02-01-2024 10:08 AM
Hi,
I'm unable to ping IP address 172.16.0.1 from the R2 router, and similarly from the R5 router. I configured OSPF and a static route on the R12 router and redistributed it.
R12 ROUTER
interface Ethernet0/0
ip address 172.16.1.104 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 172.16.10.105 255.255.255.0
duplex auto
!
interface Ethernet0/2
ip address 172.16.0.2 255.255.255.0
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router ospf 1
redistribute static subnets
network 172.16.0.0 0.0.255.255 area 0
default-information originate always
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip route 0.0.0.0 0.0.0.0 172.16.0.1
R2 Router
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3-Spoke1
!
boot-start-marker
boot-end-marker
!
!
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
exit-address-family
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls ldp loop-detection
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.1.1:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name cn=R3-spoke.cisco.com,OU=FLEX,O=Cisco
revocation-check crl none
!
!
!
crypto pki certificate map mymap 10
subject-name co ou = flex
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
route set interface
!
!
!
!
crypto ikev2 profile default
match certificate mymap
identity local fqdn R3-Spoke.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
!
interface Tunnel0
ip address negotiated
mpls bgp forwarding
tunnel source Ethernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
!
interface Ethernet0/0
description WAN
ip address 172.16.1.103 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
no ip address
no ip unreachables
duplex auto
!
interface Ethernet0/1.10
encapsulation dot1Q 10
vrf forwarding cust1
ip address 192.168.113.1 255.255.255.0
!
interface Ethernet0/1.20
encapsulation dot1Q 20
vrf forwarding cust2
ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 10
neighbor 10.0.0.1 ebgp-multihop 255
neighbor 10.0.0.1 update-source Tunnel0
!
address-family ipv4
neighbor 10.0.0.1 activate
exit-address-family
!
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
exit-address-family
!
address-family ipv4 vrf cust1
redistribute connected
exit-address-family
!
address-family ipv4 vrf cust2
redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.104
ip route 10.0.0.1 255.255.255.255 Tunnel0 name workaround
ip route 172.16.0.1 255.255.255.255 172.16.1.1 name FlexHUB
R5 Router
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
exit-address-family
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.1.1:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name cn=R4-Spoke.cisco.com,OU=Flex,O=Cisco
revocation-check crl none
!
!
!
crypto pki certificate map mymap 10
subject-name co ou = flex
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
route set interface
!
!
!
!
crypto ikev2 profile default
match certificate mymap
identity local fqdn R4.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
virtual-template 1
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
!
interface Loopback100
vrf forwarding cust1
ip address 192.168.114.1 255.255.255.0
!
interface Loopback101
vrf forwarding cust2
ip address 192.168.124.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
mpls bgp forwarding
tunnel source Ethernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
!
interface Ethernet0/0
description WAN
ip address 172.16.10.104 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
ip address 192.168.104.1 255.255.255.0
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 10
neighbor 10.0.0.1 ebgp-multihop 255
neighbor 10.0.0.1 update-source Tunnel0
!
address-family ipv4
neighbor 10.0.0.1 activate
exit-address-family
!
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
exit-address-family
!
address-family ipv4 vrf cust1
redistribute connected
exit-address-family
!
address-family ipv4 vrf cust2
redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.0.0.1 255.255.255.255 Tunnel0
ip route 172.16.0.1 255.255.255.255 172.16.1.1 name FlexHUB
!
ipv6 ioam timestamp
R1 ROUTER
hostname R1-HUB
!
boot-start-marker
boot-end-marker
!
!
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls ldp loop-detection
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.0.2:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name CN=R1-HUB.cisco.com,OU=FLEX,OU=VPN,O=Cisco Systems,C=US,L=Linux
revocation-check crl none
rsakeypair R1-HUB.cisco.com 2048
auto-enroll 95
!
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
pool mypool
banner ^CC Welcome ^C
def-domain cisco.com
route set interface
!
!
!
!
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
virtual-template 1
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
!
interface Loopback0
description VT source interface
ip address 10.0.0.1 255.255.255.255
!
interface Ethernet0/0
description WAN
ip address 172.16.0.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
ip address 192.168.100.1 255.255.255.0
duplex auto
!
interface Ethernet0/2
ip address 192.168.110.1 255.255.255.0
duplex auto
!
interface Ethernet0/3
ip address 192.168.111.1 255.255.255.0
duplex auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
mpls bgp forwarding
tunnel protection ipsec profile default
!
router bgp 10
bgp log-neighbor-changes
bgp listen range 0.0.0.0/0 peer-group mpls
bgp listen limit 5000
neighbor mpls peer-group
neighbor mpls remote-as 100
neighbor mpls transport connection-mode passive
neighbor mpls update-source Loopback0
!
address-family ipv4
redistribute connected
redistribute static route-map cust2
neighbor mpls activate
neighbor mpls next-hop-self
default-information originate
exit-address-family
!
address-family vpnv4
neighbor mpls activate
neighbor mpls send-community both
exit-address-family
!
ip local pool mypool 10.1.1.1 10.1.1.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.2 name route_to_internet
02-01-2024 12:46 PM
Hello,
Not exactly sure what you're trying to accomplish, and it looks like there's a lot going on. A couple of things I notice:
R5 doesn't have a route to the R2<->R12 P2P network
R12 has several default routes
Putting routes into OSPF won't accomplish anything towards the solution, as I don't see OSPF configured on R2 or R5 (or R1), so it's unaffected by OSPF.
Can you put a static route on R5 towards R12 pointing towards the R12<->R2 P2P segment and show your routing table on R2 and R5?
-David
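The two observations above (several default routes on R12, and a spoke whose static route to the hub points at a next hop it is not connected to) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint over IOS running-config text. The config fragments are constructed from the devices posted above, trimmed to the lines the checks read; the `hostname R12` line is assumed, since the R12 dump has none. The rules are the example's own simplification: an interface next hop is taken as usable, an IP next hop must fall inside a connected subnet (no recursive resolution), and a tunnel destination must be covered by a connected subnet or a usable static route.

```python
import ipaddress
import re

# Constructed fragments of the configs posted in the thread (hostname R12 is assumed).
R12_CONFIG = """\
hostname R12
interface Ethernet0/0
 ip address 172.16.1.104 255.255.255.0
interface Ethernet0/1
 ip address 172.16.10.105 255.255.255.0
interface Ethernet0/2
 ip address 172.16.0.2 255.255.255.0
router ospf 1
 redistribute static subnets
 network 172.16.0.0 0.0.255.255 area 0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip route 0.0.0.0 0.0.0.0 172.16.0.1
"""

R5_CONFIG = """\
hostname R4-Spoke
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
interface Ethernet0/0
 ip address 172.16.10.104 255.255.255.0
ip route 10.0.0.1 255.255.255.255 Tunnel0
ip route 172.16.0.1 255.255.255.255 172.16.1.1 name FlexHUB
"""

HOST_RE = re.compile(r"^hostname (\S+)")
IFADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")          # skips 'no ip address' and 'negotiated'
STATIC_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")           # prefix, mask, next hop (IP or interface)
TUNDST_RE = re.compile(r"^\s*tunnel destination (\S+)")


def hostname(config):
    for m in map(HOST_RE.match, config.splitlines()):
        if m:
            return m.group(1)
    return "?"


def connected_networks(config):
    """Subnets of every interface that carries an 'ip address A.B.C.D MASK' line."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in map(IFADDR_RE.match, config.splitlines()) if m]


def static_routes(config):
    """[(destination network, next hop string)] for every 'ip route' line."""
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3))
            for m in map(STATIC_RE.match, config.splitlines()) if m]


def is_resolvable(next_hop, connected):
    """An interface next hop is always usable; an IP next hop needs a connected subnet."""
    try:
        nh = ipaddress.ip_address(next_hop)
    except ValueError:
        return True  # e.g. 'Ethernet0/0' or 'Tunnel0'
    return any(nh in net for net in connected)


def lint_device(config):
    """Per-device findings, mirroring the points raised in the reply above."""
    findings = []
    connected = connected_networks(config)
    routes = static_routes(config)

    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes configured")

    usable = list(connected)
    for net, nh in routes:
        if is_resolvable(nh, connected):
            usable.append(net)
        else:
            findings.append(f"static route {net} has next hop {nh} on no connected subnet")

    for m in map(TUNDST_RE.match, config.splitlines()):
        if m:
            dest = ipaddress.ip_address(m.group(1))
            if not any(dest in net for net in usable):
                findings.append(f"no usable route to tunnel destination {dest}")
    return findings


def lint_topology(configs):
    """Cross-device check: OSPF on a single router has no neighbour to exchange routes with."""
    ospf = [hostname(c) for c in configs
            if any(line.startswith("router ospf") for line in c.splitlines())]
    if len(ospf) == 1:
        return [f"OSPF is configured only on {ospf[0]}; no other device will learn its routes"]
    return []


if __name__ == "__main__":
    for cfg in (R12_CONFIG, R5_CONFIG):
        for finding in lint_device(cfg):
            print(f"{hostname(cfg)}: {finding}")
    for finding in lint_topology([R12_CONFIG, R5_CONFIG]):
        print(finding)
```

Run against the two fragments, it reports the three default routes on R12, the R5 FlexHUB route whose next hop 172.16.1.1 is on no R5 subnet, the resulting lack of a usable path to the tunnel destination 172.16.0.1, and the fact that OSPF exists on R12 alone.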
02-01-2024 01:55 PM
Hello,
Hard to figure out. Post the full running configs of all 10 routers, so we can lab this up...
02-01-2024 02:02 PM
02-01-2024 11:55 PM
Hi,
There was a routing issue, which has been resolved after configuring the static IP address; now interface tunnel 0 is showing down. I can ping the WAN link from the spokes to the hub.
This is the MPLS over FlexVPN configuration, which is referred to in the Cisco documentation linked below.
Cisco Content Hub - Configuring MPLS over FlexVPN
R3-Spoke1#sh ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.103 YES NVRAM up up
Ethernet0/1 unassigned YES NVRAM up up
Ethernet0/1.10 192.168.113.1 YES NVRAM up up
Ethernet0/1.20 192.168.123.1 YES NVRAM up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Tunnel0 unassigned YES NVRAM up down
R3-Spoke1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R3-Spoke1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.1.103
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.103/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.103, remote crypto endpt.: 172.16.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
configuration :-
R3-Spoke1#sh run
Building configuration...
Current configuration : 3043 bytes
!
! Last configuration change at 08:07:17 CET Fri Feb 2 2024
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3-Spoke1
!
boot-start-marker
boot-end-marker
!
!
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
exit-address-family
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls ldp loop-detection
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.1.1:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name cn=R3-spoke.cisco.com,OU=FLEX,O=Cisco
revocation-check crl none
!
!
!
crypto pki certificate map mymap 10
subject-name co ou = flex
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
route set interface
!
!
!
!
crypto ikev2 profile default
match certificate mymap
identity local fqdn R3-Spoke.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
interface Tunnel0
ip address negotiated
mpls bgp forwarding
tunnel source Ethernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
!
interface Ethernet0/0
description WAN
ip address 172.16.1.103 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
no ip address
no ip unreachables
duplex auto
!
interface Ethernet0/1.10
encapsulation dot1Q 10
vrf forwarding cust1
ip address 192.168.113.1 255.255.255.0
!
interface Ethernet0/1.20
encapsulation dot1Q 20
vrf forwarding cust2
ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 10
neighbor 10.0.0.1 ebgp-multihop 255
neighbor 10.0.0.1 update-source Tunnel0
!
address-family ipv4
neighbor 10.0.0.1 activate
exit-address-family
!
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
exit-address-family
!
address-family ipv4 vrf cust1
redistribute connected
exit-address-family
!
address-family ipv4 vrf cust2
redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.0.0.1 255.255.255.255 Ethernet0/0
ip route 172.16.0.1 255.255.255.255 172.16.1.104 name FlexHUB
R4-Spoke#sh run
Building configuration...
Current configuration : 2985 bytes
!
! Last configuration change at 07:20:34 CET Fri Feb 2 2024
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4-Spoke
!
boot-start-marker
boot-end-marker
!
!
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
exit-address-family
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.1.1:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name cn=R4-Spoke.cisco.com,OU=Flex,O=Cisco
revocation-check crl none
!
!
!
crypto pki certificate map mymap 10
subject-name co ou = flex
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
route set interface
!
!
!
!
crypto ikev2 profile default
match certificate mymap
identity local fqdn R4.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
virtual-template 1
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
!
interface Loopback100
vrf forwarding cust1
ip address 192.168.114.1 255.255.255.0
!
interface Loopback101
vrf forwarding cust2
ip address 192.168.124.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
mpls bgp forwarding
tunnel source Ethernet0/0
tunnel destination 172.16.0.1
tunnel protection ipsec profile default
!
interface Ethernet0/0
description WAN
ip address 172.16.10.104 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
ip address 192.168.104.1 255.255.255.0
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 10
neighbor 10.0.0.1 ebgp-multihop 255
neighbor 10.0.0.1 update-source Tunnel0
!
address-family ipv4
neighbor 10.0.0.1 activate
exit-address-family
!
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
exit-address-family
!
address-family ipv4 vrf cust1
redistribute connected
exit-address-family
!
address-family ipv4 vrf cust2
redistribute connected
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.0.0.1 255.255.255.255 Ethernet0/0
ip route 172.16.0.1 255.255.255.255 172.16.10.105 name FlexHUB
!
ipv6 ioam timestamp
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
R1-HUB#sh run
Building configuration...
Current configuration : 3141 bytes
!
! Last configuration change at 07:17:27 CET Fri Feb 2 2024
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-HUB
!
boot-start-marker
boot-end-marker
!
!
vrf definition cust1
rd 1:1
route-target export 1:1
route-target import 1:1
!
vrf definition cust2
rd 2:2
route-target export 2:2
route-target import 2:2
!
!
aaa new-model
!
!
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls ldp loop-detection
!
!
!
!
!
!
!
!
crypto pki trustpoint CA
enrollment url http://172.16.0.2:80
password
fingerprint E0AFEFD7F08070BAB33C8297C97E6457
subject-name CN=R1-HUB.cisco.com,OU=FLEX,OU=VPN,O=Cisco Systems,C=US,L=Linux
revocation-check crl none
rsakeypair R1-HUB.cisco.com 2048
auto-enroll 95
!
!
crypto pki certificate chain CA
!
redundancy
!
!
!
crypto ikev2 authorization policy default
pool mypool
banner ^CC Welcome ^C
def-domain cisco.com
route set interface
!
!
!
!
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
dpd 60 2 on-demand
aaa authorization group cert list default default
virtual-template 1
!
!
!
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
!
interface Loopback0
description VT source interface
ip address 10.0.0.1 255.255.255.255
!
interface Ethernet0/0
description WAN
ip address 172.16.0.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
description LAN
ip address 192.168.100.1 255.255.255.0
duplex auto
!
interface Ethernet0/2
ip address 192.168.110.1 255.255.255.0
duplex auto
!
interface Ethernet0/3
ip address 192.168.111.1 255.255.255.0
duplex auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
mpls bgp forwarding
tunnel protection ipsec profile default
!
router bgp 10
bgp log-neighbor-changes
bgp listen range 0.0.0.0/0 peer-group mpls
bgp listen limit 5000
neighbor mpls peer-group
neighbor mpls remote-as 100
neighbor mpls transport connection-mode passive
neighbor mpls update-source Loopback0
!
address-family ipv4
redistribute connected
redistribute static route-map cust2
neighbor mpls activate
neighbor mpls next-hop-self
default-information originate
exit-address-family
!
address-family vpnv4
neighbor mpls activate
neighbor mpls send-community both
exit-address-family
!
ip local pool mypool 10.1.1.1 10.1.1.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.2 name route_to_internet
!
ipv6 ioam timestamp
!
route-map cust1 permit 10
match tag 666
!
route-map cust2 permit 10
match tag 667
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input none
!
!
end
R1-HUB#
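As an added example (not code from the thread or from Cisco), here is a Python triage helper that reads the two show outputs quoted above and states why a tunnel is in the up/down state: no IPsec SA at all (outbound SPI 0x0 and zero encap/decap counters, as in the R3-Spoke1 output), an SA that encapsulates but never decapsulates, or a healthy tunnel. The sample outputs are constructed from the R3-Spoke1 output above, trimmed to the lines the parser reads, plus one constructed healthy case. One caveat when reading the output above: `show crypto isakmp sa` lists IKEv1 SAs only, so an empty table there says nothing about IKEv2; the IKEv2 SA state is shown by `show crypto ikev2 sa`.

```python
import re

# Constructed sample: the spoke output quoted above, trimmed to the lines the parser reads.
SHOW_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.103 YES NVRAM up up
Tunnel0 unassigned YES NVRAM up down
"""

SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
 Crypto map tag: Tunnel0-head-0, local addr 172.16.1.103
 local ident (addr/mask/prot/port): (172.16.1.103/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
 current_peer 172.16.0.1 port 500
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 current outbound spi: 0x0(0)
"""

# Constructed healthy case (not from the thread): SA present, traffic flowing both ways.
SHOW_IP_INT_BRIEF_OK = """\
Interface IP-Address OK? Method Status Protocol
Tunnel0 10.1.1.5 YES manual up up
"""

SHOW_CRYPTO_IPSEC_SA_OK = """\
interface: Tunnel0
 current_peer 172.16.0.1 port 500
 #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
 #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
 current outbound spi: 0x1A2B3C4D(439041101)
"""

IFACE_RE = re.compile(r"^interface: (\S+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def tunnel_states(show_ip_int_brief):
    """{interface: (status, protocol)} for Tunnel interfaces in 'show ip int brief'."""
    states = {}
    for line in show_ip_int_brief.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if not parts or not parts[0].startswith("Tunnel"):
            continue
        # Status may be 'up', 'down' or the two-word 'administratively down'.
        states[parts[0]] = (" ".join(parts[4:-1]), parts[-1])
    return states


def ipsec_sa_summary(show_crypto_ipsec_sa):
    """Per tunnel interface: peer, outbound SPI (int) and encap/decap counters."""
    summary, current = {}, None
    for line in show_crypto_ipsec_sa.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            summary[current] = {"peer": None, "spi": None, "encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue
        entry = summary[current]
        if (m := PEER_RE.search(line)):
            entry["peer"] = m.group(1)
        elif (m := ENCAPS_RE.search(line)):
            entry["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            entry["decaps"] = int(m.group(1))
        elif (m := SPI_RE.search(line)):
            entry["spi"] = int(m.group(1), 16)
    return summary


def triage(show_ip_int_brief, show_crypto_ipsec_sa):
    """One verdict string per tunnel interface."""
    verdicts = {}
    sas = ipsec_sa_summary(show_crypto_ipsec_sa)
    for name, (status, protocol) in tunnel_states(show_ip_int_brief).items():
        sa = sas.get(name)
        peer = sa["peer"] if sa else "unknown"
        if status != "up":
            verdicts[name] = "interface is not up: check shutdown and the tunnel source"
        elif sa is None or not sa["spi"]:
            # SPI 0x0 with zero counters means IKEv2 never produced a child SA.
            verdicts[name] = (f"no IPsec SA with peer {peer}: IKEv2 did not complete; "
                              "check 'show crypto ikev2 sa' and reachability of the peer")
        elif sa["encaps"] and not sa["decaps"]:
            verdicts[name] = f"SA present but nothing decrypted from {peer}: return traffic is missing"
        elif protocol != "up":
            verdicts[name] = "SA present but line protocol down"
        else:
            verdicts[name] = "healthy"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SHOW_IP_INT_BRIEF, SHOW_CRYPTO_IPSEC_SA).items():
        print(f"{name}: {verdict}")
```

On the spoke output above the verdict for Tunnel0 is the "no IPsec SA" case, which is the one to chase first: with outbound SPI 0x0 and zero counters, nothing has been negotiated yet, so the tunnel's line protocol cannot come up regardless of the BGP configuration on top of it.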