How to configure VPN Client connections to the Catalyst 6500 Switch with a VPN module in VRF mode

Document

Thu, 02/13/2014 - 22:40
Jun 18th, 2009

Table of Contents 

Introduction:

This document shows how to configure VPN client on Catalyst 6500 using VRF.


What is VRF?

Virtual routing and forwarding (VRF) can be defined as a process in IP network where routers are capable to read multiple instances of routing table to be stored in router and keep working simultaneously. This increases functionality by enabling network paths to be divided in differente segments without utilizing any other multiple device. Due to this feature of VRF traffic is segregated on it's own without any external input from user.It provides new height to network security.VRF is able to eradicate the need of encryption and authentication.VRF is a boon for  Internet service providers (ISPs) as they implement VRF to create multiple seperate virtual private networks (VPNs) for customers.This technology is also allude to as VPN routing and forwarding.

VRF enacts as a logical router and router can store many routing tables. In VRF a single VPN will create a single routing table. In addition to this VRF needs a forwarding table whch points to the designated next hop. A list of devices may be called upon to forward the packet.A set of pre-defined rules and routing protocol are responsible for the effective execution of packet forwarding.The tables present ensures that traffic is not forwarded outside a designated VRF path and ensures that every VRF instance should remain independent so that traffic reach to it's designated destination.

Core issue

The Virtual Routing and Forwarding (VRF)-Aware IPsec feature introduces IPsec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs. Using the VRF-Aware IPsec feature, you can map IPsec tunnels to VRF instances using a single public-facing address.

Resolution

This configuration example shows how to configure VPN Clients for the VRF-Aware feature:
          
Hostname(config)#ip vrf < VRFA >
Hostname(config)#rd 65000:10

Hostname(config)#crypto isakmp policy 5
    
                encr 3des
                authentication pre-share
                group

Hostname(config)#crypto isakmp client configuration group
                key group-key
                pool VRFA-IP-POOL

Hostname(config)#crypto isakmp profile
vrf
                match identity group
            
                client authentication list
            
                isakmp authorization list
            
                client configuration address respond

Hostname(config)#crypto ipsec transform-set esp-3des esp-sha-hmac

        
    
Hostname(config)#crypto dynamic-map 10
                
       set transform-set
    
       set isakmp-profile
    
       reverse-route
        
Hostname(config)#crypto map CRYPTO-MAP-VRFA local-address interface x/y
Hostname(config)#crypto map CRYPTO-MAP-VRFA 65000 ipsec-isakmp dynamic CRYPTO-DYNMAP-VRFA
       
Hostname(config)#interface Vlan11
                  ip vrf forwarding VRFA

                  ip address X.X.X.X  Netwok Mask

                  crypto map CRYPTO-MAP-VRFA
                  crypto engine subslot 3/0

Hostname(config)#ip local pool VRFA-IP-POOL group GROUP-VRFA
For additional information, refer to the Remote Access Configuration update section of VRF-Aware IPSec.
Loading.

Actions

This Document