
**** MPLS over IP using low-end routers ****

rick.payne
Level 1

I have a situation where the customer would like to run 2 different VRFs to keep their traffic completely separated. I need to use DMVPN for the point-to-point link between the two routers because 1 router will be a static base station and the other will be a remote unit connecting to the base router via the Internet from differing locations. There will be more than one remote in the future.

I have tried quite a few combinations to try and make it happen, but to no avail.

Anyone that may have something, please let me know. Here are the following prereqs.

1. Hub and spoke top (spoke ip unknown to base)

2. Link to hub from spoke will be IP 1 int/ 1 add

3. Link between 2 will need AES 256 encryption.

4. Must transport 2 different VRFs.

5. Would like to use OSPF or EIGRP.

Thank you,

Rick Payne

2 Replies 2

didyap
Level 6

Routing tables of the different LSRs are computed using an Interior Gateway Protocol (IGP). A link-state protocol such as Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) is required if you are going to deploy MPLS TE.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a0080093f23.shtml

johansens
Level 4

You could maybe use a combination of DMVPN, ezVPN and Multi-VRF. I have written down a quick and dirty config for the server side. This is not tested at all, just written in Notepad from my head, so there may very well be lots of errors, but you'll maybe get some ideas.

```
!
aaa authentication login spoke-auth local
aaa authorization network spoke-group local
username spoke1 password cisco123
!
ip vrf red
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf blue
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
crypto keyring spoke-keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration address-pool local spoke-pool
crypto isakmp client configuration group spokes
 key cisco123
 pool spoke-pool
 acl 100
 save-password
!
crypto isakmp profile spoke-group-profile
 keyring spoke-keys
 match identity group spokes
 client authentication list spoke-auth
 isakmp authorization list spoke-group
 client configuration address respond
!
crypto ipsec transform-set aes-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aes-sha
 set isakmp-profile spoke-group-profile
 reverse-route
!
crypto map cmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback100
 ip vrf forwarding red
 ip address 192.168.99.1 255.255.255.255
!
interface Loopback200
 ip vrf forwarding blue
 ip address 192.168.99.2 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding red
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication dmvpnred
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 delay 1000
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 100001
!
interface Tunnel200
 ip vrf forwarding blue
 ip address 192.168.201.1 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication dmvpnblue
 ip nhrp map multicast dynamic
 ip nhrp network-id 200001
 ip nhrp holdtime 300
 delay 1000
 tunnel source Loopback200
 tunnel mode gre multipoint
 tunnel key 200001
!
interface FastEthernet0/0
 description To INTERNET
 ip address 192.0.2.2 255.255.255.252
 crypto map cmap
!
interface FastEthernet0/1
 description To INSIDE
 no ip address
!
interface FastEthernet0/1.100
 description To one network
 encapsulation dot1q 100
 ip vrf forwarding red
 ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/1.200
 description To the other network
 encapsulation dot1q 200
 ip vrf forwarding blue
 ip address 192.168.200.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf red
  network 192.168.100.0 0.0.0.255
  network 192.168.101.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 vrf blue
  network 192.168.200.0 0.0.0.255
  network 192.168.201.0 0.0.0.255
 exit-address-family
!
ip local pool spoke-pool 10.10.10.1 10.10.10.200
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 192.168.99.1 255.255.255.255 Loopback100
ip route 192.168.99.2 255.255.255.255 Loopback200
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0 192.0.2.1 global
ip route 192.168.200.0 255.255.255.0 FastEthernet0/0 192.0.2.1 global
!
!
access-list 100 permit ip 192.168.99.0 0.0.0.255 any
!
```
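An added example, not part of the post above or of any Cisco tooling: a small Python review pass over a config like this one that checks the AES 256 requirement on the IKE policy, flags settings worth tightening before deployment, and reports which VRF each addressed interface sits in. The function names and finding labels are hypothetical, and the sample is constructed from lines trimmed out of the posted config.

```python
# Constructed sample: lines trimmed from the hub config posted above.
SAMPLE = """\
username spoke1 password cisco123
crypto keyring spoke-keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 1
 encr aes 256
 group 2
crypto isakmp client configuration group spokes
 save-password
interface Tunnel100
 ip vrf forwarding red
 ip address 192.168.101.1 255.255.255.0
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.252
"""

def stanzas(text):
    """Group IOS config lines into [header, children] by indentation."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append([line.strip(), []])
    return out

def audit(text):
    """Return (finding labels, {interface: VRF name or 'global'})."""
    findings, vrfs = [], {}
    for head, kids in stanzas(text):
        words = head.split()
        if words[0] == "username" and words[2:3] == ["password"]:
            findings.append("reversible-password")  # 'secret' stores a hash instead
        if head.startswith("crypto isakmp policy"):
            if "encr aes 256" not in kids:
                findings.append("ike-not-aes256")  # poster's requirement 3
            dh = [int(k.split()[1]) for k in kids if k.startswith("group ")]
            if dh and dh[0] < 14:
                findings.append("ike-weak-dh-group")  # group 2 is 1024-bit MODP
        if any(k.startswith("pre-shared-key address 0.0.0.0 0.0.0.0") for k in kids):
            findings.append("wildcard-psk")  # any peer address may use this key
        if "save-password" in kids:
            findings.append("ezvpn-save-password")  # Xauth password stored on client
        if words[0] == "interface" and any(k.startswith("ip address ") for k in kids):
            vrf = [k.split()[-1] for k in kids if k.startswith("ip vrf forwarding ")]
            vrfs[words[1]] = vrf[0] if vrf else "global"
    return findings, vrfs
```

Calling `audit(SAMPLE)` returns the findings in config order plus the interface-to-VRF map, which makes it easy to confirm that only the Internet-facing interface is left in the global table.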
