I am working for a company that has 150+ branch offices. We wish to configure a VPN solution that is scalable, will work if an IP address is changed, and will not allow the branches to create tunnels to themselves (not allow DMVPN spoke-to-spoke).
I have read some stuff on DMVPN that makes it sound like this is possible, but all of the configuration examples I have seen indicate that the remote sites will automatically configure the spoke tunnel.
Thank you for your assistance.
All routers are 1751 with VPN modules and running at least 12.0, most are upgraded to at least 12.2, and a couple have been upgraded to 12.3(22).
Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.
Specifies the destination for a tunnel interface. Use this command if data traffic can use hub-and-spoke tunnels.
On our DMVPN, we use the spoke routers as firewalls with the IOS-FW feature along with DMVPN. In the access-list we only allow the public address of the hub DMVPN router to the spoke router. This prevents other spokes from making connections as well. We have some sites using hub<->spoke and spoke<->spoke traffic.
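With 150+ branches, the two controls mentioned in the replies above (a spoke tunnel that uses `tunnel destination` instead of mGRE, and an outside access-list that admits only the hub's public address) can be checked across saved spoke configurations. The following is an added example, not code from any poster in this thread; the hub address `192.0.2.1`, the ACL name `OUTSIDE-IN` and both sample configurations are constructed assumptions.

```python
import re

# Constructed sample data (not from the thread): assumed hub public address.
HUB = "192.0.2.1"

SPOKE_HUB_ONLY = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
!
ip access-list extended OUTSIDE-IN
 permit esp host 192.0.2.1 any
 permit udp host 192.0.2.1 any eq isakmp
"""

SPOKE_OPEN = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
!
ip access-list extended OUTSIDE-IN
 permit esp any any
 permit udp any any eq isakmp
"""

def audit_spoke(config, hub_ip, outside_acl):
    """Return findings for one spoke config; an empty list means hub-only."""
    findings, section = [], ""
    for raw in config.splitlines():
        if not raw.startswith(" "):        # unindented line opens a new section
            section = raw.strip()
            continue
        line = raw.strip()
        if section.startswith("interface Tunnel"):
            if line == "tunnel mode gre multipoint":
                findings.append(f"{section}: mGRE permits dynamic spoke-to-spoke tunnels")
            dest = re.fullmatch(r"tunnel destination (\S+)", line)
            if dest and dest.group(1) != hub_ip:
                findings.append(f"{section}: tunnel destination {dest.group(1)} is not the hub")
        elif section == f"ip access-list extended {outside_acl}":
            # Every permit on the outside ACL must name the hub as its source.
            rule = re.match(r"permit \S+ (.*)", line)
            if rule and not (rule.group(1) + " ").startswith(f"host {hub_ip} "):
                findings.append(f"{outside_acl}: '{line}' admits sources other than the hub")
    return findings

if __name__ == "__main__":
    for name, cfg in (("hub-only", SPOKE_HUB_ONLY), ("open", SPOKE_OPEN)):
        print(name, audit_spoke(cfg, HUB, "OUTSIDE-IN"))
```

The parser assumes named extended ACLs and the indentation style of `show running-config` output; numbered ACLs written as `access-list 101 ...` lines would need an extra branch.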