VPN Series 6: Comparison of Cisco DMVPN "dual-center single cloud" and "dual-center dual cloud" redundancy designs
Prerequisites
Router IOS version
Previously, the show crypto results differed because the IOS versions were inconsistent. This time, the same version is used throughout to ensure accurate and consistent results.
I. "Dual-center single cloud" DMVPN instance
Configuration process
1. Configure the network
A. Ensure network connectivity
ip route 0.0.0.0 0.0.0.0 200.0.10.1
ip route 0.0.0.0 0.0.0.0 200.0.20.1
ip route 0.0.0.0 0.0.0.0 200.0.30.1
ip route 0.0.0.0 0.0.0.0 200.0.40.1
B. The tunnel can only come up after the routers can reach each other. Otherwise, even the dynamic routing protocol configured later cannot bring the tunnel port up. This is very important.
2. Configure interface tunnel and mGRE
Set the GRE mode to multipoint so that the tunnel can connect to multiple sites.
3. Configure crypto isakmp policy
This is a general configuration that you should already be familiar with.
4. Configure crypto isakmp key
Because this is a multi-site connection, 0.0.0.0 0.0.0.0 is used to indicate any address.
5. Configure crypto ipsec transform-set
This is the transform-set configuration. The key point is to select transport mode as the IPsec mode, because GRE has already been used to create the tunnel.
6. Configure crypto ipsec profile
Associating the transform set with the profile is also a key step.
7. Configure tunnel protection ipsec profile
This command must be enabled on the tunnel port. Like crypto map, it is the key command for enabling the VPN.
8. Configure ip nhrp
ip nhrp configuration of the hub (key part)
Note: the two hubs are mapped to each other.
ip ospf network broadcast // sets the OSPF network type of the tunnel port to broadcast
ip ospf priority xxxx // sets the OSPF priority of the tunnel port. This ensures that the two hubs become DR and BDR, while the spokes are DROTHER and do not take part in the election, which keeps the routing environment of the network normal.
ip nhrp configuration of the spoke (key part)
The spoke must map both hubs at the same time.
ip nhrp map multicast x.x.x.x // maps the Internet port address of the hub
ip nhrp map x.x.x.x x.x.x.x // maps the tunnel port address of the hub to its Internet port address
ip nhrp nhs x.x.x.x // the tunnel port address of the hub
9. Configure dynamic routing protocol
10. Show results
Note:
1. When configuring dynamic routing, do not advertise the IP address of the Internet port. Otherwise the routes will flap, which has serious consequences: traffic never gets through, and system resource usage becomes very high.
2. Create a standard ACL that filters out the 0.0.0.0 route inbound on the tunnel port to prevent loops.
ip access-list standard filter-hub
 deny 0.0.0.0
 permit any
router ospf 100
 distribute-list filter-hub in tunnel 0
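Steps 2 to 8 put together for one center and one spoke, as an added example rather than the article's original configuration. All addresses, interface names, the names DMVPN-TS and DMVPN-PROF, the key placeholder, the OSPF priority values and the algorithm choices are assumptions, as is ip nhrp map multicast dynamic on the center, which the text above does not mention.

```cisco
! Constructed example. Addresses, interface names, profile names and the
! key are placeholders, not values from the article.
! Internet ports: center1 200.0.10.2, center2 200.0.20.2
! Tunnel subnet:  172.16.0.0/24 (center1 .1, center2 .2, spoke1 .11)
!
! --- Steps 3-6: same on every router ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- center1 (center2 mirrors it, mapping back to center1) ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.2 200.0.20.2
 ip nhrp map multicast 200.0.20.2
 ip nhrp nhs 172.16.0.2
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! --- spoke1: one tunnel port, both centers mapped ---
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map 172.16.0.1 200.0.10.2
 ip nhrp map multicast 200.0.10.2
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.2 200.0.20.2
 ip nhrp map multicast 200.0.20.2
 ip nhrp nhs 172.16.0.2
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

Every ip nhrp nhs line on the spoke needs a matching ip nhrp map line for the same tunnel address; an NHS without its mapping never registers.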
II. "Dual-center dual cloud" DMVPN instance
Configuration process
1. Configure the network
(Omitted)
2. Configure crypto isakmp policy
3. Configure crypto keyring
(Omitted)
4. Configure crypto isakmp profile
(Omitted)
5. Configure crypto ipsec transform-set
6. Configure crypto ipsec profile
7. Configure interface tunnel and mGRE, ip nhrp
Tunnel port configuration of center1:
Configure a different ip nhrp network-id for each tunnel to distinguish the tunnel connections.
Tunnel port configuration of center2:
Tunnel1 port configuration of spoke1:
Tunnel2 port configuration of spoke1:
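The four tunnel ports of step 7 written out as text, as an added example rather than the article's original configuration. Addresses, interface names and the network-id and tunnel key numbers are assumptions, and the spoke's static mode is shown here as a point-to-point GRE tunnel with a fixed tunnel destination, which is an interpretation of the article's wording.

```cisco
! Constructed example. Addresses, interface names and numbers are
! placeholders. The crypto configuration of steps 2-6 and the
! tunnel protection command on each tunnel port are left out.
! Cloud 1: 172.16.1.0/24 via center1 (Internet port 200.0.10.2)
! Cloud 2: 172.16.2.0/24 via center2 (Internet port 200.0.20.2)
!
! --- center1: cloud 1 only, no mapping to center2 ---
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! --- center2: cloud 2 only, different network-id and tunnel key ---
interface Tunnel0
 ip address 172.16.2.1 255.255.255.0
 ip nhrp network-id 2
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
!
! --- spoke1 Tunnel1: static tunnel to center1 ---
interface Tunnel1
 ip address 172.16.1.11 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map 172.16.1.1 200.0.10.2
 ip nhrp nhs 172.16.1.1
 tunnel source FastEthernet0/0
 tunnel destination 200.0.10.2
 tunnel key 1
!
! --- spoke1 Tunnel2: static tunnel to center2 ---
interface Tunnel2
 ip address 172.16.2.11 255.255.255.0
 ip nhrp network-id 2
 ip nhrp map 172.16.2.1 200.0.20.2
 ip nhrp nhs 172.16.2.1
 tunnel source FastEthernet0/0
 tunnel destination 200.0.20.2
 tunnel key 2
```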
8. Show results
III. Summary
Comparison of the two DMVPN topologies, "dual-center single cloud" and "dual-center dual cloud"

Center comparison
Similarities:
1. In both topologies, you only need to create one tunnel port on the center, and both use GRE multipoint mode.
2. In both topologies, the tunnel port on the center uses the NHRP protocol to register the spoke information.
3. In both topologies, the center can use a dynamic routing protocol.
4. You can use optimization commands to optimize the routes between spokes so that the spokes communicate with each other directly instead of forwarding all traffic to the center, which reduces the load on the center.
Differences:
1. The center tunnel ports in "dual-center single cloud" need to be mapped to each other; the centers in "dual-center dual cloud" do not.
2. The nhrp network-id and tunnel key configured on the center tunnel ports are the same in "dual-center single cloud" and different in "dual-center dual cloud".

Spoke comparison
Similarities:
1. In both topologies, the spoke uses the NHRP protocol to register its information with the center.
2. In both topologies, a tunnel port must be created on the spoke.
3. In both topologies, the spoke can use a dynamic routing protocol.
Differences:
1. The spoke in "dual-center single cloud" only needs one tunnel port, but that tunnel port must map the tunnel ports of both centers at the same time. The spoke in "dual-center dual cloud" needs two tunnel ports, and each tunnel port only needs to map the corresponding center tunnel port.
2. The tunnel port created on the spoke in "dual-center single cloud" uses GRE multipoint mode, and the tunnel ports created on the spoke in "dual-center dual cloud" use static mode.
All of the above are some of my opinions from my work and experiments. Please correct me if there are any shortcomings.
This article is from the "server & security" blog, please be sure to keep this source http://ciscoart.blog.51cto.com/1066670/856025