Difference between revisions of "DMVPN With Internet In A Separate VRF"

From Baranoski.ca

Revision as of 23:23, 12 July 2015

This is complementary to Hosting Multiple DMVPNs and DMVPN With Multiple VRFs.

Let's say you want to have your Internet connection isolated in a VRF. A couple scenarios why:

  • You want to use the global table for your private traffic.
  • You're using certain Cisco features that don't work in VRFs. For example, TACACS in some code versions.
  • You want the added security of having your inside and outside traffic separated by a VRF boundary.
  • You want to prevent the local users from using the local internet feed, and force them through some firewalls and content filters at your head office.
  • You're an ISP and want to keep everything isolated by VRFs, including Internet. That allows you to use your global table just for MPLS.

Configuration

First, set up your Internet VRF:

ip vrf INTERNET
 rd 1:1
!
interface FastEthernet0
 description INTERNET CONNECTION
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE

Everything else is configured like any of my other DMVPN examples, with the exception of two things.

Firstly, instead of defining a standard ISAKMP crypto key with the crypto isakmp key ... command, you'll create a keyring and associate it with a VRF:

crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y

Secondly, you need to associate the encapsulated tunnel traffic with the VRF. This is not the same as just using the ip vrf forwarding <VRF> command!

interface Tunnel0
 tunnel vrf INTERNET
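The two spots where this recipe usually goes wrong are the ones the page calls out: the keyring has no vrf clause, or the tunnel gets ip vrf forwarding instead of tunnel vrf. The following is an added example, not part of the original page or of any Cisco tool: a small Python checker that reads an IOS-style running config, finds tunnels whose tunnel source interface sits in a VRF, and reports when tunnel vrf or the VRF-bound keyring is missing. The sample configs, interface names and addresses are constructed for the example.

```python
# Constructed sample config (not from the page): a spoke built the way the article describes.
GOOD_CONFIG = """\
ip vrf INTERNET
 rd 1:1
!
crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y
!
interface FastEthernet0
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0
 tunnel vrf INTERNET
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE
"""
# The mistakes the article warns about: 'ip vrf forwarding' on the tunnel instead of
# 'tunnel vrf', and a keyring that is not bound to the Internet VRF.
BAD_CONFIG = GOOD_CONFIG.replace(" tunnel vrf INTERNET", " ip vrf forwarding INTERNET").replace(
    "crypto keyring CRYPTOKEYRING vrf INTERNET", "crypto keyring CRYPTOKEYRING")

def parse_blocks(config):
    """Split an IOS config into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks

def _arg(lines, prefix):
    """Last word of the first sub-command starting with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def check_fvrf(config):
    """Return findings for tunnels whose source interface lives in a VRF."""
    blocks = parse_blocks(config)
    intfs = {h.split()[1]: body for h, body in blocks if h.startswith("interface ")}
    keyring_vrfs = {h.split()[-1] for h, _ in blocks if h.startswith("crypto keyring ") and " vrf " in h}
    findings = []
    for name, body in intfs.items():
        src = _arg(body, "tunnel source ")  # interface name (an IP source is not resolved here)
        src_vrf = _arg(intfs.get(src, []), "ip vrf forwarding ")
        if not name.startswith("Tunnel") or src_vrf is None:
            continue
        if _arg(body, "tunnel vrf ") != src_vrf:
            findings.append(f"{name}: source {src} is in VRF {src_vrf} but 'tunnel vrf {src_vrf}' is "
                            "missing ('ip vrf forwarding' on the tunnel does not replace it)")
        if src_vrf not in keyring_vrfs:
            findings.append(f"{name}: no 'crypto keyring ... vrf {src_vrf}', so ISAKMP has no "
                            f"pre-shared key for peers reached through {src_vrf}")
    return findings
```

Run it against show running-config output saved to a file; an empty list means the tunnel, its source interface and the keyring all agree on the VRF.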