No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Basic Concepts

Basic Concepts

Figure 3-3 shows the typical network architecture of the DSVPN solution. An enterprise connects the Hub to Spokes in different geographical locations through the public network. The Hub uses the static public address, and Spokes use dynamic public addresses.

On the network, when the source Spoke sends data packets to the destination Spoke, the source Spoke obtains the public address of the destination Spoke by exchanging NHRP packets over the static mGRE tunnel between itself and the Hub and establishes a dynamic mGRE tunnel with the destination Spoke. After the tunnel is set up, data packets between Spokes are sent to the remote end over the dynamic mGRE tunnel, but are not forwarded by the Hub.

Figure 3-3  Typical enterprise networking

DSVPN Node

DSVPN involves the following entities:

A DSVPN node is a device on which DSVPN is deployed, which can be a Spoke or Hub.
  • Spoke

    A Spoke is the network gateway of a branch. Generally, a Spoke uses a dynamic public network address.

  • Hub

    A Hub is the gateway in the headquarters and receives registration packets from Spokes. On a DSVPN network, the Hub can use a fixed public network address or a domain name.

mGRE, mGRE Tunnel Interface, and mGRE Tunnel

mGRE is a point-to-multipoint GRE technology developed based on GRE. It extends traditional P2P tunnel interfaces to P2MP mGRE tunnel interfaces. One tunnel interface can be used to establish tunnels with multiple remote devices by changing the interface type. Therefore, only one tunnel interface needs to be configured on the Hub or Spoke, reducing the GRE tunnel configuration workload.

The mGRE tunnel interface has the following attributes:
  • Source tunnel address: is the source address of a GRE encapsulated packet, that is, public network address of one end in Figure 3-3.
  • Destination tunnel address: is the destination address of a GRE encapsulated packet, that is, public network address of the other end in Figure 3-3. This address is based on NHRP, which is different from the manually specified destination address of the GRE tunnel interface.
  • Tunnel interface IP address: is the tunnel address in Figure 3-3. Similar to an IP address of a physical interface, a tunnel interface IP address is used for communication between devices, for example, routing information is obtained.
NOTE:

mGRE tunnel interfaces do not support keepalive detection of the GRE interface.

A GRE tunnel established using an mGRE tunnel interface is called an mGRE tunnel. mGRE tunnels fall into static and dynamic mGRE tunnels:
  • A static mGRE tunnel is set up between a Spoke and the Hub and always exists. The Spoke sends registration packets to the Hub periodically. When receiving a registration packet a Spoke, the Hub resets the aging timer of the matching NHRP mapping entry to maintain the tunnel with the Spoke.
  • A dynamic mGRE tunnel is established between Spokes. It is automatically torn down if no packet is forwarded through it within a period.

NHRP and NHRP Mapping Entry

On a DSVPN network, NHRP is used to establish and resolve the mapping between the protocol address (tunnel address in Figure 3-3 or subnet address) and Non-Broadcast Multiple Access (NBMA) address (public address in Figure 3-3). By doing this, the source Spoke can obtain the dynamic public address of the destination Spoke.

The NHRP mapping table contains the entries that are generated based on the mapping between protocol addresses and NBMA addresses. NHRP entries fall into static and dynamic entries based on the entry generation mode:
  • Static NHRP mapping entry: is manually configured by an administrator. When a Spoke needs to establish a static mGRE tunnel with the Hub, the administrator needs to manually configure the tunnel address and public network address of the Hub on the Spoke.
  • Dynamic NHRP mapping entry: is dynamically generated by NHRP. For example, the Hub obtains the tunnel address and public address of each Spoke from an NHRP Registration packet and generates an NHRP mapping table. Each Spoke obtains the tunnel address or subnet address and public address of the remote Spoke from an NHRP Resolution packet and generates an NHRP mapping table.

For details about NHRP Registration and Resolution packets, see RFC 2332.

Download
Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 34539

Downloads: 45

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next