Manualshelf

HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
31323334353637383940
24
As shown in Figure 20, for higher network reliability, you can deploy multiple gateways at the
headquarters and specify one or more backup interfaces for the main tunnel interface on the main
gateway (for example, Tunnel 1), to implement headquarters node backup and GRE tunnel backup. If the
link between the main gateway and the branch gateway goes down, the main tunnel interface will soon
lose the matching tunnel entry for forwarding packets to the branch. In this case, the main tunnel
interface will forward the packets to the backup interface, which will then forward the packets to the
branch. You need to configure the GRE over IPv4 mode on the backup interface.
When a matching tunnel entry on the main gateway exists, a backup interface can also participate in
tunnel selection that is based on tunnel priority.
If you do not specify a GRE key on a backup interface, the backup interface will have a lower
priority than any P2MP tunnel entry.
If you specify a GRE key on the backup interface, the key value will be compared with the GRE key
values in the P2MP tunnel entries, and the smaller the key value, the higher the priority.
Advantages and restrictions of the P2MP GRE tunnel
technology
The P2MP GRE tunnel technology features the following advantages:
Simple configuration—On the headquarters node, you only need to configure the P2MP GRE
tunnel mode, instead of configuring a P2P GRE tunnel with each branch node.
Low maintenance cost—When a branch is added, no manual configuration is required on the
headquarters node. The headquarters node will learn the address of the added branch and then
establish a tunnel with the branch node.
Flexible access of branches—Because the headquarters node learns tunnel destination addresses
dynamically, whether the branches obtain public addresses dynamically or not does not impact the
configurations on the headquarters node. This allows for more flexible accesses for branches.
Interoperability and investment protection—Based on the standard GRE protocol, the P2MP GRE
tunnel technology requires no special or proprietary protocol, nor special requirements on branch
gateways. The branch gateways can be from any vendors as long as they support GRE. This not
only ensures better cooperation of devices from different vendors, but also helps avoid repetitive
investments on branch node devices.
High reliability—It supports GRE tunnel backup at the headquarters and branches, improving the
network reliability.
The P2MP GRE tunnel technology has the following restrictions:
Both the transport protocol and passenger protocol must be IPv4.
The headquarters node cannot send packets to a branch before the branch sends packets to it. Only
after receiving a packet from the branch can the headquarters node install a tunnel entry for the
branch and send packets to the branch.
No tunnel can be established between branch nodes and therefore branch nodes cannot
communicate with each.