08-10-2023 03:25 AM
Dears,
We have 125 sites with DMVPN, and now we need to turn off just one of the tunnels from the hub side. Is it possible?
Hub - ISR 4431
08-10-2023 04:40 AM
@asmlicense ideally you'd disable the tunnel on the spoke, but from the hub side you could apply an ACL inbound on the physical interface to deny ESP, UDP/500 and possibly UDP/4500 (if NAT) from the spoke in question and permit all other ESP, UDP/500 and UDP/4500.
08-10-2023 04:57 AM
Let me explain in more detail.
We have main (DMVPN) and backup (3G with IPsec tunnel) lines.
The main ISP has some problems on their equipment (the tunnel is going down and up), so I want to block the main tunnel (DMVPN).
I think if I use an access list on the hub side, the traffic will be generated from the spoke side and will be blocked only on the hub side, so the DMVPN tunnel will be in the up state.
As you said, I can disable the tunnel / pull out the cable of the main ISP and schedule a restart in order to force it to come up with the startup config, but I don't want to risk reloading the device. I have had bad experiences when a switch/router just didn't come up.
08-10-2023 09:27 AM
@asmlicense wrote:
I think if I use an access list on the hub side, the traffic will be generated from the spoke side and will be blocked only on the hub side, so the DMVPN tunnel will be in the up state.
No, if you apply the ACL inbound on the hub's physical interface this will stop an IPsec tunnel from being established to/from that spoke. If the tunnel is already up and established, clear the tunnel. It's not an ideal solution.
You could just shutdown the tunnel interface on the spoke, assuming you can manage the router via the outside/external facing interface.
08-10-2023 05:01 AM - edited 08-10-2023 06:40 AM
asmlicense,
It's possible, and you have options.
Option 1 -- You can block the current IP of the peer with an ACL. // Temporary. DMVPN will reconnect when the IP changes.
Option 2 -- You can update the DMVPN password on the Hub. // This is permanent, but you'll have to modify the other 124 sites.
Option 3 -- ACL to deny inbound network range of spoke. // Tunnel will form, but inbound traffic will be dropped.
If you have access to the spoke, it's best to remove the DMVPN configuration on that side. // Changing the password on the spoke will stop the tunnel from coming up. As long as you can connect to the spoke again, you can revert the password when you want the tunnel to work again.
Chris
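The hub-side ACL approach from the 04:40 AM reply and Chris's Option 1 above, written out as an added IOS configuration example (not posted by anyone in this thread). It assumes the hub's outside interface is GigabitEthernet0/0/0, that the spoke's NBMA (public) address is 203.0.113.10, and that no other inbound ACL is already applied on that interface; all three are placeholders to replace. IOS allows one ACL per direction per interface, so if an inbound ACL already exists, add the three deny lines to it above its first permit instead of binding a new ACL. Because the deny lines match only that one source address, the other 124 spokes are unaffected, and the trailing permit keeps everything else (management, routing, the backup path) working. If the spoke is behind NAT with a dynamic address, the block only lasts until its address changes, which is why Chris calls it temporary.

```ios
! Added example, not from the original thread. Placeholder values:
!   GigabitEthernet0/0/0 = hub outside interface
!   203.0.113.10         = NBMA address of the spoke to isolate
ip access-list extended BLOCK-SPOKE-203-0-113-10
 remark Drop IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP proto 50) from one spoke only
 deny   udp host 203.0.113.10 any eq isakmp
 deny   udp host 203.0.113.10 any eq non500-isakmp
 deny   esp host 203.0.113.10 any
 remark Everything else, including the other 124 spokes, is untouched
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group BLOCK-SPOKE-203-0-113-10 in
!
! The ACL only prevents a new negotiation. Tear down the session that is
! already established (exec mode):
!   clear crypto session remote 203.0.113.10
!   clear dmvpn session peer nbma 203.0.113.10
!
! Verify: the spoke should drop out of the NBMA table and the deny
! counters should climb while it keeps retrying:
!   show dmvpn
!   show crypto session remote 203.0.113.10
!   show ip access-lists BLOCK-SPOKE-203-0-113-10
!
! To restore the tunnel, remove the binding; the spoke re-registers on
! its next IKE/NHRP retry without any reload:
!   interface GigabitEthernet0/0/0
!    no ip access-group BLOCK-SPOKE-203-0-113-10 in
```

One check before applying: make sure the address you block is the spoke's NBMA address as seen by the hub (`show dmvpn` lists it), not the spoke's tunnel or inside address, since the ACL is evaluated on the physical interface before decryption and therefore only ever sees the outer IKE/ESP packets.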