R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuring DVPN
Overview
Dynamic VPN (DVPN) collects, maintains, and distributes dynamic public addresses through the VPN
Address Management (VAM) protocol, making VPN establishment available between enterprise
branches that use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network forms a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels that serve as virtual
channels between subnets of an intranet constitute the network layer. Branch devices dynamically access
the public network. Through VAM, a DVPN device can obtain the public IP addresses of its peers and
set up secure internal tunnels with them.
When a DVPN device forwards a packet from one user subnet to another, it performs these operations:
1. Gets the next hop on the private network through a routing protocol.
2. Gets the public network address of the next hop through the VAM protocol.
3. Encapsulates the packet, using the public address as the destination address of the tunnel.
4. Sends the packet along the tunnel to the destination.
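The following sketch is an added example, not code from the HP guide or from any HP software. It models steps 1 through 3 in Python: a routing lookup for the private next hop, a VAM lookup for that next hop's current public address, and the resulting tunnel header. The class names, the dictionary packet layout, the drop-on-missing-registration behaviour, and all addresses are assumptions made for illustration; the real VAM message format is not shown on this page.

```python
import ipaddress

class VamServer:
    """Toy registry: private address -> public address (not the VAM wire protocol)."""
    def __init__(self):
        self._clients = {}

    def register(self, private_ip, public_ip):
        # A client registers again whenever its dynamic public address changes.
        self._clients[ipaddress.ip_address(private_ip)] = ipaddress.ip_address(public_ip)

    def resolve(self, private_ip):
        return self._clients.get(ipaddress.ip_address(private_ip))

class DvpnNode:
    def __init__(self, public_ip, vam):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.vam = vam
        self.routes = []  # (destination network, private next hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def forward(self, dst_ip, payload):
        dst = ipaddress.ip_address(dst_ip)
        # Step 1: longest-prefix match yields the next hop on the private network.
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        # Step 2: ask the VAM server for the next hop's current public address.
        peer_public = self.vam.resolve(next_hop)
        if peer_public is None:
            return None  # assumption: an unregistered peer has no tunnel endpoint, so drop
        # Step 3: encapsulate, using the public address as the tunnel destination.
        return {"outer_src": str(self.public_ip), "outer_dst": str(peer_public),
                "inner_dst": str(dst), "payload": payload}

# Constructed sample topology using documentation address ranges.
vam = VamServer()
vam.register("10.0.0.1", "198.51.100.10")        # hub
vam.register("10.0.0.3", "203.0.113.77")         # spoke B
spoke_a = DvpnNode("192.0.2.25", vam)
spoke_a.add_route("172.16.0.0/16", "10.0.0.1")   # branch subnets via the hub
spoke_a.add_route("172.16.3.0/24", "10.0.0.3")   # more specific route via spoke B
```

Because the public address is resolved per packet from the registry, a peer that registers again with a new public address is reached at the new address without any change to the private routes.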
Basic concepts
The following key roles are involved in DVPN:
• DVPN node—A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device
or a host. A DVPN node takes part in tunnel setup and must implement the VAM client.
• VAM server—A VAM server receives registration information from DVPN nodes and manages and
maintains information about DVPN clients. A VAM server is usually a high-performance routing
device with the VAM server function enabled.
• VAM client—A VAM client registers its private address and public address with the VAM server and
obtains information about other VAM clients from the VAM server. The VAM client function must be
implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" refers to a hub or a
spoke.
• Hub—A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of
routing information. A hub in a hub-spoke network is also a data forwarding center.
• Spoke—A spoke is a type of VAM client. Usually acting as the gateway of a branch office, a spoke
does not forward data received from other DVPN nodes.
• AAA server—An AAA server is used for user authentication and accounting.
How DVPN operates
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack,
DVPN supports two tunnel encapsulation modes: UDP and GRE.