DMVPN Configuration – How to Pass Traffic from VLANs Through DMVPN [GNS3]

ciscogns3routingvlanvpn

I have the following setup in GNS3:

There are other devices to the right, but they are not needed right now. I have a DMVPN configured with Router1 as hub an Routers 2, 3 and 4 as spokes.
On the switches I have user VLANs configured as follows:

Switch1 – VLAN10;

Switch2 – VLAN20;

Switch3 – VLAN30.

Everything works fine. Now I want to add a configuration so that traffic from one VLAN, say VLAN10, always passes through the tunnel, but traffic from other VLANs (VLAN20 and VLAN30) does not. I searched extensively, but couldn't find exactly what I was looking for.
Can someone tell me the commands needed for that or point me to a guide that describes it?

Thank you in advance.

P.S. Configuration of Router1:

Current configuration : 4080 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip icmp rate-limit unreachable
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.60.2
!
ip dhcp pool NEWPOOL1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL2
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
!
ip dhcp pool NEWPOOL3
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 8.8.8.8
!
!
no ip domain lookup
ip domain name Router1.net
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$0HIq$mwZCmYYlKzNxi1qnQ6Hiq0
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 2
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key freeride address 0.0.0.0
!
!
crypto ipsec transform-set NEW esp-3des esp-sha-hmac
!
crypto ipsec profile PROTECT-DMVPN
 set transform-set NEW
!
!
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication NHRPkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT-DMVPN
!
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 network 20.20.20.0 0.0.0.255
 network 192.168.10.0
 network 192.168.20.0
 network 192.168.30.0
 network 192.168.60.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Ethernet0/0 overload
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.60.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
!
end

Best Answer

One simple way to do this is to use PBR to change the route traffic.

This should redirect pings from the VLAN interfaces to the interface you want:

ip access-list extended VLAN10_TO_T0
 permit icmp 192.168.10.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.10.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.10.0 0.0.0.255 host 61.61.61.2 echo

ip access-list extended VLAN20_AND_30_TO_E0
 permit icmp 192.168.20.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.20.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.20.0 0.0.0.255 host 61.61.61.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 50.50.50.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 60.60.60.2 echo
 permit icmp 192.168.30.0 0.0.0.255 host 61.61.61.2 echo

route-map VLAN10_TO_T0 permit 10
 match ip address VLAN10_TO_T0
 set interface Tunnel0

route-map VLAN20_AND_30_TO_E0 permit 10
 match ip address VLAN20_AND_30_TO_E0
 set interface Ethernet0

interface Ethernet0/1.10
 ip policy route-map VLAN10_TO_T0

interface Ethernet0/1.20
 ip policy route-map VLAN20_AND_30_TO_E0

interface Ethernet0/1.30
 ip policy route-map VLAN20_AND_30_TO_E0

Disclaimer: This is not tested; I just created it from memory.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Router – GNS3: Configuring/Emulating a Juniper Router on GNS3

This can be configured using VirtualBox or using Qemu. These are the steps required to setup JunOS on GNS3 using Qemu:

Acquire an image of JUNOS. The image file should be with the extension .img
Open GNS3 and go to Edit -> Preferences -> Qemu
Make sure the settings in the General Settings section are correct. Below is a screenshot of what the Qemu settings should look like:
Click on Test Settings to check if your settings are correct
Click on the JunOS tab on the same Preferences window
- Enter any name for the identifier name
- For the binary image, select the image you acquired in step 1
- Select a value for the RAM. The minimum I have seen for this is 256MB. You may also leave this blank and GNS3 will assign this for you.
- Enter the number of NICs that you want on the Juniper Router (default is 6)
- Select the model of the NICs you want on the Juniper Router (default is e1000)
Sample Settings for JunOS settings section:
Click Save to save the JunOS image. Close the Preferences window by clicking Apply.
Now you are able drag the Juniper Router from the left panel and drop them to the topology.

Note: If you want ta add multiple Juniper routers to your topology, you have to make multiple copies of the image acquired in step 1. Then from the GNS3 program right click on every Juniper router -> Configure -> In the JunOS Image: setting, specify the path of a different image file for each instance.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Router – GNS3: Configuring/Emulating a Juniper Router on GNS3

Helpful Links:

Related Topic