VPNs in VRF-mode
! | |
! Last configuration change at 16:30:11 JST Sat Oct 11 2014 | |
! NVRAM config last updated at 16:49:35 JST Sat Oct 11 2014 | |
! NVRAM config last updated at 16:49:35 JST Sat Oct 11 2014 | |
! NOTE(review): rtr1 is the branch-1 spoke. Roles as configured below: Vlan711 = WAN/underlay
! in the global table, Vlan911 = branch LAN (10.1.1.0/24), Tunnel1 = IPsec VTI to the hub at
! 192.0.2.254, FastEthernet0 = out-of-band management in VRF "mgmt".
! NOTE(review): 2014-era IOS 15.1 image; confirm the running release still receives security fixes.
version 15.1 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! NOTE(review): type-7 encoding only. It hides line passwords from casual viewing but is
! trivially reversible, and it does not cover the ISAKMP pre-shared key below (shown in clear).
service password-encryption | |
! | |
hostname rtr1 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! | |
! NOTE(review): logging is local only (buffer + console/monitor); no "logging host", so events
! do not reach a collector. Consider syslog over the mgmt VRF for detection/forensics.
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! NOTE(review): type-5 (MD5-based) enable secret. This hash is published in a public gist, so
! treat the enable password as compromised and rotate it; prefer a stronger algorithm type
! where the image supports one.
enable secret 5 $1$FEcA$tbEu2KrFMiq4kPpGDxspu1 | |
! | |
! NOTE(review): AAA disabled, so VTY access is a single shared line password (see "line vty 0 4")
! with no per-user authentication or accounting. "aaa new-model" with local "username ... secret"
! accounts (or TACACS+/RADIUS) would give accountability.
no aaa new-model | |
! | |
clock timezone JST 9 0 | |
crypto pki token default removal timeout 0 | |
! | |
! | |
dot11 syslog | |
! NOTE(review): source-routed IP packets are accepted. "no ip source-route" is the usual
! hardening choice on an Internet-facing edge device.
ip source-route | |
! | |
! | |
! | |
! | |
! | |
! Management VRF: isolates FastEthernet0, its default route and NTP from the transit
! (global) routing table used by the WAN and the tunnel.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
multilink bundle-name authenticated | |
! | |
! | |
! | |
license udi pid CISCO1812-J/K9 sn FHK093523LC | |
! | |
! | |
! TFTP is sourced from the management-VRF interface.
ip tftp source-interface FastEthernet0 | |
! | |
! NOTE(review): IKEv1 pre-shared key for the hub (192.0.2.254), stored and displayed in clear.
! The value is published in this gist; if this is more than a lab, rotate it and store it as a
! type-6 key ("key config-key password-encrypt" + "password encryption aes").
crypto keyring branch1-keyring | |
pre-shared-key address 192.0.2.254 key branch1key | |
! | |
! NOTE(review): IKEv1 policy: AES (128-bit, no key size given), DH group 2 (1024-bit MODP),
! default hash (SHA-1), PSK authentication, 8 h SA lifetime. Group 2 and SHA-1 are below
! current guidance; move to group 14+ and SHA-256 where the image supports them, and to
! IKEv2 once both ends can.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! Dead Peer Detection: keepalive every 10 s, retried every 10 s once the peer stops answering.
crypto isakmp keepalive 10 10 | |
! ISAKMP profile pinned to the hub address only (/32 match), so only that peer can use this keyring.
crypto isakmp profile branch1-isakmp-profile | |
keyring branch1-keyring | |
match identity address 192.0.2.254 255.255.255.255 | |
! | |
! Anti-replay window widened from the 64-packet default to 128 to tolerate WAN reordering.
crypto ipsec security-association replay window-size 128 | |
! | |
! NOTE(review): ESP with AES-128-CBC + HMAC-SHA1-96. Integrity-protected, but SHA-1 and CBC are
! legacy choices; "esp-sha256-hmac" or an AES-GCM transform is preferable where supported.
crypto ipsec transform-set branch1-vpn-tfset esp-aes esp-sha-hmac | |
! Clear DF on the outer header so oversized post-encapsulation packets are fragmented instead of
! dropped; pairs with "ip tcp adjust-mss" and "ip virtual-reassembly in" on Tunnel1.
crypto ipsec df-bit clear | |
! | |
! IPsec profile applied to Tunnel1. PFS is on, but with group 2 (same 1024-bit weakness as IKE).
crypto ipsec profile branch1-ipsec-profile | |
set transform-set branch1-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! IPsec VTI (no GRE) to the hub, sourced from the WAN SVI in the global table.
! 169.254.1.0/30 is the tunnel link; the hub end is 169.254.1.1 (next hop of the 10.1/16 route).
interface Tunnel1 | |
ip address 169.254.1.2 255.255.255.252 | |
ip virtual-reassembly in | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan711 | |
tunnel mode ipsec ipv4 | |
tunnel destination 192.0.2.254 | |
tunnel protection ipsec profile branch1-ipsec-profile | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
! | |
! Out-of-band management port in VRF "mgmt"; proxy-ARP disabled.
interface FastEthernet0 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.101 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly in | |
duplex auto | |
speed auto | |
! | |
interface FastEthernet1 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! Trunk toward the host side; presumably carries VLANs 711 (WAN) and 911 (LAN) to a switch —
! confirm, and consider an allowed-VLAN list so the WAN VLAN is not exposed on every trunked port.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
no ip address | |
! | |
interface FastEthernet3 | |
no ip address | |
! | |
interface FastEthernet4 | |
no ip address | |
! | |
interface FastEthernet5 | |
no ip address | |
! | |
interface FastEthernet6 | |
no ip address | |
! | |
interface FastEthernet7 | |
no ip address | |
! | |
interface FastEthernet8 | |
no ip address | |
! | |
interface FastEthernet9 | |
no ip address | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! NOTE(review): WAN/underlay SVI (198.51.100.254/24, gateway 198.51.100.1). No inbound ACL is
! applied; apart from IKE (UDP/500, and UDP/4500 if NAT-T is involved) and ESP from the hub,
! nothing needs to reach this address from outside — add an access-group or confirm upstream filtering.
interface Vlan711 | |
ip address 198.51.100.254 255.255.255.0 | |
! | |
! Branch LAN. Hosts reach 10.1.0.0/16 through Tunnel1 and everything else via the default route.
interface Vlan911 | |
ip address 10.1.1.1 255.255.255.0 | |
! | |
ip forward-protocol nd | |
! HTTP/HTTPS management disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! NOTE(review): split-tunnel design — only 10.1.0.0/16 is steered into Tunnel1 (next hop = hub
! tunnel address); all other traffic leaves Vlan711 in clear via the default route. The management
! VRF has its own default route toward 192.168.7.1.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 | |
ip route 10.1.0.0 255.255.0.0 169.254.1.1 | |
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
! | |
! | |
! | |
! | |
! | |
! | |
! | |
! NOTE(review): empty control-plane section — no CoPP, so traffic aimed at the router itself on
! the WAN interface is not rate-limited.
control-plane | |
! | |
! | |
! | |
! NOTE(review): console has no "login"/"password" configured and AAA is off, so physical
! console access is unauthenticated (default 10-min exec-timeout applies).
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
line aux 0 | |
! NOTE(review): first five VTYs: "exec-timeout 0 0" disables the idle timeout (vty 5-15 below
! use 15 min — make these match); the shared type-7 password is reversible; "login" without
! "local" means no per-user accounts; "transport input all" permits cleartext Telnet. Prefer
! "transport input ssh" (needs "ip domain-name" and an RSA key pair, neither present here) and
! an "access-class" ACL limiting sources to the management network.
line vty 0 4 | |
exec-timeout 0 0 | |
password 7 0832585C0A18114247 | |
logging synchronous | |
login | |
exec prompt timestamp | |
transport input all | |
! Remaining VTYs: 15-min idle timeout and all transports disabled — effectively closed.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
! NTP over the management VRF; unauthenticated — acceptable only if the mgmt network is trusted.
ntp server vrf mgmt 192.168.7.16 | |
end |
! | |
! Last configuration change at 16:48:13 JST Sat Oct 11 2014 | |
! NVRAM config last updated at 16:49:33 JST Sat Oct 11 2014 | |
! NVRAM config last updated at 16:49:33 JST Sat Oct 11 2014 | |
! NOTE(review): rtr2 is the branch-2 spoke, a near-copy of rtr1 with its own addressing:
! Vlan721 = WAN/underlay (203.0.113.254/24, global table), Vlan921 = branch LAN (10.2.1.0/24),
! Tunnel1 = IPsec VTI to the hub at 192.0.2.254, FastEthernet0 = management in VRF "mgmt".
! NOTE(review): 2014-era IOS 15.1 image; confirm the running release still receives security fixes.
version 15.1 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! NOTE(review): type-7 encoding only — reversible, and it does not cover the ISAKMP pre-shared key below.
service password-encryption | |
! | |
hostname rtr2 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! | |
! NOTE(review): local logging only; no "logging host" to a collector.
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! NOTE(review): type-5 (MD5-based) enable secret, published in a public gist — treat as
! compromised and rotate; prefer a stronger algorithm type where supported.
enable secret 5 $1$prRv$EiHn4TQwENz9lbLvvZouT/ | |
! | |
! NOTE(review): AAA disabled; VTY access is a shared line password with no per-user accounting.
no aaa new-model | |
! | |
clock timezone JST 9 0 | |
crypto pki token default removal timeout 0 | |
! | |
! | |
dot11 syslog | |
! NOTE(review): source routing accepted; "no ip source-route" is the usual hardening on an edge device.
ip source-route | |
! | |
! | |
! | |
! | |
! | |
! Management VRF for FastEthernet0, its default route and NTP.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
multilink bundle-name authenticated | |
! | |
! | |
! | |
license udi pid CISCO1812-J/K9 sn FHK120722K6 | |
! | |
! | |
ip tftp source-interface FastEthernet0 | |
! | |
! NOTE(review): IKEv1 pre-shared key for the hub, displayed in clear and published here.
! Rotate if real, and store as a type-6 key ("key config-key password-encrypt" + "password encryption aes").
crypto keyring branch2-keyring | |
pre-shared-key address 192.0.2.254 key branch2key | |
! | |
! NOTE(review): IKEv1: AES-128, DH group 2 (1024-bit), default SHA-1 hash, PSK, 8 h lifetime.
! Group 2/SHA-1 are below current guidance; prefer group 14+, SHA-256 and IKEv2 where supported.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! Dead Peer Detection every 10 s, retry every 10 s.
crypto isakmp keepalive 10 10 | |
! Profile pinned to the hub address (/32 match).
crypto isakmp profile branch2-isakmp-profile | |
keyring branch2-keyring | |
match identity address 192.0.2.254 255.255.255.255 | |
! | |
! Anti-replay window 128 packets (default 64).
crypto ipsec security-association replay window-size 128 | |
! | |
! NOTE(review): ESP AES-128-CBC + HMAC-SHA1-96; SHA-1/CBC are legacy, prefer SHA-256 or GCM where supported.
crypto ipsec transform-set branch2-vpn-tfset esp-aes esp-sha-hmac | |
! Clear outer DF so post-encapsulation fragments are not dropped; pairs with adjust-mss/virtual-reassembly.
crypto ipsec df-bit clear | |
! | |
! IPsec profile for Tunnel1; PFS on, but with group 2.
crypto ipsec profile branch2-ipsec-profile | |
set transform-set branch2-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! IPsec VTI to the hub from the WAN SVI. 169.254.2.0/30 is the tunnel link; hub end is 169.254.2.1.
interface Tunnel1 | |
ip address 169.254.2.2 255.255.255.252 | |
ip virtual-reassembly in | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan721 | |
tunnel mode ipsec ipv4 | |
tunnel destination 192.0.2.254 | |
tunnel protection ipsec profile branch2-ipsec-profile | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
! | |
! Out-of-band management port in VRF "mgmt"; proxy-ARP disabled.
interface FastEthernet0 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.102 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly in | |
duplex auto | |
speed auto | |
! | |
interface FastEthernet1 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! Trunk toward the host side; presumably carries VLANs 721 (WAN) and 921 (LAN) — confirm, and
! consider an allowed-VLAN list so the WAN VLAN is not exposed on every trunked port.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
no ip address | |
! | |
interface FastEthernet3 | |
no ip address | |
! | |
interface FastEthernet4 | |
no ip address | |
! | |
interface FastEthernet5 | |
no ip address | |
! | |
interface FastEthernet6 | |
no ip address | |
! | |
interface FastEthernet7 | |
no ip address | |
! | |
interface FastEthernet8 | |
no ip address | |
! | |
interface FastEthernet9 | |
no ip address | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! NOTE(review): unused SVI, apparently left over from rtr1's template (no address, not shut) — remove or shut.
interface Vlan711 | |
no ip address | |
! | |
! NOTE(review): WAN/underlay SVI (203.0.113.254/24, gateway 203.0.113.1) with no inbound ACL; only
! IKE (UDP/500, UDP/4500 if NAT-T) and ESP from the hub need to reach it — filter here or upstream.
interface Vlan721 | |
ip address 203.0.113.254 255.255.255.0 | |
! | |
! Branch LAN; 10.2.0.0/16 goes through Tunnel1, everything else via the default route.
interface Vlan921 | |
ip address 10.2.1.1 255.255.255.0 | |
! | |
ip forward-protocol nd | |
! HTTP/HTTPS management disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! NOTE(review): split tunnel — only 10.2.0.0/16 is encrypted toward the hub; all other traffic
! leaves Vlan721 in clear. Management VRF has its own default route.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 | |
ip route 10.2.0.0 255.255.0.0 169.254.2.1 | |
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
! | |
! | |
! | |
! | |
! | |
! | |
! | |
! NOTE(review): no CoPP configured under control-plane.
control-plane | |
! | |
! | |
! | |
! NOTE(review): console has no "login"/"password" and AAA is off — unauthenticated console.
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
line aux 0 | |
! NOTE(review): "exec-timeout 0 0" never idles out (vty 5-15 use 15 min — align them); reversible
! type-7 shared password; no "login local"; "transport input all" allows cleartext Telnet. Prefer
! "transport input ssh" (needs "ip domain-name" + RSA key pair, absent here) and an "access-class" ACL.
line vty 0 4 | |
exec-timeout 0 0 | |
password 7 13160300080D107F7E | |
logging synchronous | |
login | |
exec prompt timestamp | |
transport input all | |
! Remaining VTYs closed: all transports disabled.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
! Unauthenticated NTP over the management VRF.
ntp server vrf mgmt 192.168.7.16 | |
end |
! | |
! Last configuration change at 16:48:47 JST Sat Oct 11 2014 | |
! NVRAM config last updated at 16:49:34 JST Sat Oct 11 2014 | |
! | |
! NOTE(review): rtr7 is the hub. Front-door-VRF design: the Internet-facing SVI (Vlan701) and the
! outer IPsec packets live in VRF "fdvrf"; each spoke's decrypted traffic lands in its own VRF
! (branch1-vrf / branch2-vrf) with a matching hub LAN (Vlan901 / Vlan902); management is in VRF "mgmt".
! NOTE(review): 2014-era IOS 15.0 image; confirm the running release still receives security fixes.
version 15.0 | |
service nagle | |
no service pad | |
service tcp-keepalives-in | |
service tcp-keepalives-out | |
service timestamps debug datetime msec localtime show-timezone | |
service timestamps log datetime msec localtime show-timezone | |
! NOTE(review): type-7 encoding only — reversible, and it does not cover the ISAKMP pre-shared keys below.
service password-encryption | |
! | |
hostname rtr7 | |
! | |
boot-start-marker | |
boot-end-marker | |
! | |
! NOTE(review): local logging only; no "logging host". For a hub terminating two VPNs a remote
! collector (over the mgmt VRF) is worth having for IKE/IPsec failure and login events.
logging buffered 16384 | |
logging console informational | |
logging monitor informational | |
! NOTE(review): type-5 (MD5-based) enable secret, published in a public gist — treat as
! compromised and rotate; prefer a stronger algorithm type where supported.
enable secret 5 $1$DQ6.$iLJC0WIOJb6WF9nkE26CX0 | |
! | |
! NOTE(review): AAA disabled; VTY access is a shared line password with no per-user accounting.
no aaa new-model | |
! | |
! | |
! | |
clock timezone JST 9 | |
! | |
! | |
! NOTE(review): source routing accepted; "no ip source-route" is the usual hardening on an edge device.
ip source-route | |
! | |
! | |
! Per-branch overlay VRFs. Distinct RDs and no route-targets, so nothing is leaked between the
! two branches or into the global table (pure VRF-lite separation).
ip vrf branch1-vrf | |
rd 1:1 | |
! | |
ip vrf branch2-vrf | |
rd 2:1 | |
! | |
! Front-door (underlay) VRF: holds the Internet-facing SVI and the encrypted tunnel packets.
ip vrf fdvrf | |
rd 65535:10 | |
! | |
! Management VRF for FastEthernet8, its default route and NTP.
ip vrf mgmt | |
rd 64594:99 | |
route-target export 64594:99 | |
route-target import 64594:99 | |
! | |
! | |
! | |
ip cef | |
no ip domain lookup | |
no ipv6 cef | |
! | |
! | |
multilink bundle-name authenticated | |
license udi pid CISCO892-K9 sn FGL1544235U | |
! | |
! | |
! | |
! | |
ip tftp source-interface FastEthernet8 | |
! | |
! NOTE(review): one keyring per spoke, bound to fdvrf so the peer address is matched in the
! underlay VRF. Unique key per spoke is the right shape, but both PSKs are shown in clear and are
! published here — rotate if real and store as type-6 ("key config-key password-encrypt" +
! "password encryption aes").
crypto keyring branch1-keyring vrf fdvrf | |
pre-shared-key address 198.51.100.254 key branch1key | |
crypto keyring branch2-keyring vrf fdvrf | |
pre-shared-key address 203.0.113.254 key branch2key | |
! | |
! NOTE(review): IKEv1: AES-128, DH group 2 (1024-bit), default SHA-1 hash, PSK, 8 h lifetime.
! Group 2/SHA-1 are below current guidance; prefer group 14+, SHA-256 and IKEv2 where supported.
crypto isakmp policy 1 | |
encr aes | |
authentication pre-share | |
group 2 | |
lifetime 28800 | |
! Dead Peer Detection every 10 s, retry every 10 s.
crypto isakmp keepalive 10 10 | |
! Each profile is pinned to one spoke's WAN address (/32) in fdvrf and to that spoke's keyring,
! so a spoke cannot authenticate with the other spoke's key.
crypto isakmp profile branch1-isakmp-profile | |
keyring branch1-keyring | |
match identity address 198.51.100.254 255.255.255.255 fdvrf | |
crypto isakmp profile branch2-isakmp-profile | |
keyring branch2-keyring | |
match identity address 203.0.113.254 255.255.255.255 fdvrf | |
! | |
! Anti-replay window 128 packets (default 64).
crypto ipsec security-association replay window-size 128 | |
! | |
! NOTE(review): ESP AES-128-CBC + HMAC-SHA1-96 on both sets; SHA-1/CBC are legacy, prefer
! SHA-256 or GCM where supported.
crypto ipsec transform-set branch1-vpn-tfset esp-aes esp-sha-hmac | |
crypto ipsec transform-set branch2-vpn-tfset esp-aes esp-sha-hmac | |
! Clear outer DF so post-encapsulation fragments are not dropped; pairs with adjust-mss/virtual-reassembly.
crypto ipsec df-bit clear | |
! | |
! Per-spoke IPsec profiles; PFS on, but with group 2.
crypto ipsec profile branch1-ipsec-profile | |
set transform-set branch1-vpn-tfset | |
set pfs group2 | |
! | |
crypto ipsec profile branch2-ipsec-profile | |
set transform-set branch2-vpn-tfset | |
set pfs group2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! VTI to branch 1. "tunnel vrf fdvrf" routes the outer (encrypted) packets via the underlay VRF;
! "ip vrf forwarding branch1-vrf" places the inner traffic in branch 1's VRF. Spoke end is 169.254.1.2.
interface Tunnel1 | |
ip vrf forwarding branch1-vrf | |
ip address 169.254.1.1 255.255.255.252 | |
ip virtual-reassembly | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan701 | |
tunnel mode ipsec ipv4 | |
tunnel destination 198.51.100.254 | |
tunnel vrf fdvrf | |
tunnel protection ipsec profile branch1-ipsec-profile | |
! | |
! | |
! VTI to branch 2, same pattern in branch2-vrf. Spoke end is 169.254.2.2.
interface Tunnel2 | |
ip vrf forwarding branch2-vrf | |
ip address 169.254.2.1 255.255.255.252 | |
ip virtual-reassembly | |
ip tcp adjust-mss 1396 | |
tunnel source Vlan701 | |
tunnel mode ipsec ipv4 | |
tunnel destination 203.0.113.254 | |
tunnel vrf fdvrf | |
tunnel protection ipsec profile branch2-ipsec-profile | |
! | |
! | |
interface BRI0 | |
no ip address | |
encapsulation hdlc | |
shutdown | |
isdn termination multidrop | |
! | |
! | |
! Switch ports 0-7 are at defaults (access mode, VLAN 1); Fa2 is the trunk toward the host side.
interface FastEthernet0 | |
! | |
! | |
interface FastEthernet1 | |
! | |
! | |
! Trunk toward the host side; presumably carries VLANs 701 (Internet), 901 and 902 — confirm, and
! consider an allowed-VLAN list so the Internet-facing VLAN is not exposed on every trunked port.
interface FastEthernet2 | |
description "for Host Access Interface" | |
switchport mode trunk | |
! | |
! | |
interface FastEthernet3 | |
! | |
! | |
interface FastEthernet4 | |
! | |
! | |
interface FastEthernet5 | |
! | |
! | |
interface FastEthernet6 | |
! | |
! | |
interface FastEthernet7 | |
! | |
! | |
! Out-of-band management port in VRF "mgmt"; proxy-ARP disabled.
interface FastEthernet8 | |
ip vrf forwarding mgmt | |
ip address 192.168.7.107 255.255.255.0 | |
no ip proxy-arp | |
ip virtual-reassembly | |
duplex auto | |
speed auto | |
! | |
! | |
interface GigabitEthernet0 | |
no ip address | |
shutdown | |
duplex auto | |
speed auto | |
! | |
! | |
interface Vlan1 | |
no ip address | |
shutdown | |
! | |
! | |
! NOTE(review): Internet-facing underlay SVI in fdvrf (192.0.2.254/24, gateway 192.0.2.1). No inbound
! ACL; only IKE (UDP/500, UDP/4500 if NAT-T) and ESP from the two spoke addresses (198.51.100.254,
! 203.0.113.254) need to reach it — filter here or confirm upstream filtering.
interface Vlan701 | |
ip vrf forwarding fdvrf | |
ip address 192.0.2.254 255.255.255.0 | |
! | |
! | |
! Hub-side LAN for branch 1 (10.1.10.0/24) in branch1-vrf.
interface Vlan901 | |
ip vrf forwarding branch1-vrf | |
ip address 10.1.10.1 255.255.255.0 | |
! | |
! | |
! Hub-side LAN for branch 2 (10.2.10.0/24) in branch2-vrf.
interface Vlan902 | |
ip vrf forwarding branch2-vrf | |
ip address 10.2.10.1 255.255.255.0 | |
! | |
! | |
ip forward-protocol nd | |
! HTTP/HTTPS management disabled.
no ip http server | |
no ip http secure-server | |
! | |
! | |
! Per-VRF routing: mgmt and fdvrf each have a default route; the branch VRFs have none, so each
! can only reach its own 10.N.0.0/16 (via its spoke) and its hub LAN — no Internet breakout
! from the hub and no cross-branch path.
ip route vrf mgmt 0.0.0.0 0.0.0.0 192.168.7.1 | |
ip route vrf fdvrf 0.0.0.0 0.0.0.0 192.0.2.1 | |
ip route vrf branch1-vrf 10.1.0.0 255.255.0.0 169.254.1.2 | |
ip route vrf branch2-vrf 10.2.0.0 255.255.0.0 169.254.2.2 | |
! | |
! | |
! | |
! | |
! | |
! | |
! | |
! NOTE(review): no CoPP configured under control-plane; the Internet-facing SVI can reach the
! router's control plane without rate limiting.
control-plane | |
! | |
! | |
! | |
! NOTE(review): console has no "login"/"password" and AAA is off — unauthenticated console.
line con 0 | |
logging synchronous | |
exec prompt timestamp | |
line aux 0 | |
! NOTE(review): "exec-timeout 0 0" never idles out (vty 5-15 use 15 min — align them); reversible
! type-7 shared password; no "login local"; no "access-class". Unlike the spokes, no "transport input"
! is set, so the platform default applies — confirm what that is on this image and set
! "transport input ssh" explicitly (needs "ip domain-name" + RSA key pair, absent here).
line vty 0 4 | |
exec-timeout 0 0 | |
password 7 0518121D224D5A5C4C | |
logging synchronous | |
login | |
exec prompt timestamp | |
! Remaining VTYs closed: all transports disabled.
line vty 5 15 | |
exec-timeout 15 0 | |
login | |
transport input none | |
transport output none | |
! | |
scheduler max-task-time 5000 | |
! Unauthenticated NTP over the management VRF.
ntp server vrf mgmt 192.168.7.16 | |
end |