I am looking at deploying DMVPN to be used in an extranet. The dual-hub solution within a single DMVPN network is the path I am heading down. I have set all of it up in the lab, but have come across an issue: the spoke sites are able to communicate with each other.
Being a client extranet, we don't want any of the spoke routers to communicate with each other, but we still want to retain the mGRE interface.
I have seen a Networkers presentation which says this is possible, but they left out the all-important part of how to do it.
Can anyone point me in the right direction, please?
You can prevent the dynamic creation of spoke-to-spoke tunnels by limiting the number of IKE sessions a spoke can create to one (just spoke to hub) using the following command:
crypto call admission limit ike sa 1
You can also tell NHRP to only connect to the hub by issuing the following command on the tunnel interface:
ip nhrp server-only
This doesn't prevent the spoke from talking to another spoke, though, because you're using a dynamic routing protocol. You'll need to implement an access list on the inside interface of each spoke router to restrict traffic.
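Putting the three pieces of that answer together on one spoke, as an added example that is not from the original thread or from any vendor document. It assumes Cisco IOS syntax, a two-hub cloud (10.0.0.1 and 10.0.0.2 on the tunnel, 192.0.2.1 and 192.0.2.2 on the Internet), this spoke's LAN 10.1.11.0/24, all spoke LANs inside 10.1.0.0/16, and the hub-side networks the extranet is meant to reach inside 10.100.0.0/16. Every address, key and name is a placeholder chosen for the example. Because the question describes two hubs and each hub peer needs its own IKE SA, the admission limit here is 2 rather than the single-hub value of 1; with one hub, use 1.

```cisco
! --- Constructed example: extranet spoke, hub-and-spoke only, dual hub ---
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Placeholder PSK; one key per hub is better practice than a wildcard peer
crypto isakmp key ExtranetPSK-CHANGEME address 192.0.2.1
crypto isakmp key ExtranetPSK-CHANGEME address 192.0.2.2
!
! Cap the number of IKE SAs this box will hold: one per hub, so a
! spoke-to-spoke IKE negotiation has nowhere to fit (assumption: 2 hubs)
crypto call admission limit ike sa 2
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.0.0.2 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ! Do not send NHRP resolution requests, so no shortcut to another spoke
 ip nhrp server-only
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Inside-interface filter: the routing protocol still advertises the other
! spoke LANs over the tunnel, so drop that traffic before it is routed.
ip access-list extended SPOKE-LAN-IN
 remark Hub-side / data-centre networks this client may reach
 permit ip 10.1.11.0 0.0.0.255 10.100.0.0 0.0.255.255
 remark Everything else, including every other spoke LAN, is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Client LAN (inside)
 ip address 10.1.11.1 255.255.255.0
 ip access-group SPOKE-LAN-IN in
```

To confirm the behaviour in the lab, generate traffic from the LAN toward another spoke's subnet and then check `show crypto call admission statistics` (the IKE SA count should stay at the hub sessions), `show ip nhrp` or `show dmvpn` (no dynamic entries for other spokes), and the `deny` counter in `show ip access-lists SPOKE-LAN-IN`. The ACL is the control that actually stops the traffic; the IKE limit and `server-only` keep the spoke from building a direct tunnel, but traffic to another spoke would otherwise still be forwarded via the hub.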