There are other benefits of this design and it's quite commonly used in the SP/enterprise world.
Front door VRF.
Crypto map based with IVRF cust1 VRF and FVRF internet VRF.
This step is only required when configuring a front door VRF (FVRF).
Figure 1.0 shows a typical scenario below. This scenario is common amongst service providers, and geographic separation is normally sold as part of the solution.
Under the geographic separation scenario, EoMPLS would normally be used to link the two IP networks.
The crypto isakmp key command doesn't support VRFs.
If you don't use a keyring, you won't be able to apply the key to the ISAKMP profile, so the IPsec configuration won't have access to a.
When you are using a front door VRF, you can't define the key using the old crypto isakmp key command.
vrf-name: Name assigned to the VRF.
All we did is stitch them together.
Router ospf 100 vrf pipe router-id 13.13.13.13 4.
Front door VRF or outside VRF: the VRF that contains the encrypted traffic.
The IVRF of these tunnels can be different and.
Configuring the physical interface on R1 and R4 to be VRF-aware.
Router(config-if)# tunnel destination ip-address
Sets the destination address of a tunnel.
As you can see, we did not move the Tunnel11 interface from the global routing table to the routing table for VRF pipe.
(Optional) Associates a VPN routing and forwarding instance (VRF) with a specific tunnel destination, interface, or subinterface.
One or more IPsec tunnels can terminate on a single interface.
The concept is called FVRF IPsec or, in English, front door VRF IPsec.
The routing instance that is used if no specific VRF is defined.
Create a front door VRF named fvrf on R1 and R4.
If no VRF-aware config is used, everything is done in the global VRF and all interfaces are in the global VRF.
The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface.
Modify the tunnel interface to stitch the tunnel to the front door VRF.
The key must be defined in a keyring.