VPNs in VRF-mode (2)
! | |
! Review notes (rtr1, branch 1): one static IPsec VTI (Tunnel1) to the hub rtr7 at
! 192.0.2.254 and an eBGP session AS 64601 <-> AS 64512 across it. Management lives
! in VRF "mgmt" on FastEthernet0 (TFTP source and NTP use that VRF); the global
! table holds the internet-facing SVI Vlan711 and the tunnel. The dump below is
! verbatim from the device, so the enable hash, the type 7 line password and the
! ISAKMP pre-shared key are all public now and need rotating before any reuse.
! Last configuration change at 16:02:19 JST Mon Oct 13 2014 | |
! NVRAM config last updated at 16:28:10 JST Mon Oct 13 2014 | |
! NVRAM config last updated at 16:28:10 JST Mon Oct 13 2014 | |
version 15.1 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! Type 7 obfuscation for line passwords; reversible, hides nothing from anyone
! who can read this file.
service password-encryption | |
! | |
hostname rtr1 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! | |
! Logs stay in a 16 KB on-box buffer; no "logging host", so nothing is available
! off-box for correlation or after a reload.
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! Type 5 = MD5-crypt. Newer IOS trains accept "enable algorithm-type scrypt secret"
! (type 9); not every 15.1 image has it - verify before relying on it.
enable secret 5 $1$FEcA$tbEu2KrFMiq4kPpGDxspu1 | |
! | |
! No AAA: console and vty authenticate against the shared line password further
! down, with no per-user accountability.
no aaa new-model | |
! | |
clock timezone JST 9 0 | |
crypto pki token default removal timeout 0 | |
! | |
! | |
dot11 syslog | |
! Source-routed packets are honoured; nothing in this design relies on them and
! "no ip source-route" is the usual edge setting.
ip source-route | |
! | |
! | |
! | |
! | |
! | |
! Out-of-band management VRF. Its RT 64594:99 is not imported by the hub's branch
! VRFs, so the management plane stays separate from tenant routing.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
multilink bundle-name authenticated | |
! | |
! | |
! | |
license udi pid CISCO1812-J/K9 sn FHK093523LC | |
! | |
! | |
! Config/image transfers are sourced from the management VRF interface.
ip tftp source-interface FastEthernet0 | |
! | |
! IKEv1 pre-shared key for the single hub peer. Shown in cleartext even with
! "service password-encryption" on; type 6 (AES) storage needs
! "key config-key password-encrypt" plus "password encryption aes".
crypto keyring branch1-keyring | |
pre-shared-key address 192.0.2.254 key branch1key | |
! | |
! Phase 1: AES (128-bit, no size given), PSK auth, DH group 2 (1024-bit MODP), hash
! at its default (SHA-1), 8 h lifetime. Group 2 is below current guidance (group 14
! or higher); the hub and rtr2 run the identical policy, so change all three together.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! Dead peer detection (on-demand, no "periodic" keyword): 10 s keepalive, 10 s retry.
crypto isakmp keepalive 10 10 | |
! Keyring bound to exactly one peer identity (the hub's address).
crypto isakmp profile branch1-isakmp-profile | |
keyring branch1-keyring | |
match identity address 192.0.2.254 255.255.255.255 | |
! | |
! Anti-replay window widened from the default 64 to 128 packets.
crypto ipsec security-association replay window-size 128 | |
! | |
! Phase 2: ESP AES-128-CBC with HMAC-SHA-1; no AEAD suite on this train.
crypto ipsec transform-set branch1-vpn-tfset esp-aes esp-sha-hmac | |
! Clears DF on the outer header so oversize packets fragment after encryption
! instead of being dropped; complements "ip tcp adjust-mss 1396" on Tunnel1.
crypto ipsec df-bit clear | |
! | |
! PFS re-uses DH group 2 (same caveat as above).
crypto ipsec profile branch1-ipsec-profile | |
set transform-set branch1-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! BGP router-id and the /32 advertised to the hub.
interface Loopback0 | |
ip address 10.1.0.1 255.255.255.255 | |
! | |
! Static VTI ("tunnel mode ipsec ipv4", no GRE) sourced from the public SVI; inner
! /30 169.254.1.0/30 is the eBGP link, hub side .1. No "tunnel vrf": inner and
! outer both use the global table on this CE.
interface Tunnel1 | |
ip address 169.254.1.2 255.255.255.252 | |
ip virtual-reassembly in | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan711 | |
tunnel mode ipsec ipv4 | |
tunnel destination 192.0.2.254 | |
tunnel protection ipsec profile branch1-ipsec-profile | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
! | |
! Management port in VRF mgmt, proxy-ARP off. No interface ACL here and no
! "access-class" on the vty lines, so reachability to management services is
! bounded only by what can route to 192.168.7.0/24.
interface FastEthernet0 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.101 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly in | |
duplex auto | |
speed auto | |
! | |
interface FastEthernet1 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! 802.1Q trunk toward the host-side switch. No "switchport trunk allowed vlan", so
! every VLAN in the database is presented - presumably the uplink VLAN 711 too;
! confirm that is intended.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
no ip address | |
! | |
interface FastEthernet3 | |
no ip address | |
! | |
interface FastEthernet4 | |
no ip address | |
! | |
interface FastEthernet5 | |
no ip address | |
! | |
interface FastEthernet6 | |
no ip address | |
! | |
interface FastEthernet7 | |
no ip address | |
! | |
interface FastEthernet8 | |
no ip address | |
! | |
interface FastEthernet9 | |
no ip address | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! Internet-facing SVI; tunnel source and the address the hub's keyring is keyed on.
interface Vlan711 | |
ip address 198.51.100.254 255.255.255.0 | |
! | |
! Branch LANs; advertised to the hub under "router bgp".
interface Vlan911 | |
ip address 10.1.1.1 255.255.255.0 | |
! | |
interface Vlan912 | |
ip address 10.1.2.1 255.255.255.0 | |
! | |
! eBGP to the hub over the VTI, 10 s keepalive / 30 s hold. No inbound or outbound
! prefix-list, route-map or "maximum-prefix": whatever the hub sends is installed.
! Fine for a lab; filter and cap it before production use.
router bgp 64601 | |
bgp router-id 10.1.0.1 | |
bgp log-neighbor-changes | |
neighbor 169.254.1.1 remote-as 64512 | |
neighbor 169.254.1.1 update-source Tunnel1 | |
neighbor 169.254.1.1 timers 10 30 30 | |
! | |
address-family ipv4 | |
network 10.1.0.1 mask 255.255.255.255 | |
network 10.1.1.0 mask 255.255.255.0 | |
network 10.1.2.0 mask 255.255.255.0 | |
neighbor 169.254.1.1 activate | |
! Keeps a copy of every received update in memory for policy re-application;
! route refresh makes this optional.
neighbor 169.254.1.1 soft-reconfiguration inbound | |
exit-address-family | |
! | |
ip forward-protocol nd | |
! HTTP/HTTPS management UI disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! Global default toward the ISP; the management VRF gets its own default.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 | |
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
! | |
! | |
! | |
! | |
! | |
! | |
! | |
! Bare "control-plane": no CoPP service-policy attached, the route processor is
! unrate-limited.
control-plane | |
! | |
! | |
! | |
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
! AUX port left at defaults (no "login", no "transport input none").
line aux 0 | |
line vty 0 4 | |
! No idle timeout: sessions live until closed.
exec-timeout 0 0 | |
! Type 7 (reversible) password shared by every operator; with "no aaa new-model"
! and plain "login" (not "login local") it is the only check on a vty session.
! Prefer "login local" with "username ... secret" or AAA.
password 7 0832585C0A18114247 | |
logging synchronous | |
login | |
exec prompt timestamp | |
! Telnet included. No "ip domain name" / "ip ssh" appears here, so SSH may not even
! be set up; narrow to "transport input ssh" and add "access-class <mgmt ACL> in".
transport input all | |
! Lines 5-15 closed in both directions.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
! NTP over the management VRF, unauthenticated (no "ntp authenticate" / key).
ntp server vrf mgmt 192.168.7.16 | |
end |
! | |
! Review notes (rtr2, branch 2): mirror of rtr1 with its own addressing - VTI
! Tunnel1 to the hub at 192.0.2.254, eBGP AS 64602 <-> AS 64512, public SVI Vlan721
! (203.0.113.254), LANs Vlan921/922, management in VRF "mgmt" on FastEthernet0.
! The findings on rtr1 (type 7 line password, MD5 enable hash, cleartext PSK, DH
! group 2, telnet on the vty, no off-box logging, no BGP filters) apply here too;
! the secrets in this dump are public and need rotating.
! Last configuration change at 16:03:05 JST Mon Oct 13 2014 | |
! NVRAM config last updated at 16:28:12 JST Mon Oct 13 2014 | |
! NVRAM config last updated at 16:28:12 JST Mon Oct 13 2014 | |
version 15.1 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! Type 7 obfuscation only; reversible.
service password-encryption | |
! | |
hostname rtr2 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! | |
! Local 16 KB buffer only; no "logging host".
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! Type 5 (MD5-crypt) enable secret; see the rtr1 note on type 9.
enable secret 5 $1$prRv$EiHn4TQwENz9lbLvvZouT/ | |
! | |
! No AAA: line password is the only login check.
no aaa new-model | |
! | |
clock timezone JST 9 0 | |
crypto pki token default removal timeout 0 | |
! | |
! | |
dot11 syslog | |
! Source routing honoured; not needed by this design.
ip source-route | |
! | |
! | |
! | |
! | |
! | |
! Management VRF, same RD/RT as on rtr1 and the hub; not imported by tenant VRFs.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
multilink bundle-name authenticated | |
! | |
! | |
! | |
license udi pid CISCO1812-J/K9 sn FHK120722K6 | |
! | |
! | |
ip tftp source-interface FastEthernet0 | |
! | |
! IKEv1 PSK for the hub, cleartext in the running-config (see rtr1 note on type 6).
crypto keyring branch2-keyring | |
pre-shared-key address 192.0.2.254 key branch2key | |
! | |
! Same phase-1 policy as rtr1 and the hub: AES-128, PSK, DH group 2, default SHA-1
! hash, 8 h lifetime. Group 2 is the weak point; upgrade on all three devices at once.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! DPD on-demand, 10 s keepalive / 10 s retry.
crypto isakmp keepalive 10 10 | |
! Keyring selected only for the hub's identity.
crypto isakmp profile branch2-isakmp-profile | |
keyring branch2-keyring | |
match identity address 192.0.2.254 255.255.255.255 | |
! | |
! Anti-replay window 128 (default 64).
crypto ipsec security-association replay window-size 128 | |
! | |
! ESP AES-128-CBC + HMAC-SHA-1.
crypto ipsec transform-set branch2-vpn-tfset esp-aes esp-sha-hmac | |
! Outer DF cleared so post-encryption fragmentation is allowed; pairs with adjust-mss.
crypto ipsec df-bit clear | |
! | |
! PFS with DH group 2 (same caveat).
crypto ipsec profile branch2-ipsec-profile | |
set transform-set branch2-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! Router-id and the /32 advertised to the hub.
interface Loopback0 | |
ip address 10.2.0.1 255.255.255.255 | |
! | |
! Static VTI from the public SVI Vlan721; inner link 169.254.2.0/30, hub side .1.
! No "tunnel vrf", so inner and outer are both in the global table.
interface Tunnel1 | |
ip address 169.254.2.2 255.255.255.252 | |
ip virtual-reassembly in | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan721 | |
tunnel mode ipsec ipv4 | |
tunnel destination 192.0.2.254 | |
tunnel protection ipsec profile branch2-ipsec-profile | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
! | |
! Management port in VRF mgmt; no interface ACL and no vty access-class anywhere.
interface FastEthernet0 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.102 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly in | |
duplex auto | |
speed auto | |
! | |
interface FastEthernet1 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! Trunk toward the host-side switch; no allowed-VLAN list, so all VLANs are carried.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
no ip address | |
! | |
interface FastEthernet3 | |
no ip address | |
! | |
interface FastEthernet4 | |
no ip address | |
! | |
interface FastEthernet5 | |
no ip address | |
! | |
interface FastEthernet6 | |
no ip address | |
! | |
interface FastEthernet7 | |
no ip address | |
! | |
interface FastEthernet8 | |
no ip address | |
! | |
interface FastEthernet9 | |
no ip address | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! Leftover SVI with no address (rtr1 uses VLAN 711 as its uplink); unused here -
! presumably a copy/paste remnant, safe to remove or shut down.
interface Vlan711 | |
no ip address | |
! | |
! Internet-facing SVI; tunnel source and the address the hub's keyring is keyed on.
interface Vlan721 | |
ip address 203.0.113.254 255.255.255.0 | |
! | |
! Branch LANs. 10.2.2.0/24 (Vlan922) is the prefix the hub's BRANCH2_EXPORT_MAP
! keeps out of branch1-vrf.
interface Vlan921 | |
ip address 10.2.1.1 255.255.255.0 | |
! | |
interface Vlan922 | |
ip address 10.2.2.1 255.255.255.0 | |
! | |
! eBGP to the hub over the VTI; no inbound/outbound filters or maximum-prefix.
router bgp 64602 | |
bgp router-id 10.2.0.1 | |
bgp log-neighbor-changes | |
neighbor 169.254.2.1 remote-as 64512 | |
neighbor 169.254.2.1 update-source Tunnel1 | |
neighbor 169.254.2.1 timers 10 30 30 | |
! | |
address-family ipv4 | |
network 10.2.0.1 mask 255.255.255.255 | |
network 10.2.1.0 mask 255.255.255.0 | |
network 10.2.2.0 mask 255.255.255.0 | |
neighbor 169.254.2.1 activate | |
! Stores received updates in memory; route refresh makes this optional.
neighbor 169.254.2.1 soft-reconfiguration inbound | |
exit-address-family | |
! | |
ip forward-protocol nd | |
! Web UI disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! Global default toward the ISP; separate default in the management VRF.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 | |
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
! | |
! | |
! | |
! | |
! | |
! | |
! | |
! No CoPP policy attached.
control-plane | |
! | |
! | |
! | |
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
! AUX port at defaults.
line aux 0 | |
line vty 0 4 | |
! No idle timeout.
exec-timeout 0 0 | |
! Shared, reversible type 7 line password; plain "login", no local users or AAA.
password 7 13160300080D107F7E | |
logging synchronous | |
login | |
exec prompt timestamp | |
! Telnet included; no "ip domain name"/"ip ssh" seen. Prefer "transport input ssh"
! plus an "access-class".
transport input all | |
! Lines 5-15 closed.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
! Unauthenticated NTP via the management VRF.
ntp server vrf mgmt 192.168.7.16 | |
end |
! | |
! Review notes (rtr7, hub): one static VTI per branch (Tunnel1 -> rtr1, Tunnel2 ->
! rtr2). The outer IPsec packets use the global table (source Vlan701, no "tunnel
! vrf"), while each tunnel's inner interface sits in its own VRF (branch1-vrf /
! branch2-vrf) with a per-VRF eBGP session - VRF-aware IPsec with the global table
! as front-door VRF. The two branch VRFs import each other's route-targets, so this
! is deliberate inter-branch leaking with a single /24 held back by an export
! route-map, not strict tenant isolation. Management is in VRF "mgmt" on
! FastEthernet8; no tenant VRF imports its RT. Secrets in this dump (enable hash,
! type 7 line password, both PSKs) are public and need rotating.
! Last configuration change at 16:56:18 JST Mon Oct 13 2014 | |
! NVRAM config last updated at 16:28:09 JST Mon Oct 13 2014 | |
! | |
version 15.0 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! Type 7 obfuscation only; reversible.
service password-encryption | |
! | |
hostname rtr7 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! Local buffer only; no "logging host" for the hub either, which is the device
! whose logs matter most for incident review.
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! Type 5 (MD5-crypt) enable secret.
enable secret 5 $1$DQ6.$iLJC0WIOJb6WF9nkE26CX0 | |
! | |
! No AAA; line password is the only login check.
no aaa new-model | |
! | |
! | |
! | |
clock timezone JST 9 | |
! | |
! | |
! Source routing honoured; not needed here.
ip source-route | |
! | |
! | |
! branch1-vrf: exports RT 64512:1 and imports both branch RTs, so it sees branch 2's
! routes except 10.2.2.0/24, which the export map below withholds (compare the
! "sh bgp vpnv4 unicast all" output further down).
ip vrf branch1-vrf | |
rd 64512:1 | |
route-target export 64512:1 | |
route-target import 64512:1 | |
route-target import 64512:2 | |
! | |
! branch2-vrf: no plain "route-target export"; export goes through
! BRANCH2_EXPORT_MAP, which tags everything except 10.2.2.0/24 (rtr2's Vlan922 LAN)
! with RT 64512:2. Prefixes the map does not permit leave with no RT and so are
! imported nowhere else. Imports both branch RTs.
ip vrf branch2-vrf | |
rd 64512:2 | |
export map BRANCH2_EXPORT_MAP | |
route-target import 64512:1 | |
route-target import 64512:2 | |
! | |
! Management VRF; neither branch VRF imports 64594:99.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
! | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
! | |
multilink bundle-name authenticated | |
license udi pid CISCO892-K9 sn FGL1544235U | |
! | |
! | |
! | |
! | |
ip tftp source-interface FastEthernet8 | |
! | |
! One keyring per branch, each keyed on that branch's public address; the ISAKMP
! profiles below pick the keyring by peer identity. Keys are cleartext (type 6
! storage would need "key config-key password-encrypt" + "password encryption aes").
crypto keyring branch1-keyring | |
pre-shared-key address 198.51.100.254 key branch1key | |
crypto keyring branch2-keyring | |
pre-shared-key address 203.0.113.254 key branch2key | |
! | |
! Phase 1 shared by both branches: AES-128, PSK, DH group 2 (1024-bit MODP), default
! SHA-1 hash, 8 h lifetime. Group 2 is below current guidance; raise it on the hub
! and both CEs together.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! DPD on-demand, 10 s keepalive / 10 s retry.
crypto isakmp keepalive 10 10 | |
! Each profile accepts exactly one peer address.
crypto isakmp profile branch1-isakmp-profile | |
keyring branch1-keyring | |
match identity address 198.51.100.254 255.255.255.255 | |
crypto isakmp profile branch2-isakmp-profile | |
keyring branch2-keyring | |
match identity address 203.0.113.254 255.255.255.255 | |
! | |
! Anti-replay window 128 (default 64).
crypto ipsec security-association replay window-size 128 | |
! | |
! ESP AES-128-CBC + HMAC-SHA-1 for both branches.
crypto ipsec transform-set branch1-vpn-tfset esp-aes esp-sha-hmac | |
crypto ipsec transform-set branch2-vpn-tfset esp-aes esp-sha-hmac | |
! Outer DF cleared; pairs with "ip tcp adjust-mss 1396" on both tunnels.
crypto ipsec df-bit clear | |
! | |
! PFS with DH group 2 (same caveat).
crypto ipsec profile branch1-ipsec-profile | |
set transform-set branch1-vpn-tfset | |
set pfs group2 | |
! | |
crypto ipsec profile branch2-ipsec-profile | |
set transform-set branch2-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! Global-table loopback; BGP router-id.
interface Loopback0 | |
ip address 10.0.0.0 255.255.255.255 | |
! | |
! | |
! Per-VRF loopbacks; redistributed into each VRF's BGP table as connected routes.
interface Loopback1 | |
ip vrf forwarding branch1-vrf | |
ip address 10.1.0.0 255.255.255.255 | |
! | |
! | |
interface Loopback2 | |
ip vrf forwarding branch2-vrf | |
ip address 10.2.0.0 255.255.255.255 | |
! | |
! | |
! Inner side in branch1-vrf, outer side (Vlan701 -> 198.51.100.254) in the global
! table. 169.254.1.0/30 is the eBGP link to rtr1 (.2).
interface Tunnel1 | |
ip vrf forwarding branch1-vrf | |
ip address 169.254.1.1 255.255.255.252 | |
ip virtual-reassembly | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan701 | |
tunnel mode ipsec ipv4 | |
tunnel destination 198.51.100.254 | |
tunnel protection ipsec profile branch1-ipsec-profile | |
! | |
! | |
! Same for branch 2: inner in branch2-vrf, outer to 203.0.113.254, link 169.254.2.0/30.
interface Tunnel2 | |
ip vrf forwarding branch2-vrf | |
ip address 169.254.2.1 255.255.255.252 | |
ip virtual-reassembly | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan701 | |
tunnel mode ipsec ipv4 | |
tunnel destination 203.0.113.254 | |
tunnel protection ipsec profile branch2-ipsec-profile | |
! | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
isdn termination multidrop | |
! | |
! | |
interface FastEthernet0 | |
! | |
! | |
interface FastEthernet1 | |
! | |
! | |
! Trunk toward the host-side switch; no allowed-VLAN list.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
! | |
! | |
interface FastEthernet3 | |
! | |
! | |
interface FastEthernet4 | |
! | |
! | |
interface FastEthernet5 | |
! | |
! | |
interface FastEthernet6 | |
! | |
! | |
interface FastEthernet7 | |
! | |
! | |
! Management port in VRF mgmt; no interface ACL and no vty access-class.
interface FastEthernet8 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.107 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly | |
duplex auto | |
speed auto | |
! | |
! | |
interface GigabitEthernet0 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! | |
! Internet-facing SVI; source of both tunnels and the peer address the branches'
! keyrings are keyed on.
interface Vlan701 | |
ip address 192.0.2.254 255.255.255.0 | |
! | |
! | |
! Hub-side LANs, one per branch VRF.
interface Vlan901 | |
ip vrf forwarding branch1-vrf | |
ip address 10.1.10.1 255.255.255.0 | |
! | |
! | |
interface Vlan902 | |
ip vrf forwarding branch2-vrf | |
ip address 10.2.10.1 255.255.255.0 | |
! | |
! | |
! The VPNv4 table is built only from the per-VRF address families below; the global
! AF has no neighbours. "no synchronization" / "no auto-summary" are legacy defaults
! written out by this 15.0 image.
router bgp 64512 | |
no synchronization | |
bgp router-id 10.0.0.0 | |
bgp log-neighbor-changes | |
no auto-summary | |
! | |
! "redistribute connected" pushes the VRF loopback, the LAN SVI and the 169.254.x.0/30
! tunnel link into BGP (the 0.0.0.0 next-hop entries in the show output below), so
! the tunnel /30s are also leaked to the other branch. eBGP to rtr1 across Tunnel1;
! no inbound filter or "maximum-prefix" on the neighbour. Per-VRF router-id overrides
! the global one.
address-family ipv4 vrf branch1-vrf | |
no synchronization | |
bgp router-id 10.1.0.0 | |
redistribute connected | |
neighbor 169.254.1.2 remote-as 64601 | |
neighbor 169.254.1.2 update-source Tunnel1 | |
neighbor 169.254.1.2 timers 10 30 30 | |
neighbor 169.254.1.2 activate | |
neighbor 169.254.1.2 soft-reconfiguration inbound | |
exit-address-family | |
! | |
! Same pattern for branch 2 across Tunnel2; no inbound filter or prefix cap.
address-family ipv4 vrf branch2-vrf | |
no synchronization | |
bgp router-id 10.2.0.0 | |
redistribute connected | |
neighbor 169.254.2.2 remote-as 64602 | |
neighbor 169.254.2.2 update-source Tunnel2 | |
neighbor 169.254.2.2 timers 10 30 30 | |
neighbor 169.254.2.2 activate | |
neighbor 169.254.2.2 soft-reconfiguration inbound | |
exit-address-family | |
! | |
ip forward-protocol nd | |
! Web UI disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! Global default (reaches the branch public addresses); separate default in mgmt.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 | |
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
! | |
! Used only as a route-map match: "deny" means "do not tag", "permit any" means tag.
ip access-list standard BRANCH2_EXPORT_ACL | |
deny 10.2.2.0 0.0.0.255 | |
permit any | |
! | |
! | |
! | |
! | |
! | |
! Single permit sequence. A prefix the ACL denies matches no sequence, gets no
! route-target and therefore never appears in branch1-vrf.
route-map BRANCH2_EXPORT_MAP permit 10 | |
match ip address BRANCH2_EXPORT_ACL | |
set extcommunity rt 64512:2 | |
! | |
! | |
! | |
! No CoPP policy attached.
control-plane | |
! | |
! | |
! | |
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
! AUX port at defaults.
line aux 0 | |
line vty 0 4 | |
! No idle timeout.
exec-timeout 0 0 | |
! Shared, reversible type 7 line password; plain "login", no local users or AAA.
password 7 0518121D224D5A5C4C | |
logging synchronous | |
login | |
! No "transport input" on these lines, so the platform default applies - state it
! explicitly ("transport input ssh") and add an "access-class <mgmt ACL> in".
exec prompt timestamp | |
! Lines 5-15 closed.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
scheduler max-task-time 5000 | |
! Unauthenticated NTP via the management VRF.
ntp server vrf mgmt 192.168.7.16 | |
end |
rtr7#sh bgp vpnv4 unicast all | |
Load for five secs: 4%/0%; one minute: 4%; five minutes: 3% | |
Time source is NTP, *20:31:11.336 JST Mon Oct 13 2014 | |
BGP table version is 24, local router ID is 10.0.0.0 | |
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, | |
r RIB-failure, S Stale | |
Origin codes: i - IGP, e - EGP, ? - incomplete | |
Network Next Hop Metric LocPrf Weight Path | |
Route Distinguisher: 64512:1 (default for vrf branch1-vrf) VRF Router ID 10.1.0.0 | |
*> 10.1.0.0/32 0.0.0.0 0 32768 ? | |
*> 10.1.0.1/32 169.254.1.2 0 0 64601 i | |
*> 10.1.1.0/24 169.254.1.2 0 0 64601 i | |
*> 10.1.2.0/24 169.254.1.2 0 0 64601 i | |
*> 10.1.10.0/24 0.0.0.0 0 32768 ? | |
*> 10.2.0.0/32 0.0.0.0 0 32768 ? | |
*> 10.2.0.1/32 169.254.2.2 0 0 64602 i | |
*> 10.2.1.0/24 169.254.2.2 0 0 64602 i | |
*> 10.2.10.0/24 0.0.0.0 0 32768 ? | |
*> 169.254.1.0/30 0.0.0.0 0 32768 ? | |
*> 169.254.2.0/30 0.0.0.0 0 32768 ? | |
Route Distinguisher: 64512:2 (default for vrf branch2-vrf) VRF Router ID 10.2.0.0 | |
*> 10.1.0.0/32 0.0.0.0 0 32768 ? | |
*> 10.1.0.1/32 169.254.1.2 0 0 64601 i | |
*> 10.1.1.0/24 169.254.1.2 0 0 64601 i | |
*> 10.1.2.0/24 169.254.1.2 0 0 64601 i | |
*> 10.1.10.0/24 0.0.0.0 0 32768 ? | |
*> 10.2.0.0/32 0.0.0.0 0 32768 ? | |
*> 10.2.0.1/32 169.254.2.2 0 0 64602 i | |
*> 10.2.1.0/24 169.254.2.2 0 0 64602 i | |
*> 10.2.2.0/24 169.254.2.2 0 0 64602 i | |
*> 10.2.10.0/24 0.0.0.0 0 32768 ? | |
*> 169.254.1.0/30 0.0.0.0 0 32768 ? | |
*> 169.254.2.0/30 0.0.0.0 0 32768 ? | |
rtr7# |
rtr7#sh vrf ipv4 detail branch1-vrf | |
Load for five secs: 4%/0%; one minute: 4%; five minutes: 4% | |
Time source is NTP, 20:44:03.004 JST Mon Oct 13 2014 | |
VRF branch1-vrf (VRF Id = 1); default RD 64512:1; default VPNID <not set> | |
Interfaces: | |
Lo1 Tu1 Vl901 | |
Address family ipv4 (Table ID = 1 (0x1)): | |
Export VPN route-target communities | |
RT:64512:1 | |
Import VPN route-target communities | |
RT:64512:1 RT:64512:2 | |
No import route-map | |
No export route-map | |
VRF label distribution protocol: not configured | |
VRF label allocation mode: per-prefix | |
rtr7#sh vrf ipv4 detail branch2-vrf | |
Load for five secs: 4%/0%; one minute: 4%; five minutes: 4% | |
Time source is NTP, 20:44:05.772 JST Mon Oct 13 2014 | |
VRF branch2-vrf (VRF Id = 2); default RD 64512:2; default VPNID <not set> | |
Interfaces: | |
Lo2 Tu2 Vl902 | |
Address family ipv4 (Table ID = 2 (0x2)): | |
No Export VPN route-target communities | |
Import VPN route-target communities | |
RT:64512:1 RT:64512:2 | |
No import route-map | |
Export route-map: BRANCH2_EXPORT_MAP | |
VRF label distribution protocol: not configured | |
VRF label allocation mode: per-prefix | |
rtr7# |