24-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding IPsec Technologies and Policies
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
Understanding VRF-Aware IPsec
One obstacle to successfully deploying peer-to-peer VPNs is the separation of routing tables, and the use
of overlapping addresses, which usually results from using private IP addresses in customer networks.
The VRF-Aware IPsec feature, which introduces IPsec tunnel mapping to Multiprotocol Label Switching
(MPLS) VPNs, solves this problem.
The VRF-Aware IPsec feature enables you to map IPsec tunnels to Virtual Routing and Forwarding (VRF)
instances, using a single public-facing address. A VRF instance defines the VPN membership of a
customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived
Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules
and routing protocol parameters that control the information that is included in the routing table. A set
of routing and CEF tables is maintained for each VPN customer across the MPLS/VPN network.
Since each VPN has its own routing and forwarding table in the router, any customer or site that belongs
to a VPN is provided access only to the set of routes contained within that table. Each PE router maintains
a separate routing table per VPN in addition to a global routing table, which is used to reach other routers
in the provider network. Effectively, a number of virtual routers are created in a single physical router.
Across the MPLS core to the other PE routers, this routing separation is maintained by adding unique
VPN identifiers, such as the route distinguisher (RD).
Note VRF-Aware IPsec can also be configured on devices in a remote access VPN. For more information, see
Configuring Dynamic VTI/VRF Aware IPsec in Remote Access VPNs (IOS Devices), page 32-7.
In Security Manager, you can configure VRF-Aware IPsec in your hub-and-spoke VPN topology, with
either a single device providing all functionality (“one-box” solution) or with multiple devices, each
providing a part of the functionality (“two-box” solution). The solution of one device providing all the
functionality can affect performance by overloading the system, whereas separating the functionality in
a two-box solution provides better scaling for each function.
The following topics describe:
VRF-Aware IPsec One-Box Solution, page 24-14
VRF-Aware IPsec Two-Box Solution, page 24-15
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices, page 24-17
For information on configuring VRF-aware IPsec, see Configuring VRF Aware IPsec Settings,
page 24-46.

VRF-Aware IPsec One-Box Solution

In the one-box solution, IPsec tunnels terminate on a Cisco IOS router, which serves as the Provider
Edge (PE) device. The PE device maps these tunnels to the appropriate MPLS/VPN network and serves
as the IPsec Aggregator, encrypting and decrypting the IPsec traffic exchanged with the Customer Edge (CE)
devices.
Note The configuration of routing between the PE device and the MPLS cloud is done by Cisco IP Solution
Center. See the Cisco IP Solution Center MPLS VPN User Guide.
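To make the one-box mapping concrete, the following IOS configuration is an added example (it is not taken from this guide and is not the configuration Security Manager generates) for a PE router that terminates two customers' IPsec tunnels on one public-facing address and places each tunnel into its own VRF through the vrf command of the ISAKMP profile. All VRF names, RD values, addresses, interface names and pre-shared keys are assumed placeholders, and the BGP/MPLS routing between the PE and the provider core is left out, as the Note above describes.

```cisco
! Added example (not from the guide): one-box VRF-Aware IPsec on a PE router.
! Two customer VRFs share one public-facing interface (GigabitEthernet0/0, 203.0.113.1).
ip vrf CUST-A
 rd 65000:1
 route-target both 65000:1
ip vrf CUST-B
 rd 65000:2
 route-target both 65000:2
! Separate keyrings keep each customer's pre-shared key scoped to its own peer address.
crypto keyring KR-CUST-A
 pre-shared-key address 198.51.100.10 key PLACEHOLDER-PSK-A
crypto keyring KR-CUST-B
 pre-shared-key address 198.51.100.20 key PLACEHOLDER-PSK-B
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The "vrf" line in each ISAKMP profile is what maps the tunnel into the customer VRF (IVRF).
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 keyring KR-CUST-A
 match identity address 198.51.100.10 255.255.255.255
crypto isakmp profile PROF-CUST-B
 vrf CUST-B
 keyring KR-CUST-B
 match identity address 198.51.100.20 255.255.255.255
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
! One crypto map on one public address; the isakmp-profile binding selects the VRF per peer.
crypto map CM-PE 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 set isakmp-profile PROF-CUST-A
 match address ACL-CUST-A
crypto map CM-PE 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile PROF-CUST-B
 match address ACL-CUST-B
ip access-list extended ACL-CUST-A
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
ip access-list extended ACL-CUST-B
 permit ip 10.2.0.0 0.0.255.255 192.168.20.0 0.0.0.255
! The public-facing interface stays in the global routing table; decrypted traffic lands in the VRF.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-PE
```

After the tunnels come up, show crypto isakmp sa and show ip route vrf CUST-A let you confirm that each peer's SA was built under the intended profile and that its routes appear only in that customer's table.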