Cisco Support Community
New Member

Extranet use of DMVPN

Hi

I am looking at deploying DMVPN to be used in an extranet. The dual hub solution within a single dmvpn network is the path I am heading down. I have set all of it up in the lab, but have come across an issue. The spoke sites are able to communicate to each other.

Being a client extranet, we don't want any of the spoke routers to communicate to each other, but still retain the mGRE interface.

I have seen a Networkers presentation which says this is possible, but they left out the all-important thing of how to do it.

Can anyone point me in the right direction, please?

Dale

Accepted Solution
New Member

Re: Extranet use of DMVPN

You can prevent the dynamic creation of spoke-to-spoke tunnels by limiting the number of IKE sessions a spoke can create to one (just spoke to hub) using the following command:

crypto call admission limit ike sa 1

You can also tell NHRP to only connect to the hub by issuing the following command on the tunnel interface:

ip nhrp server-only

This doesn't prevent the spoke from talking to another spoke, though, because you're using a dynamic routing protocol. You'll need to implement an access list on the inside interface of each spoke router to restrict traffic.
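The three pieces of the accepted answer pulled together into one spoke configuration, as an added illustration that is not part of the original thread. All addresses, names and interface numbers are constructed for the example: 10.0.0.0/24 is the tunnel subnet, 10.255.0.0/24 the hub-side network the clients are allowed to reach, 10.1.0.0/16 the space that holds every client spoke LAN, and the design has two hubs as in the question.

```cisco
! ---- Spoke router (constructed example, dual-hub DMVPN) ----
!
! Cap the number of IKE SAs so no on-demand spoke-to-spoke tunnel can be
! negotiated. Each hub peer needs its own IKE SA, so the cap must equal the
! number of hubs: the answer's value of 1 fits a single hub, 2 fits this
! dual-hub design. Set it lower and the second hub tunnel will be refused.
crypto call admission limit ike sa 2
!
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ! Static mappings and NHS registration for both hubs (NBMA 192.0.2.1/.2)
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map 10.0.0.2 192.0.2.2
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ! Server-only mode: this spoke never sends NHRP resolution requests, so it
 ! cannot learn another spoke's NBMA address and build a direct tunnel.
 ip nhrp server-only
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! Routes to other client LANs still arrive via the hub, so traffic would
! flow spoke -> hub -> spoke. Block it on the LAN-facing interface.
ip access-list extended CLIENT-LAN-IN
 remark deny anything bound for another client's LAN, log for detection
 deny   ip 10.1.11.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 remark permit only this client's LAN to the hub-side network
 permit ip 10.1.11.0 0.0.0.255 10.255.0.0 0.0.0.255
 ! implicit deny any any
!
interface GigabitEthernet0/1
 description client LAN 10.1.11.0/24
 ip address 10.1.11.1 255.255.255.0
 ip access-group CLIENT-LAN-IN in
```

Because each spoke router sits at the client site, the same deny between client LAN ranges is worth enforcing on the hub tunnel interfaces as well, so a spoke whose ACL is removed or misconfigured still cannot reach another client.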

