Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
3
Replies

how to do dynamic ipsec hub-spoke gre using IOS tunnel protect

cmccready
Level 1
Level 1

‎01-07-2004 06:26 PM - edited ‎02-21-2020 12:59 PM

I like the simplicity of the Dynamic Multipoint GRE tunnels using NHRP that are shown in a couple of the sample configurations, but my network doesn't have a need for spokes to talk to each other. How can I keep the simplicity of config but not create NHRP mesh connections between spokes?

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎01-08-2004 07:10 PM

Dynamic spoke-to-spoke tunnel creation is really just a feature of DMVPN, there's not really any way or need to turn it off. If no traffic flows from spoke to spoke, then the routers won't create tunnels to them. The tunnel from spoke-to-hub is always created automatically, but spoke-to-spoke tunnels are only ever created if needed, so if there's no traffic then don't worry about it.

Even with spoke-to-spoke communication though, you need to make some routing protocol tweaks to make sure traffic still doesn't flow via the hub. Check out the EIGRP/OSPF sections under this sample config:

http://www.cisco.com/warp/public/105/dmvpn.html

In short, just configure it up as shown, and don't worry about the spoke-to-spoke tunnels cause they won't be created if they're not needed. DMVPN makes configuration of the hub in particular much, much easier.

0 Helpful

cmccready
Level 1
Level 1
In response to gfullage

‎01-09-2004 03:06 PM

That's the thing, though. In our WAN there should be no spoke-to-spoke tunnels since all the resources are at the hub. Yet, with all the viruses and things that are running around, some host that decides to do a scan will cause a bunch of transient tunnels to be created. Are there some thresholds or restrictions that can be implemented to make dynamic tunnel creation more "difficult"?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to cmccready

‎01-09-2004 05:53 PM

OK, forget my first post, not enough coffee that morning.

If you really don't want spoke-to-spoke comms, just don't configure "tunnel mode gre multipoint" on the spokes. This turns them into a point-to-point connection and with the explicit "tunnel destination x.x.x.x" command pointing to the hub, the spokes can ONLY send packets to the hub.

Take a thorough read of http://www.cisco.com/warp/public/105/dmvpn.html, it'll tell you everything you ever need to know about DMVPN.

0 Helpful
Customers Also Viewed These Support Documents