http://www.networking-forum.com/viewtopic.php?f=35&t=24269
I was looking for a way to connect different data center VRFs. VRF-aware IPsec using VTI was the idea at the time. This solution works but is not very scalable. Each VRF requires a VTI, which requires a loopback for termination, an isakmp profile and a /30 network for connecting. If I have 10 VRFs, I have to have 10 VTIs, 10 loopbacks, 10 isakmp profiles and 10 /30 networks. It has been cumbersome.
My objectives are:
- Provide segmented connectivity to different VRFs between multiple sites
- Encrypt data for PCI compliance
- Reduce the complexity of configuration
I am looking at a new way to do this. I have been learning MPLS for the past month. I think the way to go might be MPLS-over-GRE-over-IPSec. It would still give me the segmentation and encryption I need to be PCI compliant and substantially reduce the complexity because there is only one GRE and one IPSec tunnel. I labbed it up and it all seems to work.
The configs:
!
hostname R1
!
!
ip vrf vrfA
rd 1.1.1.1:20
route-target export 65000:20
route-target import 65000:20
!
ip vrf vrfB
rd 1.1.1.1:21
route-target export 65000:21
route-target import 65000:21
!
ip vrf vrfC
rd 1.1.1.1:22
route-target export 65000:22
route-target import 65000:22
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address 192.168.1.2
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set aesset
match address acl_vpn
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.2.1 255.255.255.0
ip tcp adjust-mss 1400
mpls ip
tunnel source FastEthernet0/0
tunnel destination 192.168.1.2
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
mtu 1546
crypto map aesmap
!
interface FastEthernet1/0
switchport access vlan 20
!
interface FastEthernet1/1
switchport access vlan 21
!
interface FastEthernet1/2
switchport access vlan 22
!
interface Vlan20
ip vrf forwarding vrfA
ip address 10.20.1.1 255.255.255.0
no ip proxy-arp
!
interface Vlan21
ip vrf forwarding vrfB
ip address 10.21.1.1 255.255.255.0
no ip proxy-arp
!
interface Vlan22
ip vrf forwarding vrfC
ip address 10.22.1.1 255.255.255.0
no ip proxy-arp
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
auto-cost reference-bandwidth 100000
network 1.1.1.1 0.0.0.0 area 0.0.0.0
network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
router bgp 65000
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 65000
neighbor 2.2.2.2 ebgp-multihop 4
neighbor 2.2.2.2 update-source Loopback0
!
address-family ipv4
neighbor 2.2.2.2 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf vrfC
no synchronization
network 10.22.1.0 mask 255.255.255.0
exit-address-family
!
address-family ipv4 vrf vrfB
no synchronization
network 10.21.1.0 mask 255.255.255.0
exit-address-family
!
address-family ipv4 vrf vrfA
no synchronization
network 10.20.1.0 mask 255.255.255.0
exit-address-family
!
!
ip access-list extended acl_vpn
permit ip host 192.168.1.1 host 192.168.1.2
!
!
hostname R2
!
ip vrf vrfA
rd 2.2.2.2:20
route-target export 65000:20
route-target import 65000:20
!
ip vrf vrfB
rd 2.2.2.2:21
route-target export 65000:21
route-target import 65000:21
!
ip vrf vrfC
rd 2.2.2.2:22
route-target export 65000:22
route-target import 65000:22
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address 192.168.1.1
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set aesset
match address acl_vpn
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 192.168.2.2 255.255.255.0
ip tcp adjust-mss 1400
mpls ip
tunnel source FastEthernet0/0
tunnel destination 192.168.1.1
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
mtu 1546
crypto map aesmap
!
interface FastEthernet1/0
switchport access vlan 20
!
interface FastEthernet1/1
switchport access vlan 21
!
interface FastEthernet1/2
switchport access vlan 22
!
interface Vlan20
ip vrf forwarding vrfA
ip address 10.20.2.1 255.255.255.0
no ip proxy-arp
!
interface Vlan21
ip vrf forwarding vrfB
ip address 10.21.2.1 255.255.255.0
no ip proxy-arp
!
interface Vlan22
ip vrf forwarding vrfC
ip address 10.22.2.1 255.255.255.0
no ip proxy-arp
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
auto-cost reference-bandwidth 100000
network 2.2.2.2 0.0.0.0 area 0.0.0.0
network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
router bgp 65000
bgp router-id 2.2.2.2
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 ebgp-multihop 4
neighbor 1.1.1.1 update-source Loopback0
!
address-family ipv4
neighbor 1.1.1.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf vrfC
no synchronization
network 10.22.2.0 mask 255.255.255.0
exit-address-family
!
address-family ipv4 vrf vrfB
no synchronization
network 10.21.2.0 mask 255.255.255.0
exit-address-family
!
address-family ipv4 vrf vrfA
no synchronization
network 10.20.2.0 mask 255.255.255.0
exit-address-family
!
ip access-list extended acl_vpn
permit ip host 192.168.1.2 host 192.168.1.1
!
Everything seems to be working on the GNS3 demo. So I am wondering a few things:
MTU - Our service provider can support a maximum MTU of 1546 bytes on their Ethernet circuits. With MPLS (4 bytes per label?), GRE (24 bytes), tcp-mss set to 1400 and IPsec (??? bytes), will I run into any issues with fragmentation or dropped packets (if the DF bit is set)?
QoS - What are some guidelines for running QoS with MPLS? How do I make one VRF's EF traffic higher priority than another VRF's AF41, but then make any VRF's BE traffic lower priority than another VRF's non-BE traffic?
Router Performance – Does running all the services drastically affect router performance?
Any other info, advice, war stories are welcome as well.
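The MTU question above can be answered by adding up the headers the posted configs put on the wire. The following calculator is an added example, not part of the original post or the configs in it. It models the stack the configs build: an inner VRF IPv4 packet, an MPLS label stack, GRE (4-byte header plus 20-byte outer IPv4, the 24 bytes quoted in the post), and an ESP tunnel-mode SA as the crypto map with `esp-aes 256 esp-sha-hmac` negotiates it (20-byte outer IPv4, 8-byte ESP header, 16-byte AES-CBC IV, padding to a 16-byte block, 2-byte trailer, 12-byte HMAC-SHA1-96 ICV). Assumptions not stated on the page: IPv4 without options, a plain GRE header with no key, checksum or sequence fields, one label on the wire by default (the VPN label; the LDP label for a directly connected peer is implicit-null), and the provider's 1546 figure being the IP MTU of the link. The default label count is a parameter so the two-label worst case can be checked too.

```python
"""Encapsulation-overhead calculator for MPLS-over-GRE-over-IPsec.

Models the stack built by the R1/R2 configs in the thread: inner IPv4 ->
MPLS label(s) -> GRE -> ESP tunnel mode (AES-256-CBC, HMAC-SHA1-96).
Assumptions: IPv4 without options, a 4-byte GRE header, and the 1546-byte
provider figure being the IP MTU of the link.
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # flags/version + protocol type (0x8847 for MPLS unicast)
MPLS_LABEL = 4
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
AES_BLOCK = 16         # AES-CBC IV length and padding alignment
SHA1_96_ICV = 12       # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits


def esp_padding(payload_len, block=AES_BLOCK):
    """ESP padding bytes so that payload + trailer aligns to the cipher block."""
    return (-(payload_len + ESP_TRAILER)) % block


def esp_tunnel_size(payload_len, iv_len=AES_BLOCK, icv_len=SHA1_96_ICV):
    """Wire size of an ESP tunnel-mode packet carrying payload_len bytes."""
    pad = esp_padding(payload_len)
    return IPV4_HDR + ESP_HDR + iv_len + payload_len + pad + ESP_TRAILER + icv_len


def gre_mpls_size(inner_len, labels=1):
    """GRE packet: outer IPv4 + GRE header + label stack + inner IP packet."""
    return IPV4_HDR + GRE_HDR + labels * MPLS_LABEL + inner_len


def wire_size(inner_len, labels=1):
    """Bytes on the provider link for one inner (VRF) IP packet."""
    return esp_tunnel_size(gre_mpls_size(inner_len, labels))


def fits(inner_len, link_mtu=1546, labels=1):
    """True if the packet crosses the link without IPsec-level fragmentation."""
    return wire_size(inner_len, labels) <= link_mtu


def max_inner_mtu(link_mtu=1546, labels=1):
    """Largest inner IP packet that fits unfragmented.

    wire_size() is a non-decreasing step function of inner_len (padding
    absorbs growth up to the block size), so the first value that fits when
    walking down from link_mtu is the maximum.
    """
    for inner in range(link_mtu, 0, -1):
        if fits(inner, link_mtu, labels):
            return inner
    return 0


def inner_from_mss(mss):
    """Inner IPv4 packet size of a full TCP segment with the given MSS."""
    return mss + IPV4_HDR + TCP_HDR


def mss_for_inner_mtu(inner_mtu):
    """TCP MSS that exactly fills an inner packet of inner_mtu bytes."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    link = 1546
    for labels in (1, 2):
        tcp = inner_from_mss(1400)   # what 'ip tcp adjust-mss 1400' produces
        print(f"{labels} label(s): MSS-1400 TCP segment -> {wire_size(tcp, labels)} "
              f"bytes on the wire, fits={fits(tcp, link, labels)}")
        print(f"{labels} label(s): 1500-byte non-TCP packet -> {wire_size(1500, labels)} "
              f"bytes, fits={fits(1500, link, labels)}")
        m = max_inner_mtu(link, labels)
        print(f"{labels} label(s): max inner MTU {m} "
              f"(tunnel ip mtu {m}, tcp adjust-mss {mss_for_inner_mtu(m)})")
```

With the thread's numbers, a full TCP segment under `adjust-mss 1400` is 1528 bytes on the wire with one label and 1544 with two, so it clears a 1546-byte link either way. A 1500-byte non-TCP packet (UDP, ICMP, anything adjust-mss cannot touch) comes out at 1592 bytes and will be fragmented at the IPsec stage or dropped if DF is honoured; the calculator puts the largest inner packet that survives at 1458 bytes with one label and 1454 with two, which is the figure to consider for `ip mtu` on the tunnel if fragmentation of non-TCP VRF traffic is a concern.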