Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
Table 26-2 GRE Modes Page for DMVPN (Continued)

Element: Hub Network Area ID
Description: (OSPF only.) The ID number of the area in which the hub’s protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 0.

Element: Spoke Protected Network Area ID
Description: (OSPF only.) The ID number of the area in which the remote protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 1.

Element: Authentication Key
Description: (OSPF and RIPv2.) A string that indicates the OSPF or RIPv2 authentication key. The string can be up to eight characters long.

Element: Cost
Description: (OSPF and RIPv2.) The cost of sending a packet on the primary route interface.
If the selected protocol is OSPF, enter a value in the range 1-65535; the default is 100.
If the selected protocol is RIPv2, enter a value in the range 1-15; the default is 1.

Element: Allow Direct Spoke to Spoke Connectivity
Description: Whether to enable direct communication between spokes without going through the hub. Select the DMVPN phase you want to use, which determines the types of connections that spokes can make:
- Phase 2—Spoke to spoke connections go through regional hubs and routing protocol updates from hubs to spokes are not summarized.
- Phase 3 (Default)—Spokes can create direct connections with each other and routing updates from hubs to spokes are summarized. This option allows the greatest scalability and reduces latency. Devices must run IOS Software release 12.4(6)T or higher; ASRs must run IOS XE Software release 2.4 (called 12.2(33)XND) or higher. Security Manager automatically creates a phase 2 configuration for devices running a lower OS version.
For detailed information on how phase 2 and 3 differ, see “Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3” on Cisco.com.
Note: With direct spoke-to-spoke communication, you must use the Main Mode Address option for preshared key negotiation. For more information, see Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs, page 25-43.

Element: Filter Dynamic Updates On Spokes
Description: Unavailable if you are using On-Demand Routing or a static route for your DMVPN tunnel.
When selected, enables the creation of a redistribution list that filters all dynamic routing updates (EIGRP, OSPF, and RIPv2) on spokes. This forces the spoke devices to advertise (populate on the hub device) only their own protected subnets and not other IP addresses.