From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Aug 27 2008 - 14:01:30 ART
Hi,
First of all, you should clearly understand that IPsec essentially emulates
a tunnel. Just as with any regular tunnel, you may associate the encapsulated
traffic with a VRF and isolate it inside a separate address space (thereby
allowing overlapping address spaces to co-exist smoothly). This has been
possible since 12.2(15)T, thanks to the VRF-aware IPsec feature:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm
This feature introduced the concepts of FVRF and IVRF (front-door and inside
VRFs). VRF-aware IPsec continued its growth and eventually they combined
it with more intuitive stuff known as VTI - Virtual Tunnel Interface.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
With this feature, you can simply assign a VRF to a VTI instance. This makes
the configuration even simpler.
More recently, they added support for BGP VPN over DMVPN (2547oDMVPN), which
made the traffic segregation feature more scalable. However, the restriction is
that you cannot run spoke-to-spoke traffic directly.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwanempls.pdf
This is probably the most complicated combination of VRF and IPsec VPN
features :)
Hope this small overview helps a bit.
--
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
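To make the FVRF/IVRF split and the VTI-in-a-VRF idea concrete, here is an added hub configuration sketch. It is not from Petr's message or from the Cisco documents linked above; the VRF names, addresses, interface numbers and pre-shared keys are all made up for illustration. Two spokes whose LANs both use 10.1.1.0/24 terminate on the same hub WAN interface; each VTI is placed in its own inside VRF, so the two identical prefixes never meet in one routing table. No NAT, GRE or MPLS is involved.

```cisco
! Added example (hypothetical names and addresses), not configuration from the thread.
! Hub: WAN link sits in the front-door VRF (FVRF); each spoke gets its own inside VRF.
ip vrf FVRF
 rd 65000:100
ip vrf SPOKE-A
 rd 65000:1
ip vrf SPOKE-B
 rd 65000:2
!
! Keyrings must live in the FVRF, because that is where the IKE packets arrive.
! Placeholder keys; use long random keys or certificates in a real deployment.
crypto keyring KR-A vrf FVRF
 pre-shared-key address 198.51.100.10 key REPLACE-WITH-STRONG-KEY-A
crypto keyring KR-B vrf FVRF
 pre-shared-key address 198.51.100.20 key REPLACE-WITH-STRONG-KEY-B
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! The trailing "FVRF" on match identity ties the peer lookup to the front-door VRF.
crypto isakmp profile PROF-A
 keyring KR-A
 match identity address 198.51.100.10 255.255.255.255 FVRF
crypto isakmp profile PROF-B
 keyring KR-B
 match identity address 198.51.100.20 255.255.255.255 FVRF
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-A
 set transform-set TS
 set isakmp-profile PROF-A
crypto ipsec profile IPSEC-B
 set transform-set TS
 set isakmp-profile PROF-B
!
interface GigabitEthernet0/0
 description Internet-facing; all tunnels terminate here (FVRF)
 ip vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
!
! VTI to spoke A. "ip vrf forwarding" = IVRF (decrypted traffic), "tunnel vrf" = FVRF (encrypted traffic).
interface Tunnel1
 description VTI to spoke A, inside VRF SPOKE-A
 ip vrf forwarding SPOKE-A
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel vrf FVRF
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-A
!
interface Tunnel2
 description VTI to spoke B, inside VRF SPOKE-B
 ip vrf forwarding SPOKE-B
 ip address 172.16.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel vrf FVRF
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-B
!
! Hub-side VLANs: each unique internal subnet is placed in the VRF of the spoke it must reach.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding SPOKE-A
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding SPOKE-B
 ip address 192.168.20.1 255.255.255.0
!
! Routing: the same remote prefix appears once per VRF, which is the whole point.
ip route vrf FVRF 0.0.0.0 0.0.0.0 203.0.113.254
ip route vrf SPOKE-A 10.1.1.0 255.255.255.0 Tunnel1
ip route vrf SPOKE-B 10.1.1.0 255.255.255.0 Tunnel2
!
! Checks after the spokes come up:
!   show crypto session          (one UP-ACTIVE session per tunnel, FVRF shown as the interface VRF)
!   show ip route vrf SPOKE-A    (10.1.1.0/24 via Tunnel1 only)
!   show ip route vrf SPOKE-B    (10.1.1.0/24 via Tunnel2 only)
```

The caveat a practitioner should keep in mind: the VRFs isolate the overlap, they do not resolve it. A hub VLAN in SPOKE-A reaches spoke A's 10.1.1.0/24, a VLAN in SPOKE-B reaches spoke B's, but a single hub host cannot reach both copies of 10.1.1.0/24, since two identical prefixes cannot coexist in one routing table; that case still needs NAT at one end or a renumbering.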
2008/8/27 Muhammad Ahmed <faisal3541@hotmail.com>
> Petr Lapukhov from Internetworkexpert.com wrote a very interesting and good
> blog on EzVPN and VRF-Lite but in his write-up he is using EzVPN client mode
> which essentially takes care of the remote overlapping subnets anyway. As I
> have no knowledge of VRF(s) I must be missing something as I know Petr is an
> expert just by reading his postings in the IE Blog.
>
> http://blog.internetworkexpert.com/2008/06/15/easy-vpn-combined-with-vrf-lite-2/#more-127
>
> Essentially I am trying to "do the Brains from IE", though I am beginning to
> realize it might be impossible to "do the Brian Dennis or Brian McGahan from
> IE". This should be a new phrase in the English dictionary. I attended his
> 12-Day R&S bootcamp and was impressed to find out some of the ways individual
> technologies can be combined and used to devise a solution even though the
> architects of the technologies did not intend to use it for that purpose.
>
> Yes I am brown nosing and hoping one of the Brains would be amused enough and
> reply to this post with some thoughts about solving the overlapping subnets issue
> on IPSEC tunnels without NAT.
>
> Best regards,
> Muhammad
>
> > Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> > Date: Wed, 27 Aug 2008 15:07:57 +0200
> > From: Shaughn.Smith@za.verizonbusiness.com
> > To: faisal3541@hotmail.com; joe@affirmedsystems.com; ccielab@groupstudy.com
> >
> > First of all VRF lite will not work without this
> >
> > MPLS backbone or MPLS VPN(s) shall not be used.
> >
> > Your options are limited then to IPSEC tunnels. Not sure how you are
> > going to get around the duplicate subnet issues
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Muhammad Ahmed
> > Sent: Wednesday, August 27, 2008 3:01 PM
> > To: Joseph Brunner; ccielab@groupstudy.com
> > Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> >
> > Thanks Joe. I forgot to mention the restriction is not to use NAT at either
> > Hub or Spokes. That's why I am hoping to find a solution using VRF-Lite. As I
> > do not understand VRF(s) at all, I do not know if VRF-Lite can solve the issue.
> >
> > I am not looking for a solution on a plate, I wish, only a validation of a
> > possibility using VRF-Lite. If the experts on this list say yes, it can be
> > done and hopefully point to some links, I would take it to the LAB, test it
> > and validate the POC.
> >
> > The requirements are as follows:
> > NAT cannot be configured on the Hub or the Spokes.
> > MPLS backbone or MPLS VPN(s) shall not be used.
> > GRE Tunnels cannot be used.
> > All IPSEC VPN(s) terminate on a single interface on a Cisco router.
> > Multiple logical interfaces on this router provide connectivity to multiple
> > unique internal subnet(s)/VLAN(s).
> > Multiple remote overlapping subnet(s) shall be reachable from the unique
> > internal subnet(s) over the encrypted tunnel(s).
> >
> > Any help would be greatly appreciated.
> >
> > Best Regards,
> > Muhammad
> >
> > > Date: Wed, 27 Aug 2008 00:04:03 -0400
> > > From: joe@affirmedsystems.com
> > > Subject: RE: IPSEC VPN Overlapping subnets with VRF-lite
> > > To: faisal3541@hotmail.com; ccielab@groupstudy.com
> > >
> > > You don't need the complexity of VRF to do this...
> > >
> > > You can create multiple gre/ipsec tunnels nat between the branch offices and
> > > the hub (and thereby each other)
> > >
> > > The nat can actually be done at the spoke site. This way the hub will only
> > > be presented with the "after nat" or inside global addresses for the branch
> > > offices... ugly but it works...
> > >
> > > The only interesting traffic on the vpn tunnels is the GRE traffic which is
> > > sourced from public ip address (ipsec source) to public ip address (ipsec
> > > destination). You will not need to play around with adding private ip (which
> > > are being natted to ipsec acl's)
> > >
> > > Of course you will need plenty of modified dns records internally for AD (if
> > > you use Microsoft), etc. to make sure replication works and other internal
> > > hosts see the "after nat" address.
> > >
> > > -Joe
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Muhammad Ahmed
> > > Sent: Tuesday, August 26, 2008 11:53 PM
> > > To: ccielab@groupstudy.com
> > > Subject: IPSEC VPN Overlapping subnets with VRF-lite
> > >
> > > Good evening all,
> > >
> > > I am trying to come up with a solution so that multiple overlapping subnets
> > > can create IPSEC tunnel on a single hub router (central site) interface.
> > > Google returns some references of using VRF-Lite and IPSEC but I cannot find
> > > any detailed explanation or configuration example listed anywhere.
> > >
> > > If someone knows how it can be done, please let me know.
> > >
> > > Best regards,
> > > Muhammad
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART