DMVPN Hub and Spoke

May 23rd, 2007


I am working for a company that has 150+ branch offices. We wish to configure a VPN solution that is scalable, will work if an IP address is changed, and will not allow the branches to create tunnels to themselves (not allow DMVPN spoke-to-spoke).

I have read some stuff on DMVPN that makes it sound like this is possible, but all of the configuration examples I have seen indicate that the remote sites will automatically configure the spoke tunnel.

Thank you for your assistance.

All routers are 1751 with VPN modules and running at least 12.0, most are upgraded to at least 12.2, and a couple have been upgraded to 12.3(22).

kbingeman Wed, 05/23/2007 - 15:32

It is possible. See this link:

See step 13 in the spoke configuration:

Step 13

tunnel mode gre multipoint
Router(config-if)# tunnel mode gre multipoint
Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.

tunnel destination hub-physical-ip-address
Router(config-if)# tunnel destination
Specifies the destination for a tunnel interface. Use this command if data traffic can use hub-and-spoke tunnels.

On our DMVPN, we use the spoke routers as firewalls with the IOS-FW feature along with DMVPN. In the access-list we only allow the public address of the hub DMVPN router to the spoke router. This prevents other spokes from making connections as well. Some sites we have are using hub<->spoke and spoke<->spoke traffic.
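
The approach described in this answer, as an added example that is not part of the original post or of Cisco's documentation: a spoke that uses the hub-and-spoke form of Step 13 together with an inbound access list admitting tunnel traffic only from the hub's public address. All addresses, interface names, the access-list name and the IPsec profile name are constructed for illustration, and the IPsec profile is assumed to be defined elsewhere.

```cisco
! Added example. Constructed values:
!   192.0.2.1     hub public (physical) address
!   10.0.0.0/24   tunnel subnet, hub = 10.0.0.1, this spoke = 10.0.0.11
!   FastEthernet0 spoke WAN interface (address assigned by the ISP)
!   DMVPN-PROF    IPsec profile, assumed to be configured elsewhere
!
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ! Register with the hub as the only next-hop server
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ! Source by interface name so the tunnel follows a changed WAN address
 tunnel source FastEthernet0
 ! Hub-and-spoke option from Step 13: a fixed destination instead of
 ! "tunnel mode gre multipoint", so this spoke only ever tunnels to the hub
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile DMVPN-PROF
!
ip access-list extended WAN-IN
 ! IKE and IPsec are accepted from the hub's public address only
 permit udp host 192.0.2.1 any eq isakmp
 permit udp host 192.0.2.1 any eq non500-isakmp
 permit esp host 192.0.2.1 any
 ! Needed only because the WAN address is learned by DHCP
 permit udp any eq bootps any eq bootpc
 ! Anything else, including IKE from other spokes, is dropped and logged
 deny ip any any log
!
interface FastEthernet0
 ip address dhcp
 ip access-group WAN-IN in
```

The destination in each permit line is `any` so the list keeps working when the spoke's own public address changes; `show access-lists WAN-IN` shows the hit counters for the permit and deny entries.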

