
Thursday, March 5, 2015

DM-VPN VRF aware



Network Topology:



R7 is the hub and R10 is the spoke; both routers build the tunnel with Loopback0 as the source address.

R7 and R10 use VRF-lite on the interfaces facing the SP.

R7 [Hub] relevant configuration:

ip vrf LOCALSP
 rd 7:7
!
crypto keyring CCIE vrf LOCALSP
  local-address Loopback0
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-DMVPN
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address Loopback0
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MYSET
 set isakmp-profile ISAKMP-DMVPN
!
!
interface Loopback0
 ip vrf forwarding LOCALSP
 ip address 7.7.7.7 255.255.255.255
!
!
interface Tunnel1
 ip vrf forwarding LOCALSP
 ip address 172.16.0.7 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPN
!
router bgp 65003
 bgp log-neighbor-changes
 neighbor 10.1.78.8 remote-as 65002
 !
 address-family ipv4 vrf LOCALSP
  network 7.7.7.7 mask 255.255.255.255
  neighbor 10.1.117.11 remote-as 65001
  neighbor 10.1.117.11 activate
 exit-address-family

R10 [Spoke] relevant configuration:

ip vrf LOCALSP
 rd 10:10
!
crypto keyring CCIE vrf LOCALSP
  local-address Loopback0
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-DMVPN
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address Loopback0
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MYSET
 set isakmp-profile ISAKMP-DMVPN
!
interface Loopback0
 ip vrf forwarding LOCALSP
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel1
 ip vrf forwarding LOCALSP
 ip address 172.16.0.10 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.7 nbma 7.7.7.7 multicast
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/1
 ip vrf forwarding LOCALSP
 ip address 10.1.104.10 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65004
 bgp log-neighbor-changes
 neighbor 10.1.109.9 remote-as 65002
 !
 address-family ipv4 vrf LOCALSP
  network 10.10.10.10 mask 255.255.255.255
  neighbor 10.1.104.4 remote-as 65001
  neighbor 10.1.104.4 activate
 exit-address-family

Notes:
- The interface toward the SP is configured under the VRF, so the BGP neighbor toward the SP must also be configured under the VRF address family.
- The tunnel interface must be VRF aware (tunnel vrf), since its source Loopback0 lives in the VRF.
- The keyring is bound to the specific VRF (crypto keyring CCIE vrf LOCALSP).
- The identity match under the ISAKMP profile is also scoped to the specific VRF (match identity address 0.0.0.0 LOCALSP).
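As an added example that is not part of the original post, here is a small Python checker for the last three notes: it parses IOS config blocks and reports any tunnel whose "tunnel vrf" disagrees with the VRF of its source interface, its ISAKMP profile, that profile's keyring, or the match identity VRF. The embedded IOS_HUB text is the hub configuration above trimmed to its VRF-relevant lines; parse_blocks, _val and check_dmvpn_vrf are names of my own, and treating the trailing word of "match identity address" as a VRF unless it starts with a digit is a heuristic.

```python
IOS_HUB = """\
crypto keyring CCIE vrf LOCALSP
crypto isakmp profile ISAKMP-DMVPN
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
crypto ipsec profile DMVPN
 set isakmp-profile ISAKMP-DMVPN
interface Loopback0
 ip vrf forwarding LOCALSP
interface Tunnel1
 tunnel source Loopback0
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPN
"""  # constructed: the hub config from this post, trimmed to its VRF-relevant lines

def parse_blocks(config):
    """IOS blocks as (header, [sub-lines]): column 0 opens a block, indented lines join it."""
    blocks = []
    for line in (ln for ln in config.splitlines() if ln.strip() not in ("", "!")):
        if line[0] != " ":
            blocks.append((line.strip(), []))
        else:
            blocks[-1][1].append(line.strip())
    return blocks

def _val(sub, prefix):  # last word of the first sub-line starting with prefix, else None
    return next((s.split()[-1] for s in sub if s.startswith(prefix)), None)

def check_dmvpn_vrf(config):  # findings for each Tunnel whose VRF disagrees with source/ISAKMP/keyring/match
    iface, keyring, isakmp, ipsec = {}, {}, {}, {}
    for hdr, sub in parse_blocks(config):
        w = hdr.split()
        if w[0] == "interface":
            iface[w[1]] = sub
        elif hdr.startswith("crypto keyring"):         # crypto keyring NAME [vrf VRF]
            keyring[w[2]] = w[w.index("vrf") + 1] if "vrf" in w else None
        elif hdr.startswith("crypto isakmp profile"):  # match identity address A.B.C.D [mask] [VRF]
            m = _val(sub, "match identity address")
            isakmp[w[3]] = (_val(sub, "vrf"), _val(sub, "keyring"), None if m is None or m[0].isdigit() else m)
        elif hdr.startswith("crypto ipsec profile"):
            ipsec[w[3]] = _val(sub, "set isakmp-profile")
    findings = []
    for name, sub in ((n, s) for n, s in iface.items() if n.startswith("Tunnel")):
        tvrf, src = _val(sub, "tunnel vrf"), _val(sub, "tunnel source")
        pvrf, kr, mvrf = isakmp.get(ipsec.get(_val(sub, "tunnel protection ipsec profile")), (None,) * 3)
        checks = {f"source {src} vrf": _val(iface.get(src, []), "ip vrf forwarding"), "isakmp profile vrf": pvrf,
                  "keyring vrf": keyring.get(kr), "match identity vrf": mvrf}
        findings += [f"{name}: {k} is {v}, expected tunnel vrf {tvrf}" for k, v in checks.items() if v != tvrf]
    return findings
```

Running check_dmvpn_vrf on the full hub or spoke running-config (for example, the output of show running-config saved to a file) returns an empty list when the VRF plumbing is consistent.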
