Configure routing for multiple hubs in a route-based VPN

Configure dynamic routing using BGP on both hub and spoke devices, and implement Policy Based Routing on spokes to enable proper traffic routing in a route-based VPN topology with multiple hubs.

Before you begin

Configure topology 1 and 2 as explained in Configure multiple hubs in a route-based VPN.

Procedure

Step 1

Configure dynamic routing for the hub using BGP.

  1. Choose Devices > Device Management, and click Edit (edit icon) then click the Routing tab.

  2. In the left pane, choose General Settings > BGP.

  3. Check the Enable BGP check box and enter the AS number.

    You can configure the other fields AS per your requirement.

  4. Click Save.

  5. On the left pane, choose BGP > IPv4.

  6. Check the Enable IPv4 check box.

  7. Click the Neighbor tab, click Add and configure these parameters.

    1. IP Address: Enter the tunnel interface IP address of Spoke 1.

    2. Remote AS: AS number of Spoke 1.

    3. Check the Enabled Address check box.

    4. Click OK.

    Repeat the above steps to add Spoke 2 as a neighbor.

  8. Click Save.

  9. Click the Networks tab and click Add to advertise the network behind the hub to the peers.

Step 2

Configure dynamic routing for the spokes using BGP.

The BGP configuration for the spokes is similar to that of the hub except for these differences:

  • Configure Hub 1 and Hub 2 AS the neighbors for both the spokes and use the tunnel interface IP address of the hubs.

  • When you configure networks, use the network behind each spoke.

Step 3

Configure Policy Based Routing on the spokes.

  1. In the left pane, choose Policy Based Routing and click Add.

  2. Choose the Ingress Interface from the drop-down list.

  3. Click Add to configure a Match ACL.

    For example, for spoke 1, source network is 192.168.20.0/24 and destination network is 192.168.10.0/24.

  4. Choose Egress Interfaces from the Send to drop-down list.

  5. Choose Order from the Interface Ordering drop-down list.

  6. Select the SVTI-1 and SVTI-2 interfaces AS the egress interfaces.

  7. Click Save.

If you want to use the hubs as a load-balancing pair, you must configure ECMP.

Step 4

Deploy the configurations on the hub and spokes.

What to do next

Verify the configurations and tunnel statuses. For more information, see Verify multiple hubs configuration in a route-based VPN.