traffic itself. So it won't stop spoke-to-spoke communication through the hub. The traffic pattern will be Spoke1-Hub-Spoke2.

I'm intentionally using a Phase 1 design here to prevent any direct spoke-to-spoke traffic; all the spokes are NOT configured with mGRE tunnels but with point-to-point tunnels already.

One solution would be using 2547oDMVPN (enabling MPLS over DMVPN) plus a centralized firewall to control the traffic, but I feel there should be an easier or more elegant solution.

The problem you are having is not a routing problem but a security problem. You want to block all traffic between spokes and allow spoke-to-hub traffic only.

If you are lucky and have a structured IP addressing plan, the same ACL can be deployed on all the spokes to block traffic to the other spokes and permit everything else; that will do the work.
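
As an added illustration of the ACL approach in the reply above (example configuration, not posted by anyone in this thread), assuming a constructed addressing plan in which every spoke LAN sits inside 10.10.0.0/16 (this spoke owns 10.10.1.0/24), hub resources live in 10.0.0.0/16 and the tunnel subnet is 172.16.0.0/24. The hub-side variant goes beyond the reply: since Phase 1 forces all spoke-to-spoke traffic to hairpin through the hub, a single inbound ACL on the hub's mGRE tunnel is an alternative choke point.

```cisco
! Constructed addressing (assumption, not from the thread):
!   spoke LANs     10.10.0.0/16  (this spoke: 10.10.1.0/24)
!   hub resources  10.0.0.0/16
!   tunnel subnet  172.16.0.0/24
!
! --- Spoke router (point-to-point GRE, DMVPN Phase 1) ---
! Outbound ACL on the tunnel: drop anything from this spoke's LAN
! destined for any other spoke LAN, allow everything else (hub
! resources, EIGRP to 224.0.0.10 sourced from the tunnel address).
! NHRP rides inside GRE as a non-IP payload, so it is not affected.
ip access-list extended BLOCK-SPOKE-TO-SPOKE
 deny   ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 permit ip any any
!
interface Tunnel0
 description DMVPN Phase 1 p2p tunnel to hub
 ip access-group BLOCK-SPOKE-TO-SPOKE out
!
! --- Hub-side alternative (single choke point) ---
! Every hairpinned spoke-to-spoke packet enters the hub on Tunnel0,
! so one inbound ACL matching the aggregate spoke range catches all
! of them, however many spokes exist; no per-spoke lines needed.
ip access-list extended HUB-DENY-SPOKE-HAIRPIN
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 permit ip any any
!
interface Tunnel0
 description DMVPN Phase 1 hub mGRE tunnel
 ip access-group HUB-DENY-SPOKE-HAIRPIN in
!
! Verification: the deny line's hit counter shows whether spoke-to-
! spoke attempts are actually being matched, and "log" sends each
! denied flow to syslog for monitoring.
!   Router# show ip access-lists HUB-DENY-SPOKE-HAIRPIN
```

The spoke-side ACL still relies on every spoke being configured consistently; the hub-side ACL enforces the policy even if a spoke's configuration drifts.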

Thanks, I will dig for more info accordingly.
