Introduction Of MPLS
MPLS defines protocols that create a different paradigm for how routers forward packets. Rather than forwarding packets based on the packet's destination IP address, MPLS defines how routers can forward packets based on an MPLS label.

What Is OSPF Sham Links? How To Configure OSPF Sham Links?
An OSPF sham link is a logical inter-area link carried by the super backbone. A sham link is required only between two VPN sites that belong to the same area and have a backdoor link for backup purposes. An OSPF adjacency is established across the sham link.

How To Configure MPLS L3 With BGP AS OVERRIDE?
BGP has a simple loop-prevention mechanism for external BGP: when a router sees its own autonomous system number in the AS path, it does not accept the prefix. This mechanism is fine for Internet routing, but there are other scenarios where it can be an issue.

What Is MPLS L3 VPN ? How To Configure?
In an MPLS Layer 3 VPN, the service provider participates in routing with the customers. The customers run static routing, OSPF, EIGRP, BGP or any other routing protocol with the service provider; these routes can be shared with the customer's other sites. Within the VPN, routing information from one customer is completely separated from other customers and tunneled over the service provider's MPLS network.

Latest Posts

How to configure Overlapping VPN?

Internetworks

  1. Configure the topology as per the diagram
  2. Configure the IP addresses as per the topology
  3. Configure OSPF inside the core of MPLS network 
  4. Configure MPLS LDP peering inside MPLS core network
  5. Configure VRF site-a and site-c on router 1 
  6. Configure VRF site-b and site-d on router 3
  7. Configure route-distinguisher and route-target 500:1 for site-a and site-b, and 500:2 for site-c and site-d
  8. Configure fa0/0 and fa2/0 under VRF site-a and site-c on router 1
  9. Configure fa0/0 and fa2/0 under VRF site-b and site-d on router 3
  10. Configure EBGP between router 1 and router 6
  11. Configure EBGP between router 3 and router 7
  12. Both routers 6 and 7 are under AS-600
  13. Configure connectivity between router 1 and router 3 with VPNv4
  14. Configure the as-override feature on router 1 and router 3 
  15. Make sure router 6 and router 7 have installed their routes 
  16. Configure connectivity between router 1 and router 4 with OSPF under VRF site-c
  17. Configure redistribution between OSPF and BGP under VRF site-c
  18. Configure connectivity between router 3 and router 4 under VRF site-d with EIGRP 100
  19. Configure redistribution between EIGRP and BGP
  20. Make sure router 3 has installed router 4's routes
  21. Configure connectivity between all sites: a, b, c, and d
  22. Ultimately, ensure all the routes are exchanged to all sites and all the sites can reach any network.

Configure the IP addresses as per the topology


R1(config)#interface serial 5/0
R1(config-if)#ip address 12.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 5/2
R1(config-if)#ip address 31.1.1.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 16.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet 2/0
R1(config-if)#ip address 15.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 1
R1(config-if)#ip address 192.168.1.1 255.255.255.255
R1(config-if)#no shutdown
R1(config-if)#exit
 
 
R2(config)#interface serial 5/1
R2(config-if)#ip address 23.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 5/0
R2(config-if)#ip address 12.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
 
R2(config)#interface loopback 1
R2(config-if)#ip address 122.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
 
 
R3(config)#interface serial 5/1
R3(config-if)#ip address 23.1.1.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 5/2
R3(config-if)#ip address 31.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface FastEthernet 0/0
R3(config-if)#ip address 17.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastethernet 2/0
R3(config-if)#ip address 14.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface loopback 1
R3(config-if)#ip address 192.168.3.1 255.255.255.255
R3(config-if)#no shutdown
R3(config-if)#exit
 
 
R4(config)#interface fastethernet 2/0
R4(config-if)#ip address 14.1.1.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface loopback 1
R4(config-if)#ip address 44.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
 
 
R5(config)#interface fastethernet 2/0
R5(config-if)#ip address 15.1.1.2 255.0.0.0
R5(config-if)#no shutdown
R5(config-if)#exit
R5(config)#interface loopback 1
R5(config-if)#ip address 55.1.1.1 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#exit
 
 
R6(config)#interface fastethernet 2/0
R6(config-if)#ip address 16.1.1.2 255.0.0.0
R6(config-if)#no shutdown
R6(config-if)#exit
R6(config)#interface loopback 1
R6(config-if)#ip address 66.1.1.1 255.255.255.255
R6(config-if)#no shutdown
R6(config-if)#exit
 
 
R7(config)#interface fastethernet 0/0
R7(config-if)#ip address 17.1.1.2 255.0.0.0
R7(config-if)#no shutdown
R7(config-if)#exit
R7(config)#interface loopback 1
R7(config-if)#ip address 77.1.1.1 255.255.255.255
R7(config-if)#no shutdown
R7(config-if)#exit

Configure OSPF inside the core of the MPLS network 


R1(config)#router ospf 65100
R1(config-router)#network 12.0.0.0 0.255.255.255 area 0
R1(config-router)#network 31.0.0.0 0.255.255.255 area 0
R1(config-router)#network 192.168.1.1 0.0.0.0 area 0
R1(config-router)#exit
 


 
R2(config)#router ospf 65100
R2(config-router)#network 12.0.0.0 0.255.255.255 area 0
R2(config-router)#network 23.0.0.0 0.255.255.255 area 0
R2(config-router)#network 122.1.1.0 0.0.0.255 area 0
R2(config-router)#exit
 
 


R3(config)#router ospf 65100
R3(config-router)#network 31.0.0.0 0.255.255.255 area 0
R3(config-router)#network 23.0.0.0 0.255.255.255 area 0
R3(config-router)#network 192.168.3.1 0.0.0.0 area 0
R3(config-router)#exit
 



Configure MPLS LDP peering inside the MPLS core network



R1(config)#mpls label range 50 149
R1(config)#mpls label protocol ldp
R1(config)#mpls ldp router-id loopback 1

R1(config)#interface serial 5/0
R1(config-if)#mpls ip
R1(config-if)#exit
R1(config)#interface serial 5/2
R1(config-if)#mpls ip
R1(config-if)#exit



R2(config)#mpls label range 150 249
R2(config)#mpls label protocol ldp
R2(config)#mpls ldp router-id loopback 1

R2(config)#interface serial 5/0
R2(config-if)#mpls ip
R2(config-if)#exit
R2(config)#interface serial 5/1
R2(config-if)#mpls ip
R2(config-if)#exit


R3(config)#mpls label range 250 349
R3(config)#mpls label protocol ldp
R3(config)#mpls ldp router-id loopback 1
R3(config)#interface serial 5/2
R3(config-if)#mpls ip
R3(config-if)#exit
R3(config)#interface serial 5/1
R3(config-if)#mpls ip
R3(config-if)#exit


Configure VRF site-a and site-c on router 1; configure route-distinguisher and route-target 500:1 for site-a and site-b, and 500:2 for site-c and site-d

 



R1(config)#ip vrf site-a
R1(config-vrf)#rd 500:1
R1(config-vrf)#route-target both 500:1
R1(config-vrf)#exit

R1(config)#ip vrf site-c
R1(config-vrf)#rd 500:2
R1(config-vrf)#route-target both 500:2
R1(config-vrf)#exit




Configure VRF site-b and site-d on router 3


R3(config)#ip vrf site-b
R3(config-vrf)#rd 500:1
R3(config-vrf)#route-target both 500:1
R3(config-vrf)#exit

R3(config)#ip vrf site-d
R3(config-vrf)#rd 500:2
R3(config-vrf)#route-target both 500:2
R3(config-vrf)#exit


Configure fa0/0 and fa2/0 under VRF site-a and site-c on router 1



R1(config)#interface fastethernet 0/0
R1(config-if)#ip vrf forwarding site-a
% Interface FastEthernet0/0 IP address 16.1.1.1 removed due to enabling VRF site-a
R1(config-if)#ip address 16.1.1.1 255.0.0.0
R1(config-if)#exit

R1(config)#interface fastethernet 2/0
R1(config-if)#ip vrf forwarding site-c
R1(config-if)#ip address 15.1.1.1 255.0.0.0
R1(config-if)#exit


Configure fa0/0 and fa2/0 under VRF site-b and site-d on router 3



R3(config)#interface fastethernet 0/0
R3(config-if)#ip vrf forwarding site-b
% Interface FastEthernet0/0 IP address 17.1.1.1 removed due to enabling VRF site-b
R3(config-if)#ip address 17.1.1.1 255.0.0.0
R3(config-if)#exit

R3(config)#interface fastethernet 2/0
R3(config-if)#ip vrf forwarding site-d
% Interface FastEthernet2/0 IP address 14.1.1.1 removed due to enabling VRF site-d
R3(config-if)#ip address 14.1.1.1 255.0.0.0
R3(config-if)#exit





Configure EBGP between router 1 and router 6

R6(config)#router bgp 600
R6(config-router)#neighbor 16.1.1.1 remote-as 123
R6(config-router)#network 66.1.1.1 mask 255.255.255.255
R6(config-router)#network 16.0.0.0 mask 255.0.0.0
R6(config-router)#no auto-summary
R6(config-router)#no synchronization
R6(config-router)#exit

R1(config)#router bgp 123
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#address-family ipv4 vrf site-a
R1(config-router-af)#neighbor 16.1.1.2 remote-as 600
R1(config-router-af)#neighbor 16.1.1.2 activate
R1(config-router-af)#redistribute connected
R1(config-router-af)#exit

*Apr 15 15:42:59.667: %BGP-5-ADJCHANGE: neighbor 16.1.1.2 vpn vrf site-a Up


Configure EBGP between router 3 and router 7


R7(config)#router bgp 600
R7(config-router)#neighbor 17.1.1.1 remote-as 123
R7(config-router)#network 17.0.0.0 mask 255.0.0.0
R7(config-router)#network 77.1.1.1 mask 255.255.255.255
R7(config-router)#exit

R3(config)#router bgp 123
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#address-family ipv4 vrf site-b
R3(config-router-af)#neighbor 17.1.1.2 remote-as 600
R3(config-router-af)#neighbor 17.1.1.2 activate
R3(config-router-af)#redistribute connected
R3(config-router-af)#exit

Configure connectivity between router 1 and router 3 with VPNv4




R1(config)#router bgp 123
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#neighbor 192.168.3.1 remote-as 123
R1(config-router)#neighbor 192.168.3.1 update-source loopback 1
R1(config-router)#address-family vpnv4 unicast
R1(config-router-af)#neighbor 192.168.3.1 activate
R1(config-router-af)#neighbor 192.168.3.1 send-community extended
R1(config-router-af)#neighbor 192.168.3.1 next-hop-self
R1(config-router-af)#exit

*Apr 15 16:14:33.543: %BGP-5-ADJCHANGE: neighbor 192.168.3.1 Up

R3(config)#router bgp 123
R3(config-router)#no bgp default ipv4-unicast
R3(config-router)#neighbor 192.168.1.1 remote-as 123
R3(config-router)#neighbor 192.168.1.1 update-source loopback 1
R3(config-router)#address-family vpnv4 unicast
R3(config-router-af)#neighbor 192.168.1.1 activate
R3(config-router-af)#neighbor 192.168.1.1 send-community extended
R3(config-router-af)#neighbor 192.168.1.1 next-hop-self
R3(config-router-af)#exit

*Apr 15 16:14:30.075: %BGP-5-ADJCHANGE: neighbor 192.168.1.1 Up


R6#ping 17.1.1.1 source 16.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 16.1.1.2
.....
Success rate is 0 percent (0/5)

Configure the as-override feature on router 1 and router 3 


R1(config)#router bgp 123
R1(config-router)#address-family ipv4 vrf site-a
R1(config-router-af)#neighbor 16.1.1.2 as-override
R1(config-router-af)#do clear ip bgp *
R1(config-router-af)#exit
R1(config-router)#exit

*Apr 15 16:21:33.103: %BGP-5-ADJCHANGE: neighbor 16.1.1.2 vpn vrf site-a Down AS -override change

R3(config)#router bgp 123
R3(config-router)#address-family ipv4 vrf site-b
R3(config-router-af)#neighbor 17.1.1.2 as-override
R3(config-router-af)#do clear ip bgp *
R3(config-router-af)#exit

*Apr 15 16:24:21.779: %BGP-5-ADJCHANGE: neighbor 17.1.1.2 vpn vrf site-b Down AS -override change
*Apr 15 16:24:22.475: %BGP-5-ADJCHANGE: neighbor 17.1.1.2 vpn vrf site-b Up

R6#ping 17.1.1.1 source 16.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 16.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/84/112 ms
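
Why the first ping failed and the second succeeded, as an added Python sketch (not part of the original lab): it models the eBGP AS_PATH loop check on the CE and what as-override does to the path on the PE, using the lab's AS numbers. It goes slightly beyond the lab by also modelling a Site of Origin (SoO) tag, which the lab does not configure; the function names and SoO values are constructed for the illustration.

```python
"""Model of the eBGP AS_PATH loop check and the PE-side as-override knob.

AS numbers are the lab's: CE routers R6 and R7 are in AS 600, the provider
is AS 123. Function names and the SoO values are constructed for this sketch.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CUSTOMER_AS = 600
PROVIDER_AS = 123


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    soo: Optional[str] = None  # Site of Origin extended community, if tagged


def pe_ingress(route, site_soo=None):
    """Ingress PE learns a CE route and optionally tags it with the site's SoO."""
    return Route(route.prefix, route.as_path, site_soo)


def pe_egress(route, pe_as, ce_as, as_override, ce_soo=None):
    """Build the update a PE sends to a CE, or None if SoO filtering blocks it."""
    if ce_soo is not None and route.soo == ce_soo:
        return None  # route came from this very site: do not send it back
    path = route.as_path
    if as_override:
        # Replace every occurrence of the CE's AS with the PE's own AS.
        path = tuple(pe_as if asn == ce_as else asn for asn in path)
    return Route(route.prefix, (pe_as,) + path, route.soo)  # eBGP prepend


def ce_accepts(route, local_as):
    """eBGP loop check: drop any update whose AS_PATH contains the local AS."""
    return local_as not in route.as_path


def deliver(prefix, as_override, origin_soo=None, dest_soo=None):
    """Carry a CE-originated prefix across AS 123 to a CE that is also in AS 600."""
    learned = pe_ingress(Route(prefix, (CUSTOMER_AS,)), origin_soo)
    sent = pe_egress(learned, PROVIDER_AS, CUSTOMER_AS, as_override, dest_soo)
    if sent is None:
        return None, False
    return sent.as_path, ce_accepts(sent, CUSTOMER_AS)


if __name__ == "__main__":
    # R7's loopback towards R6 without as-override: R6 sees 600 and drops it.
    print(deliver("77.1.1.1/32", as_override=False))
    # With as-override the path becomes 123 123, as in "show ip bgp" on R6.
    print(deliver("77.1.1.1/32", as_override=True))
    # Side effect: a site's own prefix coming back over a second PE link is
    # accepted too, because the loop check can no longer see AS 600.
    print(deliver("66.1.1.1/32", as_override=True))
    # Tagging both attachment points of that site with one SoO blocks it again.
    print(deliver("66.1.1.1/32", True, origin_soo="600:6", dest_soo="600:6"))
```

The third case is the one to watch on dual-homed sites: once as-override is on, the AS_PATH check no longer protects the customer from receiving its own routes back.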


Configure the connectivity between router 1 and router 5 with OSPF under VRF site-c



R5(config)#router ospf 10
R5(config-router)#network 15.0.0.0 0.255.255.255 area 0
R5(config-router)#network 1.0.0.0 0.255.255.255 area 0
R5(config-router)#network 55.1.1.0 0.0.0.255 area 0
R5(config-router)#exit
*Apr 15 14:28:45.863: %OSPF-5-ADJCHG: Process 10, Nbr 15.1.1.1 on FastEthernet2/0 from LOADING to FULL, Loading Done

R1(config)#router ospf 10 vrf site-c
R1(config-router)#network 15.0.0.0 0.255.255.255 area 0
R1(config-router)#redistribute bgp 123 subnet
R1(config-router)#exit

*Apr 15 17:12:29.647: %OSPF-5-ADJCHG: Process 10, Nbr 55.1.1.1 on FastEthernet2/0 from LOADING to FULL, Loading Done

Configure redistribution between OSPF and BGP under VRF site-c



R1(config)#router bgp 123
R1(config-router)#no bgp default ipv4-unicast
R1(config-router)#address-family ipv4 vrf site-c
R1(config-router-af)#redistribute ospf 10 vrf site-c match internal external
R1(config-router-af)#exit
R1(config-router)#exit
R1(config)#exit


Configure connectivity between router 3 and router 4 under VRF site-d with EIGRP 100

R4(config)#router eigrp 100
R4(config-router)#no auto-summary
R4(config-router)#network 14.0.0.0
R4(config-router)#network 44.1.1.0
R4(config-router)#exit
*Apr 15 14:26:06.839: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 14.1.1.1 (FastEthernet2/0) is up: new adjacency


R3(config)#router eigrp 100
R3(config-router)#address-family ipv4 vrf site-d
R3(config-router-af)#autonomous-system 100
R3(config-router-af)#network 14.0.0.0
R3(config-router-af)#redistribute bgp 123 metric 1000 2000 255 100 150
R3(config-router-af)#exit
R3(config-router)#exit

R3(config)#router bgp 123
R3(config-router)#address-family ipv4 vrf site-d
R3(config-router-af)#redistribute eigrp 100
R3(config-router-af)#exit

*Apr 15 17:26:01.687: %DUAL-5-NBRCHANGE: IP-EIGRP(2) 100: Neighbor 14.1.1.2 (FastEthernet2/0) is up: new adjacency

Configure connectivity between all sites: a, b, c, and d



R1(config)#ip vrf site-a
R1(config-vrf)#route-target import 500:2
R1(config-vrf)#exit
R1(config)#ip vrf site-c
R1(config-vrf)#route-target import 500:1
R1(config-vrf)#exit
R1(config)#end


R3(config)#ip vrf site-b
R3(config-vrf)#route-target import 500:2
R3(config-vrf)#exit
R3(config)#ip vrf site-d
R3(config-vrf)#route-target import 500:1
R3(config-vrf)#exit
R3(config)#end

R3#show ip bgp vpnv4 all
BGP table version is 38, local router ID is 192.168.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:1 (default for vrf site-b)
*> 14.0.0.0         0.0.0.0                  0         32768 ?
*>i15.0.0.0         192.168.1.1              0    100      0 ?
*>i16.0.0.0         192.168.1.1              0    100      0 ?
*  17.0.0.0         17.1.1.2                 0             0 600 i
*>                  0.0.0.0                  0         32768 ?
*> 44.1.1.0/24      14.1.1.2            156160         32768 ?
*>i55.1.1.1/32      192.168.1.1              2    100      0 ?
*>i66.1.1.1/32      192.168.1.1              0    100      0 600 i
*> 77.1.1.1/32      17.1.1.2                 0             0 600 i
Route Distinguisher: 500:2 (default for vrf site-d)
*> 14.0.0.0         0.0.0.0                  0         32768 ?
*>i15.0.0.0         192.168.1.1              0    100      0 ?
*>i16.0.0.0         192.168.1.1              0    100      0 ?
*> 17.0.0.0         0.0.0.0                  0         32768 ?
*> 44.1.1.0/24      14.1.1.2            156160         32768 ?
*>i55.1.1.1/32      192.168.1.1              2    100      0 ?
*>i66.1.1.1/32      192.168.1.1              0    100      0 600 i
*> 77.1.1.1/32      17.1.1.2                 0             0 600 i


R1#show ip bgp vpnv4 all summary
BGP router identifier 192.168.1.1, local AS number 123
BGP table version is 26, main routing table version 26
16 network entries using 2192 bytes of memory
17 path entries using 1156 bytes of memory
10/8 BGP path/bestpath attribute entries using 1240 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
4 BGP extended community entries using 184 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4796 total bytes of memory
BGP activity 27/11 prefixes, 36/19 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
16.1.1.2        4   600     225     242       26    0    0 01:48:02        2
192.168.3.1     4   123     207     207       26    0    0 01:48:02        4


R1#show ip route vrf site-a

Routing Table: site-a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    17.0.0.0/8 [200/0] via 192.168.3.1, 01:48:24
C    16.0.0.0/8 is directly connected, FastEthernet0/0
     55.0.0.0/32 is subnetted, 1 subnets
B       55.1.1.1 [20/2] via 15.1.1.2 (site-c), 01:35:54, FastEthernet2/0
     66.0.0.0/32 is subnetted, 1 subnets
B       66.1.1.1 [20/0] via 16.1.1.2, 01:48:32
     77.0.0.0/32 is subnetted, 1 subnets
B       77.1.1.1 [200/0] via 192.168.3.1, 01:48:24
     44.0.0.0/24 is subnetted, 1 subnets
B       44.1.1.0 [200/156160] via 192.168.3.1, 01:35:54
B    14.0.0.0/8 [200/0] via 192.168.3.1, 01:35:54
B    15.0.0.0/8 is directly connected, 01:35:55, FastEthernet2/0

R1#show ip route vrf site-c

Routing Table: site-c
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    17.0.0.0/8 [200/0] via 192.168.3.1, 01:36:00
B    16.0.0.0/8 is directly connected, 01:36:00, FastEthernet0/0
     55.0.0.0/32 is subnetted, 1 subnets
O       55.1.1.1 [110/2] via 15.1.1.2, 01:45:18, FastEthernet2/0
     66.0.0.0/32 is subnetted, 1 subnets
B       66.1.1.1 [20/0] via 16.1.1.2 (site-a), 01:36:00
     77.0.0.0/32 is subnetted, 1 subnets
B       77.1.1.1 [200/0] via 192.168.3.1, 01:36:00
     44.0.0.0/24 is subnetted, 1 subnets
B       44.1.1.0 [200/156160] via 192.168.3.1, 01:40:15
B    14.0.0.0/8 [200/0] via 192.168.3.1, 01:41:15
C    15.0.0.0/8 is directly connected, FastEthernet2/0

R3#show ip route vrf site-b

Routing Table: site-b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    17.0.0.0/8 is directly connected, FastEthernet0/0
B    16.0.0.0/8 [200/0] via 192.168.1.1, 01:48:36
     55.0.0.0/32 is subnetted, 1 subnets
B       55.1.1.1 [200/2] via 192.168.1.1, 01:36:20
     66.0.0.0/32 is subnetted, 1 subnets
B       66.1.1.1 [200/0] via 192.168.1.1, 01:49:05
     77.0.0.0/32 is subnetted, 1 subnets
B       77.1.1.1 [20/0] via 17.1.1.2, 02:41:19
     44.0.0.0/24 is subnetted, 1 subnets
B       44.1.1.0 [20/156160] via 14.1.1.2 (site-d), 01:36:20, FastEthernet2/0
B    14.0.0.0/8 is directly connected, 01:36:20, FastEthernet2/0
B    15.0.0.0/8 [200/0] via 192.168.1.1, 01:36:21

R3#show ip route vrf site-d

Routing Table: site-d
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    17.0.0.0/8 is directly connected, 01:35:24, FastEthernet0/0
B    16.0.0.0/8 [200/0] via 192.168.1.1, 01:35:24
     55.0.0.0/32 is subnetted, 1 subnets
B       55.1.1.1 [200/2] via 192.168.1.1, 01:45:54
     66.0.0.0/32 is subnetted, 1 subnets
B       66.1.1.1 [200/0] via 192.168.1.1, 01:35:24
     77.0.0.0/32 is subnetted, 1 subnets
B       77.1.1.1 [20/0] via 17.1.1.2 (site-b), 01:35:24
     44.0.0.0/24 is subnetted, 1 subnets
D       44.1.1.0 [90/156160] via 14.1.1.2, 01:41:11, FastEthernet2/0
C    14.0.0.0/8 is directly connected, FastEthernet2/0
B    15.0.0.0/8 [200/0] via 192.168.1.1, 01:48:41

R6#show ip bgp
BGP table version is 19, local router ID is 66.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 14.0.0.0         16.1.1.1                               0 123 ?
*> 15.0.0.0         16.1.1.1                               0 123 ?
*  16.0.0.0         16.1.1.1                 0             0 123 ?
*>                  0.0.0.0                  0         32768 i
*> 17.0.0.0         16.1.1.1                               0 123 ?
*> 44.1.1.0/24      16.1.1.1                               0 123 ?
*> 55.1.1.1/32      16.1.1.1                               0 123 ?
*> 66.1.1.1/32      0.0.0.0                  0         32768 i
*> 77.1.1.1/32      16.1.1.1                               0 123 123 i

R7#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    17.0.0.0/8 is directly connected, FastEthernet0/0
B    16.0.0.0/8 [20/0] via 17.1.1.1, 01:49:37
     55.0.0.0/32 is subnetted, 1 subnets
B       55.1.1.1 [20/0] via 17.1.1.1, 01:37:12
     66.0.0.0/32 is subnetted, 1 subnets
B       66.1.1.1 [20/0] via 17.1.1.1, 01:49:37
     77.0.0.0/32 is subnetted, 1 subnets
C       77.1.1.1 is directly connected, Loopback1
     44.0.0.0/24 is subnetted, 1 subnets
B       44.1.1.0 [20/0] via 17.1.1.1, 01:37:12
B    14.0.0.0/8 [20/0] via 17.1.1.1, 01:37:12
B    15.0.0.0/8 [20/0] via 17.1.1.1, 01:37:12

R4#show ip route eigrp
D EX 17.0.0.0/8 [170/3074560] via 14.1.1.1, 00:02:26, FastEthernet2/0
D EX 16.0.0.0/8 [170/3074560] via 14.1.1.1, 00:02:26, FastEthernet2/0
     55.0.0.0/32 is subnetted, 1 subnets
D EX    55.1.1.1 [170/3074560] via 14.1.1.1, 00:08:23, FastEthernet2/0
     66.0.0.0/32 is subnetted, 1 subnets
D EX    66.1.1.1 [170/3074560] via 14.1.1.1, 00:02:26, FastEthernet2/0
     77.0.0.0/32 is subnetted, 1 subnets
D EX    77.1.1.1 [170/3074560] via 14.1.1.1, 00:02:26, FastEthernet2/0
D EX 15.0.0.0/8 [170/3074560] via 14.1.1.1, 00:08:23, FastEthernet2/0

R1#show run | section vrf
ip vrf site-a
 rd 500:1
 route-target export 500:1
 route-target import 500:1
 route-target import 500:2
ip vrf site-c
 rd 500:2
 route-target export 500:2
 route-target import 500:2
 route-target import 500:1
 ip vrf forwarding site-a
 ip vrf forwarding site-c
router ospf 10 vrf site-c
 log-adjacency-changes
 redistribute bgp 123 subnets
 network 15.0.0.0 0.255.255.255 area 0
 address-family ipv4 vrf site-c
 redistribute ospf 10 vrf site-c match internal external 1 external 2
 address-family ipv4 vrf site-a


R6#ping 44.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/113/136 ms
R6#ping 77.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 77.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/114/132 ms
R6#ping 55.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/76/92 ms


R7#traceroute 44.1.1.1

Type escape sequence to abort.
Tracing the route to 44.1.1.1

  1 17.1.1.1 48 msec 28 msec 32 msec
  2 14.1.1.2 [AS 123] 60 msec 64 msec 76 msec
R7#traceroute 55.1.1.1

Type escape sequence to abort.
Tracing the route to 55.1.1.1

  1 17.1.1.1 44 msec 64 msec 28 msec
  2 15.1.1.1 [AS 123] [MPLS: Label 59 Exp 0] 108 msec 80 msec 76 msec
  3 15.1.1.2 [AS 123] 108 msec 108 msec 124 msec
R7#traceroute 66.1.1.1

Type escape sequence to abort.
Tracing the route to 66.1.1.1

  1 17.1.1.1 28 msec 36 msec 36 msec
  2 16.1.1.1 [AS 123] [MPLS: Label 56 Exp 0] 60 msec 72 msec 60 msec
  3 16.1.1.2 [AS 123] 120 msec 140 msec 92 msec


What is VRF (virtual routing and forwarding)? What is RD (Route-Distinguisher) and Route Target (RT) ?

Internetworks

  VRF (virtual routing and forwarding)

 

Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to coexist within the same router simultaneously. This enables network paths to be segmented without using multiple devices. VRF keeps customer traffic and routing separate and utilizes the same hardware. Without VRF, we need to use ACL filtering to keep traffic segregated. 

 




Each VRF has three main components, as follows:

  • An IP routing table (RIB)
  • A CEF FIB, populated based on that VRF's RIB
  • A separate instance or process of the routing protocol used to exchange routes with the CEs that need to be supported by the VRF

Key Concepts of VRF

  • Routing Isolation: Each VRF maintains its own separate routing table
  • Forwarding Isolation: Traffic from one VRF cannot leak into another VRF
  • Interface Assignment: Network interfaces are assigned to specific VRFs

 

RD (Route-Distinguisher)

A Route Distinguisher (RD) is a BGP attribute used in MPLS VPNs (RFC 4364) to make overlapping IPv4 addresses unique across different VPNs. It prepends a unique identifier to customer routes, allowing them to be distinguished in the provider's backbone.

The RD is a 64-bit (8-byte) value prepended to the prefix; it converts a client's non-unique 32-bit IPv4 address into a unique 96-bit VPNv4 address so that it can be transported between PE routers. The RD uniquely identifies a route (IP prefix); it does NOT identify a VPN. The RD is locally significant to a router. Without an RD, MPLS VPNs cannot distinguish between duplicate customer routes.





  • A VRF is not operational unless you configure an RD.
  • An RD is written in the ASN:nn or ABC:nn format.
  • Each VRF in a PE router must have a unique RD.
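
How an RD turns overlapping IPv4 prefixes into distinct VPNv4 addresses, as an added Python example (not from the original post). It packs the three RD types defined in RFC 4364 and shows the collision that results when two customers share an RD; the prefix 10.1.1.0, the owner labels and the function names are constructed for the illustration.

```python
"""RD encoding per RFC 4364 and the resulting 96-bit VPNv4 address.

The customer prefix 10.1.1.0 and the owner labels are constructed samples;
the prefix length is left out of the key to keep the sketch short.
"""
import ipaddress
import struct


def encode_rd(rd):
    """Pack 'admin:number' into the 8-byte RD (2-byte type + 6-byte value)."""
    admin, sep, number = rd.rpartition(":")
    if not sep or not number.isdigit():
        raise ValueError(f"malformed RD: {rd!r}")
    try:
        if "." in admin:  # type 1: IPv4-address:nn
            addr = ipaddress.IPv4Address(admin).packed
            return struct.pack("!H4sH", 1, addr, int(number))
        if int(admin) <= 0xFFFF:  # type 0: 2-byte-ASN:nn
            return struct.pack("!HHI", 0, int(admin), int(number))
        return struct.pack("!HIH", 2, int(admin), int(number))  # type 2: 4-byte ASN
    except (struct.error, ValueError) as exc:
        raise ValueError(f"RD out of range: {rd!r}") from exc


def decode_rd(raw):
    """Inverse of encode_rd for the three defined RD types."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    rd_type = int.from_bytes(raw[:2], "big")
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        addr, number = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(addr)}:{number}"
    if rd_type == 2:
        asn, number = struct.unpack("!IH", raw[2:])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_address(rd, ipv4):
    """96-bit VPNv4 address: the 64-bit RD followed by the 32-bit IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed


def build_table(routes):
    """Key routes by VPNv4 address and report different owners landing on one key."""
    table, collisions = {}, []
    for rd, prefix, owner in routes:
        key = vpnv4_address(rd, prefix)
        if key in table and table[key] != owner:
            collisions.append((rd, prefix, table[key], owner))
        table[key] = owner
    return table, collisions


if __name__ == "__main__":
    # Same customer prefix under the lab's two RDs: two distinct VPNv4 routes.
    ok = [("500:1", "10.1.1.0", "customer-1"), ("500:2", "10.1.1.0", "customer-2")]
    table, collisions = build_table(ok)
    for key, owner in table.items():
        print(key.hex(), decode_rd(key[:8]), owner)
    # Two customers given the same RD: their overlapping prefix becomes one route.
    bad = [("500:1", "10.1.1.0", "customer-1"), ("500:1", "10.1.1.0", "customer-2")]
    print(build_table(bad)[1])
```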

 

A Route Target (RT) is a BGP extended community attribute used in MPLS VPNs to control how routes are imported and exported between VRFs (Virtual Routing and Forwarding instances). An RT is a 64-bit extended BGP community that is attached to a VPNv4 BGP route to indicate its VPN membership. Any number of RTs can be attached to a single route.

 


How Does It Work?

Export RTs

  • Export RTs identify the VPN membership to which the associated VRF belongs.
  • Export RTs are attached to a client's route when it is converted into a VPNv4 route.

 

Import RTs

  • Import RTs are used to select which VPNv4 routes are to be inserted into which VRF tables.
  • On the receiving PE router, a route is imported into a VRF only if at least one RT attached to the route matches at least one import RT configured in that VRF. 
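
The import rule above, applied to the VRF definitions from the overlapping-VPN lab, as an added Python example (not from the original posts). It parses ip vrf stanzas and lists which VRFs receive each other's routes, before and after the cross-imports of 500:1 and 500:2; the intended-pairs policy and the function names are assumptions made for the illustration, and VRFs are keyed by name only because the lab's names are unique across R1 and R3.

```python
"""Audit which VRFs exchange routes, based on export/import route-targets."""
import re

# VRF stanzas as first configured in the lab (R1: site-a, site-c; R3: site-b, site-d).
ISOLATED_CONFIG = """
ip vrf site-a
 rd 500:1
 route-target both 500:1
ip vrf site-c
 rd 500:2
 route-target both 500:2
ip vrf site-b
 rd 500:1
 route-target both 500:1
ip vrf site-d
 rd 500:2
 route-target both 500:2
"""

# The same VRFs after the lab's final step adds the cross-imports.
OVERLAPPING_CONFIG = ISOLATED_CONFIG.replace(
    " route-target both 500:1", " route-target both 500:1\n route-target import 500:2"
).replace(
    " route-target both 500:2", " route-target both 500:2\n route-target import 500:1"
)

# Assumed policy for the audit: only these site pairs should share routes.
INTENDED_PAIRS = [("site-a", "site-b"), ("site-c", "site-d")]


def parse_vrfs(config):
    """Return {vrf: {'rd', 'import', 'export'}} from IOS 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if not line.startswith(" "):  # a top-level line starts or ends a stanza
            m = re.fullmatch(r"ip vrf (\S+)", stripped)
            current = None
            if m:
                current = vrfs.setdefault(
                    m.group(1), {"rd": None, "import": set(), "export": set()})
        elif current is not None:
            if m := re.fullmatch(r"rd (\S+)", stripped):
                current["rd"] = m.group(1)
            elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", stripped):
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs


def route_flows(vrfs):
    """Ordered (source, destination) pairs: destination imports an RT that source exports."""
    return {
        (src, dst)
        for src, s in vrfs.items()
        for dst, d in vrfs.items()
        if src != dst and s["export"] & d["import"]
    }


def unexpected_flows(vrfs, allowed_pairs):
    """Flows that the intended policy (unordered pairs) does not cover."""
    allowed = {frozenset(pair) for pair in allowed_pairs}
    return sorted(f for f in route_flows(vrfs) if frozenset(f) not in allowed)


if __name__ == "__main__":
    for name, cfg in (("isolated", ISOLATED_CONFIG), ("overlapping", OVERLAPPING_CONFIG)):
        vrfs = parse_vrfs(cfg)
        print(name, "flows:", sorted(route_flows(vrfs)))
        print(name, "outside policy:", unexpected_flows(vrfs, INTENDED_PAIRS))
```

Note that site-a and site-b share RD 500:1 while site-a and site-c do not, yet the result depends only on the route-targets: the RD never decides which VRF a route lands in.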

 

Routing Instance:

  • Each VRF instance acts as a virtual router, with its own routing table and forwarding mechanism.

Interface Isolation:

  • VRF interfaces are isolated, meaning interfaces in different VRFs can have the same IP address or other configurations without conflict, according to PyNet Labs and Cisco.

 

For the configuration, please visit https://mpls.internetworks.in/2025/04/what-mpls-l3-vpn-mpls-vpnv4-peering.html

What MPLS L3 VPN? | MPLS VPNv4 peering | MPLS LDP peering | How to configure MPLS L3 VPN Static?

Internetworks

 MPLS Layer 3 VPN (L3VPN) is a technology that enables service providers to offer secure and scalable IP-based VPN services to customers. It uses Multiprotocol Label Switching (MPLS) to route traffic efficiently while maintaining separation between different customer networks.

A static MPLS L3VPN typically refers to a setup where static routes are used instead of dynamic routing protocols like BGP or OSPF. This approach can be simpler to configure but may lack flexibility compared to dynamic routing.

Here are some key components of MPLS L3VPN:

  • VRF (Virtual Routing and Forwarding): Allows multiple routing tables on a single router.
  • MP-BGP (Multiprotocol BGP): Used to exchange VPN routes between provider edge (PE) routers.
  • Route Distinguisher (RD): Helps differentiate overlapping IP addresses between customers.
  • Route Target (RT): Defines which VPN routes should be imported/exported.

Let's see the configuration:

Topology:


  1. Configure the topology as per the diagram 
  2. Configure the IP addresses as per the topology
  3. Configure EIGRP AS 65100 inside the MPLS CORE network
  4. Ensure the connectivity inside MPLS CORE
  5. Configure MPLS LDP Peering 
  6. Create VRF A-1 for site 1 and VRF A-2 for site 2 (R1&R3)
  7. Create route distinguisher value 500:1
  8. Create route-target for both import and export value 500:1
  9. Apply this on both sites
  10. Configure router 1 fa0/0 under VRF A-1
  11. Configure router 2 fa0/0 under VRF A-2
  12. Configure default route on routers 5 and 4
  13. Configure routing between PE and CE routers
  14. Configure BGP VPNv4 peering
  15. Verify with show commands


What is FLEXVPN? How to configure FLEXVPN?

Internetworks

 

FlexVPN is a versatile VPN framework by Cisco that simplifies the configuration and deployment of various types of VPNs. Cisco supports many VPN types, and many of them require different configuration and verification commands. FlexVPN is designed to support site-to-site, hub-and-spoke, remote access, and other VPN configurations; the only VPN type that FlexVPN doesn't cover is GETVPN.

 


Here are some key points about FlexVPN:

Based on IKEv2: FlexVPN utilizes the Internet Key Exchange version 2 (IKEv2) protocol for all its VPN types, which offers improved security and features over IKEv1.

Smart Defaults: It employs smart defaults based on best practices, minimizing the required configuration efforts.

Unified Solution: FlexVPN is a unified solution that covers all VPN types except Group Encrypted Transport VPN (GETVPN), making it easier to manage and operate.

Supports Various Authentication Methods: It supports certificates, pre-shared keys (PSKs), and Extensible Authentication Protocol (EAP) authentication methods.

Deployment Flexibility: FlexVPN can be deployed over public internet or private MPLS VPN networks and is designed for both site-to-site and remote access VPNs.

Failover Redundancy: It offers different redundancy models, including dynamic routing protocols over VPN tunnels and IKEv2-based server clustering.

 

Smart defaults are pre-defined values. This feature helps us minimize the configuration and makes a VPN easier to configure. For example, when we configure an IPsec VPN with IKEv2, we have to configure the following items:

  • IKEv2 proposal
  • IKEv2 policy
  • IKEv2 profile
  • IKEv2 keyring
  • IPsec transform-set
  • IPsec profile

All of these items have to be configured for an IPsec VPN with IKEv2. With smart defaults, we use the pre-defined values and have to configure only two items:

  • IKEv2 profile 
  • IKEv2 policy 





We do not have to configure the proposal, policy, transform-set, and IPsec profile.

Let’s see the configuration for a better understanding: 

Topology: In this topology, we have a head office router (router-1) and branch site routers A, B, C, D, and E. The head office router is the hub and the rest of the routers are spokes; router 2 acts as the internet. Our task is to configure the IPsec VPN tunnel so that all the data is encrypted.



Goal:
  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure a default route on routers 1,3,4,5,6, and 7
  • configure static routes on the internet router
  • configure crypto keyring
  • configure crypto IPsec profile
  • configure virtual template on router 1 (head office)
  • configure tunnel on spokes routers
  • configure EIGRP and advertise LAN and Loopback interfaces on hub and spokes routers
  • verify the configuration with show commands






Head-office#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES NVRAM  up                    up
Serial3/0              192.168.12.1    YES NVRAM  up                    up
Loopback0              192.168.111.1   YES NVRAM  up                    up


INTERNET#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES NVRAM  up                    up
Serial3/1              192.168.23.2    YES NVRAM  up                    up
Serial3/2              192.168.24.2    YES NVRAM  up                    up
Serial3/3              192.168.25.2    YES NVRAM  up                    up
Serial3/4              192.168.26.2    YES NVRAM  up                    up
Serial3/5              192.168.27.2    YES NVRAM  up                    up

Branch-A#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES NVRAM  up                    up
Serial3/1              192.168.23.1    YES NVRAM  up                    up
Loopback0              192.168.133.1   YES NVRAM  up                    up


Branch-B#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES NVRAM  up                    up
Serial3/2              192.168.24.1    YES NVRAM  up                    up
Loopback0              192.168.144.1   YES NVRAM  up                    up

Branch-C#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.50.1    YES NVRAM  up                    up
Serial3/3              192.168.25.1    YES NVRAM  up                    up
Loopback0              192.168.155.1   YES NVRAM  up                    up


Branch-D#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.60.1    YES NVRAM  up                    up
Serial3/4              192.168.26.1    YES NVRAM  up                    up
Loopback0              192.168.166.1   YES NVRAM  up                    up

Branch-E#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.70.1    YES NVRAM  up                    up
Serial3/5              192.168.27.1    YES NVRAM  up                    up
Loopback0              192.168.177.1   YES NVRAM  up                    up


Head-office#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/0

INTERNET#show ip route static
Gateway of last resort is not set
S     192.168.10.0/24 is directly connected, Serial3/0
S     192.168.30.0/24 is directly connected, Serial3/1
S     192.168.40.0/24 is directly connected, Serial3/2
S     192.168.50.0/24 is directly connected, Serial3/3
S     192.168.60.0/24 is directly connected, Serial3/4
S     192.168.70.0/24 is directly connected, Serial3/5

Branch-A#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/1

Branch-B#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/2


Branch-C#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/3

Branch-D#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/4


Branch-E#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/5




Head-office(config)#crypto ikev2 keyring IKEV2-KEYRING
Head-office(config-ikev2-keyring)#Peer Branch-A
Head-office(config-ikev2-keyring-peer)#address 192.168.23.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-B
Head-office(config-ikev2-keyring-peer)#address 192.168.24.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-C
Head-office(config-ikev2-keyring-peer)#address 192.168.25.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-D
Head-office(config-ikev2-keyring-peer)#address 192.168.26.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-E
Head-office(config-ikev2-keyring-peer)#address 192.168.27.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#exit


Head-office(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Head-office(config-ikev2-profile)#match identity remote  address 192.168.23.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.24.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.25.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.26.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.27.1 255.255.255.0
Head-office(config-ikev2-profile)#authentication remote pre-share
Head-office(config-ikev2-profile)#authentication local pre-share
Head-office(config-ikev2-profile)#keyring local IKEV2-KEYRING
Head-office(config-ikev2-profile)#virtual-template 1
Head-office(config-ikev2-profile)#exit
Head-office(config)#exit

Head-office(config)#crypto ipsec profile IPSEC-PROFILE
Head-office(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Head-office(ipsec-profile)#exit

Head-office#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 13
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.23.1 255.255.255.0
   address 192.168.24.1 255.255.255.0
   address 192.168.25.1 255.255.255.0
   address 192.168.26.1 255.255.255.0
   address 192.168.27.1 255.255.255.0

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: 1
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none

Head-office#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,

        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
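
The following Python audit is an added example, not part of the original post. It reads the hub commands typed above (prompts removed, two of the five spokes kept) and reports a pre-shared key reused across keyring peers and match identity masks wider than the peers the keyring defines. The 20-character minimum key length and the function names are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Hub commands as typed on the page, prompts removed; two of the five spokes kept.
HUB_CONFIG = """\
crypto ikev2 keyring IKEV2-KEYRING
 peer Branch-A
  address 192.168.23.1
  pre-shared-key local INTERNET
  pre-shared-key remote INTERNET
 peer Branch-B
  address 192.168.24.1
  pre-shared-key local INTERNET
  pre-shared-key remote INTERNET
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.23.1 255.255.255.0
 match identity remote address 192.168.24.1 255.255.255.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 virtual-template 1
"""

MIN_PSK_LEN = 20  # assumption: a local policy threshold, not an IOS limit


def to_network(words):
    """[address] or [address, mask] -> IPv4 network; a missing mask means a host."""
    mask = words[1] if len(words) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{words[0]}/{mask}", strict=False)


def parse(config):
    """Return ({peer: {"address", "keys"}}, [networks the profile matches])."""
    peers, matches, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        lowered = [w.lower() for w in words]   # IOS keywords are case-insensitive
        if not words:
            continue
        if lowered[0] == "crypto":             # a new top-level block ends the peer
            current = None
        elif lowered[0] == "peer" and len(words) == 2:
            current = peers.setdefault(words[1], {"address": None, "keys": {}})
        elif current is not None and lowered[0] == "address" and len(words) >= 2:
            current["address"] = to_network(words[1:3])
        elif current is not None and lowered[0] == "pre-shared-key" and len(words) >= 2:
            side = lowered[1] if lowered[1] in ("local", "remote") else "both"
            current["keys"][side] = words[-1]
        elif lowered[:4] == ["match", "identity", "remote", "address"] and len(words) >= 5:
            matches.append(to_network(words[4:6]))
    return peers, matches


def audit(config):
    """Return (code, message) findings; key material is never echoed."""
    peers, matches = parse(config)
    findings = []
    users = defaultdict(set)                   # key -> peers configured with it
    for name, peer in peers.items():
        for key in peer["keys"].values():
            users[key].add(name)
    for key, names in users.items():
        if len(names) > 1:
            findings.append(("psk-reuse", "one pre-shared key is shared by "
                             + ", ".join(sorted(names))))
        if len(key) < MIN_PSK_LEN:
            findings.append(("psk-short", f"pre-shared key of {len(key)} characters "
                             f"is below the {MIN_PSK_LEN}-character policy minimum"))
    for net in matches:
        if net.prefixlen < net.max_prefixlen:  # wider than a single host
            inside = [name for name, peer in peers.items()
                      if peer["address"] is not None and peer["address"].subnet_of(net)]
            findings.append(("broad-match", f"profile matches all of {net} "
                             f"({net.num_addresses} addresses); keyring peers in it: "
                             + (", ".join(inside) or "none")))
    return findings


if __name__ == "__main__":
    for code, message in audit(HUB_CONFIG):
        print(f"[{code}] {message}")
```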

Branch-A(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-A(config-ikev2-keyring)#Peer Head-office
Branch-A(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-A(config-ikev2-keyring-peer)#exit
Branch-A(config-ikev2-keyring)#exit

Branch-A(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-A(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-A(config-ikev2-profile)#authentication remote pre-share
Branch-A(config-ikev2-profile)#authentication local pre-share
Branch-A(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-A(config-ikev2-profile)#exit

Branch-A(config)#crypto ipsec profile IPSEC-PROFILE
Branch-A(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-A(ipsec-profile)#exit




Branch-A#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-A#
Branch-A#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }


Branch-B(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-B(config-ikev2-keyring)#Peer Head-office
Branch-B(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-B(config-ikev2-keyring-peer)#exit
Branch-B(config-ikev2-keyring)#exit

Branch-B(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-B(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-B(config-ikev2-profile)#authentication remote pre-share
Branch-B(config-ikev2-profile)#authentication local pre-share
Branch-B(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-B(config-ikev2-profile)#exit

Branch-B(config)#crypto ipsec profile IPSEC-PROFILE
Branch-B(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-B(ipsec-profile)#exit


Branch-B#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-B#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }


Branch-C(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-C(config-ikev2-keyring)#Peer Head-office
Branch-C(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-C(config-ikev2-keyring-peer)#exit
Branch-C(config-ikev2-keyring)#exit

Branch-C(config)#crypto ikev2 profile IKEV2-PROFILE
Branch-C(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-C(config-ikev2-profile)#authentication remote pre-share
Branch-C(config-ikev2-profile)#authentication local pre-share
Branch-C(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-C(config-ikev2-profile)#exit

Branch-C(config)#crypto ipsec profile IPSEC-PROFILE
Branch-C(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-C(ipsec-profile)#exit

Branch-C#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none

Branch-C#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-D(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-D(config-ikev2-keyring)#Peer Head-office
Branch-D(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-D(config-ikev2-keyring-peer)#exit
Branch-D(config-ikev2-keyring)#exit

Branch-D(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-D(config-ikev2-profile)#match identity remote address 192.168.12.1 
Branch-D(config-ikev2-profile)#authentication remote pre-share
Branch-D(config-ikev2-profile)#authentication local pre-share
Branch-D(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-D(config-ikev2-profile)#exit

Branch-D(config)#crypto ipsec profile IPSEC-PROFILE
Branch-D(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-D(ipsec-profile)#exit



Branch-D#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-D#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-E(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-E(config-ikev2-keyring)#Peer Head-office
Branch-E(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-E(config-ikev2-keyring-peer)#exit
Branch-E(config-ikev2-keyring)#exit
Branch-E(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-E(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-E(config-ikev2-profile)#authentication remote pre-share
Branch-E(config-ikev2-profile)#authentication local pre-share
Branch-E(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-E(config-ikev2-profile)#exit

Branch-E(config)#crypto ipsec profile IPSEC-PROFILE
Branch-E(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-E(ipsec-profile)#exit


Branch-E#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-E#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }




Head-office(config)#interface virtual-template 1 type tunnel
Head-office(config-if)#tunnel source 192.168.12.1
Head-office(config-if)#tunnel destination dynamic
Head-office(config-if)#ip unnumbered loopback 0
Head-office(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Head-office(config-if)#exit
Head-office(config)#exit
 
Head-office(config)#router eigrp 100
Head-office(config-router)#network 192.168.10.0
Head-office(config-router)#network 192.168.111.0
Head-office(config-router)#no auto-summary
Head-office(config-router)#exit

*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Apr 10 15:05:55.379: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.155.1 (Virtual-Access5) is up: new adjacency
*Apr 10 15:05:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency



Branch-A(config)#interface tunnel 0
Branch-A(config-if)#tunnel source 192.168.23.1
Branch-A(config-if)#tunnel destination 192.168.12.1
Branch-A(config-if)#ip unnumbered loopback 0
Branch-A(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-A(config-if)#exit

Branch-A(config)#router eigrp 100
Branch-A(config-router)#network 192.168.30.0
Branch-A(config-router)#network 192.168.133.0
Branch-A(config-router)#no auto-summary
Branch-A(config-router)#exit

*Apr 10 14:57:20.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:57:20.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:57:31.571: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency


Branch-B(config)#interface tunnel 0
Branch-B(config-if)#tunnel source 192.168.24.1
Branch-B(config-if)#tunnel destination 192.168.12.1
Branch-B(config-if)#ip unnumbered loopback 0
Branch-B(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-B(config-if)#exit

Branch-B(config)#router eigrp 100
Branch-B(config-router)#network 192.168.40.1
Branch-B(config-router)#network 192.168.144.1
Branch-B(config-router)#no auto-summary
Branch-B(config-router)#exit

*Apr 10 14:58:55.003: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:58:55.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:59:36.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency



Branch-C(config)#interface tunnel 0
Branch-C(config-if)#tunnel source 192.168.25.1
Branch-C(config-if)#tunnel destination 192.168.12.1
Branch-C(config-if)#ip unnumbered loopback 0
Branch-C(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-C(config-if)#exit

Branch-C(config)#router eigrp 100
Branch-C(config-router)#network 192.168.50.1
Branch-C(config-router)#network 192.168.155.1
Branch-C(config-router)#no auto-summary
Branch-C(config-router)#exit

*Apr 10 15:05:55.467: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

Branch-D(config)#interface tunnel 0
Branch-D(config-if)#tunnel source 192.168.26.1
Branch-D(config-if)#tunnel destination 192.168.12.1
Branch-D(config-if)#ip unnumbered loopback 0
Branch-D(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-D(config-if)#exit

Branch-D(config)#router eigrp 100
Branch-D(config-router)#network 192.168.60.1
Branch-D(config-router)#network 192.168.166.1
Branch-D(config-router)#no auto-summary
Branch-D(config-router)#exit

*Apr 10 15:02:26.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:02:27.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 15:02:31.799: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency



Branch-E(config)#interface tunnel 0
Branch-E(config-if)#tunnel source 192.168.27.1
Branch-E(config-if)#tunnel destination 192.168.12.1
Branch-E(config-if)#ip unnumbered loopback 0
Branch-E(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-E(config-if)#exit

Branch-E(config)#router eigrp 100
Branch-E(config-router)#network 192.168.70.1
Branch-E(config-router)#network 192.168.177.1
Branch-E(config-router)#no auto-summary
Branch-E(config-router)#exit

*Apr 10 15:03:38.223: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:03:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up



Head-office#traceroute 192.168.70.1
Type escape sequence to abort.
Tracing the route to 192.168.70.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.177.1 120 msec 68 msec 68 msec

Head-office#traceroute 192.168.60.1
Type escape sequence to abort.
Tracing the route to 192.168.60.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.166.1 64 msec 72 msec 64 msec

Head-office#traceroute 192.168.40.1
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.144.1 56 msec 68 msec 56 msec

Head-office#traceroute 192.168.30.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.133.1 80 msec 64 msec 56 msec

 


Head-office#show crypto ipsec sa
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   current_peer 192.168.23.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 981, #pkts encrypt: 981, #pkts digest: 981
    #pkts decaps: 979, #pkts decrypt: 979, #pkts verify: 979

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC7D9A838(3352930360)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x91CBD49D(2446054557)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: 12, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224607/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC7D9A838(3352930360)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: 11, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224608/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.24.1/255.255.255.255/47/0)
   current_peer 192.168.24.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 957, #pkts encrypt: 957, #pkts digest: 957
    #pkts decaps: 953, #pkts decrypt: 953, #pkts verify: 953

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.24.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0x2D7CE225(763159077)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x90E4AB46(2430905158)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 14, flow_id: 14, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x2D7CE225(763159077)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 13, flow_id: 13, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.26.1/255.255.255.255/47/0)
   current_peer 192.168.26.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 910, #pkts encrypt: 910, #pkts digest: 910
    #pkts decaps: 912, #pkts decrypt: 912, #pkts verify: 912

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.26.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC59185C3(3314648515)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6584E4BE(1703208126)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 15, flow_id: 15, sibling_flags 80000000, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4330964/2932)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC59185C3(3314648515)
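
The Python below is an added example, not from the original post. It parses the Head-office show crypto ipsec sa output above into one record per tunnel and lists what a reviewer would note: the protocol-47 (GRE) selector, PFS being off, and SAs whose state cannot be confirmed. The function names and note codes are this example's own.

```python
import re

# From the page's Head-office output, trimmed to the lines parsed here. The
# Virtual-Access3 block stops after the outbound SPI, as it does on the page.
SAMPLE = """\
interface: Virtual-Access1
   remote ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   current_peer 192.168.23.1 port 500
    #pkts encaps: 981, #pkts encrypt: 981, #pkts digest: 981
    #pkts decaps: 979, #pkts decrypt: 979, #pkts verify: 979
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x91CBD49D(2446054557)
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xC7D9A838(3352930360)
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
interface: Virtual-Access3
   remote ident (addr/mask/prot/port): (192.168.26.1/255.255.255.255/47/0)
   current_peer 192.168.26.1 port 500
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6584E4BE(1703208126)
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xC59185C3(3314648515)
"""

REMOTE = re.compile(r"remote ident .*\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER = re.compile(r"#(pkts \w+|send errors|recv errors):? (\d+)")
SECTION = re.compile(r"(inbound|outbound) (\w+) sas:")
MODE = re.compile(r"in use settings =\{(\w+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per tunnel interface."""
    tunnels, cur, sa, direction = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            cur = {"interface": s.split(":", 1)[1].strip(), "peer": None,
                   "proto": None, "pfs": None, "counters": {}, "sas": []}
            tunnels.append(cur)
            sa = direction = None
        elif cur is None or not s:
            continue
        elif m := REMOTE.search(s):
            cur["proto"] = int(m.group(3))       # IP protocol number of the selector
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif s.startswith("#"):
            cur["counters"].update((k, int(v)) for k, v in COUNTER.findall(s))
        elif s.startswith("PFS (Y/N):"):
            cur["pfs"] = s.split(":")[1].split(",")[0].strip() == "Y"
        elif m := SECTION.match(s):              # only ESP SAs are collected
            direction = m.group(1) if m.group(2) == "esp" else None
            sa = None
        elif s.startswith("spi:") and direction:
            sa = {"direction": direction, "spi": s.split()[1].split("(")[0],
                  "mode": None, "replay": None, "status": None}
            cur["sas"].append(sa)
        elif sa is not None and (m := MODE.match(s)):
            sa["mode"] = m.group(1)
        elif sa is not None and s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
        elif sa is not None and s.startswith("Status:"):
            sa["status"] = s.split(":")[1].split("(")[0].strip()
    return tunnels


def review(tunnel):
    """Return (code, message) notes a reviewer would raise for one tunnel."""
    notes, c = [], tunnel["counters"]
    if tunnel["proto"] == 47:
        notes.append(("gre", "selector is IP protocol 47: the SA protects the GRE tunnel"))
    if tunnel["pfs"] is False:
        notes.append(("no-pfs", "PFS off: rekeyed SAs get no fresh Diffie-Hellman exchange"))
    if c.get("pkts encaps") and not c.get("pkts decaps"):
        notes.append(("one-way", "packets are encapsulated but none are decapsulated"))
    for sa in tunnel["sas"]:
        label = f"{sa['direction']} SA {sa['spi']}"
        if sa["status"] != "ACTIVE":
            state = sa["status"] or "unknown (output ends before the Status line)"
            notes.append(("not-active", f"{label}: state {state}"))
        if sa["replay"] is False:
            notes.append(("no-replay", f"{label}: replay detection is off"))
    return notes


if __name__ == "__main__":
    for tunnel in parse_ipsec_sa(SAMPLE):
        print(tunnel["interface"], tunnel["peer"], review(tunnel))
```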

 


Head-office#show crypto ikev2 stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego: 40
Total IKEv2 SA Count:    5        active:        5        negotiating: 0
Incoming IKEv2 Requests: 5        accepted:      5        rejected:    0
Outgoing IKEv2 Requests: 0        accepted:      0        rejected:    0
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0





Head-office#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol

Loopback0              192.168.111.1   YES NVRAM  up                    up
Virtual-Access1        192.168.111.1   YES unset  up                    up
Virtual-Access2        192.168.111.1   YES unset  up                    up
Virtual-Access3        192.168.111.1   YES unset  up                    up
Virtual-Access4        192.168.111.1   YES unset  up                    up
Virtual-Access5        192.168.111.1   YES unset  up                    up

Virtual-Template1      192.168.111.1   YES unset  up                    down




Head-office#show interface virtual-access 1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)
  MTU 17874 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source 192.168.12.1, destination 192.168.23.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1434 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC-PROFILE")
  Last input 00:00:03, output never, output hang never
  Last clearing of "show interface" counters 01:17:48
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1029 packets input, 86718 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1031 packets output, 86614 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out





Head-office#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         192.168.12.1/500      192.168.27.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4043 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         192.168.12.1/500      192.168.24.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4327 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.12.1/500      192.168.23.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4421 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         192.168.12.1/500      192.168.26.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4115 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         192.168.12.1/500      192.168.25.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3908 sec
 IPv6 Crypto IKEv2  SA
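An added example, not part of the original post: a small parser that turns `show crypto ikev2 sa` output like the above into records and flags SAs that negotiated a Diffie-Hellman group RFC 8247 rates SHOULD NOT or MUST NOT (every SA shown above uses group 5). The function names, the peer 192.0.2.9 and its group 14 record are constructed for illustration.

```python
import re

# Constructed sample: the first record is copied from the output above; the
# second (peer 192.0.2.9, DH group 14) is made up to show a record that passes.
SAMPLE = """\
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         192.168.12.1/500      192.168.27.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4043 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
9         192.168.12.1/500      192.0.2.9/500         none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/120 sec
"""

# RFC 8247 status of the MODP groups below 2048 bits.
WEAK_DH = {1: "768-bit MODP, MUST NOT", 2: "1024-bit MODP, SHOULD NOT",
           5: "1536-bit MODP, SHOULD NOT"}

SA_LINE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$")
PARAMS = re.compile(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                    r"Auth sign: (\S+), Auth verify: (\S+)")

def parse_ikev2_sa(text):
    """Return one dict per SA; the repeated header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        p = PARAMS.search(line)
        if m:
            sas.append({"tunnel_id": int(m[1]), "remote": m[4], "status": m[7]})
        elif p and sas:
            # The parameter line belongs to the SA line just before it.
            sas[-1].update(encr=p[1], keysize=int(p[2]), hash=p[3],
                           dh_group=int(p[4]), auth=p[5])
    return sas

def audit(sas):
    """Map each remote peer to its list of findings (empty list = none)."""
    report = {}
    for sa in sas:
        findings = []
        if sa.get("dh_group") in WEAK_DH:
            findings.append(f"DH group {sa['dh_group']} ({WEAK_DH[sa['dh_group']]})")
        if sa["status"] != "READY":
            findings.append(f"status {sa['status']}")
        report[sa["remote"]] = findings
    return report
```

Feed it the captured CLI text, for example `audit(parse_ikev2_sa(output))`, and review any peer whose list is not empty.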



