01-26-2018 08:31 PM - edited 03-05-2019 09:49 AM
Can someone tell me what's the best way to block the traffic between spokes? I'm using DMVPN phase 1 + EIGRP with stub design. I send a summary address 0.0.0.0/0 down to all sites. All sites are able to reach other sites via the Hub; I want to block that traffic and only allow remote sites to access the resources behind the hub.
Thanks in advance!
01-27-2018 01:07 AM
Shouldn't the default-enabled EIGRP feature (split-horizon) do the work?
01-27-2018 01:13 AM
Hello,
As M.G. pointed out, if your spokes already have only a default route that points back to the hub, then they will send all outbound traffic, including the spoke-to-spoke traffic, through the hub.
However, if you want to prevent even a theoretical chance of spokes communicating with each other directly, there is a simple solution: Have the spokes configured with a point-to-point tunnel to the hub, rather than a multipoint tunnel. The spokes would still be running NHRP on the point-to-point tunnel just like with multipoint tunnels, and would still be capable of dynamically registering at the hub, but due to their point-to-point tunnels, they would never be able to send packets to each other directly.
You would not need to change the addressing on the tunnels - they can still remain the way they are set up now, including the netmasks.
Feel welcome to ask further!
Best regards,
Peter
01-28-2018 05:43 PM
Thanks Peter and M.G. for the quick response. Split-horizon prevents the routes received on an interface from being sent back out the same interface; it does not stop the traffic. So it won't stop spoke-to-spoke communication through the hub. The traffic pattern will be Spoke1-Hub-Spoke2.
I'm intentionally using the Phase 1 design here to prevent any spoke-to-spoke direct traffic; all the spokes are NOT configured with an mGRE tunnel but are already point-to-point.
One solution would be using 2547oDMVPN (enabling MPLS over DMVPN) plus a centralized firewall to control the traffic, but I feel there should be an easier or more elegant solution.
01-28-2018 08:59 PM
The problem you are having is not a routing but a security problem. You want to block all traffic between spokes and allow spoke-to-hub traffic only.
If you are lucky and have a structured IP addressing plan, the same ACL deployed on all the spokes to block the traffic to the other spokes and permit everything else will do the work.
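As an added illustration (not posted by anyone in this thread), here is the kind of spoke-side ACL the reply above describes, with a constructed addressing plan assumed for the example: hub-side resources in 10.0.0.0/16, and every spoke LAN a /24 taken from 10.100.0.0/16 so one ACL fits all spokes.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   hub-side resources : 10.0.0.0/16
!   all spoke LANs     : 10.100.0.0/16  (each spoke owns one /24 inside it)
!   Tunnel0            : the spoke's point-to-point GRE/IPsec tunnel to the hub
!
! Because every spoke LAN falls inside 10.100.0.0/16, a single ACL that drops
! anything from a spoke LAN to another spoke LAN can be pasted unchanged on
! every spoke. Traffic to the hub-side 10.0.0.0/16 and anything reached via
! the 0.0.0.0/0 summary still passes through the final permit.
! "log" records denied attempts so blocked spoke-to-spoke flows are visible
! in syslog for monitoring.
ip access-list extended BLOCK-SPOKE-TO-SPOKE
 remark drop spoke LAN -> any other spoke LAN (local LAN traffic never transits the tunnel)
 deny   ip 10.100.0.0 0.0.255.255 10.100.0.0 0.0.255.255 log
 remark everything else (hub resources, default route) is allowed
 permit ip any any
!
interface Tunnel0
 description DMVPN phase 1 point-to-point spoke tunnel to hub
 ip access-group BLOCK-SPOKE-TO-SPOKE out
!
! Note: an outbound ACL on IOS is not applied to packets the router itself
! generates, so the spoke's own EIGRP and NHRP traffic to the hub is unaffected.
!
! Alternative with the same ACL at a single enforcement point: apply it inbound
! on the hub's tunnel interface instead, so the hub drops spoke-to-spoke packets
! before routing them back out to the other spoke.
!   interface Tunnel0
!    ip access-group BLOCK-SPOKE-TO-SPOKE in
```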
01-31-2018 04:25 PM
Thanks, I will dig into more info accordingly.