Difference between revisions of "DMVPN With Internet In A Separate VRF"

From Baranoski.ca
Revision as of 23:22, 12 July 2015

This page complements Hosting Multiple DMVPNs and DMVPN With Multiple VRFs.

Let's say you want to have your Internet connection isolated in a VRF. A couple of scenarios where this makes sense:

  • You want to use the global table for your private traffic.
  • You're using certain Cisco features that don't work in VRFs, for example TACACS in some code versions.
  • You want the added security of having your inside and outside traffic separated by a VRF boundary.
  • You want to prevent local users from using the local Internet feed, and force them through the firewalls and content filters at your head office.
  • You're an ISP and want to keep everything isolated by VRFs, including the Internet. That lets you use your global table just for MPLS.

First, set up your Internet VRF:

ip vrf INTERNET
 rd 1:1
!
interface FastEthernet0
 description INTERNET CONNECTION
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE

Everything else is configured like any of my other DMVPN examples, with the exception of two things.

Firstly, instead of defining a standard ISAKMP pre-shared key with the crypto isakmp key ... command, you create a keyring and associate it with the VRF, so that the ISAKMP peer lookup happens in the VRF where the peer's packets actually arrive:

crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y

Secondly, you need to associate the encapsulated tunnel traffic with the VRF. This is not the same as just using the ip vrf forwarding <VRF> command! The tunnel vrf command binds the outer (encapsulated) GRE/IPsec packets to the VRF that holds the tunnel source interface and the default route, whereas ip vrf forwarding on the tunnel interface would move the inner (decapsulated) traffic into that VRF, which is the opposite of what you want here:

interface Tunnel0
 tunnel vrf INTERNET
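Because the two changes above are easy to get half right (a keyring without the vrf keyword, or ip vrf forwarding typed on the tunnel instead of tunnel vrf), a consistency check over the running-config is worth having. The following is an added example, not code from the original page: a small Python linter that parses an IOS-style configuration, looks up the VRF of each tunnel's source interface, and flags tunnels whose tunnel vrf does not match it, as well as IPsec-protected tunnels whose front-door VRF has no keyring bound to it. The two embedded configurations are constructed for the example; the VRF name, keyring name and addresses follow the page, the transform set/profile name DMVPN_PROFILE and the pre-shared key are placeholders.

```python
"""Lint an IOS config for a consistently applied DMVPN front-door VRF.

Added example (not the page's own code). Assumes plain `show running-config`
text: top-level commands at column 0, sub-commands indented by one space.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the layout the page describes (source interface and
# default route in VRF INTERNET, keyring bound to it, tunnel vrf on Tunnel0).
GOOD_CONFIG = """
ip vrf INTERNET
 rd 1:1
!
interface FastEthernet0
 description INTERNET CONNECTION
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE
!
crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER_KEY
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel vrf INTERNET
 tunnel protection ipsec profile DMVPN_PROFILE
"""

# Constructed sample of the common mistake: keyring left in the global table and
# `ip vrf forwarding` used on the tunnel instead of `tunnel vrf`.
BAD_CONFIG = GOOD_CONFIG.replace(
    "crypto keyring CRYPTOKEYRING vrf INTERNET", "crypto keyring CRYPTOKEYRING"
).replace(" tunnel vrf INTERNET", " ip vrf forwarding INTERNET")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def check_front_door_vrf(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings: List[str] = []
    iface_vrf: Dict[str, str] = {}       # interface -> VRF from `ip vrf forwarding`
    keyring_vrfs = set()                 # VRFs named in `crypto keyring ... vrf X`
    tunnels: Dict[str, List[str]] = {}   # tunnel interface -> its sub-commands

    for header, children in parse_blocks(config):
        m = re.match(r"interface (\S+)$", header)
        if m:
            name = m.group(1)
            for c in children:
                fv = re.match(r"ip vrf forwarding (\S+)$", c)
                if fv:
                    iface_vrf[name] = fv.group(1)
            if name.lower().startswith("tunnel"):
                tunnels[name] = children
            continue
        kr = re.match(r"crypto keyring \S+ vrf (\S+)$", header)
        if kr:
            keyring_vrfs.add(kr.group(1))

    for name, children in tunnels.items():
        source = tunnel_vrf = None
        protected = False
        for c in children:
            if c.startswith("tunnel source "):
                source = c.split()[2]        # interface name (an IP source is treated as global)
            elif c.startswith("tunnel vrf "):
                tunnel_vrf = c.split()[2]
            elif c.startswith("tunnel protection "):
                protected = True
        if source is None:
            findings.append(f"{name}: no tunnel source configured")
            continue
        source_vrf = iface_vrf.get(source)   # None means the global table
        if source_vrf != tunnel_vrf:
            findings.append(f"{name}: source {source} is in VRF {source_vrf or 'global'} "
                            f"but tunnel vrf is {tunnel_vrf or 'global'}")
        if protected and source_vrf and source_vrf not in keyring_vrfs:
            findings.append(f"{name}: IPsec protected but no keyring is bound to VRF {source_vrf}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_front_door_vrf(cfg) or "OK")
```

Run against a saved running-config by reading the file into a string and passing it to check_front_door_vrf. The check deliberately compares the tunnel's VRF against the VRF of its source interface rather than against a hard-coded name, so it also catches the reverse mistake of a tunnel vrf line pointing at a VRF the source interface is not in.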