DMVPN with Front Door VRF
Continuing with the DMVPN posts, I will explain a term used in this technology: the Front Door VRF, also called F-VRF.
As we know, Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to coexist in the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used in different VRFs without conflicting with each other. In an MPLS L3VPN context the acronym is often expanded as VPN Routing and Forwarding.
Typically VRFs are deployed in one of the following two configurations:
- Inside VRF a.k.a. I-VRF: the GRE tunnel and the LAN interface are configured in a VRF, while the public interface (carrying the GRE/IPsec traffic) stays in the global routing table. IPsec packets are therefore forwarded using the global routing table, and the GRE-decapsulated packets are forwarded using the associated VRF.
In terms of configuration, the idea is as follows:
!
vrf definition INET
 !
 address-family ipv4
 exit-address-family
!
interface Tunnel100
 vrf forwarding INET
 tunnel source GigabitEthernet 0/0/1
!
interface GigabitEthernet 0/0/1
 description *** Interface on Global Routing Table ***
!
interface GigabitEthernet 0/0/0
 description *** LAN Interface ***
 vrf forwarding INET
!
- Front Door VRF a.k.a. F-VRF: the GRE tunnel and the LAN interface stay in the global routing table, while the public interface (carrying the GRE/IPsec traffic) is placed in a VRF. IPsec packets are therefore forwarded using the VRF routing table, and the GRE-decapsulated packets are forwarded using the global table.
The idea here is to run the underlay in its own VRF, isolating the transport network (usually Internet- or MPLS-facing) from the internal routing. The underlay default route lives in that VRF, so it cannot interfere with routing in the global table, and hosts on the transport side have no direct path to global-table destinations: traffic only enters the global table after GRE decapsulation, that is, through the protected tunnel. In terms of configuration, it is as follows:
!
vrf definition INET
 !
 address-family ipv4
 exit-address-family
!
interface Tunnel100
 tunnel source GigabitEthernet 0/0/1
 tunnel vrf INET
!
interface GigabitEthernet 0/0/1
 vrf forwarding INET
!
interface GigabitEthernet 0/0/0
 description *** Interface on Global Routing Table ***
!
So, when a separate VRF is used for the underlay, the tunnel gets the command tunnel vrf <FVRF>, which tells the router that the tunnel source and destination (the underlay, or NBMA, addresses) are looked up in that VRF. The tunnel interface itself, and therefore the overlay IP addresses, remain in the default (global) VRF, because no vrf forwarding is applied to the tunnel. The VRF named in tunnel vrf must be the same VRF the tunnel source interface belongs to; otherwise the encapsulated packets are looked up in the wrong routing table and the tunnel never forms.
If we are using IPsec profiles with DMVPN, it is also necessary to specify match fvrf any (or, more restrictively, match fvrf INET) on the IKEv2 policy and on the IKEv2 profile used to establish the IPsec sessions. Without it both default to the global VRF, so an IKEv2 negotiation arriving on the interface in the front door VRF matches neither and the session is never established. The configuration is as follows:
!
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 ! The following line is required for the F-VRF underlay
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 ! The following line is required for the F-VRF underlay
 match fvrf any
 match identity remote address 0.0.0.0
 identity local address 192.168.255.1
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile PROTECT-TUN100
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel100
 .
 .
 .
 tunnel source GigabitEthernet 0/0/1
 tunnel vrf INET
 tunnel protection ipsec profile PROTECT-TUN100
!
In general terms, IPsec protects the DMVPN tunnels while the underlay network lives in a separate VRF: the overlay (global table) and the transport (F-VRF) only meet inside the protected tunnel. One caveat on the example above: the wildcard keyring (peer ANY with address 0.0.0.0 0.0.0.0 and a single pre-shared key) together with match identity remote address 0.0.0.0 lets any peer that knows the key join the DMVPN cloud. That is convenient in a lab, but in production use per-peer keys or certificate-based authentication.
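Putting the pieces together, here is a complete hub and spoke configuration with the underlay in the front door VRF. This is an added example, not the configuration from the original post: the transport addresses (203.0.113.0/24 and 198.51.100.0/24), the LAN addresses (10.x.0.0/24), the overlay 192.168.255.0/24, the NHRP network-id, the object names and the pre-shared key are all assumed lab values. It narrows the page's match fvrf any to match fvrf INET, shows the default route that exists only in the F-VRF, and adds the NHRP commands a hub and a spoke need. Routing over the overlay (a routing protocol or static routes via Tunnel100) is left out.

```cisco
! ===== Added example: DMVPN hub, underlay in F-VRF INET (assumed lab values) =====
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Transport interface lives in the F-VRF. "vrf forwarding" goes before the
! address because changing an interface's VRF removes its IP address.
interface GigabitEthernet0/0/1
 description *** Underlay / Internet (F-VRF INET) ***
 vrf forwarding INET
 ip address 203.0.113.1 255.255.255.0
!
! Default route only in the F-VRF: the global table gets no route to the transport.
ip route vrf INET 0.0.0.0 0.0.0.0 203.0.113.254
!
interface GigabitEthernet0/0/0
 description *** LAN (global routing table) ***
 ip address 10.1.0.1 255.255.255.0
!
! --- IKEv2 / IPsec, identical on hub and spokes ---
crypto ikev2 proposal AES-GCM-256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES-GCM-256
 ! Restricted to the F-VRF instead of "any"
 match fvrf INET
 proposal AES-GCM-256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  ! Wildcard PSK: lab only, use per-peer keys or certificates in production
  pre-shared-key c15c0123
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 match fvrf INET
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec transform-set AES256-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile PROTECT-TUN100
 set transform-set AES256-GCM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
! --- Overlay: the tunnel stays in the global table, only its endpoints are in INET ---
interface Tunnel100
 description *** DMVPN hub (global routing table) ***
 ip address 192.168.255.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel vrf INET
 tunnel protection ipsec profile PROTECT-TUN100
!
! ===== Spoke: same VRF definition and crypto blocks; only the differences are shown =====
interface GigabitEthernet0/0/1
 vrf forwarding INET
 ip address 198.51.100.2 255.255.255.0
!
ip route vrf INET 0.0.0.0 0.0.0.0 198.51.100.254
!
interface GigabitEthernet0/0/0
 ip address 10.2.0.1 255.255.255.0
!
interface Tunnel100
 ip address 192.168.255.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp nhs 192.168.255.1
 ip nhrp map 192.168.255.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel vrf INET
 tunnel protection ipsec profile PROTECT-TUN100
```

To check the isolation after applying it: show ip route vrf INET should list the default route, while show ip route (global) should not; show crypto ikev2 sa lists the session with its fvrf/ivrf, and show dmvpn shows the spoke's NBMA-to-tunnel mapping once NHRP has registered over the protected tunnel.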