DMVPN + 3845 network-list / access control - Help!

gloubier
Level 1

Hi,

We currently have a setup with 500 VPN connections (with EZVPN, connected to a Cisco 3030) and we bought a 3845 because the 3030 is getting old.

In the 3030 we used "network-list" to control who can access who.

With the 3845 we want to use DMVPN but we don't want everybody to be able to access everybody.

Is there a way to control that? I know there's no "network-list" on the 3845, but maybe there's something similar or any other great idea.

Feel free to help!

Thank you!

7 Replies

gloubier
Level 1

And in our lab we currently have 4 Cisco 871 connected to the 3845 using DMVPN.

So this part is working fine.

I'm trying to figure out what we could do about access control for each DMVPN connection.

Thanks!

Hi,

Nobody has any idea of what I could do?!

Your help will be really appreciated.

Thanks.

Have you engineered your DMVPN to disallow the dynamic creation of spoke-to-spoke tunnels, thereby forcing all traffic through the hub(s)? If so, you could simply apply an ACL to the mGRE tunnel interface at the hub to control access.

No, I didn't. How do you do that (the DMVPN part; I'm OK with the ACL)?

Thanks for your reply.

The exact mechanism is subtly different depending on which phase of DMVPN is in use. However, a point-to-point GRE tunnel on the spokes will prevent any dynamic spoke-spoke tunnels being created. Are you just advertising a summary (or default) route towards your spokes?

Please rate helpful posts!

I agree point-to-point GRE tunnels could be another option, but we have 500+ routers, so it's a lot of tunnels to create one by one.

We're using EIGRP for routing.

But I thought that maybe there's a good/easy way of having DMVPN on all routers and just blocking access for each VPN that we don't want to have dynamic tunnels to other spokes, and opening access for each spoke that can build a tunnel to other spokes.

Am I right to think like that?

Thanks

If you have a p2p GRE tunnel on the spoke (rather than an mGRE interface), then spoke-to-spoke connections will not be formed and all traffic will traverse the hub.

It is possible to have an mGRE interface on the spokes when there are multiple hubs for resiliency within one DMVPN network (resiliency can also be achieved with dual hubs and two DMVPN networks, though the spokes then require two tunnel interfaces; this may provide more options for load balancing by tweaking routing metrics). It's still possible to have this arrangement and prevent spoke-to-spoke traffic.
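The arrangement the replies describe (point-to-point GRE on the spokes so no spoke-to-spoke tunnel can form, and an inbound ACL on the hub's mGRE tunnel interface as the single enforcement point), written out as an added example that is not from the thread or from any Cisco document. All addresses, interface names, the IPsec profile name DMVPN-PROF and the policy (spoke A may reach spoke B, every spoke may reach the central LAN, all other spoke-to-spoke traffic is dropped) are constructed assumptions:

```cisco
! ---- Hub (assumed 3845; WAN on GigabitEthernet0/0, tunnel subnet 172.16.0.0/24) ----
! Spoke LANs assumed 10.10.<n>.0/24, central LAN assumed 192.168.100.0/24.
! Because spokes run point-to-point GRE (below), every spoke-to-spoke packet is
! decapsulated here, so this one inbound ACL decides who may talk to whom.
ip access-list extended DMVPN-SPOKE-POLICY
 remark the inbound ACL also sees EIGRP hellos from the spokes; keep adjacencies up
 permit eigrp 172.16.0.0 0.0.0.255 any
 remark every spoke may reach the central site
 permit ip 10.10.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 remark spoke A (10.10.1.0/24) and spoke B (10.10.2.0/24) may talk to each other
 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
 remark any other spoke-to-spoke traffic is dropped and logged for review
 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 remark the implicit deny ip any any drops everything not listed above
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip access-group DMVPN-SPOKE-POLICY in
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke (assumed 871; WAN on FastEthernet4; hub public address assumed 203.0.113.1) ----
! "tunnel destination" makes this a point-to-point GRE tunnel: the spoke still registers
! with the hub over NHRP, but it can never build a direct tunnel to another spoke,
! so the hub ACL cannot be bypassed.
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

The spoke block is the same on every router apart from its tunnel address, so it can be templated rather than typed one by one; per-spoke policy lives only in the hub ACL.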
