02-02-2016 05:26 PM - edited 02-21-2020 08:39 PM
Greetings,
I'm hoping someone can help me with my issue. What I've done is create a DMVPN network between hub A and spokes B & C. What I would like to do now is deny spoke to spoke traffic and allow hub to spoke only.
So far I've tried the following and none seem to do the trick, or maybe I'm not doing it correctly?
1. Eigrp and putting the dmvpn network while enabling split horizon eigrp X network.
2. A deny access list and adding it the tunnel interface
3. Disabling no ip nhrp redirect on the tunnel interface and removing ip nhrp shortcut from the spoke.
Let me know what I can provide to help solve this.
Thanks in advance!
08-18-2016 07:15 PM
Hi Philip
I have a similar problem but using OSPF instead of EIGRP. It just came to the point of whether it is possible to build a hub and spoke design without allowing spoke to spoke connections using DMVPN?
If you have any input, kindly reply to this thread.
Thanks in Advance
08-21-2016 01:38 PM
EIGRP can do this. OSPF is the devils work. I wouldn't like to try and do something tricky like this using OSPF. OSPF is just too much hard work.
02-02-2016 10:53 PM
Absolutely, thanks for the help. I'll attach my config for the hub and spoke, as the pings are still going through even after the changes and reloading both spokes.
Spoke config:
interface Tunnel0
ip address 10.4.254.4 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp map multicast 2.2.2.2
ip nhrp map 10.4.254.1 2.2.2.2
ip nhrp network-id 1
ip nhrp nhs 10.4.254.1
ip nhrp server-only
keepalive 25 5
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
Hub config:
router eigrp 2
network 10.4.254.0 0.0.0.255
!
interface Tunnel250
description DMVPN_NHS_MULTIPIOINT_SOURCE
ip address 10.4.254.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 2
ip flow ingress
ip nhrp network-id 250
ip nhrp redirect
no ip split-horizon eigrp 2
ip tcp adjust-mss 1400
keepalive 5 25
tunnel source 2.2.2.2
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre
02-02-2016 11:59 PM
Make these changes to the spoke tunnel:
no tunnel mode gre multipoint
tunnel destination 2.2.2.2
02-03-2016 12:01 AM
Make these changes to the hub tunnel:
no ip nhrp redirect
02-03-2016 12:04 AM
If a spoke can still ping a spoke, please give me the output of "show ip route eigrp" from one spoke, and let me know the LAN subnet range for each spoke.
Each spoke should not have the routes for any other spoke.
Worst case, if the routes do exist and are all via the hub tunnel, then we can apply an access-list in that one spot to resolve it.
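As an added example (not from this thread or the poster's devices), a small Python audit that checks the points raised in these three replies against a running-config: spoke tunnels must be point-to-point with a tunnel destination, the hub must not run ip nhrp redirect, and, for spokes to hold no routes for each other, the hub must keep EIGRP split horizon on. The sample configs are constructed from the snippets above and are assumptions, not the original configs.

```python
import re

# Constructed samples modelled on the thread's spoke and hub snippets (assumptions, not the real configs).
SPOKE_BEFORE = """interface Tunnel0
 ip address 10.4.254.4 255.255.255.0
 ip nhrp nhs 10.4.254.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
"""
# The fix from the reply: drop mGRE on the spoke and point the tunnel at the hub.
SPOKE_AFTER = SPOKE_BEFORE.replace(" tunnel mode gre multipoint\n", " tunnel destination 2.2.2.2\n")
HUB_BEFORE = """interface Tunnel250
 ip address 10.4.254.1 255.255.255.0
 no ip next-hop-self eigrp 2
 ip nhrp redirect
 no ip split-horizon eigrp 2
 tunnel mode gre multipoint
"""

def tunnel_blocks(config):
    """Split an IOS config into {tunnel interface name: [config lines]}."""
    blocks, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line and line != "!":
            blocks[name].append(line)
    return {n: l for n, l in blocks.items() if n.lower().startswith("tunnel")}

def audit(config, role):
    """Return findings that would let spokes reach each other directly.
    role is 'spoke' or 'hub'; an empty list means the hub-and-spoke-only intent holds."""
    findings = []
    for name, lines in tunnel_blocks(config).items():
        s = set(lines)
        if role == "spoke":
            if "tunnel mode gre multipoint" in s:
                findings.append(f"{name}: mGRE on spoke; use 'tunnel destination <hub>'")
            if not any(l.startswith("tunnel destination ") for l in s):
                findings.append(f"{name}: no 'tunnel destination'; p2p GRE needs one")
            if "ip nhrp shortcut" in s:
                findings.append(f"{name}: 'ip nhrp shortcut' allows direct spoke tunnels")
        else:
            if "ip nhrp redirect" in s:
                findings.append(f"{name}: 'ip nhrp redirect' steers spokes to each other")
            # Split horizon disabled: the hub re-advertises spoke A's LAN to spoke B.
            if any(re.match(r"no ip split-horizon eigrp \d+", l) for l in s):
                findings.append(f"{name}: EIGRP split horizon off; spokes learn each other's routes")
    return findings
```

Run audit() over "show running-config" output from each router; an empty list on every spoke and hub is the condition the replies above describe.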
09-25-2016 07:17 AM
I need your help
for
https://supportforums.cisco.com/discussion/13128086/one-lan-different-location