Friday, October 2, 2015

DM-VPN VRF aware

Network topology:


R4 is the SP router/cloud with no special configuration; R1 is the hub, while R2 and R3 are the spokes.

R1 (Hub) Configuration:
ip vrf LOCALSP
 rd 1:100
!
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.24.2 key cisco2
  pre-shared-key address 10.1.34.3 key cisco3
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 10.1.24.2 255.255.255.255 LOCALSP
   match identity address 10.1.34.3 255.255.255.255 LOCALSP
   local-address FastEthernet0/0
!
crypto ipsec transform-set CCIEXFORM esp-aes
 mode transport
!
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
 set isakmp-profile ISAKMPPROFILE
!
interface Loopback0
 ip address 192.168.11.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1380
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.14.1 255.255.255.0
!
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 123
  !
  af-interface Tunnel0
   no next-hop-self
   no split-horizon
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 172.16.0.1 0.0.0.0
  network 192.168.11.1 0.0.0.0
 exit-address-family
!
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 10.1.14.4

R2 (Spoke) Configuration:
ip vrf LOCALSP
 rd 2:100
!
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.14.1 key cisco2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
   local-address FastEthernet0/0
!
crypto ipsec transform-set CCIEXFORM esp-aes
 mode transport
!
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
 set isakmp-profile ISAKMPPROFILE
!
interface Loopback0
 ip address 192.168.12.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1 nbma 10.1.14.1 multicast
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1380
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf LOCALSP
 tunnel protection ipsec profile DMVPNPROFILE
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.24.2 255.255.255.0
!
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 123
  !
  topology base
  exit-af-topology
  network 172.16.0.2 0.0.0.0
  network 192.168.12.1 0.0.0.0
 exit-address-family
!
ip route vrf LOCALSP 0.0.0.0 0.0.0.0 10.1.24.4

A few notes to pay attention to:

tunnel vrf <VRF_NAME> tells the GRE tunnel to look up its source/destination (NBMA) addresses in that VRF's routing table.

ip vrf forwarding <VRF_NAME> under an interface (here FastEthernet0/0, the tunnel source on both routers) binds that interface into the VRF routing table.

I've used a different pre-shared key for each spoke, which can be replaced with 0.0.0.0 to match all identities/addresses.

Make sure the NBMA IP addresses can ping each other.
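Most VRF-aware DMVPN failures come from one of the pieces above disagreeing with another: the tunnel source interface sits in the VRF but tunnel vrf is missing, the keyring is scoped to a different VRF than the tunnel, the spoke's NHS nbma address is not the hub's tunnel source, or the two keyrings hold different keys for each other. The following script is an added example and not part of the original post; it parses trimmed, constructed copies of the R1 and R2 configurations above (the names HUB_CONFIG, SPOKE_CONFIG, describe and audit_pair are assumptions of this example) and reports any such inconsistency before you even try to bring the tunnel up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, trimmed copies of the R1 (hub) and R2 (spoke) configurations
# from the post; only the lines the checks below inspect are kept.
HUB_CONFIG = """\
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.24.2 key cisco2
  pre-shared-key address 10.1.34.3 key cisco3
!
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 10.1.24.2 255.255.255.255 LOCALSP
   match identity address 10.1.34.3 255.255.255.255 LOCALSP
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel vrf LOCALSP
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.14.1 255.255.255.0
"""

SPOKE_CONFIG = """\
crypto keyring CCIE vrf LOCALSP
  local-address FastEthernet0/0
  pre-shared-key address 10.1.14.1 key cisco2
!
crypto isakmp profile ISAKMPPROFILE
   vrf LOCALSP
   keyring CCIE
   match identity address 0.0.0.0 LOCALSP
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp nhs 172.16.0.1 nbma 10.1.14.1 multicast
 tunnel source FastEthernet0/0
 tunnel vrf LOCALSP
!
interface FastEthernet0/0
 ip vrf forwarding LOCALSP
 ip address 10.1.24.2 255.255.255.0
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {column-0 header: [indented lines]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():  # a column-0 line opens a new section
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def find_section(sections: Dict[str, List[str]], prefix: str) -> Tuple[Optional[str], List[str]]:
    for header, body in sections.items():
        if header.startswith(prefix):
            return header, body
    return None, []


def first(lines: List[str], prefix: str) -> Optional[str]:
    """Remainder of the first line starting with prefix, or None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def describe(config: str) -> dict:
    """Extract the pieces that must agree for VRF-aware DMVPN to come up."""
    s = parse_sections(config)
    _, tun = find_section(s, "interface Tunnel")
    src_if = first(tun, "tunnel source ")
    _, phys = find_section(s, f"interface {src_if}")
    addr = first(phys, "ip address ")
    kr_hdr, kr = find_section(s, "crypto keyring ")
    m = re.match(r"crypto keyring (\S+)(?: vrf (\S+))?", kr_hdr or "")
    _, prof = find_section(s, "crypto isakmp profile ")
    matches = [l.split() for l in prof if l.startswith("match identity address ")]
    return {
        "tunnel_vrf": first(tun, "tunnel vrf "),
        "source_vrf": first(phys, "ip vrf forwarding "),
        "nbma_ip": addr.split()[0] if addr else None,
        "keyring_name": m.group(1) if m else None,
        "keyring_vrf": m.group(2) if m else None,
        "psks": dict(re.findall(r"pre-shared-key address (\S+) key (\S+)", "\n".join(kr))),
        "profile_keyring": first(prof, "keyring "),
        "match_ids": [t[3] for t in matches],
        # trailing token is the VRF name unless it is a dotted-quad mask
        "match_vrfs": [t[-1] for t in matches if not re.match(r"\d+\.\d+", t[-1])],
        "nhs_nbma": re.findall(r"ip nhrp nhs \S+ nbma (\S+)", "\n".join(tun)),
    }


def audit_pair(hub_cfg: str, spoke_cfg: str) -> List[str]:
    """Return findings for one hub/spoke pair; an empty list means consistent."""
    hub, spoke = describe(hub_cfg), describe(spoke_cfg)
    findings: List[str] = []
    for role, r in (("hub", hub), ("spoke", spoke)):
        # 'tunnel vrf' must name the VRF the tunnel source interface lives in,
        # otherwise GRE/IPsec resolves the peer NBMA address in the wrong table.
        if r["tunnel_vrf"] != r["source_vrf"]:
            findings.append(f"{role}: tunnel vrf {r['tunnel_vrf']} does not match "
                            f"source interface VRF {r['source_vrf']}")
        # IKE arrives in the front-door VRF, so keyring and match-identity
        # clauses must be scoped to that same VRF.
        if r["keyring_vrf"] != r["tunnel_vrf"]:
            findings.append(f"{role}: keyring VRF {r['keyring_vrf']} != tunnel vrf {r['tunnel_vrf']}")
        if any(v != r["keyring_vrf"] for v in r["match_vrfs"]):
            findings.append(f"{role}: match identity VRF differs from keyring VRF")
        if r["profile_keyring"] != r["keyring_name"]:
            findings.append(f"{role}: isakmp profile references keyring {r['profile_keyring']}, "
                            f"but the keys live in {r['keyring_name']}")
    # The spoke must register with the hub's real tunnel source address.
    if hub["nbma_ip"] not in spoke["nhs_nbma"]:
        findings.append(f"spoke: NHS nbma {spoke['nhs_nbma']} is not hub NBMA {hub['nbma_ip']}")
    # Both sides must hold the same PSK for each other (exact entry or 0.0.0.0).
    hub_key = hub["psks"].get(spoke["nbma_ip"], hub["psks"].get("0.0.0.0"))
    spoke_key = spoke["psks"].get(hub["nbma_ip"], spoke["psks"].get("0.0.0.0"))
    if hub_key is None or hub_key != spoke_key:
        findings.append("pre-shared key mismatch between hub and spoke")
    # The hub's profile must accept this spoke's identity (exact or wildcard).
    if spoke["nbma_ip"] not in hub["match_ids"] and "0.0.0.0" not in hub["match_ids"]:
        findings.append(f"hub: no match identity for spoke NBMA {spoke['nbma_ip']}")
    return findings


if __name__ == "__main__":
    for line in audit_pair(HUB_CONFIG, SPOKE_CONFIG) or ["hub/spoke pair is consistent"]:
        print(line)
```

The static check does not replace the reachability test from the last note; because the NBMA addresses live in the VRF, that ping has to be issued inside it as well (ping vrf LOCALSP <nbma-address> on IOS), otherwise the global table is consulted and the ping fails even on a correct configuration.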
