DMVPN With Multiple VRFs

From Baranoski.ca
Jump to: navigation, search

This is similar to Hosting Multiple DMVPNs. In that article, I wrote how a Cisco router can host multiple DMVPNs. This assumes that each spoke router only connects to one of the VRFs on the hub router(s). This time, I'll show how to set up multiple VRFs on the hub and the spoke. This would be useful in cases where separate but similar services need to be delivered to a site, for example data and voice access.

Spoke Config

First, define any VRFs:

ip vrf DATA
 rd 1:1
ip vrf VOICE
 rd 1:2

Next, set up your tunnel interfaces.

interface Tunnel2112
 description DMVPN TUNNEL TO OTHER SITES - DATA
 ip vrf forwarding DATA
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 2112
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 2112
 tunnel protection ipsec profile DMVPN_PROFILE shared
!
interface Tunnel3113
 description DMVPN TUNNEL TO OTHER SITES - VOICE
 ip vrf forwarding VOICE
 ip address 10.11.11.3 255.255.255.0
 ip nhrp map 10.11.11.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.11.11.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 3113
 ip nhrp nhs 10.11.11.1
 ip nhrp nhs 10.11.11.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 3113
 tunnel protection ipsec profile DMVPN_PROFILE shared

Note the differences between this and the standard config:

  • Each service is in a separate VRF
  • Both tunnel interfaces are using the same WAN IPs for the headends. They do have different private IPs mapped to them though.
  • Each service uses a separate network-id
  • Each service has a tunnel key assigned. The value of the key does not need to match the network-id number.
  • The tunnels are using the same WAN interface and the same IPSec profile.
  • The IPSec profile is shared

Hub Config

The hub config is set up identically, with the exception of not having a mapping for the remote sites.