Difference between revisions of "DMVPN With Multiple VRFs"
Line 26: | Line 26: | ||
tunnel source Ethernet1 | tunnel source Ethernet1 | ||
tunnel mode gre multipoint | tunnel mode gre multipoint | ||
− | + | tunnel key 2112 | |
tunnel protection ipsec profile DMVPN_PROFILE shared | tunnel protection ipsec profile DMVPN_PROFILE shared | ||
! | ! |
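Review bot: the reason for the new `tunnel key 2112` line is only half documented. The notes list says each service has a key, but not why. Tunnel3113 on this page uses the same `tunnel source Ethernet1` and the same `DMVPN_PROFILE shared` with `tunnel key 3113`, so the notes should say that the key is what tells the two tunnels apart on the shared source. Because the Hub Config section only says the hub is "set up identically", it should also state that the hub tunnel for the same service needs the same key value.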
Revision as of 22:28, 30 June 2015
This is similar to Hosting Multiple DMVPNs. In that article, I wrote how a Cisco router can host multiple DMVPNs. This assumes that each spoke router only connects to one of the VRFs on the hub router(s). This time, I'll show how to set up multiple VRFs on the hub and the spoke. This would be useful in cases where separate but similar services need to be delivered to a site, for example data and voice access.
Spoke Config
First, define any VRFs:
ip vrf DATA
 rd 1:1
ip vrf VOICE
 rd 1:2
Next, set up your tunnel interfaces.
interface Tunnel2112
 description DMVPN TUNNEL TO OTHER SITES - DATA
 ip vrf forwarding DATA
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 2112
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 description DMVPN TUNNEL TO OTHER SITES - VOICE
 ip vrf forwarding VOICE
 ip address 10.11.11.3 255.255.255.0
 ip nhrp map 10.11.11.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.11.11.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 3113
 ip nhrp nhs 10.11.11.1
 ip nhrp nhs 10.11.11.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared
Note the differences between this and the standard config:
- Each service is in a separate VRF
- Both tunnel interfaces are using the same WAN IPs for the headends. They do have different private IPs mapped to them though.
- Each service uses a separate network-id
- Each service has a tunnel key assigned. The value of the key does not need to match the network-id number.
- The tunnels are using the same WAN interface and the same IPSec profile.
- The IPSec profile is shared
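The differences listed above can be checked mechanically before a config is pushed. This is an added example, not part of the original article: a Python check that parses the tunnel blocks and flags tunnels that reuse one tunnel source and IPsec profile without a distinct key, network-id and VRF, or without `shared`. The names `parse_tunnels` and `audit` and the trimmed sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the page's two spoke tunnels, trimmed to the checked lines.
SPOKE = """\
interface Tunnel2112
 ip vrf forwarding DATA
 ip nhrp network-id 2112
 tunnel source Ethernet1
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
interface Tunnel3113
 ip vrf forwarding VOICE
 ip nhrp network-id 3113
 tunnel source Ethernet1
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared
"""
FIELDS = {"vrf": r"ip vrf forwarding (\S+)", "network-id": r"ip nhrp network-id (\d+)",
          "source": r"tunnel source (\S+)", "key": r"tunnel key (\d+)",
          "profile": r"tunnel protection ipsec profile (\S+)"}

def parse_tunnels(config):
    """Map each Tunnel interface to the settings the page's notes compare."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (Tunnel\d+)", line)
        if head or not line.startswith(" "):  # any unindented line ends a block
            cur = tunnels.setdefault(head.group(1), {"shared": False}) if head else None
        elif cur is not None:
            for name, pattern in FIELDS.items():
                if found := re.match(pattern, line.strip()):
                    cur[name] = found.group(1)
            cur["shared"] |= bool(re.match(r"tunnel protection .* shared$", line.strip()))
    return tunnels

def audit(tunnels):
    """List findings for tunnels that reuse one source interface and IPsec profile."""
    findings, groups = [], defaultdict(list)
    for name, t in tunnels.items():
        groups[(t.get("source"), t.get("profile"))].append(name)
    for names in [n for (_, profile), n in groups.items() if profile and len(n) > 1]:
        for field in ("key", "network-id", "vrf"):
            values = [tunnels[n].get(field) for n in names]
            if None in values or len(set(values)) < len(values):
                findings.append(f"{field} missing or reused on {', '.join(names)}")
        findings += [f"{n}: profile lacks 'shared'" for n in names if not tunnels[n]["shared"]]
    return findings
```

Running `audit(parse_tunnels(SPOKE))` on the config as shown returns an empty list; removing the `tunnel key 2112` line, as in the earlier revision, produces a finding.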
Hub Config
The hub config is set up identically, with the exception of not having a mapping for the remote sites.