Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
592
Views
0
Helpful
7
Replies

VRF-aware DMVPN Spoke-only (non-hub) assist?

thyderndstudio
Level 1
Level 1

‎01-31-2017 05:00 PM - edited ‎03-08-2019 09:07 AM

Greets - I've reviewed a number of DMVPN-VRF aware configs and most of them deal with passing the entire vrf path across the tunnel, which is fine, but for the time being, I only need to implement vrf-lite on my spoke routers due to a security requirement for a guest WAP (onboard HWIC AP).

To date, the DMVPN has been functioning fine as a standalone spoke (among many), with Vlans where necessary, and in the lab the VRF side is functioning correctly.

I've been attempting to merge the VRF and the DMVPN spoke-only configs but the tunnel creation gets stuck in routing.

The attached config shows the DMVPN at the global routing level and still works fine - I want to apply the tunnel to vrf BLUE (only).

Thus with the attached config if I do a global ping 172.20.0.1, I have success. Of course if I ping vrf BLUE 172.20.0.1, I get nothing, but that's expected since there is no defined route for it.

I'm pretty sure something is happening at the NAT level where the Vlan NAT is happening before the final routing, thus should I be looking to add a BVI after the Vlan (taking the NAT out of the Vlan and putting it into the BVI, and then only VRF-ing the BVI? This would force the priority of Vlan -> Route -> Nat@BVI -> Exit (right?) but in doing that won't I lose the VRF delineation at the BVI? (thus negating the security needed for this experiment in the first place?)

I would have expected that something like:

Tunnel0

vrf forwarding BLUE

...

no ip route 172.20.0.0 255.255.0.0 10.0.0.254 !(to clear the global route)

ip route vrf BLUE 172.20.0.0 255.255.0.0 Gi0/0 10.0.0.254

would have spun things up, but it got me nowhere.

Do I really need the tunnel to forward the vrf, or in this instance is that command used just to indicate the protection to the vrf? (It does correctly show protected in the dmvpn if I do this, which is expected).

I'm sure I'm off by only a couple config lines, if anyone could shed some light on it, I'd certainly appreciate it. I've been enjoying my new foray into vrf; it's just a little difficult to wrap one's head around "when" certain things happen versus at just the global level.

Final note is there is NO vrf running at the hub level. I'm hoping that isn't a requirement. It may be an expansion in the future, but not at all necessary right now.

Thanks & Regards,

Ted.

Labels:
Preview file
4 KB
0 Helpful
7 Replies 7

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-31-2017 07:24 PM

Is the blue vrf meant to be an "inner" (for traffic through the tunnel) or "outer" (for the encapsulated tunnel traffic itself) vrf?

0 Helpful

thyderndstudio
Level 1
Level 1
In response to Philip D'Ath

‎02-01-2017 04:17 AM

Philip - thanks for asking. BLUE is an inner vrf. I'm not dabbling in the global MPLS world yet....outside traffic is traditional mGRE directly over WAN.

(I know I can write this solution to just use vlans and a lot of ACLs, however I was hoping to "get with the times" as it were....)

Thanks,

Ted.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to thyderndstudio

‎02-01-2017 11:26 AM

What you have done looks correct to me.  What is telling you that it is not working?

0 Helpful

thyderndstudio
Level 1
Level 1
In response to Philip D'Ath

‎02-01-2017 12:03 PM

Philip - I am unable to ping or transit any traffic from vrf BLUE (172.21.9.0) to the hub router 172.20.0.1. This connection would be built only if the tunnel and routing is in place. None of my modifications would allow this to happen (so far).

The config attached in my original post (which has the dmvpn tunnel on the global routing table) works as expected, such that only global routing table clients (like the spoke router itself) transit the tunnel - this at least lets me know that the tunnel is functional, it just doesn't get applied to vrf BLUE.

Ted

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to thyderndstudio

‎02-02-2017 11:34 AM

What hardware device and software version are you using?

0 Helpful

thyderndstudio
Level 1
Level 1
In response to Philip D'Ath

‎02-02-2017 12:07 PM

Philip - I'm running 15.1(4)M9 on an 2851 ISR (c2800nm-adventerprisek9-mz.151-4.M9)

It has an Aim2 (SSL), an NM-16ESW and an HWIC AP as WIC modules. Each of those modules separately and together are considered working.

Ted.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to thyderndstudio

‎02-02-2017 12:12 PM

I would upgrade to the gold star release 15.1.4M12a.  I suspect you might just be running into a bug.

https://software.cisco.com/download/release.html?mdfid=279120819&softwareid=280805680&release=15.1.4M12a&relind=AVAILABLE&rellifecycle=MD&reltype=latest

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card