Difference between revisions of "DMVPN With Multiple VRFs"

From Baranoski.ca

Revision as of 22:24, 30 June 2015

This is similar to Hosting Multiple DMVPNs. In that article, I described how a Cisco router can host multiple DMVPNs. That setup assumes that each CPE router connects to only one of the VRFs on the headend router(s). This time, I'll show how to set up multiple VRFs on both the headend and the CPE. This is useful when separate but similar services need to be delivered to a site, for example data and voice access.

First, define any VRFs:

ip vrf DATA
 rd 1:1
ip vrf VOICE
 rd 1:2

Next, set up your tunnel interfaces.

interface Tunnel2112
 description DMVPN TUNNEL TO OTHER SITES - DATA
 ip vrf forwarding DATA
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 2112
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 description DMVPN TUNNEL TO OTHER SITES - VOICE
 ip vrf forwarding VOICE
 ip address 10.11.11.3 255.255.255.0
 ip nhrp map 10.11.11.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.11.11.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 3113
 ip nhrp nhs 10.11.11.1
 ip nhrp nhs 10.11.11.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared

Note the differences between this and the standard config:

  • Each service is in a separate VRF.
  • Both tunnel interfaces use the same WAN IPs for the headends, but each maps different private IPs to them.
  • Each service uses a separate NHRP network-id.
  • Each service has a tunnel key assigned. The value of the key does not need to match the network-id number.
  • The tunnels use the same WAN interface and the same IPsec profile.
  • The IPsec profile is shared: each tunnel protection line ends with the shared keyword.
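
A config check for the properties in the list above, added here as an illustration and not part of the original article: it parses IOS-style tunnel interface blocks and reports tunnels on the same tunnel source that reuse a VRF, NHRP network-id or tunnel key, or whose tunnel protection line lacks the shared keyword. The function names and the trimmed sample config are constructed for this example.

```python
import re

# Constructed sample: the page's two tunnel interfaces, trimmed to the lines checked.
SAMPLE = """\
interface Tunnel2112
 ip vrf forwarding DATA
 ip nhrp network-id 2112
 tunnel source Ethernet1
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
interface Tunnel3113
 ip vrf forwarding VOICE
 ip nhrp network-id 3113
 tunnel source Ethernet1
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared
"""
FIELDS = {"vrf": r"ip vrf forwarding (\S+)", "network-id": r"ip nhrp network-id (\d+)",
          "source": r"tunnel source (\S+)", "key": r"tunnel key (\d+)",
          "protection": r"tunnel protection ipsec profile (.+)"}

def parse_tunnels(config):
    """Return {tunnel name: {field: value}} from IOS-style interface blocks."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes a block
            m = re.match(r"interface (Tunnel\d+)\s*$", line)
            current = tunnels.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            for field, pattern in FIELDS.items():
                if m := re.fullmatch(pattern, line.strip()):
                    current[field] = m.group(1)
    return tunnels

def audit(config):
    """Check the properties listed above for tunnels sharing one tunnel source."""
    groups, findings = {}, []
    for name, t in parse_tunnels(config).items():
        groups.setdefault(t.get("source"), []).append((name, t))
    for group in (g for g in groups.values() if len(g) > 1):
        seen = {}
        for name, t in group:
            for field in ("vrf", "network-id", "key"):
                other = seen.setdefault((field, t.get(field)), name)
                if other != name:  # an unset field counts as the value None
                    findings.append(f"{name}: {field} {t.get(field)} same as {other}")
            if "shared" not in t.get("protection", "").split()[1:]:
                findings.append(f"{name}: tunnel protection missing or not shared")
    return findings
```

Calling audit() on a saved running-config returns an empty list when every group of tunnels on a common source keeps the services separated the way the list describes.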