1. OVERVIEW
This document provides configuration guidance for users of Cisco® Dynamic Multipoint VPN (DMVPN) technology on Cisco IOS® IPSec routers. The Cisco 7600 Series platform is an exception because it does not support FVRF. The IVRF configuration described below will work on the Cisco 7600 Series and the Cisco Catalyst® 6500 Series as well. The testing was performed on Cisco 1841 integrated services routers running Cisco IOS Software Release 12.3(11)T3. The objective of the testing was to configure and test the interaction of DMVPN with a Front VRF (FVRF) as well as an internal VRF (IVRF).
Advantage:
The advantage of using an FVRF is primarily to carve out a separate routing table from the global routing table (where the tunnel interface exists). The advantage of using an IVRF is to define a private space to hold the DMVPN and private network information. Both of these configurations provide extra security against anyone trying to attack the router from the Internet, because the Internet-facing routing information is separated from the private routing information. These VRF configurations can be used on both the DMVPN hub and the spoke.
What is the configuration difference?
In the case of FVRF, the tunnel destination lookup needs to be done in the FVRF. Secondly, since the Internet-facing interface is in a VRF, the ISAKMP key lookup is also done in that VRF. As for using an IVRF, the tunnel, the private subnets, and the routing protocol need to be defined in the IVRF space. The tunnel destination and the ISAKMP key are looked up in the global space for this scenario.
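The following hub configuration is an added example that is not part of the original document; it shows how the two lookup differences described above map onto Cisco IOS commands when FVRF and IVRF are combined on one router. The VRF names (FVRF, IVRF), interface names, addresses, NHRP network-id, tunnel key and the pre-shared key are all assumed placeholders, and the spoke side is omitted.

```cisco
! Two VRFs: FVRF holds the Internet-facing routing table, IVRF holds the
! DMVPN tunnel and the private subnets. (Names are assumed placeholders.)
ip vrf FVRF
 rd 1:1
ip vrf IVRF
 rd 2:2
!
! FVRF difference 1: the ISAKMP pre-shared key is looked up in the FVRF,
! so the keyring is bound to the VRF that owns the Internet-facing interface.
crypto keyring DMVPN-KEYS vrf FVRF
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-STRONG-PSK
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! The ISAKMP profile matches peers arriving in the FVRF and uses that keyring.
crypto isakmp profile DMVPN-PROF
 keyring DMVPN-KEYS
 match identity address 0.0.0.0 FVRF
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF
!
! Internet-facing interface lives in the FVRF (assumed interface and address).
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 192.0.2.1 255.255.255.0
!
! LAN-facing interface carries a private subnet inside the IVRF.
interface GigabitEthernet0/1
 ip vrf forwarding IVRF
 ip address 10.1.1.1 255.255.255.0
!
! The mGRE tunnel: its IP side sits in the IVRF (IVRF difference), while
! FVRF difference 2 is "tunnel vrf", which makes the tunnel destination
! lookup happen in the FVRF routing table instead of the global table.
interface Tunnel0
 ip vrf forwarding IVRF
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication REPLACE-ME
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel vrf FVRF
 tunnel protection ipsec profile DMVPN-IPSEC
!
! The routing protocol for the private networks is defined in the IVRF
! address family, so private prefixes never enter the global or FVRF tables.
router eigrp 1
 address-family ipv4 vrf IVRF
  network 10.0.0.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
  no auto-summary
  autonomous-system 1
!
! Only the FVRF needs a default route toward the Internet (assumed next hop).
ip route vrf FVRF 0.0.0.0 0.0.0.0 192.0.2.254
```

For the IVRF-only scenario described in the text (the case the document says also applies to the 7600 and Catalyst 6500), drop `tunnel vrf FVRF`, the `vrf FVRF` keyword on the keyring and the FVRF reference in `match identity address`, and leave the Internet-facing interface and its default route in the global table; the tunnel destination and ISAKMP key are then resolved globally while the tunnel, private subnets and EIGRP instance stay inside the IVRF. A quick check that the separation is in effect is `show ip route vrf FVRF` (only Internet routes) versus `show ip route vrf IVRF` (only tunnel and private prefixes).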