06-13-2024 02:30 AM
I have two hub routers, R1 and R2. R1 is the primary router for the office, and R2 is the backup. R1 is connected to 8000 offices through FlexVPN. My requirement is to share the load between the two hub routers, R1 and R2. Currently, I am using the BGP attribute MED to route all the traffic primarily to R1.
R1
router bgp 65020
bgp router-id 10.10.10.10
bgp listen range 192.168.20.0/24 peer-group office
bgp listen limit 10000
address-family ipv4 vrf office
neighbor office peer-group
neighbor office remote-as 65010
neighbor office route-map office_BGP_OUT out
route-map office_BGP_OUT permit 10
set metric 100
R2
router bgp 65020
bgp router-id 20.20.20.20
bgp listen range 192.168.20.0/24 peer-group office
bgp listen limit 10000
address-family ipv4 vrf office
neighbor office peer-group
neighbor office remote-as 65010
neighbor office route-map office_BGP_OUT out
route-map office_BGP_OUT permit 10
set metric 110
06-20-2024 10:35 AM
Hub1#show run
Hub1#show running-config
Building configuration...
Current configuration : 3287 bytes
!
! Last configuration change at 20:30:36 UTC Thu Jun 20 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Hub1
!
boot-start-marker
boot-end-marker
!
!
enable password hub1
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username hub1 password 0 hub1
!
!
ip tcp synwait-time 5
!
crypto ikev2 authorization policy default
pool IKEv2
route set interface
!
crypto ikev2 proposal prop
encryption des
integrity md5
group 5
!
crypto ikev2 policy poli
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
aaa authorization group psk list default default
virtual-template 1
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
ip address 10.0.0.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet3/1
ip address 20.0.0.1 255.255.255.0
speed auto
duplex auto
!
interface Virtual-Template1 type tunnel
ip address 5.0.0.1 255.255.255.0
ip nhrp network-id 5
ip nhrp redirect
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof
!
router bgp 100
bgp log-neighbor-changes
bgp listen range 5.0.0.4/32 peer-group PEERS-B
bgp listen range 5.0.0.3/32 peer-group PEERS-A
network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor PEERS-A peer-group
neighbor PEERS-A remote-as 100
neighbor PEERS-A route-reflector-client
neighbor PEERS-A next-hop-self
neighbor PEERS-A route-map A out
neighbor PEERS-B peer-group
neighbor PEERS-B remote-as 100
neighbor PEERS-B route-reflector-client
neighbor PEERS-B next-hop-self
neighbor PEERS-B route-map B out
!
ip local pool IKEv2 5.0.0.3 5.0.0.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.10
!
!
ip prefix-list 10.0.0.0 seq 5 permit 10.0.0.0/24
!
ip prefix-list 20.0.0.0 seq 5 permit 20.0.0.0/24
!
route-map A permit 10
match ip address prefix-list 10.0.0.0
set metric 100
!
route-map A permit 20
match ip address prefix-list 20.0.0.0
set metric 200
!
route-map B permit 10
match ip address prefix-list 20.0.0.0
set metric 200
!
route-map B permit 20
match ip address prefix-list 10.0.0.0
set metric 100
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
Hub2#show ru
Hub2#show running-config
Building configuration...
Current configuration : 3293 bytes
!
! Last configuration change at 20:30:46 UTC Thu Jun 20 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Hub2
!
boot-start-marker
boot-end-marker
!
!
enable password Hub2
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username Hub2 password 0 Hub2
!
!
ip tcp synwait-time 5
!
crypto ikev2 authorization policy default
pool IKEv2
route set interface
!
crypto ikev2 proposal prop
encryption des
integrity md5
group 5
!
crypto ikev2 policy poli
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
aaa authorization group psk list default default
virtual-template 1
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 110.0.0.2 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
ip address 10.0.0.2 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet3/1
ip address 20.0.0.2 255.255.255.0
speed auto
duplex auto
!
interface Virtual-Template1 type tunnel
ip address 15.0.0.1 255.255.255.0
ip nhrp network-id 15
ip nhrp redirect
tunnel source FastEthernet1/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof
!
router bgp 100
bgp log-neighbor-changes
bgp listen range 15.0.0.4/32 peer-group PEERS-B
bgp listen range 15.0.0.3/32 peer-group PEERS-A
network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor PEERS-A peer-group
neighbor PEERS-A remote-as 100
neighbor PEERS-A route-reflector-client
neighbor PEERS-A next-hop-self
neighbor PEERS-A route-map A out
neighbor PEERS-B peer-group
neighbor PEERS-B remote-as 100
neighbor PEERS-B route-reflector-client
neighbor PEERS-B next-hop-self
neighbor PEERS-B route-map B out
!
ip local pool IKEv2 15.0.0.3 15.0.0.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 110.0.0.10
!
!
ip prefix-list 10.0.0.0 seq 5 permit 10.0.0.0/24
!
ip prefix-list 20.0.0.0 seq 5 permit 20.0.0.0/24
!
route-map A permit 10
match ip address prefix-list 10.0.0.0
set metric 200
!
route-map A permit 20
match ip address prefix-list 20.0.0.0
set metric 100
!
route-map B permit 10
match ip address prefix-list 20.0.0.0
set metric 100
!
route-map B permit 20
match ip address prefix-list 10.0.0.0
set metric 200
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
Spoke1#show run
Building configuration...
Current configuration : 2505 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
enable password spoke1
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username spoke1 password 0 spoke1
!
!
ip tcp synwait-time 5
!
crypto ikev2 authorization policy default
route set interface
!
crypto ikev2 proposal prop
encryption des
integrity md5
group 5
!
crypto ikev2 policy poli
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
aaa authorization group psk list default default
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
!
!
!
!
interface Tunnel0
ip address negotiated
ip nhrp network-id 5
ip nhrp shortcut
tunnel source FastEthernet1/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof shared
!
interface Tunnel10
ip address negotiated
ip nhrp network-id 15
ip nhrp shortcut
tunnel source FastEthernet1/0
tunnel mode ipsec ipv4
tunnel destination 110.0.0.2
tunnel protection ipsec profile prof shared
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
ip address 120.0.0.100 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 5.0.0.1 remote-as 100
neighbor 15.0.0.1 remote-as 100
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 120.0.0.10
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
Spoke2#show run
Spoke2#show running-config
Building configuration...
Current configuration : 2506 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Spoke2
!
boot-start-marker
boot-end-marker
!
!
enable password spoke2
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username spoke2 password 0 spoke2
!
!
ip tcp synwait-time 5
!
crypto ikev2 authorization policy default
route set interface
!
crypto ikev2 proposal prop
encryption des
integrity md5
group 5
!
crypto ikev2 policy poli
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
aaa authorization group psk list default default
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
!
!
!
!
interface Tunnel0
ip address negotiated
ip nhrp network-id 5
ip nhrp shortcut
tunnel source FastEthernet2/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof shared
!
interface Tunnel10
ip address negotiated
ip nhrp network-id 15
ip nhrp shortcut
tunnel source FastEthernet2/0
tunnel mode ipsec ipv4
tunnel destination 110.0.0.2
tunnel protection ipsec profile prof shared
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 130.0.0.100 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 5.0.0.1 remote-as 100
neighbor 15.0.0.1 remote-as 100
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 130.0.0.10
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
!
!
end
06-13-2024 02:36 AM
By FlexVPN, do you mean IKEv2?
MHM
06-13-2024 03:03 AM
yes
06-13-2024 03:22 AM
Same config as you shared in your post, except
under the route-map: match ip address prefix-list <>
This makes the Hub not use MED for all prefixes, but use MED only for the specific prefixes specified by the match.
MHM
06-13-2024 04:15 AM
Hi
Could you please provide a sample configuration of how to send traffic from 4000 offices to R1 and 4000 offices to R2?
06-13-2024 04:20 AM
The load is not 4000 to 4000.
But all 8000 prefer R1 for a specific prefix,
and the other 8000 prefer R2 for a specific prefix.
This is how MED works.
I will draw the topology for you today with some info.
MHM
06-13-2024 05:09 AM
06-14-2024 12:15 PM
Hi,
Thank you for the update.
Could you please provide the sample configuration for this diagram?
Regards,
06-15-2024 07:51 AM
Sure, tomorrow I will share the lab.
MHM
06-15-2024 11:12 PM
Thank you
06-16-2024 08:42 AM
Hub1#show running-config
Building configuration...
Current configuration : 2124 bytes
!
! Last configuration change at 18:40:51 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Hub1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
no ip redirects
ip nhrp network-id 5
tunnel source FastEthernet3/1
tunnel mode gre multipoint
tunnel key 5
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
standby 10 ip 10.0.0.10
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 20.0.0.1 255.255.255.0
standby 20 ip 20.0.0.20
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
ip address 100.0.0.1 255.255.255.0
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
bgp listen range 5.0.0.0/8 peer-group PEERS
network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor PEERS peer-group
neighbor PEERS remote-as 100
neighbor PEERS route-reflector-client
neighbor PEERS next-hop-self
neighbor PEERS route-map MEDHub1 out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.10
!
!
ip prefix-list 10.0.0.0 seq 5 permit 10.0.0.0/24
!
ip prefix-list 20.0.0.0 seq 5 permit 20.0.0.0/24
!
route-map MEDHub1 permit 10
match ip address prefix-list 10.0.0.0
set metric 1000
!
route-map MEDHub1 permit 20
match ip address prefix-list 20.0.0.0
set metric 2000
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
Hub2#show running-config
Building configuration...
Current configuration : 2124 bytes
!
! Last configuration change at 18:27:43 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Hub2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
no ip redirects
ip nhrp network-id 5
tunnel source FastEthernet3/1
tunnel mode gre multipoint
tunnel key 5
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
standby 10 ip 10.0.0.10
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 20.0.0.2 255.255.255.0
standby 20 ip 20.0.0.20
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
ip address 110.0.0.2 255.255.255.0
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
bgp listen range 5.0.0.0/8 peer-group PEERS
network 10.0.0.0 mask 255.255.255.0
network 20.0.0.0 mask 255.255.255.0
neighbor PEERS peer-group
neighbor PEERS remote-as 100
neighbor PEERS route-reflector-client
neighbor PEERS next-hop-self
neighbor PEERS route-map MEDHub2 out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 110.0.0.10
!
!
ip prefix-list 10.0.0.0 seq 5 permit 10.0.0.0/24
!
ip prefix-list 20.0.0.0 seq 5 permit 20.0.0.0/24
!
route-map MEDHub2 permit 10
match ip address prefix-list 10.0.0.0
set metric 2000
!
route-map MEDHub2 permit 20
match ip address prefix-list 20.0.0.0
set metric 1000
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
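The difference between the two policies in this thread (one `set metric` for every prefix in the original question, versus MHM's per-prefix `match ip address prefix-list` in route-maps MEDHub1/MEDHub2) can be checked without a lab by modelling only the MED step of the BGP best-path selection. The Python below is an added example, not code from the thread or from Cisco: it applies each hub's outbound route-map to the two hub prefixes, then picks the lowest MED per prefix the way a spoke would when all earlier tie-breakers (weight, local preference, AS path, origin) are equal, which they are in both the original eBGP setup (both hubs in AS 65020) and the iBGP lab (everything in AS 100, hubs as route reflectors). The tie-break by hub name, the `hubs_up` parameter and the `spoke_view` helper are assumptions of this model, not IOS behaviour.

```python
"""Model of per-prefix MED steering between two hubs (added example,
not from the thread). Only the MED comparison of best-path selection
is implemented; earlier tie-breakers are assumed equal."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Path:
    prefix: str
    hub: str   # hub that advertised the path
    med: int   # MED after the hub's outbound route-map


def apply_route_map(hub, prefixes, route_map):
    """route_map is an ordered list of (match, metric) entries.
    match is a prefix string (like a one-line prefix-list) or None for
    'match anything'. The first matching entry sets the MED; a prefix
    matching no entry is dropped, mirroring the implicit deny at the
    end of an IOS route-map."""
    paths = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        for match, metric in route_map:
            if match is None or ipaddress.ip_network(match) == net:
                paths.append(Path(prefix, hub, metric))
                break
    return paths


def best_paths(paths):
    """Per prefix, keep the path with the lowest MED. The tie-break on
    hub name is a stand-in for the router-id/oldest-path rules (assumed
    simplification); in this lab MEDs never tie."""
    best = {}
    for p in paths:
        cur = best.get(p.prefix)
        if cur is None or (p.med, p.hub) < (cur.med, cur.hub):
            best[p.prefix] = p
    return {prefix: p.hub for prefix, p in best.items()}


# The two prefixes both hubs originate with 'network ... mask ...'.
HUB_PREFIXES = ["10.0.0.0/24", "20.0.0.0/24"]

# Original question: route-map office_BGP_OUT, one metric for all prefixes.
ORIGINAL = {
    "R1": [(None, 100)],
    "R2": [(None, 110)],
}

# MHM's lab: route-map MEDHub1 / MEDHub2 with a prefix-list match per entry.
PER_PREFIX = {
    "Hub1": [("10.0.0.0/24", 1000), ("20.0.0.0/24", 2000)],
    "Hub2": [("10.0.0.0/24", 2000), ("20.0.0.0/24", 1000)],
}


def spoke_view(policy, hubs_up=None):
    """Best hub per prefix as seen by a spoke peering with every hub in
    hubs_up (default: all hubs). Dropping a hub from hubs_up models that
    hub's tunnel and BGP session being down."""
    hubs_up = hubs_up if hubs_up is not None else list(policy)
    paths = []
    for hub in hubs_up:
        paths.extend(apply_route_map(hub, HUB_PREFIXES, policy[hub]))
    return best_paths(paths)


if __name__ == "__main__":
    print("original policy:     ", spoke_view(ORIGINAL))
    print("per-prefix policy:   ", spoke_view(PER_PREFIX))
    print("per-prefix, Hub1 down:", spoke_view(PER_PREFIX, hubs_up=["Hub2"]))
```

With the original policy every prefix lands on R1 and R2 only carries traffic after R1 fails; with the per-prefix policy 10.0.0.0/24 is reached via Hub1 and 20.0.0.0/24 via Hub2, and removing Hub1 from `hubs_up` shows both prefixes falling back to Hub2. On a real spoke the same decision is visible in the Metric column of `show ip bgp`, which is the check to run after changing the route-maps.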