Difference between revisions of "DMVPN With Multiple VRFs"

From Baranoski.ca
Line 26: Line 26:
 
  tunnel source Ethernet1
 
  tunnel source Ethernet1
 
  tunnel mode gre multipoint
 
  tunnel mode gre multipoint
  tunnel key 2112
+
  '''tunnel key 2112'''
 
  tunnel protection ipsec profile DMVPN_PROFILE shared
 
  tunnel protection ipsec profile DMVPN_PROFILE shared
 
!
 
!
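Review bot: The added line wraps `tunnel key 2112` in ''' bold markup inside the interface config block. If that block is preformatted, the markup shows up as literal apostrophes, and anyone copying the stanza pastes a line the router will reject. Drop the markup from the config line and call out the tunnel key in the prose around the block instead.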

Revision as of 22:27, 30 June 2015

This is similar to Hosting Multiple DMVPNs. In that article, I described how a Cisco router can host multiple DMVPNs. That setup assumes that each spoke router only connects to one of the VRFs on the hub router(s). This time, I'll show how to set up multiple VRFs on both the hub and the spoke. This is useful in cases where separate but similar services need to be delivered to a site, for example data and voice access.

Spoke Config

First, define any VRFs:

ip vrf DATA
 rd 1:1
ip vrf VOICE
 rd 1:2

Next, set up your tunnel interfaces.

interface Tunnel2112
 description DMVPN TUNNEL TO OTHER SITES - DATA
 ip vrf forwarding DATA
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 2112
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 description DMVPN TUNNEL TO OTHER SITES - VOICE
 ip vrf forwarding VOICE
 ip address 10.11.11.3 255.255.255.0
 ip nhrp map 10.11.11.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.11.11.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 3113
 ip nhrp nhs 10.11.11.1
 ip nhrp nhs 10.11.11.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared

Note the differences between this and the standard config:

  • Each service is in a separate VRF
  • Both tunnel interfaces use the same WAN IPs for the headends, but each has different private IPs mapped to them.
  • Each service uses a separate network-id
  • Each service has a tunnel key assigned. The value of the key does not need to match the network-id number.
  • The tunnels use the same WAN interface and the same IPsec profile.
  • The IPsec profile is shared (the shared keyword on the tunnel protection line).
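
A small linter for the points listed above, added here as an example and not part of the original article: it parses tunnel stanzas and reports tunnels on a common tunnel source that lack a unique VRF, network-id or tunnel key, or that apply an IPsec profile without shared. The function names and the sample config (Tunnel3113 carries two deliberate mistakes) are constructed for illustration.

```python
import re
# Constructed sample: Tunnel3113 deliberately lacks its tunnel key and "shared".
SAMPLE = """\
interface Tunnel2112
 ip vrf forwarding DATA
 ip nhrp network-id 2112
 tunnel source Ethernet1
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 ip vrf forwarding VOICE
 ip nhrp network-id 3113
 tunnel source Ethernet1
 tunnel protection ipsec profile DMVPN_PROFILE
"""
FIELDS = {"vrf": r"ip vrf forwarding (\S+)", "network_id": r"ip nhrp network-id (\d+)",
          "source": r"tunnel source (\S+)", "key": r"tunnel key (\d+)",
          "profile": r"tunnel protection ipsec profile (\S+)(?: shared)?",
          "shared": r"tunnel protection ipsec profile \S+ (shared)"}

def parse_tunnels(config):
    """Return {tunnel name: {field: value}} for each 'interface Tunnel' stanza."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (Tunnel\d+)\s*$", line)
        if head or not line.startswith(" "):   # new stanza, "!" or top-level command
            cur = tunnels.setdefault(head.group(1), {}) if head else None
        elif cur is not None:
            for field, pattern in FIELDS.items():
                m = re.fullmatch(pattern, line.strip())
                if m:
                    cur[field] = m.group(1)
    return tunnels

def check_shared_source(config):
    """List deviations from the notes above among tunnels sharing one source."""
    by_source, findings = {}, []
    for name, t in parse_tunnels(config).items():
        by_source.setdefault(t.get("source"), {})[name] = t
    for source, group in by_source.items():
        peers = group.items() if source and len(group) > 1 else []
        for field in ("vrf", "network_id", "key"):
            values = [t.get(field) for _, t in peers]
            findings += [f"{name}: {field} missing or reused on {source}" for name, t
                         in peers if t.get(field) is None or values.count(t[field]) > 1]
        findings += [f"{name}: IPsec profile applied without 'shared'"
                     for name, t in peers if "profile" in t and "shared" not in t]
    return findings
```

Calling check_shared_source(SAMPLE) returns two findings, both for Tunnel3113; an empty list means the stanzas follow the layout described in the notes.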

Hub Config

The hub config is set up identically, except that it does not have a mapping for the remote sites.