VRF Aware DMVPN

Last updated: December 22, 2018

You must load the initial configuration files for the section, DMVPN, which can be found in CCIE R&S v5 Topology Diagrams & Initial Configurations.

Task

  • Configure VRFs as follows:
    • Create a VRF named UNDERLAY_TRANSPORT on R5, R6, and R9.
    • Use the RD 1:1.
    • Assign the VRF on R5's link to R4.
    • Assign the VRF on R6's links to R1 and R7.
    • Assign the VRF on R9's link to R7.
    • Create a new Loopback on R6 with the address 6.6.6.6/32 and assign it to the VRF.
    • Configure R5 with a static default route in the VRF pointing to R4.
    • Configure R9 with a static default route in the VRF pointing to R7.
  • Configure BGP routing as follows:
    • R1 and R4 are in AS 100.
    • R3 and R7 are in AS 200.
    • R6 is in AS 6.
    • R1 and R4 should peer iBGP.
    • R3 and R7 should peer iBGP.
    • R1 and R3 should peer EBGP.
    • R6 should peer EBGP with R1 and R7, and use BFD for fast failure detection.
    • R4 should advertise the link to R5 into BGP.
    • R6 should advertise its Loopback 6.6.6.6/32 into BGP.
    • R7 should advertise the link to R9 into BGP.
  • Create a DMVPN Phase 3 network between R5, R6, and R9 as follows:
    • R5 and R9 are the DMVPN spokes, and should source the tunnel from their VRF enabled interfaces.
    • R6 is the DMVPN Hub, and should source the tunnel from its Loopback 6.6.6.6/32.
    • Use IP addressing in the format 155.1.0.Y/24, where Y is the router number.
    • Use an NHRP network ID of 1.
    • Use an NHRP authentication string of NHRPAUTH.
    • Use GRE tunnel key of 2.
    • Configure the DMVPN Hub to redirect NHRP requests for spoke-to-spoke resolutions.
    • Configure the DMVPN Spokes to be able to install NHRP shortcut routes for spoke-to-spoke routing.
    • Ensure that the spokes can send multicast traffic to the hub, and vice versa.
    • To prevent the tunnel endpoints from having to do IPsec fragmentation, configure the GRE tunnel's IP MTU to 1400 bytes, and set them to adjust the TCP MSS accordingly.
  • Configure IGP routing over the DMVPN tunnel as follows:
    • Enable EIGRP in Multi-AF mode using AS 100 on the DMVPN tunnel interfaces.
    • Advertise the DMVPN routers' Loopback0 networks into EIGRP.
    • Configure R6 to advertise only a default route out the DMVPN tunnel.
  • Configure IPsec over the DMVPN tunnels as follows:
    • Use an ISAKMP Policy with the following options:
      • Pre-Shared Key: DMVPN_PSK
      • Encryption: AES 128 Bit
      • Hash: SHA 256 Bit
      • Diffie-Hellman Group: 16
      • Use a single VRF-aware wildcard Pre-Shared Key for all DMVPN peers.
    • Use a Crypto IPsec Profile named DMVPN_PROFILE with the following options:
      • Encrypt the traffic using AES 256 Bit.
      • Authenticate the traffic using SHA 512 Bit.
      • Use ESP Transport mode to save additional encapsulation overhead.
  • When complete, ensure that R5, R6, and R9 can reach each other's Loopback0 networks over the DMVPN network, and that spoke-to-spoke traffic does not transit the hub.
  • Additionally, ensure that spoke-to-hub and spoke-to-spoke reachability is maintained if R6 loses its peerings to either AS 100 or AS 200.

Configuration

R1:
interface GigabitEthernet1.146
 bfd interval 250 min_rx 250 multiplier 4
!
router bgp 100
 neighbor 155.1.13.3 remote-as 200
 neighbor 155.1.146.6 remote-as 6
 neighbor 155.1.146.6 fall-over bfd
 neighbor 169.254.100.4 remote-as 100
 neighbor 169.254.100.4 next-hop-self

R3:
router bgp 200
 neighbor 155.1.13.1 remote-as 100
 neighbor 155.1.37.7 remote-as 200
 neighbor 155.1.37.7 next-hop-self

R4:
router bgp 100
 network 155.1.45.0 mask 255.255.255.0
 neighbor 169.254.100.1 remote-as 100
 neighbor 169.254.100.1 next-hop-self

R5:
vrf definition UNDERLAY_TRANSPORT
 rd 1:1
 !
 address-family ipv4
 exit-address-family
! 
crypto keyring VRF_AWARE_PSK vrf UNDERLAY_TRANSPORT 
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 16
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512 
!
interface Tunnel0
 ip address 155.1.0.5 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.6 6.6.6.6
 ip nhrp map multicast 6.6.6.6
 ip nhrp network-id 1
 ip nhrp nhs 155.1.0.6
 ip nhrp shortcut
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.45
 tunnel mode gre multipoint
 tunnel key 2
 tunnel vrf UNDERLAY_TRANSPORT
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet1.45
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 155.1.45.5 255.255.255.0
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family
!
ip route vrf UNDERLAY_TRANSPORT 0.0.0.0 0.0.0.0 155.1.45.4

R6:
vrf definition UNDERLAY_TRANSPORT
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
crypto keyring VRF_AWARE_PSK vrf UNDERLAY_TRANSPORT 
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 16
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512 
!
interface Loopback6
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 6.6.6.6 255.255.255.255
!
interface Tunnel0
 ip address 155.1.0.6 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 6.6.6.6
 tunnel mode gre multipoint
 tunnel key 2
 tunnel vrf UNDERLAY_TRANSPORT
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet1.67
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 155.1.67.6 255.255.255.0
 bfd interval 250 min_rx 250 multiplier 4
!
interface GigabitEthernet1.146
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 155.1.146.6 255.255.255.0
 bfd interval 250 min_rx 250 multiplier 4
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
   summary-address 0.0.0.0 0.0.0.0
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family
!
router bgp 6
 !
 address-family ipv4 vrf UNDERLAY_TRANSPORT
  network 6.6.6.6 mask 255.255.255.255
  neighbor 155.1.67.7 remote-as 200
  neighbor 155.1.67.7 fall-over bfd
  neighbor 155.1.67.7 activate
  neighbor 155.1.146.1 remote-as 100
  neighbor 155.1.146.1 fall-over bfd
  neighbor 155.1.146.1 activate
 exit-address-family

R7:
interface GigabitEthernet1.67
 bfd interval 250 min_rx 250 multiplier 4
!
router bgp 200
 network 155.1.79.0 mask 255.255.255.0
 neighbor 155.1.37.3 remote-as 200
 neighbor 155.1.67.6 remote-as 6
 neighbor 155.1.67.6 fall-over bfd

R9:
vrf definition UNDERLAY_TRANSPORT
 rd 1:1
 !
 address-family ipv4
 exit-address-family
! 
crypto keyring VRF_AWARE_PSK vrf UNDERLAY_TRANSPORT 
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 16
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac 
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set ESP-AES-256-SHA-512 
!
interface Tunnel0
 ip address 155.1.0.9 255.255.255.0
 ip nhrp authentication NHRPAUTH
 ip nhrp map 155.1.0.6 6.6.6.6
 ip nhrp map multicast 6.6.6.6
 ip nhrp network-id 1
 ip nhrp nhs 155.1.0.6
 ip nhrp shortcut
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1.79
 tunnel mode gre multipoint
 tunnel key 2
 tunnel vrf UNDERLAY_TRANSPORT
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface GigabitEthernet1.79
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 155.1.79.9 255.255.255.0
!
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 100
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel0
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 150.1.0.0
  network 155.1.0.0
 exit-address-family
!
ip route vrf UNDERLAY_TRANSPORT 0.0.0.0 0.0.0.0 155.1.79.7
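The MTU and MSS values in the tunnel configurations above are not arbitrary. As an added worked example (not part of the original lab or its configurations), the following Python script computes the on-the-wire size of a DMVPN packet for the transform set used here (AES-CBC with esp-sha512-hmac, mGRE with a tunnel key, ESP transport mode) and derives the MSS that matches ip mtu 1400. It assumes a 1500-byte underlay path MTU, an IPv4 underlay without NAT traversal, and the ICV truncation lengths from RFC 4868; the constant and function names are this example's own.

```python
"""Added worked example (not part of the original lab page): size a DMVPN
packet on the wire for the transform set and tunnel mode used in this lab,
and derive the TCP MSS that goes with `ip mtu 1400`.

Assumptions, labelled: IPv4 underlay, no NAT traversal (no UDP/4500 header),
AES-CBC (16-byte IV and block), GRE carrying a `tunnel key` (4-byte base
header plus 4-byte key field), ESP ICV lengths per RFC 4868 truncation.
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_BASE = 4        # flags/version + protocol type
GRE_KEY = 4         # present because the lab sets `tunnel key 2`
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
AES_BLOCK = 16
AES_CBC_IV = 16
ICV_BYTES = {       # ESP integrity check value sizes, keyed by the IOS transform name
    "esp-sha-hmac": 12,      # HMAC-SHA1-96
    "esp-sha256-hmac": 16,   # HMAC-SHA-256-128
    "esp-sha384-hmac": 24,   # HMAC-SHA-384-192
    "esp-sha512-hmac": 32,   # HMAC-SHA-512-256
}


def esp_padding(plaintext_len, block=AES_BLOCK):
    """Bytes of ESP padding so that plaintext + pad + 2-byte trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def dmvpn_wire_size(ip_mtu, mode="transport", auth="esp-sha512-hmac", gre_key=True):
    """Outer IPv4 packet length for an inner IP packet of ip_mtu bytes sent over
    mGRE + ESP. Transport mode protects the GRE packet and reuses the GRE delivery
    IP header; tunnel mode wraps the whole GRE packet in a second IP header."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode {mode!r}")
    plaintext = ip_mtu + GRE_BASE + (GRE_KEY if gre_key else 0)
    if mode == "tunnel":
        plaintext += IPV4_HDR            # original delivery header becomes ESP payload
    encrypted = plaintext + esp_padding(plaintext) + ESP_TRAILER
    return IPV4_HDR + ESP_HDR + AES_CBC_IV + encrypted + ICV_BYTES[auth]


def tcp_mss_for(ip_mtu):
    """MSS matching `ip tcp adjust-mss`: the tunnel IP MTU minus IPv4 and TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def largest_inner_mtu(path_mtu=1500, **kwargs):
    """Largest `ip mtu` whose encrypted GRE packet still fits the underlay path MTU."""
    mtu = path_mtu
    while mtu > 0 and dmvpn_wire_size(mtu, **kwargs) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} ip mtu 1400 -> {dmvpn_wire_size(1400, mode=mode)} bytes on the wire, "
              f"largest ip mtu for a 1500-byte path = {largest_inner_mtu(mode=mode)}")
    print("tcp adjust-mss for ip mtu 1400 =", tcp_mss_for(1400))
```

With these headers a 1400-byte inner packet comes out at exactly 1500 bytes in transport mode, while the same transform set in tunnel mode would produce 1516 bytes and force the tunnel endpoints to fragment. The largest inner MTU that still fits a 1500-byte path is 1414 in transport mode but only 1394 in tunnel mode, which is why the task pairs transport mode with a 1400-byte IP MTU and an MSS of 1360.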

Verification

This example demonstrates VRF-aware IPsec with DMVPN, often referred to as a "Front Door VRF" (FVRF) design. The underlay transport routing, which is used only to reach the tunnel endpoints and bring up the NHRP and IPsec control plane, lives in the UNDERLAY_TRANSPORT VRF, while the overlay routing learned through the DMVPN tunnel lives in the global table, so the two never compete for the same prefixes. That is what allows the spokes to use a simple static default route out the underlay while also learning a default route dynamically over the tunnel from the hub: the two default routes exist in different routing tables. Note also that the wildcard pre-shared key (address 0.0.0.0 0.0.0.0) means every peer in the FVRF authenticates with the same secret; that keeps the lab simple, but a compromised spoke then holds the key for the entire DMVPN, which is why production deployments prefer per-peer keys or certificate-based IKE authentication.

In the output below, R5, a DMVPN spoke, has a static default route in the UNDERLAY_TRANSPORT table pointing to R4, while its global table learns a default route over Tunnel0 from the hub via EIGRP. Because the tunnel source and the NHRP (NBMA) destination addresses are in the VRF rather than the global table, the tunnel vrf command is required under Tunnel0; for the same reason the pre-shared key is held in a crypto keyring bound to the VRF, since IKE for these peers is negotiated inside UNDERLAY_TRANSPORT and a plain global crypto isakmp key would not be consulted.

R5#show ip route vrf *
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 155.1.0.6 to network 0.0.0.0

D*    0.0.0.0/0 [90/76800640] via 155.1.0.6, 1d01h, Tunnel0
      150.1.0.0/32 is subnetted, 1 subnets
C        150.1.5.5 is directly connected, Loopback0
      155.1.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        155.1.0.0/24 is directly connected, Tunnel0
L        155.1.0.5/32 is directly connected, Tunnel0
C        155.1.5.0/24 is directly connected, GigabitEthernet1.5
L        155.1.5.5/32 is directly connected, GigabitEthernet1.5
C        155.1.58.0/24 is directly connected, GigabitEthernet1.58
L        155.1.58.5/32 is directly connected, GigabitEthernet1.58
      169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        169.254.100.0/24 is directly connected, GigabitEthernet1.100
L        169.254.100.5/32 is directly connected, GigabitEthernet1.100

Routing Table: UNDERLAY_TRANSPORT
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 155.1.45.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 155.1.45.4
      155.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        155.1.45.0/24 is directly connected, GigabitEthernet1.45
L        155.1.45.5/32 is directly connected, GigabitEthernet1.45

Because the DMVPN is configured for Phase 3, spoke-to-spoke traffic transits the hub only for the first few packets. When the hub sees traffic enter and leave the same tunnel interface, it sends an NHRP redirect to the source spoke; the spoke then resolves the remote spoke's NBMA address and installs a more specific NHRP shortcut route (code H, administrative distance 250) that bypasses the hub, as seen below.

R5#show ip route 150.1.9.9
% Subnet not in table

R5#ping 150.1.9.9 source 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/38/84 ms

R5#show ip route 150.1.9.9
Routing entry for 150.1.9.9/32
  Known via "nhrp", distance 250, metric 1
  Last update from 155.1.0.9 on Tunnel0, 00:00:38 ago
  Routing Descriptor Blocks:
  * 155.1.0.9, from 155.1.0.9, 00:00:38 ago, via Tunnel0
      Route metric is 1, traffic share count is 1
      MPLS label: none

Before any of R6's links to its BGP providers fail, R9 reaches R6's underlay (tunnel source) address 6.6.6.6 over the shortest path, directly through R7.

R9#traceroute vrf UNDERLAY_TRANSPORT 6.6.6.6
Type escape sequence to abort.
Tracing the route to 6.6.6.6
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.79.7 4 msec 1 msec 1 msec
  2 155.1.67.6 1 msec *  2 msec

Next, R6's link to R7 is shut down to simulate a failure. Because the BGP session is tied to BFD with fall-over bfd, R7 tears the session down as soon as BFD detects the loss (250 ms intervals with a multiplier of 4, so roughly one second) rather than waiting for the BGP hold timer, and withdraws 6.6.6.6/32 from that path.

R6#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#int gig1.67
R6(config-subif)#shut
R6(config-subif)#

R7#
%BGP-5-NBR_RESET: Neighbor 155.1.67.6 reset (BFD adjacency down)
%BGP-5-ADJCHANGE: neighbor 155.1.67.6 Down BFD adjacency down
%BGP_SESSION-5-ADJCHANGE: neighbor 155.1.67.6 IPv4 Unicast topology base removed from session  BFD adjacency down

Because the BGP session fails over quickly and the tunnel is sourced from Loopback6 rather than from the failed link, neither the IKE/IPsec security associations nor the NHRP registrations are disturbed, and the EIGRP adjacency between the spokes and the hub does not flap. The tunnel traffic simply follows the new underlay path, through R3 and R1 to R6's remaining link into AS 100. Without BFD, the R6-R7 session would have stayed up until the BGP hold timer expired (180 seconds by default), during which R9's traffic to the hub would have been black-holed and the EIGRP neighborship could have timed out.

R9#traceroute vrf UNDERLAY_TRANSPORT 6.6.6.6
Type escape sequence to abort.
Tracing the route to 6.6.6.6
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.79.7 3 msec 1 msec 1 msec
  2 155.1.37.3 1 msec 1 msec 1 msec
  3 155.1.13.1 1 msec 1 msec 7 msec
  4 155.1.146.6 10 msec *  2 msec

The end result is that spoke-to-spoke traffic is not affected by the hub's link failure, as long as the spokes' EIGRP adjacency to the hub stays up. The NHRP shortcut route and the spoke-to-spoke IPsec SA are established directly between R5 and R9, so they depend only on the spokes' own underlay paths through R4 and R7, not on the hub's.

R9#ping 150.1.5.5 source 150.1.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/104/196 ms

R9#traceroute 150.1.5.5 source 150.1.9.9
Type escape sequence to abort.
Tracing the route to 150.1.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.0.5 5 msec *  3 msec