No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of DSVPN

Overview of DSVPN

Definition

Dynamic Smart Virtual Private Network (DSVPN) establishes VPN tunnels between Spokes with dynamically variable public addresses in the Hub-Spoke model.

Purpose

More enterprises want to build the IPSec VPN in Hub-Spoke model to connect the Hub to Spokes in different geographical locations. This enhances enterprise communication security and reduces communication costs. When the Hub uses the static public address to connect to the Internet and Spokes use dynamic public addresses to connect to the Internet, Spokes cannot communicate with each other directly if traditional IPSec or GRE over IPSec is used to build the VPN. This is because Spokes cannot learn the public addresses of the remote ends in advance and tunnels cannot be set up between Spokes. In this case, communication data between Spokes must be forwarded by the Hub. Figure 3-1 shows the networking.

Figure 3-1  Typical Hub-Spoke networking without DSVPN enabled

When all communication data between Spokes is forwarded by the Hub, the following problems may occur:

  • The Hub consumes many CPU and memory resources to forward data flows between Spokes, causing resource shortage.
  • The Hub needs to encapsulate and decapsulate data flows between Spokes, which causes extra delay.

When the IPSec network scale increases continuously, dynamic routing protocols need to be deployed to reduce route configuration and maintenance. There is a common issue when IPSec and dynamic routing protocols are deployed. Dynamic routing protocols use multicast or broadcast packets for route update, whereas IPSec does not support transmission of broadcast and multicast packets.

Huawei proposes the DSVPN solution that integrates the Next Hop Resolution Protocol (NHRP) and Multipoint Generic Routing Encapsulation (mGRE) with IPSec to solve the preceding issue.
  • DSVPN uses NHRP to dynamically collect, maintain, and advertise dynamic public network addresses of nodes, and allows the source Spoke to obtain the public network address of the destination Spoke so that a dynamic VPN tunnel can be set up between Spokes. Spokes can communicate with each other directly, reducing the burden of the Hub and preventing the network delay.

  • DSVPN uses mGRE technology to transmit multicast and broadcast packets over VPN tunnels that can be established between one tunnel interface and multiple remote devices, reducing the tunnel configuration workload. In addition, when a Spoke is added or the public address of a Spoke changes, DSVPN automatically maintains the tunnel between the Hub and Spoke. There is no need to change the tunnel configuration of the Hub, and DSVPN facilitates network maintenance.

Figure 3-2 shows a VPN using DSVPN.

Figure 3-2  Hub-Spoke networking enabled with DSVPN

Benefits

  • Reduce costs on VPN construction.

    DSVPN implements dynamic connections between the Hub and Spokes, and between Spokes. Spokes do not need to purchase static public network addresses.

  • Simplify configuration on the Hub and Spokes.

    The Hub and Spokes use an mGRE tunnel interface but not multiple GRE tunnel interfaces to establish tunnels. When a new Spoke is added to the network, the network administrator does not need to change configurations on the Hub or any existing Spokes. The administrator only needs to configure the new Spoke, and then the Spoke dynamically registers with the Hub.

  • Reduce the forwarding delay between Spokes.

    Spokes can dynamically establish tunnels to directly exchange service data, reducing the forwarding delay and improving forwarding performance and efficiency.

Download
Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 34110

Downloads: 45

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next