DMVPN Deny Spoke to Spoke Traffic

Greetings,

I'm hoping someone can help me with my issue.  What I've done is create a DMVPN network between hub A and spokes B & C.  What I would like to do now is deny spoke to spoke traffic and allow hub to spoke only.

So far I've tried the following and none seem to do the trick, or maybe I'm not doing it correctly?

1. EIGRP, adding the DMVPN network while enabling split horizon (eigrp X network).

2. A deny access list, applied to the tunnel interface.

3. Disabling ip nhrp redirect (no ip nhrp redirect) on the tunnel interface and removing ip nhrp shortcut from the spoke.

Let me know what I can provide to help solve this.

Thanks in advance!

21 Replies

Hi Philip

I have a similar problem but using OSPF instead of EIGRP. I have come to the point of asking: is it possible to build a hub and spoke design, but without allowing spoke to spoke connections, using DMVPN?

If you have any input, kindly reply to this thread.

Thanks in Advance

EIGRP can do this.  OSPF is the devils work.  I wouldn't like to try and do something tricky like this using OSPF.  OSPF is just too much hard work.

Absolutely, thanks for the help. I'll attach my config for the hub and spoke, as the pings are still going through even after the changes and reloading both spokes.

Spoke config:

interface Tunnel0
 ip address 10.4.254.4 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 10.4.254.1 2.2.2.2
 ip nhrp network-id 1
 ip nhrp nhs 10.4.254.1
 ip nhrp server-only
 keepalive 25 5
 cdp enable
 tunnel source GigabitEthernet0/0
 ! mGRE on the spoke is what allows it to build a direct tunnel to another spoke
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre

Hub config:

router eigrp 2
 network 10.4.254.0 0.0.0.255
!
interface Tunnel250
 description DMVPN_NHS_MULTIPIOINT_SOURCE
 ip address 10.4.254.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 2
 ip flow ingress
 ip nhrp network-id 250
 ! redirect tells a spoke to resolve the other spoke directly (spoke-to-spoke shortcut)
 ip nhrp redirect
 ! disabling split horizon re-advertises one spoke's prefixes to the other spokes
 no ip split-horizon eigrp 2
 ip tcp adjust-mss 1400
 keepalive 5 25
 tunnel source 2.2.2.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre

Make these changes to the spoke tunnel:

no tunnel mode gre multipoint
tunnel destination 2.2.2.2

Make these changes to the hub tunnel:

no ip nhrp redirect

If a spoke can still ping a spoke, please give me the output of "show ip route eigrp" from one spoke, and let me know the LAN subnet range for each spoke.

Each spoke should not have the routes for any other spoke.

Worst case, if the routes do exist and are all via the hub tunnel, then we can apply an access-list in that one spot to resolve it.
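As an added illustration (not configuration from the thread's author or from Cisco), here is the spoke and hub tunnel configuration that results from the changes above, plus the hub access-list fallback described in the last paragraph. Once the spokes run point-to-point GRE, every spoke-to-spoke packet has to cross the hub, so the hub's tunnel interface becomes a single chokepoint; with mGRE spokes an NHRP shortcut could route around any ACL placed there. The spoke LAN prefixes 10.4.2.0/24 and 10.4.3.0/24, the ACL name and the split-horizon change are assumptions for this example; the addresses and EIGRP AS number are taken from the configs posted above.

```ios
! --- Spoke B (LAN 10.4.2.0/24 is assumed for this example) ---
! Point-to-point GRE: the only possible tunnel peer is the hub, so there is
! no mGRE endpoint for an NHRP shortcut to steer spoke-to-spoke traffic to.
! NHRP stays so the spoke still registers its NBMA address with the hub
! (DMVPN phase 1 behaviour).
interface Tunnel0
 ip address 10.4.254.4 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip tcp adjust-mss 1376
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 10.4.254.1 2.2.2.2
 ip nhrp network-id 1
 ip nhrp nhs 10.4.254.1
 keepalive 25 5
 tunnel source GigabitEthernet0/0
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile protect-gre
!
router eigrp 2
 network 10.4.254.0 0.0.0.255
 network 10.4.2.0 0.0.0.255
!
! --- Hub ---
! Keep mGRE on the hub so every spoke terminates on one interface, but:
!  * no NHRP redirect, so the hub never tells a spoke to build a shortcut;
!  * split horizon back on (assumed change), so a prefix learned from spoke B
!    is not re-advertised to spoke C and the spokes hold no route to each other;
!  * an inbound ACL as the one-spot fallback, for the case where spoke LAN
!    routes still exist via the hub (for example a summary or a default route).
ip access-list extended DENY-SPOKE-TO-SPOKE
 deny   ip 10.4.2.0 0.0.0.255 10.4.3.0 0.0.0.255
 deny   ip 10.4.3.0 0.0.0.255 10.4.2.0 0.0.0.255
 permit ip any any
!
interface Tunnel250
 ip address 10.4.254.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 250
 no ip nhrp redirect
 ip split-horizon eigrp 2
 ip access-group DENY-SPOKE-TO-SPOKE in
 ip tcp adjust-mss 1400
 tunnel source 2.2.2.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
```

To confirm the result, "show ip route eigrp" on a spoke should list only prefixes the hub itself advertises, "show ip nhrp" on a spoke should show only the static mapping to the hub, and "show ip access-lists DENY-SPOKE-TO-SPOKE" on the hub shows hit counts on the deny entries if any spoke-to-spoke traffic is still being attempted through the hub.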

I need your help for https://supportforums.cisco.com/discussion/13128086/one-lan-different-location
