Access-list for DMVPN

waradito
Level 1

Hello all,

Could someone guide me in creating an access-list for DMVPN with RIP version 2 routing?

I want to deny all IP LANs except the LANs on a whitelist.

3 Replies

Hello,

Use a distribute-list, either out or in. Here is an example:

R1

! Only 11.11.11.11/32 is permitted; every other prefix hits the implicit deny
ip prefix-list BLOCK_RIP permit 11.11.11.11/32
!
router rip
 version 2
 network 1.1.1.1
 network 11.11.11.11
 network 192.168.12.0
 distribute-list prefix BLOCK_RIP out
 no auto-summary

This would only allow updates for network 11.11.11.11/32 to be sent to the other side. If you configure the same distribute-list inbound on the receiving router, only updates for network 11.11.11.11/32 are received.

 

 

[Image: Snip20180518_30.png, network topology]

Above is my network topology. With the configuration below, I want to block spoke 2. How do I do this?

 

interface Tunnel10000
 bandwidth 1024
 ip address 172.18.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication artha123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile testdmvpn
!
router rip
 version 2
 redistribute static
 network 172.18.0.0
 network 192.168.0.0
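Tying the distribute-list technique from the first reply to the hub configuration above, here is an added example (not configuration from the original thread) of a hub-side RIPv2 whitelist that both limits which LAN prefixes the hub accepts and drops any update sourced by spoke 2. Tunnel10000 and the hub tunnel address 172.18.1.1/24 come from the posted hub config; the spoke addresses are assumptions: spoke 1 with tunnel IP 172.18.1.2 and LAN 192.168.1.0/24 (allowed), spoke 2 with tunnel IP 172.18.1.3 and LAN 192.168.2.0/24 (to be blocked).

```cisco
! Hub-side RIPv2 whitelist (added example). Assumed addresses:
!   spoke 1: tunnel 172.18.1.2, LAN 192.168.1.0/24  (allowed)
!   spoke 2: tunnel 172.18.1.3, LAN 192.168.2.0/24  (to be blocked)
!
! LAN prefixes the hub may learn over the DMVPN. Anything not listed
! (including 192.168.2.0/24 from spoke 2) hits the implicit deny.
ip prefix-list LAN_WHITELIST seq 10 permit 192.168.1.0/24
!
! Update sources the hub accepts RIP from. The gateway list is matched
! against the /32 source address of each update, so spoke 2 is dropped
! regardless of which prefixes it advertises.
ip prefix-list SPOKE_GATEWAYS seq 10 permit 172.18.1.2/32
!
router rip
 version 2
 redistribute static
 network 172.18.0.0
 network 192.168.0.0
 ! A route is installed only if the prefix passes LAN_WHITELIST
 ! AND the sender passes SPOKE_GATEWAYS.
 distribute-list prefix LAN_WHITELIST gateway SPOKE_GATEWAYS in Tunnel10000
 no auto-summary
!
! Verify: spoke 2's LAN should be absent from both outputs and the
! SPOKE_GATEWAYS hit count should only increase for the permitted entry.
! show ip rip database
! show ip route rip
! show ip prefix-list detail SPOKE_GATEWAYS
```

The gateway filter is what actually "blocks spoke 2": even if spoke 2 starts advertising a prefix that is on LAN_WHITELIST, the hub ignores it because of the sender. Keep in mind this is control-plane filtering only. Spoke 2 can still forward packets into the tunnel, and the hub will route them wherever it has a route; replies simply have no path back. To stop the traffic itself you still need a data-plane ACL, as discussed in the reply about access lists.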

 

 

I'm unsure if I understand correctly, but what you want is that traffic from the LAN side behind SPOKE2 is only allowed to communicate with certain IPs?

Or do you mean all LAN clients behind both spokes?

If you only want to limit traffic from SPOKE2, placing an ACL on the tunnel interface on SPOKE2 would be the simplest approach. If it's not just the tunnel but traffic in general, you would change this to the inside interface or even a subinterface.

I.e.:

ip access-list extended Limit-traffic
 remark allow servers access to HQ Servers
 permit ip 10.0.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark Block all other traffic
 deny   ip any any
exit

Then apply the ACL on the tunnel interface:

interface Tunnel0
 ip access-group Limit-traffic in
exit

If you are talking about routing updates, there was a solution posted ;)
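As an added example (not configuration from the thread), here is the ACL approach from the reply above worked through on spoke 2, with the traffic direction and the routing-protocol exception a practitioner would check before applying it. An ACL applied `in` on the tunnel interface sees packets arriving from the DMVPN (the hub and any spoke-to-spoke peers) after decapsulation; traffic that originates on spoke 2's own LAN is seen `in` on the LAN interface or `out` on the tunnel. Tunnel10000 and the hub tunnel IP 172.18.1.1 come from the hub config posted earlier; the rest are assumptions: spoke 2 LAN 192.168.2.0/24 on GigabitEthernet0/1, spoke 2 tunnel IP 172.18.1.3, HQ server subnet 10.10.10.0/24.

```cisco
! Spoke 2 data-plane whitelist (added example). Assumed addresses:
!   spoke 2 LAN 192.168.2.0/24 on GigabitEthernet0/1, tunnel IP 172.18.1.3
!   HQ servers 10.10.10.0/24, hub tunnel IP 172.18.1.1
!
! What the LAN behind spoke 2 may reach. Applied inbound on the LAN
! interface so it catches LAN-originated traffic before routing, whatever
! interface the packet would otherwise exit.
ip access-list extended SPOKE2_LAN_IN
 remark LAN hosts may reach the HQ server subnet only
 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark everything else from the LAN is dropped (implicit deny made explicit and logged)
 deny   ip any any log
!
! What may arrive from the DMVPN. The tunnel interface carries the inner IP
! packets, and an inbound ACL also filters packets addressed to the router
! itself, so RIPv2 (UDP 520 to 224.0.0.9) must be permitted or spoke 2
! stops learning routes from the hub.
ip access-list extended SPOKE2_TUNNEL_IN
 remark keep RIPv2 updates from the hub
 permit udp host 172.18.1.1 host 224.0.0.9 eq rip
 remark return traffic from the HQ servers to the local LAN (ACLs are stateless)
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark anything else from the hub or other spokes is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/1
 description spoke 2 LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group SPOKE2_LAN_IN in
!
interface Tunnel10000
 ip access-group SPOKE2_TUNNEL_IN in
!
! Verify: hit counts should grow on the permit lines, and RIP routes
! from the hub must still be present after the ACL is applied.
! show ip access-lists SPOKE2_TUNNEL_IN
! show ip route rip
```

Two points this makes visible that a bare `permit ... / deny ip any any` does not: IOS ACLs are stateless, so the tunnel-side list has to permit the return half of every allowed flow explicitly (otherwise the LAN can send but never sees replies), and a `deny ip any any` inbound on the tunnel silently kills the RIP updates from the hub, after which spoke 2's learned routes age out. If the real goal is "only allow sessions initiated from the LAN", a reflexive ACL or zone-based firewall replaces the static return-traffic permit. Drop the `log` keyword on busy links; ACL logging is rate-limited and CPU-intensive.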

 
