DMVPN Hub and Spoke

jbessee74
Level 1

Hello,

I am working for a company that has 150+ branch offices. We wish to configure a VPN solution that is scalable, will work if an IP address is changed, and will not allow the branches to create tunnels to themselves (not allow DMVPN spoke-to-spoke).

I have read some stuff on DMVPN that makes it sound like this is possible, but all of the configuration examples I have seen indicate that the remote sites will automatically configure the spoke tunnel.

Thank you for your assistance.

All routers are 1751 with VPN modules and running at least 12.0, most are upgraded to at least 12.2, and a couple have been upgraded to 12.3(22).

2 Replies

kbingeman
Level 1

It is possible. See this link: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c71.html#wp1053984

See step 13 in the spoke configuration:

Step 13

Command:
  tunnel mode gre multipoint
  OR
  tunnel destination hub-physical-ip-address

Example:
  Router(config-if)# tunnel mode gre multipoint
  OR
  Router(config-if)# tunnel destination

Purpose:
  Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.
  OR
  Specifies the destination for a tunnel interface. Use this command if data traffic can use hub-and-spoke tunnels.

On our DMVPN, we use the spoke routers as firewalls with the IOS-FW feature along with DMVPN. In the access-list we only allow the public address of the hub dmvpn router to the spoke router. This prevents other spokes from making connections as well. Some sites we have using hub<->spoke and spoke<->spoke traffic.
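A spoke-side configuration that puts the two points of this reply together (a point-to-point tunnel destination instead of mGRE, and an inbound access list that admits only the hub's public address). It is an added example, not taken from the Cisco guide or from the poster's own routers; the hub public address 203.0.113.1, the tunnel addressing 10.0.0.0/24, the WAN interface name FastEthernet0/0 and the object names are assumptions.

```cisco
! Spoke router, hub-and-spoke only. Assumed values: hub public address
! 203.0.113.1, hub tunnel address 10.0.0.1, this spoke 10.0.0.2, WAN
! interface FastEthernet0/0. Replace the pre-shared key placeholder.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! The key is bound to the hub's address only; with no wildcard peer entry
! the spoke will not complete IKE with any other spoke.
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
! Static mapping plus NHS registration: the hub learns this spoke's
! current public address each time it registers, so a changed WAN
! address does not need a hub-side change.
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
! Point-to-point GRE to the hub instead of "tunnel mode gre multipoint":
! without mGRE the spoke has no way to build a direct spoke-to-spoke tunnel.
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile DMVPN-PROF
!
! Inbound filter on the WAN side: only the hub may start IKE or send ESP.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.1 eq isakmp any eq isakmp
 permit esp host 203.0.113.1 any
! Needed only if the WAN address is assigned by DHCP.
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

Hits on the final deny line show up in the log, which is a cheap way to see whether anything other than the hub is trying to reach the spoke's tunnel endpoint.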

Thank you very much.
