Monday, April 4, 2011

VRF-aware Multipoint GRE Tunnel

A GRE tunnel is especially useful for encapsulating network traffic (including IGP routing) separately from the underlying infrastructure. One useful application is a logical Out-of-Band (OOB) management interface for network management in a separate VRF. The default point-to-point GRE tunnels are easy to set up when you have only a few remote sites to connect. They become less scalable as the number of sites grows. To overcome this, consider a point-to-multipoint tunnel instead. Instead of having multiple tunnels on the Hub router, you can have just one tunnel that connects to all spoke sites. And you don't have to manually map all the spoke destination addresses, as all the spoke routers register dynamically with the Hub router using NHRP. Consider the following diagram:
Assume that the outer VRF (including the loopback interfaces) is already routable (e.g. via OSPF, BGP, etc.) within this network. We are setting up another VRF, the inner one, for network management purposes.

On Hub CE Router A:

  interface Tunnel1
   ip vrf forwarding inner
   ip address 192.168.1.1 255.255.255.0
   ! the NHRP authentication key must match on all spokes
   ip nhrp authentication cisco
   ip nhrp map multicast dynamic
   ! the NHRP network-id must match as well
   ip nhrp network-id 123
   ip ospf network broadcast
   ip ospf priority 10
   ! only the source is defined; a multipoint tunnel has no single destination
   tunnel source Loopback0
   tunnel mode gre multipoint
   ! and the tunnel key must match too
   tunnel key 123
   ! the tunnel endpoints are reached through the outer VRF
   tunnel vrf outer
  !
  router ospf 120 vrf inner
   network 172.16.1.1 0.0.0.0 area 0
   network 192.168.1.0 0.0.0.255 area 0


On spoke router B:

  interface Tunnel1
   ip vrf forwarding inner
   ip address 192.168.1.2 255.255.255.0
   ip nhrp authentication cisco
   ! map the hub's inner (tunnel) address to its outer (loopback) address
   ip nhrp map 192.168.1.1 10.1.1.1
   ! send multicast (OSPF hellos) to the hub's outer address
   ip nhrp map multicast 10.1.1.1
   ip nhrp network-id 123
   ! define the hub router as the next-hop server to register with
   ip nhrp nhs 192.168.1.1
   ip ospf network broadcast
   ip ospf priority 0
   tunnel source Loopback0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel vrf outer
  !
  router ospf 120 vrf inner
   network 172.16.1.2 0.0.0.0 area 0
   network 192.168.1.0 0.0.0.255 area 0

On spoke router C:

  interface Tunnel1
   ip vrf forwarding inner
   ip address 192.168.1.3 255.255.255.0
   ip nhrp authentication cisco
   ! map the hub's inner (tunnel) address to its outer (loopback) address
   ip nhrp map 192.168.1.1 10.1.1.1
   ! send multicast (OSPF hellos) to the hub's outer address
   ip nhrp map multicast 10.1.1.1
   ip nhrp network-id 123
   ! define the hub router as the next-hop server to register with
   ip nhrp nhs 192.168.1.1
   ip ospf network broadcast
   ip ospf priority 0
   tunnel source Loopback0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel vrf outer
  !
  router ospf 120 vrf inner
   network 172.16.1.3 0.0.0.0 area 0
   network 192.168.1.0 0.0.0.255 area 0

If you have a second Hub router at the headend, you can set up another multipoint tunnel for redundancy, as in the following diagram:
Nevertheless, the newly created overlay VPN remains unencrypted. You may also wish to protect it using IPsec. Cisco calls this combination of IPsec and multipoint GRE "Dynamic Multipoint VPN" or "DMVPN", which I will blog about in my next post.
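The inline notes in the configs above call for several parameters to agree between hub and spokes (NHRP authentication key, network-id, tunnel key, the spoke's NHS and static map), and the closing paragraph points out that the mGRE overlay is unencrypted until IPsec is applied. The following script is an added example, not code from the post: it parses the tunnel stanza out of IOS-style config text, checks each spoke against the hub for those mismatches, and flags every tunnel that lacks a `tunnel protection ipsec profile` line. It assumes the tunnel is named Tunnel1 and that the absence of that line means no encryption; the sample configs mirror the ones in the post, except that spoke C is deliberately given a wrong tunnel key (constructed drift) so the check has something to catch.

```python
"""Check hub/spoke mGRE+NHRP configs for the mismatches the post warns about,
and flag tunnels that carry traffic without IPsec."""
from typing import Any, Dict, List

# Constructed sample configs mirroring the hub and spoke snippets in the post.
HUB_CONFIG = """
interface Tunnel1
 ip vrf forwarding inner
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel vrf outer
!
"""
SPOKE_TEMPLATE = """
interface Tunnel1
 ip vrf forwarding inner
 ip address {addr} 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 192.168.1.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key {key}
 tunnel vrf outer
!
"""
SPOKE_B_CONFIG = SPOKE_TEMPLATE.format(addr="192.168.1.2", key="123")
# Constructed drift case: spoke C typed with the wrong tunnel key.
SPOKE_C_CONFIG = SPOKE_TEMPLATE.format(addr="192.168.1.3", key="124")


def parse_tunnel(config: str, label: str, name: str = "Tunnel1") -> Dict[str, Any]:
    """Extract the tunnel parameters that must agree across hub and spokes."""
    t: Dict[str, Any] = {"label": label, "nhs": [], "maps": {}, "multicast": [], "protection": False}
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):  # enter or leave the tunnel stanza
            inside = line.split()[1] == name
            continue
        if not inside:
            continue
        w = line.split()
        if line.startswith("ip vrf forwarding "):
            t["inner_vrf"] = w[3]
        elif line.startswith("ip address "):
            t["address"] = w[2]
        elif line.startswith("ip nhrp authentication "):
            t["nhrp_auth"] = w[3]
        elif line.startswith("ip nhrp network-id "):
            t["network_id"] = w[3]
        elif line.startswith("ip nhrp nhs "):
            t["nhs"].append(w[3])
        elif line.startswith("ip nhrp map multicast "):  # must precede the generic map case
            t["multicast"].append(w[4])
        elif line.startswith("ip nhrp map "):  # overlay (inner) address -> outer address
            t["maps"][w[3]] = w[4]
        elif line.startswith("tunnel mode "):
            t["mode"] = " ".join(w[2:])
        elif line.startswith("tunnel key "):
            t["tunnel_key"] = w[2]
        elif line.startswith("tunnel vrf "):
            t["outer_vrf"] = w[2]
        elif line.startswith("tunnel protection ipsec profile "):
            t["protection"] = True
    return t


def check_overlay(hub: Dict[str, Any], spokes: List[Dict[str, Any]]) -> List[str]:
    """Return findings; an empty list means the overlay is consistent and encrypted."""
    findings: List[str] = []
    for s in spokes:
        # These must be identical or NHRP registration / GRE decapsulation fails.
        for key in ("nhrp_auth", "network_id", "tunnel_key", "mode", "inner_vrf", "outer_vrf"):
            if s.get(key) != hub.get(key):
                findings.append(f"{s['label']}: {key} {s.get(key)!r} differs from hub {hub.get(key)!r}")
        # The spoke must register with the hub's overlay address and know its outer address.
        if hub["address"] not in s["nhs"]:
            findings.append(f"{s['label']}: hub {hub['address']} is not configured as NHS")
        for nhs in s["nhs"]:
            outer = s["maps"].get(nhs)
            if outer is None:
                findings.append(f"{s['label']}: no static NHRP map for NHS {nhs}")
            elif outer not in s["multicast"]:
                findings.append(f"{s['label']}: multicast (OSPF hellos) not mapped to hub outer address {outer}")
    # GRE alone gives no confidentiality: flag every tunnel without an IPsec profile.
    for dev in [hub, *spokes]:
        if not dev["protection"]:
            findings.append(f"{dev['label']}: tunnel is unencrypted (no 'tunnel protection ipsec profile')")
    return findings


if __name__ == "__main__":
    hub = parse_tunnel(HUB_CONFIG, "hub-A")
    spokes = [parse_tunnel(SPOKE_B_CONFIG, "spoke-B"), parse_tunnel(SPOKE_C_CONFIG, "spoke-C")]
    for finding in check_overlay(hub, spokes):
        print(finding)
```

Run against the sample configs, spoke B produces no mismatch findings, spoke C is reported for its tunnel key, and all three tunnels are reported as unencrypted, which is exactly the state the post describes before IPsec is added.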

1 comment:

  1. I really get a great volume of information from your post. Thanks for this valuable input.

    Point to point wifi
