Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
3
Replies

Block Spoke to Spoke Communication - DMVPN

ittechk4u1
Level 4
Level 4

‎09-03-2019 12:44 AM

Hello experts,

 

I am having below config on my HUB and spoke routers:

 

HUB1:

interface Tunnel5656
bandwidth 40000
ip address 10.13.198.4 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication HA18BJ56
ip nhrp map multicast dynamic
ip nhrp network-id 4
ip nhrp holdtime 300
ip tcp adjust-mss 1360
delay 1000
tunnel source 195.243.205.120
tunnel mode gre multipoint
tunnel key 4
tunnel protection ipsec profile DMVPN

 

HUB2:

 

interface Tunnel5656
bandwidth 40000
ip address 10.13.198.5 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.198.4 195.243.205.120
ip nhrp map multicast 195.243.205.120
ip nhrp network-id 4
ip nhrp holdtime 300
ip nhrp nhs 10.13.198.4
ip tcp adjust-mss 1360
delay 1500
tunnel source 212.185.41.204
tunnel mode gre multipoint
tunnel key 4
tunnel protection ipsec profile DMVPN

 

Spoke1(same for all other execpt ISP IP and tunnel IP):

 

interface Tunnel5656
bandwidth 20000
ip address 10.13.198.50 255.255.255.0
no ip redirects
ip mtu 1400
ip flow monitor NTAmonitor input
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.198.4 195.243.205.120
ip nhrp map multicast 195.243.205.120
ip nhrp map 10.13.198.5 212.185.41.204
ip nhrp map multicast 212.185.41.204
ip nhrp network-id 4
ip nhrp holdtime 300
ip nhrp nhs 10.13.198.4 priority 1 cluster 4
ip nhrp nhs 10.13.198.5 priority 2 cluster 4
ip nhrp nhs cluster 4 max-connections 2
ip nhrp server-only
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 4
tunnel vrf ISP1
tunnel protection ipsec profile DMVPN

 

spoke2:

interface Tunnel5656
bandwidth 20000
ip flow monitor NTAmonitor input
ip address 10.13.198.51 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.198.4 195.243.205.120
ip nhrp map multicast 195.243.205.120
ip nhrp map 10.13.198.5 212.185.41.204
ip nhrp map multicast 212.185.41.204
ip nhrp network-id 4
ip nhrp holdtime 300
ip nhrp nhs 10.13.198.5 priority 2 cluster 4
ip nhrp nhs 10.13.198.4 priority 1 cluster 4
ip nhrp nhs cluster 4 max-connections 2
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 4
tunnel vrf ISP1
tunnel protection ipsec profile DMVPN

 

Could you please help to stop spoke to spoke communication via tunnel 5656

 

Thanks in advance

Labels:
0 Helpful
3 Replies 3

Georg Pauwen
VIP
VIP

‎09-03-2019 02:14 AM

Hello,

 

my first thought would be to make the tunnels on the spokes point to point tunnels instead of multipoint tunnels. Are there any other spokes these two spokes have to communicate with ?

0 Helpful

ittechk4u1
Level 4
Level 4
In response to Georg Pauwen

‎09-03-2019 04:14 AM

I have in total 5 spoke and these spoke must only communicate with Both HUBs.

 

Thnaks

0 Helpful

Georg Pauwen
VIP
VIP
In response to ittechk4u1

‎09-03-2019 07:27 AM

Hello,

 

the easiest would probably be to just put an access list on the spoke tunnels, denying the NHRP addresses from the other spokes, and allowing those from the hubs. In the example below, 10.1.1.1 is the hub, and 10.1.1.2 and 10.1.1.3 are the spokes. The access list denies anything coming from the spokes, and allows everything from the hub. The access list is applied inbound to the tunnel interface of 10.1.1.4.

 

R3#sh ip nhrp
10.1.1.1/32 via 10.1.1.1
Tunnel0 created 00:17:42, never expire
Type: static, Flags: used
NBMA address: 192.168.0.2
10.1.1.2/32 via 10.1.1.2
Tunnel0 created 00:09:51, expire 01:50:08
Type: dynamic, Flags: router used nhop
NBMA address: 192.168.11.2
10.1.1.3/32 via 10.1.1.3
Tunnel0 created 00:05:30, expire 01:54:28
Type: dynamic, Flags: router used nhop
NBMA address: 192.168.12.2
10.1.1.4/32 via 10.1.1.4
Tunnel0 created 00:09:50, expire 01:54:29
Type: dynamic, Flags: router unique local
NBMA address: 192.168.13.2
(no-socket)

 

access-list 101 deny ip host 10.1.1.3 any
access-list 101 deny ip host 10.1.1.2 any
access-list 101 permit ip any any

 

interface Tunnel0
ip address 10.1.1.4 255.255.255.0
ip access-group 101 in
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1 nbma 192.168.0.2 multicast
ip nhrp shortcut
tunnel source 192.168.13.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card