DMVPN With Multiple VRFs
This is similar to Hosting Multiple DMVPNs. In that article, I wrote how a Cisco router can host multiple DMVPNs. That setup assumed that each spoke router connects to only one of the VRFs on the hub router(s). This time, I'll show how to set up multiple VRFs on both the hub and the spoke. This is useful where separate but similar services need to be delivered to a site, for example data and voice access.
First, define any VRFs:
ip vrf DATA
 rd 1:1
ip vrf VOICE
 rd 1:2
Next, set up your tunnel interfaces.
interface Tunnel2112
 description DMVPN TUNNEL TO OTHER SITES - DATA
 ip vrf forwarding DATA
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 2112
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 description DMVPN TUNNEL TO OTHER SITES - VOICE
 ip vrf forwarding VOICE
 ip address 10.11.11.3 255.255.255.0
 ip nhrp map 10.11.11.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.11.11.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 3113
 ip nhrp nhs 10.11.11.1
 ip nhrp nhs 10.11.11.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared
Note the differences between this and the standard config:
- Each service is in a separate VRF
- Both tunnel interfaces are using the same WAN IPs for the headends. They do have different private IPs mapped to them though.
- Each service uses a separate network-id
- Each service has a tunnel key assigned. The value of the key does not need to match the network-id number.
- The tunnels are using the same WAN interface and the same IPSec profile.
- The IPSec profile is applied with the shared keyword
The hub config is set up identically, with the exception of not having a mapping for the remote sites.
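An added example (not from the original article): a small Python check that parses the tunnel interfaces out of a config and flags tunnels on the same tunnel source that break the rules in the list above. The function names and the trimmed sample config are constructed for illustration, using the tunnel values from this page.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed spoke config using this page's tunnel values.
SAMPLE = """\
interface Tunnel2112
 ip vrf forwarding DATA
 ip nhrp network-id 2112
 tunnel source Ethernet1
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
interface Tunnel3113
 ip vrf forwarding VOICE
 ip nhrp network-id 3113
 tunnel source Ethernet1
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared
"""

# Per-tunnel settings from the list above, as regexes over one interface body.
FIELDS = {
    "vrf": r"ip vrf forwarding (\S+)", "network_id": r"ip nhrp network-id (\d+)",
    "source": r"tunnel source (\S+)", "key": r"tunnel key (\d+)",
    "profile": r"tunnel protection ipsec profile (\S+)",
    "shared": r"tunnel protection ipsec profile \S+ (shared)\b",
}

def parse_tunnels(config):
    """Return {interface: {field: value or None}} for each Tunnel interface."""
    blocks = re.findall(r"^interface (Tunnel\d+)\n((?:[ \t]+.*\n?)*)", config, re.M)
    return {name: {f: (m.group(1) if (m := re.search(p, body)) else None)
                   for f, p in FIELDS.items()} for name, body in blocks}

def lint(config):
    """List rule violations among tunnels that share one tunnel source."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        by_source[t["source"]].append((name, t))
    problems = []
    for source, group in by_source.items():
        if len(group) < 2:
            continue  # a lone tunnel on a source has nothing to collide with
        for field in ("vrf", "network_id", "key"):
            values = [t[field] for _, t in group]
            if None in values or len(set(values)) != len(values):
                problems.append(f"{source}: {field} missing or duplicated")
        problems += [f"{name}: IPsec profile lacks 'shared'"
                     for name, t in group if t["profile"] and not t["shared"]]
    return problems
```

Calling `lint()` on the text of a saved running config returns an empty list when every tunnel on a shared source has its own VRF, network-id and tunnel key and applies its IPsec profile with `shared`.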