DMVPN With Internet In A Separate VRF
This is the complementary to Hosting Multiple DMVPNs and DMVPN With Multiple VRFs.
Let's say you want to have your Internet connection isolated in a VRF. This would allow you to use the global table for your private traffic. Or you're an ISP and want to keep everything isolated by VRFs, including Internet. That allows you to use your global table just for MPLS.
First, set up your Internet VRF:
ip vrf INTERNET rd 1:1 ! interface FastEthernet0 description INTERNET CONNECTION ip vrf forwarding INTERNET ip address 192.0.2.2 255.255.255.252 ! ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE
Everything else is configured like any of my other DMVPN examples, with the exception of two things.
Firstly, instead of defining a standard ISAKMP crypto key with the crypto isakmp key ... command, you'll create a keyring and associate it with a VRF:
crypto keyring CRYPTOKEYRING vrf INTERNET pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y
Secondly, you need to associate the encapsulated tunnel traffic with the VRF. This is not the same as just using the ip vrf forwarding <VRF> command!
interface Tunnel0 tunnel vrf INTERNET