! Configure directly connected neighbors with iBGP, Tunnels, and IKEv1
hostname hub
!
ip access-list extended 110
20 permit ip 172.16.0.4 0.0.0.3 172.16.0.4 0.0.0.3
!
crypto isakmp policy 10
encryption aes
authentication pre-share
group 14
crypto isakmp key cisco address 172.16.0.6
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ikev1-profile
!
crypto map tst 10 ipsec-isakmp
set peer 172.16.0.6
set transform-set esp-aes256-sha
match address 110
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 10.0.0.1 255.255.255.252
no ip redirects
ip nhrp authentication cisco
ip nhrp map 10.0.0.2 172.16.0.6
ip nhrp network-id 1
tunnel source GigabitEthernet4
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile ikev1-profile
!
interface GigabitEthernet4
ip address 172.16.0.5 255.255.255.252
!
router bgp 65000
bgp router-id 1.1.1.1
bgp log-neighbor-changes
bgp listen range 10.0.0.0/24 peer-group tst
no bgp default ipv4-unicast
neighbor tst peer-group
neighbor tst remote-as 65000
!
address-family ipv4
network 1.1.1.1 mask 255.255.255.255
neighbor tst activate
neighbor tst route-reflector-client
exit-address-family
!
hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.5      172.16.0.6      QM_IDLE           1009 ACTIVE
!
hub#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 172.16.0.5
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.6/255.255.255.255/47/0)
current_peer 172.16.0.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 155, #pkts encrypt: 155, #pkts digest: 155
#pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.5, remote crypto endpt.: 172.16.0.6
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
current outbound spi: 0x4653287E(1179854974)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x35F947CD(905529293)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607981/1593)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4653287E(1179854974)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607985/1593)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
!
hub#show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 496 bytes of memory
2 path entries using 272 bytes of memory
2/2 BGP path/bestpath attribute entries using 576 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1344 total bytes of memory
BGP activity 4/2 prefixes, 4/2 paths, scan interval 60 secs
2 networks peaked at 16:20:39 Aug 25 2025 UTC (02:38:05.558 ago)
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*10.0.0.2       4        65000      12      12        7    0    0 00:06:57        1
* Dynamically created based on a listen range command
Dynamically created neighbors: 1, Subnet ranges: 1
BGP peergroup tst listen range group members:
10.0.0.0/24
Total dynamically created neighbors: 1/(100 max), Subnet ranges: 1
!
hub#show ip bgp | b Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       0.0.0.0                  0         32768 i
 *>i 3.3.3.3/32       10.0.0.2                 0    100      0 i
!
hub#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
! Note: with tunnel protection applied, the GRE/BGP traffic between 172.16.0.5 and 172.16.0.6 now shows up as ESP in Wireshark. See screenshot 2025-08-25-1359.
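The following added Python checker is not part of this lab's configuration; it parses the hub's "show crypto ipsec sa" output above and compares the negotiated SAs with the intended policy. The output shows esp-aes esp-sha-hmac in Transport mode rather than the configured esp-aes256-sha (AES-256, mode tunnel), which is consistent with ikev1-profile carrying no "set transform-set" and the router negotiating its default transform set instead. IOS prints AES-256 as "esp-256-aes", so that is the expected string the check is given.

```python
import re
# Trimmed copy of the hub's "show crypto ipsec sa" output as printed on this page.
HUB_IPSEC_SA = """\
#pkts encaps: 155, #pkts encrypt: 155, #pkts digest: 155
#pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x35F947CD(905529293)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x4653287E(1179854974)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
replay detection support: Y
Status: ACTIVE(ACTIVE)
"""
FIELDS = {  # per-SA fields to extract from each inbound/outbound block
    "spi": r"spi: (0x[0-9A-Fa-f]+)",
    "transform": r"transform: (.+?) ,",
    "mode": r"in use settings =\{(\w+),",
    "replay": r"replay detection support: (\w)",
    "status": r"Status: (\w+)",
}
def parse_ipsec_sa(text):
    """Return counters, the PFS flag and one dict per inbound/outbound ESP SA."""
    sa = {"sas": [], "pfs": "PFS (Y/N): Y" in text}
    for k in ("encrypt", "decrypt"):
        sa[k] = int(m.group(1)) if (m := re.search(rf"#pkts {k}: (\d+)", text)) else 0
    chunks = re.split(r"(inbound|outbound) esp sas:", text)  # [preamble, dir, body, ...]
    for direction, body in zip(chunks[1::2], chunks[2::2]):
        entry = {"dir": direction}
        for k, pat in FIELDS.items():
            entry[k] = m.group(1) if (m := re.search(pat, body)) else None
        sa["sas"].append(entry)
    return sa

def check_ipsec_sa(sa, want_transform, want_mode):
    """List every way the negotiated SAs differ from the intended policy."""
    out = ["PFS disabled"] if not sa["pfs"] else []
    if sa["encrypt"] == 0 or sa["decrypt"] == 0:
        out.append("no packets encrypted/decrypted yet")
    for s in sa["sas"]:
        for field, want in (("status", "ACTIVE"), ("transform", want_transform),
                            ("mode", want_mode), ("replay", "Y")):
            if s[field] != want:
                out.append(f"{s['dir']} {field} {s[field]} != {want}")
    return out
```

Run against the hub output with the configured transform set as the target, it reports the transform and mode mismatch on both SAs plus PFS being off; an empty list means the live SAs match the policy.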
-----------------------
hostname spoke1
!
ip access-list extended 110
20 permit ip 172.16.0.4 0.0.0.3 172.16.0.4 0.0.0.3
!
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 14
!
crypto isakmp policy 20
encryption aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 172.16.0.5
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ikev1-profile
!
crypto map tst 10 ipsec-isakmp
set peer 172.16.0.5
set transform-set esp-aes256-sha
match address 110
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel1
ip address 10.0.0.2 255.255.255.252
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 172.16.0.5
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source GigabitEthernet4
tunnel destination 172.16.0.5
tunnel key 1
tunnel protection ipsec profile ikev1-profile
!
interface GigabitEthernet4
ip address 172.16.0.6 255.255.255.252
!
router bgp 65000
bgp router-id 3.3.3.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.0.0.1 remote-as 65000
!
address-family ipv4
network 3.3.3.3 mask 255.255.255.255
neighbor 10.0.0.1 activate
exit-address-family
!
spoke1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.0.5      172.16.0.6      QM_IDLE           1009 ACTIVE
!
spoke1# show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 172.16.0.6
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
current_peer 172.16.0.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 281, #pkts encrypt: 281, #pkts digest: 281
#pkts decaps: 147, #pkts decrypt: 147, #pkts verify: 147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.6, remote crypto endpt.: 172.16.0.5
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
current outbound spi: 0x35F947CD(905529293)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4653287E(1179854974)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607980/1381)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x35F947CD(905529293)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004008, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607978/1381)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
!
spoke1#show ip bgp summary
BGP router identifier 3.3.3.3, local AS number 65000
BGP table version is 11, main routing table version 11
2 network entries using 496 bytes of memory
2 path entries using 272 bytes of memory
2/2 BGP path/bestpath attribute entries using 576 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1344 total bytes of memory
BGP activity 7/5 prefixes, 8/6 paths, scan interval 60 secs
2 networks peaked at 13:29:00 Aug 25 2025 UTC (05:32:36.132 ago)
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4        65000      15      15       11    0    0 00:09:48        1
!
spoke1# show ip bgp | b Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>i 1.1.1.1/32       10.0.0.1                 0    100      0 i
 *>  3.3.3.3/32       0.0.0.0                  0         32768 i
!
spoke1# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms