Difference between revisions of "DMVPN With Internet In A Separate VRF"
Revision as of 23:23, 12 July 2015
This is complementary to Hosting Multiple DMVPNs and DMVPN With Multiple VRFs.
Let's say you want to have your Internet connection isolated in a VRF. A couple of scenarios why:
- You want to use the global table for your private traffic.
- You're using certain Cisco features that don't work in VRFs, for example TACACS in some code versions.
- You want the added security of having your inside and outside traffic separated by a VRF boundary.
- You want to prevent the local users from using the local internet feed, and force them through some firewalls and content filters at your head office.
- You're an ISP and want to keep everything isolated by VRFs, including Internet. That allows you to use your global table just for MPLS.
Configuration
First, set up your Internet VRF:
ip vrf INTERNET
 rd 1:1
!
interface FastEthernet0
 description INTERNET CONNECTION
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE
Everything else is configured like any of my other DMVPN examples, with the exception of two things.
Firstly, instead of defining a standard ISAKMP crypto key with the crypto isakmp key ... command, you'll create a keyring and associate it with a VRF:
crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y
Secondly, you need to associate the encapsulated tunnel traffic with the VRF. This is not the same as just using the ip vrf forwarding <VRF> command! The tunnel vrf command tells the router which VRF to use when routing the outer, encapsulated packets toward the tunnel endpoints; ip vrf forwarding on the tunnel interface would instead place the tunnel itself, and the private traffic inside it, in that VRF.
interface Tunnel0
 tunnel vrf INTERNET
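As an added check that is not part of the original page, this Python script parses an IOS-style configuration and flags the inconsistencies described above: a keyring not bound to the VRF, no default route in the VRF, ip vrf forwarding on the tunnel in place of tunnel vrf, or a tunnel source interface that is not itself in the VRF. The sample config is constructed from the snippets on this page; its tunnel source line is an assumption, since the page does not show the rest of Tunnel0.

```python
import re

# Constructed sample assembled from this page's snippets; the "tunnel source"
# line is an assumption, since the page does not show the rest of Tunnel0.
SAMPLE_CONFIG = """\
ip vrf INTERNET
interface FastEthernet0
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y
interface Tunnel0
 tunnel source FastEthernet0
 tunnel vrf INTERNET
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE
"""

def parse_blocks(config):
    """Map each top-level IOS command to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def lint_internet_vrf(config, vrf="INTERNET"):
    """Return findings (empty list means consistent) for the front-door VRF."""
    blocks, findings = parse_blocks(config), []
    if f"ip vrf {vrf}" not in blocks:
        findings.append(f"VRF {vrf} is not defined")
    if not any(h.startswith(f"ip route vrf {vrf} 0.0.0.0 0.0.0.0 ") for h in blocks):
        findings.append(f"no default route in VRF {vrf}")
    if not any(re.fullmatch(rf"crypto keyring \S+ vrf {vrf}", h) for h in blocks):
        findings.append(f"no ISAKMP keyring bound to VRF {vrf}")
    for head, lines in blocks.items():
        if head.startswith("interface Tunnel"):
            if f"tunnel vrf {vrf}" not in lines:
                findings.append(f"{head}: missing 'tunnel vrf {vrf}' for the outer packets")
            if f"ip vrf forwarding {vrf}" in lines:
                findings.append(f"{head}: 'ip vrf forwarding' moves the tunnel itself into {vrf}")
            for src in (l.split()[-1] for l in lines if l.startswith("tunnel source ")):
                if f"ip vrf forwarding {vrf}" not in blocks.get(f"interface {src}", []):
                    findings.append(f"{head}: tunnel source {src} is not in VRF {vrf}")
    return findings
```

Run lint_internet_vrf on a spoke's running-config text; an empty list means the three VRF pieces from this page are present and consistent.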