08-19-2015 04:29 AM - edited 02-21-2020 08:24 PM
Hello everyone!
I came to know that we can use the same public IP for creating multiple tunnels to different sites, either using crypto maps with multiple entries, each referencing a particular tunnel, or using VRF-aware IPsec, but I would like to know what the differences / advantages / caveats are.
Thanks for your time
Murali.
08-19-2015 07:48 AM
Murali
As far as I understand it, the feature basically allows you to have multiple IPSEC tunnels where the traffic within the tunnel, i.e. the source and destination IPs of the end devices, can be in different VRFs.
So it works primarily with MPLS VPNs, i.e. if you had multiple MPLS VPNs each with their own VRF you could then run IPSEC tunnels across the MPLS network and when the packets are received they are automatically in the correct VRF.
You couldn't do this with normal crypto maps, i.e. you could still terminate multiple IPSEC tunnels on one public IP but the traffic would then all be in the same global routing table.
So the advantage is primarily the same as you get with any VRF setup, i.e. logical separation of traffic on a single device.
Can't really say much about caveats as I have never used it, but there are certain restrictions.
See this link for full details -
Jon
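To make the distinction in the answer above concrete, here is an added IOS configuration example (it is not from Jon's post or from any Cisco document): one public interface in the global table, two IPsec peers terminating on that single public IP, and each peer's decrypted traffic placed in its own VRF by the `vrf` line of its ISAKMP profile. All VRF names, interface names, addresses (RFC 5737 documentation ranges), prefixes and pre-shared keys are placeholders, and the example assumes the two customers' prefixes do not overlap.

```cisco
! Added example (not from the thread): one public interface in the global table,
! two IPsec peers, each customer's cleartext traffic landed in its own VRF.
! All names, addresses (RFC 5737 ranges) and keys are placeholders.
!
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! Inside interfaces, one per customer VRF
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CUST-A
 ip address 10.1.0.1 255.255.0.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding CUST-B
 ip address 10.2.0.1 255.255.0.0
!
! Phase 1: one keyring per peer. The public interface is in the global table
! (front-door VRF = global), so the keyrings carry no "vrf" keyword.
crypto keyring KR-CUST-A
 pre-shared-key address 203.0.113.10 key REPLACE-ME-A
crypto keyring KR-CUST-B
 pre-shared-key address 203.0.113.20 key REPLACE-ME-B
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The "vrf" line is what makes this VRF-aware: it sets the inside VRF (iVRF)
! that decrypted packets from this peer are placed in. Without it the same
! crypto map still works, but every tunnel's traffic lands in the global table.
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 keyring KR-CUST-A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF-CUST-B
 vrf CUST-B
 keyring KR-CUST-B
 match identity address 203.0.113.20 255.255.255.255
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACLs are evaluated on the global-facing interface; this example
! assumes the two customers' prefixes do not overlap.
ip access-list extended CRYPTO-CUST-A
 permit ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.255.255
ip access-list extended CRYPTO-CUST-B
 permit ip 10.2.0.0 0.0.255.255 10.102.0.0 0.0.255.255
!
! One crypto map, one entry per peer, each bound to its own ISAKMP profile
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256
 set isakmp-profile PROF-CUST-A
 match address CRYPTO-CUST-A
crypto map CM-OUTSIDE 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES256
 set isakmp-profile PROF-CUST-B
 match address CRYPTO-CUST-B
!
interface GigabitEthernet0/0
 description Public interface, global routing table
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-OUTSIDE
!
! Each VRF needs a route for the remote site that points at the global
! next hop ("global" keyword) so packets reach the crypto-map interface.
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route vrf CUST-A 10.101.0.0 255.255.0.0 198.51.100.254 global
ip route vrf CUST-B 10.102.0.0 255.255.0.0 198.51.100.254 global
```

After both peers come up, `show crypto session` lists the two peers against the one public address, and `show ip route vrf CUST-A` versus `show ip route vrf CUST-B` shows that each customer's remote prefix is reachable only from its own table. Removing the `vrf` line from a profile and re-establishing that tunnel is a quick way to see the "plain crypto map" behaviour Jon describes: the tunnel still forms, but its cleartext traffic is then routed in the global table.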
08-19-2015 10:47 PM
Hi Jon,
Thank you! So the use case for VRF-aware IPsec could be an ISP supporting multiple clients; it makes sense to have different routing tables for each customer.
Murali