DMVPN With Internet In A Separate VRF

From Baranoski.ca
Revision as of 23:18, 12 July 2015 by Casey (talk | contribs) (Created page with "This is the complementary to Hosting Multiple DMVPNs and DMVPN With Multiple VRFs. Let's say you want to have your Internet connection isolated in a VRF. This would...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This is the complementary to Hosting Multiple DMVPNs and DMVPN With Multiple VRFs.

Let's say you want to have your Internet connection isolated in a VRF. This would allow you to use the global table for your private traffic. Or you're an ISP and want to keep everything isolated by VRFs, including Internet. That allows you to use your global table just for MPLS.

First, set up your Internet VRF:

ip vrf INTERNET
 rd 1:1
!
interface FastEthernet0
 description INTERNET CONNECTION
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1 name DEFAULT_ROUTE

Everything else is configured like any of my other DMVPN examples, with the exception of two things.

Firstly, instead of defining a standard ISAKMP crypto key with the crypto isakmp key ... command, you'll create a keyring and associate it with a VRF:

crypto keyring CRYPTOKEYRING vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key aw3s0m3crypt0k3y

Secondly, you need to associate the encapsulated tunnel traffic with the VRF. This is not the same as just using the ip vrf forwarding <VRF> command!

interface Tunnel0
 tunnel vrf INTERNET