VRF Series Article 4 – VRF-lite in a DMVPN Network

As we’ve progressed through the Segmenting Layer 3 Networks with VRFs series, we have continued to build out a network that looks more like what we would see within an enterprise environment. This post takes it one step further and leverages DMVPN (Dynamic Multipoint VPN) to extend the network securely over the public Internet. In the examples here we actually go one step beyond a typical DMVPN and map each VRF to its own tunnel, distinguished by the tunnel key. This allows the pci and data VRFs to maintain isolation across the VPN.

One more thing that we will do that isn’t related to the core requirement of segmenting pci from data is to use an F-VRF (front side VRF) on the DMVPN routers to isolate the Internet-facing interfaces that connect them to the public cloud. This is my preferred method for DMVPN deployment when I’m not doing split tunnelling (i.e. I am back-hauling all traffic to a central location).

As a prerequisite, I will go ahead and build out the Internet router and the interface on Main that connects to DMVPN-hub.

Internet

hostname Internet

interface gig2
 description to DMVPN-hub
 ip address 1.1.1.1 255.255.255.0
 no shut
 
interface gig3
 description to DMVPN-spoke
 ip address 1.1.2.1 255.255.255.0
 no shut

//unnecessary defaults removed
no router ospf 1
no router bgp 1 

Main

//interface toward DMVPN-hub
interface GigabitEthernet3
 description to DMVPN-hub
 no ip address 
 no ip ospf cost 1
 negotiation auto
 no shut

interface GigabitEthernet3.103
 description to DMVPN-hub data
 encapsulation dot1q 103
 vrf forwarding data
 ip address 10.100.131.1 255.255.255.0

interface GigabitEthernet3.203
 description to DMVPN-hub pci
 encapsulation dot1q 203
 vrf forwarding pci
 ip address 10.200.131.1 255.255.255.0

//eigrp changes -- addition of above networks
router eigrp NAMEDMODE
 !
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  network 10.100.131.0 0.0.0.255
 !
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  network 10.200.131.0 0.0.0.255

DMVPN-hub – base configuration (DMVPN will be a focus after we complete the base config)

//remove some VIRL Defaults
no router ospf 1
no router bgp 1
hostname DMVPN-hub
   
vrf definition internet
 !
 address-family ipv4
 exit-address-family

vrf definition data
 !
 address-family ipv4
 exit-address-family
 
vrf definition pci
 !
 address-family ipv4
 exit-address-family

interface gig2
 description to Internet
 vrf forwarding internet
 ip address 1.1.1.2 255.255.255.0
 no shut
!
ip route vrf internet 0.0.0.0 0.0.0.0 1.1.1.1 
 
interface GigabitEthernet3
 description to 410
 no ip address 
 no ip ospf cost 1
 negotiation auto
 no shut

interface GigabitEthernet3.103
 description to 410 data
 encapsulation dot1q 103
 vrf forwarding data
 ip address 10.100.131.2 255.255.255.0

interface GigabitEthernet3.203
 description to 410 pci
 encapsulation dot1q 203
 vrf forwarding pci
 ip address 10.200.131.2 255.255.255.0

router eigrp NAMEDMODE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  topology base
  exit-af-topology
 exit-address-family
 !
 
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.100.131.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.200.131.0 0.0.0.255

DMVPN-spoke – base configuration (DMVPN will be a focus after we complete the base config)

//remove unnecessary defaults
no router ospf 1
no router bgp 1

hostname DMVPN-spoke
   
vrf definition internet
 !
 address-family ipv4
 exit-address-family

vrf definition data
 !
 address-family ipv4
 exit-address-family
 
vrf definition pci
 !
 address-family ipv4
 exit-address-family
 
interface gig2
 description to Internet
 vrf forwarding internet
 ip address 1.1.2.2 255.255.255.0
 no shut
!
ip route vrf internet 0.0.0.0 0.0.0.0 1.1.2.1 
 
interface GigabitEthernet3
 description to Branch
 no ip address 
 no ip ospf cost 1
 negotiation auto
 no shut

interface GigabitEthernet3.103
 description to Branch data
 encapsulation dot1q 103
 vrf forwarding data
 ip address 10.100.132.1 255.255.255.0

interface GigabitEthernet3.203
 description to Branch pci
 encapsulation dot1q 203
 vrf forwarding pci
 ip address 10.200.132.1 255.255.255.0

//dhcp for the local clients
ip dhcp excluded-address vrf data 10.100.132.1 10.100.132.10
ip dhcp pool data-3
 vrf data
 network 10.100.132.0 255.255.255.0
 default-router 10.100.132.1

ip dhcp excluded-address vrf pci 10.200.132.1 10.200.132.10
ip dhcp pool pci-3
 vrf pci
 network 10.200.132.0 255.255.255.0
 default-router 10.200.132.1

//eigrp configuration
router eigrp NAMEDMODE
 !
 address-family ipv4 unicast autonomous-system 1
  !
  topology base
  exit-af-topology
 exit-address-family
 !
 
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.100.132.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  topology base
  exit-af-topology
  network 10.200.132.0 0.0.0.255
 exit-address-family

iosvl2-2 Configuration

hostname iosl2-2

vlan 103
 name data-3
vlan 203
 name pci-3
 
interface Gi0/1
 description to DMVPN-spoke
 switchport trunk encapsulation dot1q
 switchport mode trunk 
 no shut
interface Gi0/2
 description to data-3
 switchport mode access
 switchport access vlan 103
 spanning-tree portfast
interface Gi0/3
 description to pci-3
 switchport mode access
 switchport access vlan 203
 spanning-tree portfast
 no shut

data-3 and pci-3 (hosts)

//remove unnecessary defaults
no router bgp 1
no router ospf 1

//configure dhcp
interface GigabitEthernet0/1
 no ip ospf cost
 ip address dhcp
 no shut

Now we will get back into the core focus of this article and look at configuring VRF awareness with DMVPN. Most of the configuration is the same as found in any DMVPN configuration. The primary difference is that each tunnel interface carries a unique tunnel key. Since Tunnel101 and Tunnel102 share the same tunnel source and the same IPsec profile, the key is how the routers differentiate traffic belonging to the two tunnels.

DMVPN-hub — DMVPN Configuration

//configure the crypto -- the FVRF is internet
crypto keyring vpn vrf internet 
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile ikeprof
   keyring vpn
   match identity address 0.0.0.0 internet
!
!
crypto ipsec transform-set myset esp-des 
 mode transport
!
crypto ipsec profile myprof
 set transform-set myset 
 set isakmp-profile ikeprof

//configure the tunnel interfaces (notice the tunnel keys)
!
interface Tunnel101
 vrf forwarding data
 ip address 10.100.133.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source GigabitEthernet2
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared
!
interface Tunnel102
 vrf forwarding pci
 ip address 10.200.133.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source GigabitEthernet2
 tunnel mode gre multipoint
 tunnel key 102
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared

//configure eigrp and disable split horizon/next hop self

router eigrp NAMEDMODE
 !
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  af-interface Tunnel101
   no split-horizon
   no next-hop-self
  exit-af-interface
  network 10.100.133.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  af-interface Tunnel102
   no split-horizon
   no next-hop-self
  exit-af-interface
  network 10.200.133.0 0.0.0.255
 exit-address-family

DMVPN-spoke — DMVPN Configuration

//configure the crypto
crypto keyring vpn vrf internet 
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile ikeprof
   keyring vpn
   match identity address 0.0.0.0 internet
!
!
crypto ipsec transform-set myset esp-des 
 mode transport
!
!
crypto ipsec profile myprof
 set transform-set myset 
 set isakmp-profile ikeprof
!

//configure the tunnel interfaces -- note the tunnel key 
interface Tunnel101
 vrf forwarding data
 ip address 10.100.133.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 10.100.133.1 1.1.1.2
 ip nhrp map multicast 1.1.1.2
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 10.100.133.1
 ip nhrp registration timeout 30
 tunnel source GigabitEthernet2
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared
!
interface Tunnel102
 vrf forwarding pci
 ip address 10.200.133.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 10.200.133.1 1.1.1.2
 ip nhrp map multicast 1.1.1.2
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 10.200.133.1
 ip nhrp registration timeout 30
 tunnel source GigabitEthernet2
 tunnel mode gre multipoint
 tunnel key 102
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared

//add the tunnel networks into EIGRP processes
router eigrp NAMEDMODE
 !
 
 address-family ipv4 unicast vrf data autonomous-system 1
  !
  network 10.100.133.0 0.0.0.255
 exit-address-family
 !
 address-family ipv4 unicast vrf pci autonomous-system 1
  !
  network 10.200.133.0 0.0.0.255
 exit-address-family
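Because the isolation in this design rests on a handful of per-tunnel settings (the overlay VRF, the front side VRF for the underlay, a unique tunnel key, IPsec protection and NHRP authentication), it is worth checking them mechanically before trusting the ping tests. The script below is an added example and is not from this article or its VIRL files. It parses an IOS configuration in the form shown above and reports any tunnel that breaks one of those invariants, plus a missing default route in the F-VRF. The function names (`parse_tunnels`, `audit`), the front-door VRF name `internet` and the weak-cipher rule are the script's own assumptions, not something IOS enforces; the embedded sample is constructed after the hub configuration, with an AES transform set where the article uses `esp-des` (which the weak-cipher rule would flag).

```python
"""Audit an IOS DMVPN config for the VRF-to-tunnel invariants the design relies on.
Added example, not from the original article; the F-VRF name and the weak-cipher
rule are the auditor's assumptions, not IOS checks."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    name: str
    overlay_vrf: Optional[str] = None   # vrf forwarding <name>
    underlay_vrf: Optional[str] = None  # tunnel vrf <name>
    key: Optional[int] = None           # tunnel key <n>
    protected: bool = False             # tunnel protection ipsec profile ...
    nhrp_auth: bool = False             # ip nhrp authentication ...


def parse_tunnels(config: str) -> List[Tunnel]:
    """Walk the config stanza by stanza and collect the Tunnel interfaces."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # column 0: a new stanza; "!" closes the old one
            m = re.match(r"interface\s+(Tunnel\s*\d+)$", line, re.I)
            current = Tunnel(m.group(1).replace(" ", "")) if m else None
            if current:
                tunnels.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()
        if m := re.match(r"vrf forwarding (\S+)", cmd):
            current.overlay_vrf = m.group(1)
        elif m := re.match(r"tunnel vrf (\S+)", cmd):
            current.underlay_vrf = m.group(1)
        elif m := re.match(r"tunnel key (\d+)", cmd):
            current.key = int(m.group(1))
        elif cmd.startswith("tunnel protection ipsec profile"):
            current.protected = True
        elif cmd.startswith("ip nhrp authentication"):
            current.nhrp_auth = True
    return tunnels


def audit(config: str, fvrf: str = "internet") -> List[str]:
    """Return findings; an empty list means every invariant holds."""
    findings: List[str] = []
    default_vrfs = re.findall(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0", config, re.M)
    if fvrf not in default_vrfs:
        findings.append(f"front-door VRF {fvrf} has no default route")
    key_owner: Dict[int, str] = {}  # tunnel key -> first interface that claimed it
    for t in parse_tunnels(config):
        if t.overlay_vrf is None:
            findings.append(f"{t.name}: not in an overlay VRF (global table)")
        if t.underlay_vrf != fvrf:
            findings.append(f"{t.name}: underlay is {t.underlay_vrf}, expected {fvrf}")
        if t.key is None:
            findings.append(f"{t.name}: missing tunnel key")
        elif t.key in key_owner:
            findings.append(f"{t.name}: tunnel key {t.key} already used by {key_owner[t.key]}")
        else:
            key_owner[t.key] = t.name
        if not t.protected:
            findings.append(f"{t.name}: no IPsec tunnel protection")
        if not t.nhrp_auth:
            findings.append(f"{t.name}: no NHRP authentication")
    # Auditor's policy: DES and 3DES transform sets are reported as weak.
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if re.search(r"\besp-(3des|des)\b", m.group(2)):
            findings.append(f"transform-set {m.group(1)} uses a weak cipher: {m.group(2).strip()}")
    return findings


# Constructed sample modelled on the hub above, with AES in place of esp-des.
GOOD_HUB = """\
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
ip route vrf internet 0.0.0.0 0.0.0.0 1.1.1.1
interface Tunnel101
 vrf forwarding data
 ip nhrp authentication cisco
 tunnel key 101
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared
interface Tunnel102
 vrf forwarding pci
 ip nhrp authentication cisco
 tunnel key 102
 tunnel vrf internet
 tunnel protection ipsec profile myprof shared
"""
# A third tunnel left in the global table that reuses key 102 and has no protection.
BAD_HUB = GOOD_HUB + "interface Tunnel103\n tunnel key 102\n tunnel vrf internet\n"
```

Run `audit(GOOD_HUB)` for an empty list and `audit(BAD_HUB)` for four findings on Tunnel103. The parser only understands the column-0 / indented layout of a saved IOS config, so feed it `show running-config` output rather than hand-typed shorthand.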

At this point our topology SHOULD be properly configured and allow communication only inside of the data and pci VRFs (and access to shared from everywhere).

Validation from data-3

//test to shared
data-3#ping 10.199.199.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.199.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms

//test to data
data-3#ping 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/21/33 ms

//test to pci
data-3#ping 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Validation from pci-3

//testing to shared
pci-3#ping 10.199.199.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.199.199.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/14 ms

//testing to pci
pci-3#ping 10.200.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.129.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms

//testing to data
pci-3#ping 10.100.129.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.129.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

As can be seen from the testing, the pci and data networks are reachable end-to-end. Additionally, the shared network is accessible from both pci and data while isolation has been maintained between pci and data.
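The ping tests above are a manual reachability matrix: each VRF should reach itself and shared, and nothing should cross between data and pci. The script below is an added example, not part of the original article; it turns that policy into a check that can be re-run against captured ping transcripts after every change. The prefix-to-VRF map, the host-to-VRF map and the function names (`parse_pings`, `check`) are assumptions taken from the addressing used in this series, and the transcript embedded in it is constructed in the shape of the output above, with a second copy altered to show what a leak between the VRFs would look like.

```python
"""Check IOS ping transcripts from VRF hosts against the intended segmentation policy.
Added example, not from the original article; prefix and host maps are assumed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Which VRF each prefix belongs to (assumed from the series' addressing plan).
PREFIX_VRF = {
    ipaddress.ip_network("10.100.0.0/16"): "data",
    ipaddress.ip_network("10.200.0.0/16"): "pci",
    ipaddress.ip_network("10.199.199.0/24"): "shared",
}
# Which VRF each test host sits in (assumed from the branch VLANs above).
HOST_VRF = {"data-3": "data", "pci-3": "pci"}


def vrf_of(ip: str) -> str:
    """Map a destination address to its VRF; prefixes above do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, vrf in PREFIX_VRF.items():
        if addr in net:
            return vrf
    raise ValueError(f"{ip} is not in any known VRF prefix")


def allowed(src_vrf: str, dst_vrf: str) -> bool:
    """Policy: a VRF reaches itself and shared; nothing crosses data <-> pci."""
    return dst_vrf == "shared" or src_vrf == dst_vrf


def parse_pings(output: str) -> List[Tuple[str, str, bool]]:
    """Pull (host, destination, reachable) triples out of IOS ping transcripts."""
    results: List[Tuple[str, str, bool]] = []
    host = dst = None
    for line in output.splitlines():
        m = re.match(r"(\S+)#ping (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            host, dst = m.groups()
            continue
        m = re.match(r"Success rate is (\d+) percent", line)
        if m and host:
            results.append((host, dst, int(m.group(1)) > 0))
            host = dst = None
    return results


def check(output: str, host_vrf: Dict[str, str] = HOST_VRF) -> List[str]:
    """Report leaks (reachable but forbidden) and breaks (allowed but unreachable)."""
    violations: List[str] = []
    for host, dst, reachable in parse_pings(output):
        src, dst_vrf = host_vrf[host], vrf_of(dst)
        expected = allowed(src, dst_vrf)
        if reachable and not expected:
            violations.append(f"LEAK: {host} ({src}) reached {dst} ({dst_vrf})")
        elif expected and not reachable:
            violations.append(f"BROKEN: {host} ({src}) cannot reach {dst} ({dst_vrf})")
    return violations


# Constructed transcript in the shape of the validation output above.
EXPECTED_RUN = """\
data-3#ping 10.199.199.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
data-3#ping 10.100.129.11
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/21/33 ms
data-3#ping 10.200.129.11
Success rate is 0 percent (0/5)
pci-3#ping 10.199.199.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/14 ms
pci-3#ping 10.200.129.11
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
pci-3#ping 10.100.129.11
Success rate is 0 percent (0/5)
"""
# The same run as it would look if a route had leaked from pci into data.
LEAKY_RUN = EXPECTED_RUN.replace(
    "data-3#ping 10.200.129.11\nSuccess rate is 0 percent (0/5)",
    "data-3#ping 10.200.129.11\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 20/22/25 ms")
```

`check(EXPECTED_RUN)` returns an empty list, while `check(LEAKY_RUN)` returns a single `LEAK` entry for data-3 reaching the pci host. A successful ping counts as reachable even at a partial success rate, since any reply across VRFs is a leak; ICMP alone does not prove the absence of other paths, so the test complements rather than replaces a review of the routing tables per VRF.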

The configuration and VIRL files can be found at the URL below. Note that the VIRL topology is all-inclusive, but we have yet to cover and configure the asav-1 component.

Conclusion

This article demonstrated the capability of maintaining isolation and segmentation by combining VRF capabilities into normal DMVPN functionality. This provides a method for extending and isolating areas of a given enterprise network. These tools may be used together in various ways to achieve the organizational objectives as it relates to security, policy and segmentation.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.