Solved: Routing spoke to spoke FlexVPN

sigcerder · ‎04-09-2024

Hi there.

Please clarify the following, I am implementing in my lab this scenario: FlexVPN spoke to spoke, using BGP regarding this link:

https://networklessons.com/vpn/flexvpn-spoke-to-spoke-pool-and-bgp
Now it works fine and from HUB I can see all spokes and ping them. But, from each spoke I can only ping HUB networks and also see HUB networks, I'd like to see network from each spoke to reach network from one spoke to other spokes. What do I need to add to my configuration?

Do I need to use route reflector?

MHM Cisco World · ‎04-10-2024

That perfect

Try ping from spoke to spoke

Ping 192.168.2.x source IP 192.168.1.x

Then share

Show ip bgp

Show ip route

MHM

View solution in original post

MHM Cisco World · ‎04-09-2024

You use ibgp or ebgp

What is your flexvpn config?

MHM

sigcerder · ‎04-09-2024

I use iBGP, my configuration completely copy from this link: https://networklessons.com/vpn/flexvpn-spoke-to-spoke-pool-and-bgp

MHM Cisco World · ‎04-09-2024

Share your config as well

MHM

sigcerder · ‎04-09-2024

sure.

This is my configuration. I configured HUB, Spoke1, Spoke2.

Georg Pauwen · ‎04-09-2024

Hello,

the problem is that the links only provide access to half of the configurations (full access is pay only), so it is impossible to compare what you have configured with what the sample configs look like.

I am not sure about the static default route, is that in the example as well ?

sigcerder · ‎04-10-2024

Hello,

I wanted to draw your attention to the link provided above. It contains the complete configuration. Upon review, you'll notice that the topic concludes at section: 2. Verification. This is where we begin checking the status based on the provided configuration.

"I've also paid for an account on this site. The information provided after section 2. Verification solely pertains to verifications, as the configuration concludes at this point. Therefore, you can be assured that it is fully represented up to this stage."

MHM Cisco World · ‎04-09-2024

The traffic between spokes

1- go to hub use defualt route' then to other spokes

2- config spokes as route reflect and traffic can pass direct to spokes

I check config and I need form you confirm

Spoke have defualt route<- share show ip bgp

Hub have spokes IP <- share show ip bgp

MHM

sigcerder · ‎04-10-2024

Hello,

If I've understood your instructions correctly, I've previously attempted this scenario. In other words, I've used the following configurations:

For Spoke1:
ip route 192.168.2.0 255.255.255.0 172.16.1.254

For Spoke2:
ip route 192.168.1.0 255.255.255.0 172.16.1.254

I must clarify that this approach works effectively. However, I'm seeking a method that would enable the configuration of this scenario in a way that allows all spokes to communicate with each other autonomously, without requiring manual intervention on my part.

MHM Cisco World · ‎04-10-2024

I am not suggest use static route

Just

Share the show ip bgp in hub and both spokes

MHM

sigcerder · ‎04-10-2024

Sure:

Spoiler

HUB#show ip bgp
BGP table version is 5, local router ID is 172.16.1.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
0.0.0.0 0.0.0.0 0 i
*> 192.168.0.0 0.0.0.0 0 32768 i
*>i 192.168.1.0 172.16.1.2 0 100 0 i
*>i 192.168.2.0 172.16.1.1 0 100 0 i

SPOKE1#show ip bgp
BGP table version is 4, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
r>i 0.0.0.0 172.16.1.254 0 100 0 i
*>i 192.168.0.0 172.16.1.254 0 100 0 i
*> 192.168.1.0 0.0.0.0 0 32768 i

SPOKE2#show ip bgp
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
r>i 0.0.0.0 172.16.1.254 0 100 0 i
*>i 192.168.0.0 172.16.1.254 0 100 0 i
*> 192.168.2.0 0.0.0.0 0 32768 i

HUB#show ip bgpBGP table version is 5, local router ID is 172.16.1.254Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,x best-external, a additional-path, c RIB-compressed,Origin codes: i - IGP, e - EGP, ? - incompleteRPKI validation codes: V valid, I invalid, N Not foundNetwork Next Hop Metric LocPrf Weight Path0.0.0.0 0.0.0.0 0 i*> 192.168.0.0 0.0.0.0 0 32768 i*>i 192.168.1.0 172.16.1.2 0 100 0 i*>i 192.168.2.0 172.16.1.1 0 100 0 iSPOKE1#show ip bgpBGP table version is 4, local router ID is 1.1.1.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,x best-external, a additional-path, c RIB-compressed,Origin codes: i - IGP, e - EGP, ? - incompleteRPKI validation codes: V valid, I invalid, N Not foundNetwork Next Hop Metric LocPrf Weight Pathr>i 0.0.0.0 172.16.1.254 0 100 0 i*>i 192.168.0.0 172.16.1.254 0 100 0 i*> 192.168.1.0 0.0.0.0 0 32768 iSPOKE2#show ip bgpBGP table version is 4, local router ID is 2.2.2.2Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,x best-external, a additional-path, c RIB-compressed,Origin codes: i - IGP, e - EGP, ? - incompleteRPKI validation codes: V valid, I invalid, N Not foundNetwork Next Hop Metric LocPrf Weight Pathr>i 0.0.0.0 172.16.1.254 0 100 0 i*>i 192.168.0.0 172.16.1.254 0 100 0 i*> 192.168.2.0 0.0.0.0 0 32768 i

MHM Cisco World · ‎04-10-2024

That perfect

Try ping from spoke to spoke

Ping 192.168.2.x source IP 192.168.1.x

Then share

Show ip bgp

Show ip route

MHM

sigcerder · ‎04-10-2024

It looks great, I can see route H (NHRP).
Until I forced a route with source substitution, I could not perform icmp from spoke1 side to spoke2 side.
Will this scenario work if it is not forced with source substitution?

SPOKE1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 1.1.1.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/30 is directly connected, Ethernet0/0
L 1.1.1.2/32 is directly connected, Ethernet0/0
172.16.0.0/32 is subnetted, 3 subnets
S % 172.16.1.1 is directly connected, Virtual-Access1
C 172.16.1.2 is directly connected, Tunnel0
S 172.16.1.254 is directly connected, Tunnel0
B 192.168.0.0/24 [200/0] via 172.16.1.254, 01:25:08
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
H 192.168.2.0/24 [250/1] via 172.16.1.1, 00:25:07, Virtual-Access1

SPOKE2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 2.2.2.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 2.2.2.1
2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 2.2.2.0/30 is directly connected, Ethernet0/0
L 2.2.2.2/32 is directly connected, Ethernet0/0
172.16.0.0/32 is subnetted, 3 subnets
C 172.16.1.1 is directly connected, Tunnel0
H 172.16.1.2 [250/1] via 172.16.1.2, 01:09:08, Virtual-Access1
S 172.16.1.254 is directly connected, Tunnel0
B 192.168.0.0/24 [200/0] via 172.16.1.254, 01:23:48
H 192.168.1.0/24 [250/1] via 172.16.1.2, 00:23:56, Virtual-Access1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Ethernet0/1
L 192.168.2.1/32 is directly connected, Ethernet0/1

MHM Cisco World · ‎04-10-2024

The spoke to spoke tunnels must trigger by one way' it not up directly after config tunnel.

If you see H and ping success then your Lab is correct and work perfectly.

MHM