[VPN Series 6] comparison of Dmvpn instances in cisco dual-center single cloud and dual-center dual cloud Redundancy Design

 

VPN Series 6: Comparison of Dmvpn instances in cisco dual-center single cloud and dual-center dual cloud Redundancy Design

Prerequisites

Router ios version

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225H1-0.jpg "/>

The show crypto results are different due to inconsistent versions of the previous version. This time, the same version is used to ensure accurate and consistent results.

 

I, "Dual-center single cloud" Dmvpn instance

 

 

 

 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2224434-1.jpg "/>

 

 

 

 

Configuration process

1. Configure the network

A. Ensure network connectivity

Ip route 0.0.0.0 0.0.0.0 200.0.10.1

Ip route 0.0.0.0 0.0.0.0 200.0.20.1

Ip route 0.0.0.0 0.0.0.0 200.0.30.1

Ip route 0.0.0.0 0.0.0.0 200.0.40.1

B,After the routes are interconnected, the tunnel configuration can be up. Otherwise, even the dynamic routing protocol configured later cannot be the uptunnel port, which is very important.

2. Configure interface tunnel and mgre

Set the GRE mode to multipoint, so that you can connect multiple points.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222KN-2.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222C25-3.jpg "/>

3. Configure crypto isakmp policy

You should be familiar with General configurations.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222323-4.jpg "/>

4. Configure crypto isakmp key

Because it is a multi-site connection, 0.0.0.0 0.0.0.0 is used to indicate any address

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225D6-5.jpg "/>

5. Configure crypto ipsec transform-set

Here is the configuration of the conversion set, the focus is to select the ipsec Encryption mode as the transmission mode, because gre technology has been used to create a tunnel.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2226021-6.jpg "/>

6. Configure crypto ipsec profile

Associated conversion set is also a key link

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225058-7.jpg "/>

7. configure tunnel protection ipsec profile

Commands that must be enabled on the tunnel port, similar to crypto map, are key commands for enabling vpn.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222108-8.jpg "/>

8. Configure ip nhrp

Ip address nhrp configuration information of the hubKey part)

Note: the two hubs are mapped to each other.

Ip ospf network // specify the ospf network type of the tunnel port as broadcast

Ip ospf priority xxxx // specifies the ospf priority of the tunnel. This ensures that the two hubs are DR and BDR, And the other spoken are DROTHER and do not participate in the election. This ensures that the network routing environment is normal.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2223449-9.jpg "/>

 

Ip nhrp configuration information of spokenKey part)

 The spoken must map two hubs at the same time.

Ip nhrp map multicast x. x // map the Internet port address of the hub.

Ip nhrp map x. x // The Relationship Between the tunnel port address mapped to the hub and the Internet port address

Ip nhrp the DTs x. x // The tunnel port address mapped to the hub.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2226061-10.jpg "/>

9. Configure dynamic router protocol

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222N08-11.jpg "/>

10. show result

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225U3-12.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221028-13.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222Dc-14.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225R7-15.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225205-16.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222A52-17.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2226105-18.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J22262Q-19.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221100-20.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J22262W-21.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225453-22.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222441-23.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222OC-24.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221O1-25.jpg "/>

Note:

1. when configuring a dynamic route, you cannot publish the IP address of the Internet port. Otherwise, the route will be tumble, which is a serious response. The route will never pass, in addition, the system resource usage is very high.

2. Create a standard acl to filter the 0.0.0.0 inbound traffic to prevent loops.

Ip access-list sta filter-hub

Deny 0.0.0.0

Permit any

Router ospf 100

Distribute-list filter-hub in tunnel 0

 

Ii. Dual-center dual-cloud Dmvpn instance

 

 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221507-26.jpg "/>

 

Configuration process

1. Configure the network

Omitted)

2. Configure crypto isakmp policy

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222425-27.jpg "/>

3. Configure crypto keyring

 Omitted)

4. Configure crypto isakmp profile

Omitted)

5. Configure crypto ipsec transform-set650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222CI-28.jpg "/>

 6. Configure crypto ipsec profile650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J22234U-29.jpg "/>

7. Configure interface tunnel and mgre, ip nhrp

 Tunnel port configuration of center1:

Configure different serial numbers for ip nhrp network-id to distinguish different tunnel connections

   650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222Aa-30.jpg "/>

Center2 tunnel Port Configuration:

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2223O0-31.jpg "/>

Tunnel1 port configuration of spoken1:

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222H7-32.jpg "/>

Tunnel2 port configuration of spoken1:

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222G64-33.jpg "/>

 

8. show result

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J22231O-34.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2226450-35.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221442-36.jpg "/>

 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2223156-37.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2224S8-38.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222DI-39.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2223a1-40.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2221F5-41.jpg "/>

. 650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2226454-42.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2224U2-43.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222J7-44.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J222O25-45.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2223008-46.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2225327-47.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0J2222500-48.jpg "/>

Iii. Summary

 

DMVPN Topology	Center comparison	Comparison of Spoken
Dual-center single cloud	Similarities:1. in both topology structures, you only need to create one tunnel port on the center. Both use the GRE Multipoint mode. 2. in the two topology structures, the tunnel port on the center uses the nhrp protocol to register the spoken information. 3. in both topology structures, the center can use the dynamic routing protocol. 4. You can use optimization commands to optimize the optimal routes between spoken so that the spoken and spoken can communicate directly without forwarding all traffic to the center to reduce the load on the center.Differences:1. the center tunnel ports in "dual-center single cloud" need to be mapped to each other, and the Centers in "dual-center dual cloud" do not. 2. the nhrp network-id and tunnel key created on the center tunnel port in "dual-center single cloud" are the same, the nhrp network-id and tunnel key of the center tunnel port in "dual-center dual-cloud" are different.	Similarities:1. in both topology structures, spoken uses the nhrp protocol to register information with the center. 2. in both topology structures, the tunnel port must be created for the spoken. 3. in both topology structures, the spoken can use the dynamic routing protocol.Differences:1. the spoken in "dual-center single cloud" only needs to create one tunnel port, but one tunnel port needs to map the tunnel ports of both centers at the same time. The spoken in "dual-center dual cloud" needs to create two tunnel ports, each tunnel port only needs to map the corresponding center tunnel port. 2. The tunnel port created by spoken in "dual-center single cloud" adopts the GRE Multipoint mode, and the tunnel port created by spoken in "dual-center dual cloud" adopts the static mode.
Dual-center dual-cloud

 

All of the above are some of my opinions in my work and experiments. please correct me if you have any shortcomings.

   

 

 

 

 

 

 

 

 

 

 

This article is from the "server & security" blog, please be sure to keep this source http://ciscoart.blog.51cto.com/1066670/856025