
DMVPN Block spoke to spoke communication

I have a Corp router and a Corp Home User and they connect via a GRE Tunnel and the tunnel (tunnel 200) is working correctly.

On the same Corp router there is a second GRE tunnel (tunnel 0) where we connect to our customers on an as needed basis.  The customer controls when the tunnel is operational via a custom web page on their Cisco router when they need us to make changes on their router.  In the rare case that we have two or more customers connected at the same time, we do not want them to be able to communicate over the GRE. This tunnel is also working correctly.

Also, customer sites will have the same IPs on the customer's side of the router.

Here are our goals:

  • No customer should be able to connect to any of our networks, 10.110.0.1, 192.168.69.0, etc. from their PCs or IP phones
  • We need to access the customer's router (have that now), switch(es), and access points via their customer side IP address from our PCs (SSH) x.x.x.1 through x.x.x.50. (if only from their router, then so be it).
  • No customer should ever be able to connect to another customer's router or network in any way.
  • Exactly what do I need to add/remove and where to do that?
  • The customer(s) may have their own remote workers and the same rules apply to them.

HQ Config

interface Tunnel0
description mGRE - DMVPN Tunnel for PSE customer remote support
bandwidth 10000
ip address 172.16.0.1 255.255.0.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp network-id 123
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile PSE_SUPPORT-IPSEC shared
!
interface Tunnel200
description mGRE - DMVPN Tunnel for TDC Remote Home Users
bandwidth 100000
ip address 172.31.0.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication CCNA
ip nhrp network-id 456
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile PSE_SUPPORT-IPSEC shared
!
interface GigabitEthernet0/0.69
description "Data Network"
encapsulation dot1Q 69
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/0.110
description "Voice Network"
encapsulation dot1Q 110
ip address 10.110.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/2
description "Internet Connection"
ip address 1.4.2.5 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
!
ip nat inside source list 151 interface GigabitEthernet0/2 overload
!
ip route 0.0.0.0 0.0.0.0 1.4.2.7
ip route 10.110.0.2 255.255.255.255 ISM0/0
ip route 192.168.254.0 255.255.255.0 172.31.0.2
!
access-list 151 permit ip 10.0.0.0 0.255.255.255 any
access-list 151 permit ip 172.16.0.0 0.15.255.255 any
access-list 151 permit ip 192.168.0.0 0.0.255.255 any
!

CUSTOMER CONFIG

ip dhcp excluded-address 192.168.100.1 192.168.100.50
ip dhcp excluded-address 192.168.200.1 192.168.200.50
ip dhcp excluded-address 192.168.150.1 192.168.150.50
!
ip dhcp pool Customer_Data
network 192.168.100.0 255.255.255.0
dns-server 192.168.100.1
default-router 192.168.100.1
option 150 ip 192.168.200.1
lease 0 12
!
ip dhcp pool Customer_Guests
network 192.168.150.0 255.255.255.0
dns-server 192.168.150.1
default-router 192.168.150.1
lease 0 12
!
ip dhcp pool Customer_Voice
network 192.168.200.0 255.255.255.0
dns-server 192.168.200.1
default-router 192.168.200.1
option 150 ip 192.168.200.1
lease 0 12
!
interface Tunnel0
description DMVPN mGRE tunnel to PSE support
bandwidth 10000
ip address 172.16.1.3 255.255.0.0
no ip redirects
ip mtu 1400
ip nhrp authentication CCNA
ip nhrp network-id 456
ip nhrp nhs 172.16.0.1 nbma 1.4.2.5 multicast
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 456
tunnel protection ipsec profile PSE_SUPPORT-IPSEC
!
interface GigabitEthernet0/0
description Internet Access Connection
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0/1.100
description Data Network
encapsulation dot1Q 100 native
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet0/1.150
description Guest WiFi Network
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet0/1.200
description Voice Network
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip dns server
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 192.168.200.2 255.255.255.255 ISM0/0
!
access-list 10 remark Networks Allowed onto the Internet
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.150.0 0.0.0.255
access-list 10 permit 192.168.200.0 0.0.0.255
!
access-list 100 remark "Block Guest WiFi network to everything except ntp & the Internet
access-list 100 permit ip any 192.168.150.0 0.0.0.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
!

[Attachment: Corp GRE Tunnel.jpg]

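As an added example (not part of the original post, and not the design recommended in the reply), here is the simplest thing that addresses the stated goals on the existing hub-and-spoke layout: an inbound access list on the HQ Tunnel0 interface. It assumes only the addressing already visible in the posted configs (customer spokes in 172.16.0.0/16 with the hub at 172.16.0.1, home users on 172.31.0.0/30 and 192.168.254.0/24, HQ LANs 192.168.69.0/24 and 10.110.0.0/24); the ACL name CUSTOMER_SPOKE_IN is a placeholder.

```cisco
! Added example (not from the original post): hub-side inbound ACL on Tunnel0.
! Addressing is taken from the posted configs; CUSTOMER_SPOKE_IN is a made-up name.
ip access-list extended CUSTOMER_SPOKE_IN
 remark Only return traffic for SSH sessions that HQ admin PCs opened toward a
 remark customer router's tunnel address is allowed in (established = ACK/RST set)
 permit tcp 172.16.0.0 0.0.255.255 eq 22 192.168.69.0 0.0.0.255 established
 remark Customer spoke -> hub tunnel address or any other customer's tunnel address
 deny   ip any 172.16.0.0 0.0.255.255 log
 remark Customer spoke -> HQ data and voice LANs
 deny   ip any 192.168.69.0 0.0.0.255 log
 deny   ip any 10.110.0.0 0.0.0.255 log
 remark Customer spoke -> Corp home users reached through Tunnel200
 deny   ip any 172.31.0.0 0.0.0.3 log
 deny   ip any 192.168.254.0 0.0.0.255 log
 remark Customers break out to the Internet locally, so nothing else should
 remark transit the hub; log whatever does, as a detection signal
 deny   ip any any log
!
interface Tunnel0
 ip access-group CUSTOMER_SPOKE_IN in
```

Two things to check after applying it. First, the spokes are configured with `tunnel mode gre multipoint` and an NHS, so after an NHRP resolution two customer routers may build a direct spoke-to-spoke tunnel that never touches the hub and therefore never hits this ACL; forcing every spoke to a point-to-point tunnel (`tunnel mode gre ip` with `tunnel destination` set to the hub's public address) keeps all customer traffic on the hub, which is what this ACL relies on. Second, confirm with `show ip nhrp` and `show crypto session` on the hub that the spokes still register and keep their IPsec sessions once the ACL is in place, and watch the `log` hits, which are exactly the customer-to-customer and customer-to-HQ attempts the post wants to stop.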
Re: DMVPN Block spoke to spoke communication

Hi,

The best solution I can think of, which meets all requirements in a simple and efficient manner, would be to make your DMVPN router behave like a PE, and have each remote customer dynamically assigned to its own VRF; this way you achieve the separation you want for both control-plane (advertised routes) and data-plane (inter-customer connectivity), and chances for mistakes are slim.

1. You put your network from the HQ in the management VRF, Internet remains in the GRT, and you configure NAT for the management VRF to the Internet. I see that each customer has local Internet access, so you don't have complex NAT requirements at HQ.

2. You put each customer in its own VRF (only on your side; on their side they can run in the GRT), and you control via BGP VPNv4 which routes are leaked between customers (you said none so far, but you could make it so in future if there is a need), and which routes are leaked between your management VRF and each customer's prefixes (for management purposes).


For this, you would have to use what is called DMVPN Phase 4, which requires IKEv2 on top (instead of IKEv1); it's still DMVPN, but the implementation and architecture are a bit different. You'll have VRFs pre-configured with import/export values, you'll have redistribution between BGP and each customer's IGP/BGP routing protocol pre-configured, and as each new customer connects, magically he's assigned to the proper VRF and all policies are enforced. This authorization, to dynamically assign each customer into its own VRF as he builds a GRE/IPsec tunnel to your HQ router, can be done via a remote RADIUS server or via local configuration on the router.


Look at these 2 presentations from Cisco Live so that you have a better idea of the end functionality:

1. This one gives you more insight into the IKEv2 building blocks.

2. This one gives an example which perfectly matches your requirements. Look for "Mixed Client and Branch Access".


Regards,

Cristian Matei.
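To make the reply's design concrete, here is an added example (written for this page, not taken from the reply or from any Cisco document) of the hub-side skeleton: one management VRF for the HQ LANs, one VRF per customer, route-target import/export so that each customer exchanges routes only with management and never with another customer, and the management VRF NAT'd to the Internet through the global table. It uses the interface names, IPsec profile, NAT list and next hop from the posted HQ config; the AS number 65000, all RD/RT values, the tunnel numbers and the 172.16.10x.0/24 tunnel subnets are invented. It shows a statically pre-built tunnel per customer rather than the dynamic IKEv2/RADIUS assignment the reply describes, and it omits NHRP, IKE and the customer-side routing protocol.

```cisco
! Added example (not from the reply): hub-side per-customer VRF skeleton.
! AS 65000, RD/RT values, tunnel numbers and tunnel subnets are made up.
!
! Management VRF holds the HQ LANs; it imports every customer's RT and
! exports its own so the customers learn the management prefixes.
vrf definition MGMT
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:101
  route-target import 65000:102
 exit-address-family
!
! One VRF per customer: export its own RT, import only MGMT.
! Neither customer imports the other's RT, so there is no route between
! them in either direction and thus no forwarding path, regardless of ACLs.
vrf definition CUST_A
 rd 65000:101
 address-family ipv4
  route-target export 65000:101
  route-target import 65000:1
 exit-address-family
!
vrf definition CUST_B
 rd 65000:102
 address-family ipv4
  route-target export 65000:102
  route-target import 65000:1
 exit-address-family
!
! HQ LANs move into MGMT ('vrf forwarding' clears the address, so re-enter it)
interface GigabitEthernet0/0.69
 vrf forwarding MGMT
 ip address 192.168.69.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.110
 vrf forwarding MGMT
 ip address 10.110.0.1 255.255.255.0
 ip nat inside
!
! Per-customer mGRE tunnel: the inside of the tunnel is the customer VRF,
! the transport (tunnel source) stays in the global table. Distinct tunnel
! keys keep the two mGRE interfaces apart on the shared source interface.
interface Tunnel101
 description Customer A
 vrf forwarding CUST_A
 ip address 172.16.101.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile PSE_SUPPORT-IPSEC shared
!
interface Tunnel102
 description Customer B
 vrf forwarding CUST_B
 ip address 172.16.102.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 102
 tunnel protection ipsec profile PSE_SUPPORT-IPSEC shared
!
! MP-BGP on the hub performs the import/export between the local VRFs;
! no MPLS core is needed for this.
router bgp 65000
 address-family ipv4 vrf MGMT
  redistribute connected
 exit-address-family
 address-family ipv4 vrf CUST_A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf CUST_B
  redistribute connected
 exit-address-family
!
! MGMT reaches the Internet via the global routing table, NAT'd on Gi0/2
ip route vrf MGMT 0.0.0.0 0.0.0.0 1.4.2.7 global
ip nat inside source list 151 interface GigabitEthernet0/2 vrf MGMT overload
```

The isolation property to verify is that `show ip route vrf CUST_A` never contains a 172.16.102.0/24 or other Customer B prefix, and vice versa; `show bgp vpnv4 unicast all` shows which RTs each prefix carries. One consequence of the post's note that every customer site uses the same LAN ranges: MGMT imports both customers, so overlapping prefixes such as 192.168.100.0/24 from two customers cannot coexist in the MGMT table. What stays unique per customer is its tunnel address (172.16.101.x versus 172.16.102.x), which is enough for managing each customer's router over SSH, the fallback the post already accepts; reaching switches and access points behind the identical LANs additionally needs customer-side NAT or non-overlapping prefixes.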