
DMVPN spoke with multiple VRF

Junaid Shah
Level 1

Hi everyone,

 

I am reaching out to get your opinion on my config below. What I want to achieve is a spoke having two VRFs and two tunnels pointing to two different hubs, with two EIGRP instances with different AS numbers. The spoke will have two different ISP connections and two different LAN interfaces. I want to segregate traffic. I am using an ASR 1000x series router for this purpose. Below is the config and some key points.

 

  1. DMVPN config is fine as tunnels are already up and working, but on different spoke routers, and I want to move them to one router, so the only focus here is VRF config
  2. I have free interfaces on the ASR 1000 so I am not going to create trunk and sub-interfaces
  3. I can create two VRFs to separate traffic from each other or I can create one VRF and that will isolate traffic anyway from another ISP and dynamic routing etc ?
  4. I am not adding any VRF config on the hub side and that should be ok ?
  5. ISP interfaces are also not added to VRF and that should be ok ?
  6. Added tunnel interfaces to VRF but not sure about using the command "tunnel vrf" on the tunnel.

 

ip vrf RED

ip vrf BLUE

interface GigabitEthernet0/0/1
 ip vrf forwarding RED
 ip address 10.225.254.8 255.255.255.240

interface GigabitEthernet0/0/2
 ip vrf forwarding BLUE
 ip address 172.23.0.68 255.255.255.240

ip route vrf RED 0.0.0.0 0.0.0.0 x.x.x.x
ip route vrf BLUE 0.0.0.0 0.0.0.0 x.x.x.x

router eigrp 120
 distribute-list prefix LocalRangesToAdvertiseOverDMVPN out Tunnel1
 distribute-list route-map IgnoreABCRoutesOriginallyFromXYZ out GigabitEthernet0/0/2
 network 172.18.1.0 0.0.0.255
 network 172.18.2.0 0.0.0.255
 network 172.23.0.64 0.0.0.15
 address-family ipv4 vrf BLUE

router eigrp testabc
 address-family ipv4 unicast autonomous-system 220
 address-family ipv4 vrf RED
  af-interface default
   passive-interface
  exit-af-interface
  af-interface Tunnel1
   no passive-interface
  exit-af-interface
  af-interface GigabitEthernet0/0/0
   no passive-interface
  exit-af-interface
  topology base
   distribute-list LocalRangesToAdvertiseOverDMVPN out Tunnel2
   redistribute static
   offset-list MakeThesePreferableThroughSQLTunnel out 10000 Tunnel2
  exit-af-topology
  network 10.24.136.0 0.0.0.255
  eigrp router-id x.x.x.x
 exit-address-family

interface Tunnel1
 description Data Tunnel
 ip vrf forwarding BLUE
 bandwidth 1000
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast x.x.x.x
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp network-id 83
 ip nhrp nhs x.x.x.x
 ip tcp adjust-mss 1360
 delay 500
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 83
 tunnel protection ipsec profile CoverTunnels
end

interface Tunnel2
 description User tunnel
 ip vrf forwarding RED
 bandwidth 600000
 ip address 10.24.137.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxx
 ip nhrp network-id 85
 ip nhrp nhs x.x.x.x nbma x.x.x.x multicast
 ip nhrp redirect
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 85
 tunnel protection ipsec profile CoverTunnels
 hold-queue 4096 in
 hold-queue 4096 out
end

 

2 Replies

Hi Junaid Shah,

3. I can create two VRFs to separate traffic from each other or I can create one VRF and that will isolate traffic anyway from another ISP and dynamic routing etc ?

- You need to create two VRFs, as you did in the config in your post, to segregate the traffic between customers.

4. I am not adding any VRF config on the hub side and that should be ok ?

- VRFs are locally significant to the router. If you want to segregate traffic at the hub side too, then you need to add VRFs at the hub side too.

5. ISP interfaces are also not added to VRF and that should be ok ?

- Yes, it will be OK. No need to worry about them.

6. Added tunnel interfaces to VRF but not sure about using the command "tunnel vrf" on the tunnel.

- The "tunnel vrf" command defines the fvrf. If you have any VRF defined on the ISP interface, then you need to define tunnel vrf. But in your scenario, there is no need to define that.

Spooster IT Services Team
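
An added example, not part of the original thread or either poster's configuration: a small Python check of the rule in the reply above, that "tunnel vrf" (the front-door VRF) has to match the VRF of the tunnel's source interface, plus a check that every VRF an interface references is actually defined (IOS VRF names are case-sensitive). The sample config, the interface names and the VRF name ISP-B are constructed for illustration, and the parser assumes full interface names.

```python
import re

# Constructed sample (not the poster's config). Tunnel10 is consistent;
# Tunnel20 has a wrong-case VRF name and is missing "tunnel vrf ISP-B".
SAMPLE = """\
ip vrf RED
ip vrf ISP-B
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/3
 ip vrf forwarding ISP-B
interface Tunnel10
 ip vrf forwarding RED
 tunnel source GigabitEthernet0/0/0
interface Tunnel20
 ip vrf forwarding red
 tunnel source GigabitEthernet0/0/3
"""
PATTERNS = {"ivrf": r"(?:ip )?vrf forwarding (\S+)$",
            "fvrf": r"tunnel vrf (\S+)$",
            "source": r"tunnel source (\S+)$"}

def parse(config):
    """Return (defined VRF names, {interface: {ivrf, fvrf, source}})."""
    vrfs, ifaces, cur = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(?:ip vrf|vrf definition) (\S+)$", line):
            vrfs.add(m.group(1))
            cur = None
        elif m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), dict.fromkeys(PATTERNS))
        elif cur is not None:
            for key, pat in PATTERNS.items():
                if m := re.match(pat, line):
                    cur[key] = m.group(1)
    return vrfs, ifaces

def audit(config):
    """List VRF problems that would break or weaken the segregation."""
    vrfs, ifaces = parse(config)
    findings = []
    for name, i in ifaces.items():
        for role in ("ivrf", "fvrf"):
            if i[role] and i[role] not in vrfs:  # IOS VRF names are case-sensitive
                findings.append(f"{name}: {role} '{i[role]}' is not a defined VRF")
        src = ifaces.get(i["source"])  # None for IP-address or unknown sources
        if src and src["ivrf"] != i["fvrf"]:
            findings.append(f"{name}: source {i['source']} is in VRF "
                            f"{src['ivrf'] or 'global'} but tunnel vrf is {i['fvrf'] or 'global'}")
    return findings

print(*audit(SAMPLE), sep="\n")
```

Tunnel10 passes because its source interface sits in the global table and no "tunnel vrf" is set, which is the situation the reply describes; both findings are for Tunnel20.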
