Filtering eigrp routes in DMVPN

alif (Level 1)

How do we control EIGRP route advertisement in a multipoint GRE tunnel? On static GRE+IPSec tunnels we can associate a distribute-list with a particular tunnel and filter out routes to a particular site. How do we do that in a DMVPN network?

8 Replies

ghostinthenet (Level 7)

I've been doing this with inbound route filters at the spokes. I haven't found a mechanism for doing it at the hubs, but am quite interested if someone has a means of doing so.

west33637 (Level 1)

Hello Alif. On the spoke routers configure EIGRP stub. This will filter the routes that the spokes send out to the hub. You can use eigrp stub with any of the keywords below to filter the routes depending on which route types you want to send to the hub. Once you have the spokes configured as EIGRP stub, the hub EIGRP router will not query these stubs for other EIGRP neighbor routes.

static

connected

redistributed

summary

Example:

router eigrp 10
 redistribute static
 ! this router will only send static routes to the hub
 eigrp stub static
!
ip route 10.10.10.0 255.255.255.0 10.10.10.1
ip route 10.20.20.0 255.255.255.0 10.20.20.1

If you want to further filter which of these static routes are advertised to the hub router, you can use a prefix-list and a route-map:

ip prefix-list static-to-eigrp seq 5 permit 10.10.10.0/24
!
route-map static-to-eigrp permit 5
 match ip address prefix-list static-to-eigrp

Then under the routing process tie the route-map to the redistribute static command; this will only allow the 10.10.10.0 network to be advertised to the hub router:

router eigrp 10
 redistribute static route-map static-to-eigrp

To read more on filtering routes using eigrp stub, see the link below. Please remember to rate if this helps.

http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfeigrp.html#wp1024326

1) Configure EIGRP stub in all the branch sites so that they send only their connected and static routes to the hub site.

2) Configure a distribute list on the hub so that it sends only a default route to the remote sites.

But this still depends on how you want to design it.

Filtering on the spoke router is fine; however, is it possible to control this on the hub? Since the routers at other sites are managed by other admins, I would like to have a precaution on the hub router to filter out erroneous routes if received. Currently we have classic GRE+IPSec site-to-site VPN tunnels and can control inbound EIGRP advertisements via a distribute-list per tunnel. But is there a similar way to do this on multipoint GRE tunnels?

Hello Alif. On the hub side, you can configure prefix-lists to permit the networks that you are expecting from the spokes, then configure an inbound distribute list that matches the prefix-list. This will filter any unwanted routes at the hub.

Example:

ip prefix-list allow seq 10 permit 10.10.10.0/24
!
router eigrp 10
 network 10.0.0.0
 no auto-summary
 distribute-list prefix allow in

That is a global filter applying to all sites. If, for example, from spoke Site A I only want to allow 10.10.10.0/24 and from spoke Site B I only want to allow 10.10.11.0/24 route advertisements, how can I do that, or is there no way of doing this in DMVPN?

Per the example that you just gave, this will filter both site A and site B:

ip prefix-list allow seq 10 permit 10.10.10.0/24
ip prefix-list allow seq 20 permit 10.10.11.0/24
!
router eigrp 10
 distribute-list prefix allow in

Now your hub will only receive 10.10.10.0 route advertisements from site A and 10.10.11.0 advertisements from site B.

It will work until the Spoke B administrator decides he likes Spoke A's subnet and starts using it. There is no way for me to stop that.

To be more specific, below is the classic GRE+IPSec site-to-site VPN tunnel configuration I would like to see work on DMVPN.

interface Tunnel1
 description Connected to Spoke A
!
interface Tunnel2
 description Connected to Spoke B
!
access-list 1 permit 10.10.10.0
access-list 2 permit 10.10.11.0
!
router eigrp 100
 distribute-list 1 in Tunnel1
 distribute-list 2 in Tunnel2
 exit

The key is enforcement by hub, the spokes cannot use any other subnet other than what is allocated to them.
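As an added example (not posted by anyone in this thread), here is one way to get the per-spoke enforcement asked for above on a DMVPN hub, where every spoke arrives over the same mGRE interface and a per-interface distribute-list cannot tell them apart. It goes beyond what the replies show: it assumes an IOS image that accepts a route-map on an EIGRP distribute-list (the EIGRP Route Map Support feature) and uses `match ip route-source` to bind each allocated prefix to the tunnel address of the spoke that is allowed to advertise it. The hub also sends only a summary default toward the spokes, as in the two-step design above. All names, addresses and the AS number are constructed for illustration; NHRP, tunnel-source and IPsec lines are omitted.

```cisco
! ===== Spoke A (constructed: tunnel address 10.255.0.11, allocated LAN 10.10.10.0/24) =====
! Stub spoke: only its connected prefixes are offered to the hub.
router eigrp 10
 network 10.255.0.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 eigrp stub connected
 no auto-summary
!
! ===== Hub (constructed: Tunnel0 is the mGRE interface, 10.255.0.1/24) =====
! One prefix-list for each spoke's tunnel address and one for its allocation.
! The allocation lists match the /24 exactly; add "le 32" if a spoke may
! legitimately announce more-specific prefixes inside its block.
ip prefix-list SPOKE-A-NBR  seq 5 permit 10.255.0.11/32
ip prefix-list SPOKE-A-NETS seq 5 permit 10.10.10.0/24
ip prefix-list SPOKE-B-NBR  seq 5 permit 10.255.0.12/32
ip prefix-list SPOKE-B-NETS seq 5 permit 10.10.11.0/24
!
! Match lines inside one sequence are ANDed: a prefix is accepted only if it
! was advertised by that spoke's tunnel address AND lies in that spoke's allocation.
route-map SPOKE-IN permit 10
 match ip route-source prefix-list SPOKE-A-NBR
 match ip address prefix-list SPOKE-A-NETS
route-map SPOKE-IN permit 20
 match ip route-source prefix-list SPOKE-B-NBR
 match ip address prefix-list SPOKE-B-NETS
! No catch-all permit: Spoke B announcing 10.10.10.0/24, or any spoke
! announcing a prefix outside its allocation, hits the implicit deny.
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ! Advertise only a default toward the spokes; the summary suppresses the
 ! specifics, so spokes do not learn each other's prefixes from the hub.
 ip summary-address eigrp 10 0.0.0.0 0.0.0.0
 ! mGRE / NHRP / tunnel protection configuration omitted
!
router eigrp 10
 network 10.255.0.0 0.0.0.255
 no auto-summary
 ! Per-neighbor inbound filter, in place of the single global
 ! "distribute-list prefix allow in" shown earlier in the thread.
 distribute-list route-map SPOKE-IN in
```

To check it, have Spoke B (10.255.0.12) advertise 10.10.10.0/24 and confirm on the hub that `show ip route eigrp` and `show ip eigrp topology` show 10.10.10.0/24 only via 10.255.0.11. The route-source check is only as strong as your control over tunnel addressing, so pair it with EIGRP neighbor authentication on Tunnel0 and with the IPsec peer identities you already manage for the DMVPN; it filters routes, it does not stop a misconfigured spoke from forming an adjacency.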
