VRF AWARE NAT

hi, i want to implement vrf aware nat and i want to create a single pool for all vrfs. when the traffic returns is there a way the ios identify which vrf the IP belongs to so i dont have to specify the pool for each vpn whit static routes? Thanks ahead- asanes

Hi,
As I understand you want to integrate NAT with MPLS based VPNs.
Follwing Cisco link should help:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.htm#wp1035671
Cheers,
Sultan.

Similar Messages

  • 6500 VRF aware NAT

    Hi
    In an Enterprise Network we are using CAT6500 SUP720/MSFC3B with VRF Lite.
    According to the Software Advisor VRF aware NAT is not supported on the 6k. But I think with the MPLS image it should be supported.
    My question: Is it supported and if yes whats the recommended image if i just want to have vrf-lite with vrf aware NAT - no MPLS
    cheers
    patrick

    IF you have a FWSM then you should be good to go for the VRF-Aware NAT. I am not aware of NAT being performed natively on the SUP.
    HTH-Cheers,
    Swaroop

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows then engine as aim vpn), but we still get the same throughput and high CPU. allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as a IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage(80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
    When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high cpu although it is a little lower.
    Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
    Anyone have some ideas?

  • VRF Aware DVTI and PKI

    Hi,
    i´ve try to get an dynamic VTI with VRF Aware on the HUB Router and PKI for Authentication.
    My Problem is, that Phase1 works fine, but Phase2 doesn´t came up.
    debug crypto isakmp
    Feb  7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
    Feb  7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
    The proposals are OK.
    Here are the config parts.
    crypto isakmp profile P1
       ca trust-point VPN
       match certificate CERMAP1
       virtual-template 11
    crypto ipsec profile P1
    set transform-set AES256
    set isakmp-profile P1
    interface Virtual-Template11 type tunnel
    vrf forwarding <VRF Name>
    ip unnumbered Loopback0
    ip virtual-reassembly in
    tunnel mode ipsec ipv4
    tunnel vrf OUTSIDE_VTI
    tunnel protection ipsec profile P1
    Have any one of you a working configuration with this parameters or an idea, what i can do ?
    The Virtual-Template Interface ist up/down and no interface virtual-acces was created.
    Many Thanks !!!

    This is the output from debug crypto isakmp....
    Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
    Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
    Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
    Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
    Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
    Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
    Feb 7 18:41:37.048: ISAKMP: keylength of 256
    Feb 7 18:41:37.048: ISAKMP: hash SHA
    Feb 7 18:41:37.048: ISAKMP: default group 2
    Feb 7 18:41:37.048: ISAKMP: auth RSA sig
    Feb 7 18:41:37.048: ISAKMP: life type in seconds
    Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
    Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
    Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
    Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
    Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
    Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR2.customer.de
    protocol : 17
    port : 0
    length : 30
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
    Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
    Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 0x2107EC78
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
    Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
    bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
    Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
    Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
    Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
    Feb 7 18:41:37.168: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR1.company.de
    protocol : 17
    port : 0
    length : 26
    Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
    Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
    Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
    Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
    Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
    Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
    Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
    Feb 7 18:41:37.212: ISAKMP: attributes in transform:
    Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
    Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
    Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
    Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
    Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
    Feb 7 18:41:37.212: ISAKMP: key length is 256
    Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
    Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
    Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
    Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 573410632, message ID = 3485024147
    Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
    Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"

  • RADIUS config for VRF-aware VPDN multihop tunnel

    Hi,
    Can't find the LNS config directives those will lead to get complete(!) vpdn profile from radius.
    The configuration is:
    LAC-LNS/PE-LNS/CE
    LNS/PE - provider edge lns that we want to configure using radius profile for vrf-aware multihop vpdn so that incoming tunnel is switched out to LNS/CE in one of the vrfs configured on LNS/PE.
    The "vpdn tunnel authorization " command lets me get the profile for ingress session coming from LAC, but in order to switch the tunnel further to LNS/CE i have to config vpdn-group on LNS/PE. Is it possible to make a RADIUS profile that LNS/PE will use for both ingress and egress tunnels?

    Hello Alex,
    I would like to point you to this forun into another section. There is currently a "Ask The Expert" about MPLS VPNs at http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda563c
    Maybe it will be more suitable to address your questions there.
    Hope this Helps!
    Regards, Martin

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features ?
    Regards
    Mahesh

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • EIGRP authentication in named mode breaks vrf aware DMVPN

    Hi Friends,
    I build a vrf aware DMVPN, and advertise the GRE ip in EIGRP named mode. All works well till I enable authentication in af-interface tunnel 0.
    Once I enable the authentication "hmac-sha256'', it breaks the crypto and DMVPN.
    Any advice on whats the solution to bring the crypto and DMVPN up with EIGRP authentication in named mode ?
    Regards
    rYs

    Hi,
    I attached the config I did, till I apply the authentication in EIGRP,
    once I applied the below config, the dmvpn will break
    ""router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY""
    See any more configs I need to add in the crypto to make the dmvpn  up.
    Thanks

  • Nexus 7000 DNS VRF-aware

    Hi all,
    I want to implement DNS VRF-aware in Nexus 7k running 5.2.X. My goal is to define a domain name and static IP hosts in Nexus per VRF which will serve DNS requests.
    I looked into documentation and mentions only DNS VRF aware as DNS client. The following link describes the functionality Im looking for:
    http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/ipaddr/configuration/guide/xe_3s/iad_xe_3s_book/iad_vrf-aw_dns_xe.html#wp1069798

    Please find network diagram attached  upload with the original post.

  • VRF-Aware WCCP

    I want to put one Cache-Engine at PE router to provide caching services for different VPNs.
    Customer will have Separate VPN to access Internet, Cache-engine is put at common VRF & accesible from Customer sites in different VPNs
    Can't find any related document, & don't have Lab to test. Anyone experience this, please confirm for me.
    Thanks a lot
    Long

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
    It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
    at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name Default RD Interfaces
    blurvrf 100:2 Vlan215
    Vlan326
    tgvrf 100:1 Vlan132
    Vlan325
    TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • VRF aware syslog

    Hello ,
    Im trying to configure syslog on a CPE which has VRF_A configured on it.  Our requirement is to have this CPE send syslogs to two servers , one in customers own network which is part of global routing table and second is providers syslog server which is part of VRF_A.
    As per my knowledhe I cannot specify any source interface for syslog through vrf and the source IP is picked up automatically by IOS from the interface which is part of the VRF. However when I have multiple interfacec in the same VRF which IP is picked up by IOS ?
    Is there any way to acheive this ? Im attaching a diagram depicting the scenario .
    I have put in below config on the device.
    logging source-interface Loopback100
    logging 3.3.3.3
    logging host 69.26.45.139 vrf A
    logging 2.2.2.2

    Saurabh,
    the box will pick up the best interface according to the 'sh ip ro vrf A' output and send the syslogs off this interface. We currently hasve these two DDTS'es to address that:
    CSCsu22476 Bug Details
    Set source interface for VRF-aware syslog messages
    Symptom:
    customer can not set the source interface for VRF-Aware Syslog messages.
    Conditions:
    Normal config mode.
    Workaround:
    Feature is not implemented.
    and
    CSCtn11379
    Allow vrf syslogging from a specific source interface on routers
    Symptom: VRF syslogging doesn't allow specifying the source interface. Conditions: VRF syslogging must be enabled. Syslogging to global routing table allows specification of the source interface.Workaround: None.
    check them out on CCO for the list of fixed versions, should be working in 15th somewhere.
    HTH,
    Ivan.

  • VRF aware GET-VPN Group-member

    Hi,
    we want to configure following on some of our routers.
    3 VRF-lite (before it has been 3 seperate routers)
    For each VRF we have to use  a seperate GDOI-Group , different PSKs.
    The KS for the different GDOI Groups is the same adresses (central resource reachable from every VRF).
    I know that I can configure per GDOI-Group a "client registartion interface ..." which can be an interface in a VRF.
    to configure the same KS-address for different GDOI-groups seems to be not possible
    crypto gdoi group GROUP-1
    identity number 1111111
    server address ipv4 22.198.255.29
    server address ipv4 22.198.255.33
    crypto gdoi group GROUP-2
    identity number 2222222
    server address ipv4 22.198.255.29
    server address ipv4 22.198.255.33
    As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
    We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
    Is there a way how to achive to use the same KS-Address for different-Groups in different VRFs.
    Thx
    Hubert

    Hi Naman, I think there is a misunderstanding of my problem.
    On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
    The KS are on central routers in each VRF but they do have the sam IP-address (we use overlapping address-space in both VRFs)
    Configuration is like following
    ip vrf VRF_10
    rd 10:0
    route-target export 10:0
    route-target import 10:0
    maximum routes 1000 warning-only
    ip vrf VRF_12
    rd 12:0
    route-target export 12:0
    route-target import 12:0
    maximum routes 1000 warning-only
    the problem is that we would have to configure to different ISAKMP-PSK for same Server-Address, and thats not possible
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
    crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto gdoi group GROUP-10
    identity number 101010
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback0
    crypto gdoi group GROUP-12
    identity number 121212
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN 10 gdoi
    set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback0
    crypto map MAP-12-SECURE-WAN 10 gdoi
    set group GROUP-12
    interface Loopback1
    ip vrf forwarding VRF_10
    ip address 10.10.10.45 255.255.255.252
    interface Loopback1
    ip vrf forwarding VRF_12
    ip address 12.12.12.45 255.255.255.252
    interface gig0/1.10
    ip vrf forwarding VRF_10
    crypto map MAP-10-SECURE-WAN
    interface gig0/1.12
    ip vrf forwarding VRF_12
    crypto map MAP-12-SECURE-WAN
    So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where i can define VRFs)
    ip vrf VRF_10
    rd 10:0
    route-target export 10:0
    route-target import 10:0
    maximum routes 1000 warning-only
    ip vrf VRF_12
    rd 12:0
    route-target export 12:0
    route-target import 12:0
    maximum routes 1000 warning-only
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto keyring ISAKMP_KEY_GETVPN_10
      local-address Loopback0
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
    crypto keyring ISAKMP_KEY_GETVPN_12
      local-address Loopback1
      pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
      pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
       vrf VRF_10
       keyring ISAKMP_KEY_GETVPN_10
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback0
    crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
       vrf VRF_12
       keyring ISAKMP_KEY_GETVPN_12
       self-identity address
       match identity address 22.161.255.33 255.255.255.255
       match identity address 22.109.255.45 255.255.255.255
       keepalive 20 retry 2
       local-address Loopback1
    crypto gdoi group GROUP-10
    identity number 101010
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback0
    crypto gdoi group GROUP-12
    identity number 121212
    server address ipv4 22.161.255.33
    server address ipv4 22.109.255.45
    client registration interface Loopback1
    crypto map MAP-10-SECURE-WAN local-address Loopback0
    crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
    crypto map MAP-10-SECURE-WAN 10 gdoi
    set group GROUP-10
    crypto map MAP-12-SECURE-WAN local-address Loopback1
    crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
    crypto map MAP-12-SECURE-WAN 10 gdoi
    set group GROUP-12
    But it seems it does not work !!!
    Any idea ?
    Thx in Advance
    Hubert

  • VRF Aware WCCP !!!!!! PLEASE!!!!!!

    I am looking for a forcast of when WCCP will have VRF support. Head-End scalability is pretty tough to achieve with out it. ywa I can stack WAE's ( up to 32) in a WCCP service group but if the Edge WAE's are in A VRF, it breaks.
    Any Ideas?

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
    It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
    at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name Default RD Interfaces
    blurvrf 100:2 Vlan215
    Vlan326
    tgvrf 100:1 Vlan132
    Vlan325
    TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • When will wccp be vrf aware on 6500

    wccp is vrf aware for many plataforms, when will wccp vrf aware on 6500 plataform? Someone knows the roadmap for this feature?

    Zach Seils wrote:VRF-aware WCCP will not be supported on the 6500 platform until the next-generation Supervisor (SUP-2T).
    Hi Zach, is this a limitation of the Sup 720 (as in, the hardware can't support it), or will a future IOS release be able to support VRF aware WCCP on the Sup 720?

  • VRF aware Remote Access on ZBF

    Hello,
    In our environment we have a Zone based firewall on CIsco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
    The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
    Now, there was also a requirement to provide IPSec termination on the same physical inteface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somwhere in the ISP cloud.
    Configuration 1 - Crypto Dynamic Map
    crypto isakmp policy 15
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration group admin-vpn
    key _____
    pool vpn-pool
    acl VPN-LIST
    crypto isakmp client configuration group centralsTEMP-vpn
    key __________
    pool centrals vpn-pool
    acl VPN-LIST
    crypto isakmp profile softclient
       match identity group admin-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
    crypto isakmp profile centralsoftclient
       vrf Branch
       match identity group branch-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
    mode tunnel
    crypto dynamic-map  branchvpn 10
    set transform-set branchtemp
    set isakmp-profile centralsoftclient
    reverse-route
    crypto dynamic-map vpnmap 10
    set transform-set SECURITYSET
    set isakmp-profile softclient
    crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
    crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
    crypto map vpnmap
    Configuration 2 - DVTI
    crypto ipsec profile branchclient
    set transform-set branchtemp
    crypto isakmp profile centralsoftclient
       vrf global
       match identity group centralsTEMP-vpn
       client authentication list userauth
       isakmp authorization list groupauthor
       client configuration address respond
       virtual-template 2
    interface Virtual-Template2 type tunnel
    ip vrf forwarding branch
    ip unnumbered GigabitEthernet0/0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile branchclient
    Please advise if there is any VPN related configuration issue or a Zone based firewall issue.

    Hi Marcin,
    Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example echo-reply packet inspection was deleted(configured for Pass) and also some access-lists which had unwanted entries  were cleaned up.
    Thanks again for your help.
    Best Regards,
    Mohan

  • Vrf aware dynamic ipsec

    Hi
    I need to setup a VRF aware IPSec that can take requests from dynamic (unspecified) sources. This is basically like enabling a home user to connect to his MPLS VPN network with a service provider. Please help with the SP network config, not the CPE.
    An appropriate link will also help.

    Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
    One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
    This document helps you configure VRF aware IPSec.
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1158006

Maybe you are looking for

  • Custom Report on Homepage

    I created a custom report and added it to the homepage. However, you have to click on a link (Generating analysis... Click here to view the results) to see the actual report. Is there a way to see the report immediately? Thanks

  • How do I get all the dynamically related files to show when working with wordpress files in DW?

    I have set up MAMP on my Mac and have set up a user in phpmyadmin. I have downloaded wordpress and put it in the mamp folder. I have defined the site at MAMP/htdocs in Applications. I have started to look at the files through the index.php files near

  • How visualize a Indesign CC.idml in Indesign CS3?

    Hello. I need to view a document that has come to me in the format ".idml" that is created in Adobe Indesign CC.  When I make double click, get me a message that says "are a number of plugins missing". I have no way to open it. Any solution? Is there

  • Error with INSERT INTO statement

    My INSERT statement looks like the following: String insert = "INSERT INTO UserDetails (lockedOut) VALUES (1) where registrationNo = ('"+registrationNo+"')"; stmt.executeUpdate(insert); The error message: Missing semicolon (;) at end of SQL statement

  • Different currency apperance in report

    Hi all, when the currency has to appear different in the report what could be an easy or best way to handle it? The currency in the ERP is for each country available for example for company codes from Hungary, Malaysia, Japan, China is local currency