06-02-2005 04:59 PM
I have a situation where the customer would like to run 2 different VRFs to keep their traffic completely separated. I need to use DMVPN for the point-to-point link between the two routers because 1 router will be a static base station and the other will be a remote unit connecting to the base router via the internet from differing locations. There will be more than one remote in the future.
I have tried quite a few combinations to try and make it happen, but to no avail.
Anyone that may have something, please let me know. Here are the following prereqs.
1. Hub and spoke top (spoke ip unknown to base)
2. Link to hub from spoke will be IP 1 int/ 1 add
3. Link between 2 will need AES 256 encryption.
4. Must transport 2 different VRF's.
5. Would like to use OSPF or EIGRP.
Thank you,
Rick Payne
06-08-2005 09:56 AM
Routing tables of the different LSRs are computed using an Interior Gateway Protocol (IGP). A link-state protocol such as Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) is required if you are going to deploy MPLS TE.
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a0080093f23.shtml
06-09-2005 04:17 AM
You could maybe use a combination of DMVPN, ezVPN and Multi-VRF. I have written down a quick and dirty config for the server side. This is not tested at all, just written in Notepad from my head, so there may very well be lots of errors, but you'll maybe get some ideas...
!
aaa authentication login spoke-auth local
aaa authorization network spoke-group local
username spoke1 password cisco123
!
ip vrf red
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf blue
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
crypto keyring spoke-keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration address-pool local spoke-pool
crypto isakmp client configuration group spokes
 key cisco123
 pool spoke-pool
 acl 100
 save-password
!
crypto isakmp profile spoke-group-profile
 keyring spoke-keys
 match identity group spokes
 client authentication list spoke-auth
 isakmp authorization list spoke-group
 client configuration address respond
!
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aes-sha
 set isakmp-profile spoke-group-profile
 reverse-route
!
crypto map cmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback100
 ip vrf forwarding red
 ip address 192.168.99.1 255.255.255.255
!
interface Loopback200
 ip vrf forwarding blue
 ip address 192.168.99.2 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding red
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication dmvpnred
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 delay 1000
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 100001
!
interface Tunnel200
 ip vrf forwarding blue
 ip address 192.168.201.1 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication dmvpnblue
 ip nhrp map multicast dynamic
 ip nhrp network-id 200001
 ip nhrp holdtime 300
 delay 1000
 tunnel source Loopback200
 tunnel mode gre multipoint
 tunnel key 200001
!
interface FastEthernet0/0
 description To INTERNET
 ip address 192.0.2.2 255.255.255.252
 crypto map cmap
!
interface FastEthernet0/1
 description To INSIDE
 no ip address
!
interface FastEthernet0/1.100
 description To one network
 encapsulation dot1q 100
 ip vrf forwarding red
 ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/1.200
 description To the other network
 encapsulation dot1q 200
 ip vrf forwarding blue
 ip address 192.168.200.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf red
  network 192.168.100.0 0.0.0.255
  network 192.168.101.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 vrf blue
  network 192.168.200.0 0.0.0.255
  network 192.168.201.0 0.0.0.255
 exit-address-family
!
ip local pool spoke-pool 10.10.10.1 10.10.10.200
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 192.168.99.1 255.255.255.255 Loopback100
ip route 192.168.99.2 255.255.255.255 Loopback200
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0 192.0.2.1 global
ip route 192.168.200.0 255.255.255.0 FastEthernet0/0 192.0.2.1 global
!
!
access-list 100 permit ip 192.168.99.0 0.0.0.255 any
!
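An added example, not part of the post above and not Cisco tooling: a small Python check that reads a hub config like the one posted, confirms that the AES 256 requirement from the original question is met for both IKE and ESP, and flags the placeholder credential and key-exchange settings to change before deployment. It assumes sub-commands are indented as in `show running-config` output; the sample text is a constructed excerpt of the posted config, and the finding names are made up for this example.

```python
import re

# Constructed excerpt: security-relevant lines of the hub config posted above.
SAMPLE = """\
username spoke1 password cisco123
crypto keyring spoke-keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group spokes
 key cisco123
 save-password
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
"""

def audit(config):
    """Return (findings, aes256_ok) for an IOS-style config given as text."""
    findings, secrets, section = [], {}, ""
    ike_aes = esp_aes = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # unindented line opens a new section
            section = line
        if m := re.match(r"username (\S+) password (\S+)", line):
            secrets.setdefault(m[2], []).append(f"user {m[1]}")
        elif m := re.match(r"pre-shared-key address (\S+) (\S+) key (\S+)", line):
            secrets.setdefault(m[3], []).append("keyring")
            if (m[1], m[2]) == ("0.0.0.0", "0.0.0.0"):
                findings.append("wildcard-psk")   # key accepted from any peer address
        elif section.startswith("crypto isakmp client configuration group"):
            if m := re.match(r"key (\S+)", line):
                secrets.setdefault(m[1], []).append("group key")
            elif line == "save-password":
                findings.append("save-password")  # client may store its Xauth password
        elif section.startswith("crypto isakmp policy"):
            if line == "encr aes 256":
                ike_aes = True
            elif re.fullmatch(r"group (1|2|5)", line):
                findings.append("weak-dh-group")  # MODP group of 1536 bits or less
        elif line.startswith("crypto ipsec transform-set") and "esp-aes 256" in line:
            esp_aes = True
    if any(len(uses) > 1 for uses in secrets.values()):
        findings.append("shared-secret-reuse")    # one value used in several roles
    return findings, ike_aes and esp_aes
```

Calling `audit(SAMPLE)` reports all four findings and confirms AES 256 in both phases; the same function can be run against the text of a saved running-config.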