10-10-2017 02:16 AM - edited 03-12-2019 04:36 AM
Hi everyone,
I am reaching out to get your opinion on my config below. What I want to achieve is a spoke having two VRFs and two tunnels pointing to two different hubs, and two EIGRP instances with different AS numbers. The spoke will have two different ISP connections and two different LAN interfaces. I want to segregate traffic. I am using an ASR 1000x series router for this purpose. Below is the config and some key points.
ip vrf RED
ip vrf BLUE
interface GigabitEthernet0/0/1
ip vrf forwarding RED
ip address 10.225.254.8 255.255.255.240
interface GigabitEthernet0/0/2
ip vrf forwarding BLUE
ip address 172.23.0.68 255.255.255.240
ip route vrf RED 0.0.0.0 0.0.0.0 x.x.x.x
ip route vrf BLUE 0.0.0.0 0.0.0.0 x.x.x.x
router eigrp 120
distribute-list prefix LocalRangesToAdvertiseOverDMVPN out Tunnel1
distribute-list route-map IgnoreABCRoutesOriginallyFromXYZ out GigabitEthernet0/0/2
network 172.18.1.0 0.0.0.255
network 172.18.2.0 0.0.0.255
network 172.23.0.64 0.0.0.15
address-family ipv4 vrf BLUE
router eigrp testabc
address-family ipv4 unicast autonomous-system 220
address-family ipv4 vrf RED
af-interface default
passive-interface
exit-af-interface
af-interface Tunnel1
no passive-interface
exit-af-interface
af-interface GigabitEthernet0/0/0
no passive-interface
exit-af-interface
topology base
distribute-list LocalRangesToAdvertiseOverDMVPN out Tunnel2
redistribute static
offset-list MakeThesePreferableThroughSQLTunnel out 10000 Tunnel2
exit-af-topology
network 10.24.136.0 0.0.0.255
eigrp router-id x.x.x.x
exit-address-family
interface Tunnel1
description Data Tunnel
ip vrf forwarding BLUE
bandwidth 1000
ip address x.x.x.x 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxxxxx
ip nhrp map multicast x.x.x.x
ip nhrp map x.x.x.x x.x.x.x
ip nhrp network-id 83
ip nhrp nhs x.x.x.x
ip tcp adjust-mss 1360
delay 500
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 83
tunnel protection ipsec profile CoverTunnels
end
interface Tunnel2
description User tunnel
ip vrf forwarding red
bandwidth 600000
ip address 10.24.137.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxxx
ip nhrp network-id 85
ip nhrp nhs x.x.x.x nbma x.x.x.x multicast
ip nhrp redirect
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 85
tunnel protection ipsec profile CoverTunnels
hold-queue 4096 in
hold-queue 4096 out
end
10-11-2017 12:07 PM
Hi Junaid Shah,
3. I can create two VRFs to separate traffic from each other or I can create one VRF and that will isolate traffic anyway from another ISP and dynamic routing etc.?
- You need to create two VRFs, as you did in the config in your post, to segregate the traffic between customers.
4. I am not adding any VRF config on the hub side and that should be ok?
- VRFs are locally significant to the router. If you want to segregate traffic at the HUB side too, then you need to add VRFs at the HUB side too.
5. ISP interfaces are also not added to VRF and that should be ok?
- Yes. It will be ok. No need to worry about them.
6. Added tunnel interfaces to VRF but not sure about using the command "tunnel vrf" on the tunnel.
- The "tunnel vrf" command defines the fvrf. If you have any vrf defined at the ISP interface then you need to define tunnel vrf. But in your scenario, there is no need to define that.
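The rule in the reply above (set "tunnel vrf" when the ISP-facing tunnel source interface is itself in a VRF) can be checked mechanically against a saved config. This is an added example, not part of the thread or of any Cisco tool; the sample config, the front-door VRF name INET and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the poster's config); INET is a hypothetical front-door VRF.
SAMPLE = """\
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/3
 ip vrf forwarding INET
interface Tunnel1
 ip vrf forwarding BLUE
 tunnel source GigabitEthernet0/0/3
 tunnel vrf INET
interface Tunnel2
 ip vrf forwarding RED
 tunnel source GigabitEthernet0/0/0
interface Tunnel3
 ip vrf forwarding RED
 tunnel source GigabitEthernet0/0/3
"""

PATTERNS = {"vrf": r"(?:ip )?vrf forwarding (\S+)", "fvrf": r"tunnel vrf (\S+)",
            "source": r"tunnel source (\S+)"}

def parse_interfaces(config):
    """Map interface name -> {'vrf', 'fvrf', 'source'} (None when not configured)."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], dict.fromkeys(PATTERNS))
        elif line in ("!", "end") or line.startswith("router "):
            current = None  # left interface configuration mode
        elif current is not None:
            for key, pattern in PATTERNS.items():
                match = re.fullmatch(pattern, line)
                if match:
                    current[key] = match.group(1)  # VRF names compared case-sensitively
    return interfaces

def audit_tunnels(config):
    """Return (tunnel, message) where 'tunnel vrf' differs from the source interface's VRF."""
    interfaces, findings = parse_interfaces(config), []
    for name, tun in interfaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        source = interfaces.get(tun["source"])
        if source is None:
            findings.append((name, f"tunnel source {tun['source']} not found in this config"))
        elif source["vrf"] != tun["fvrf"]:
            findings.append((name, f"source VRF: {source['vrf'] or 'global'}; tunnel vrf: {tun['fvrf'] or 'not set'}"))
    return findings
```

Tunnel2 matches the scenario in the thread (ISP interface in the global table, no "tunnel vrf" needed); only Tunnel3, whose source sits in a VRF without a matching "tunnel vrf", is reported.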