HP VPN Firewall Appliances VPN Configuration Guide
• VAM client—A VAM client registers its private address and public address with the VAM server and
obtains information about other VAM clients from the VAM server. The VAM client function must be
implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" refers to a hub or a
spoke.
• Hub—A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of
routing information. A hub in a hub-spoke network is also a data forwarding center.
• Spoke—A spoke is a type of VAM client. Usually acting as the gateway of a branch office, a spoke
does not forward data received from other DVPN nodes.
• AAA server—An AAA server is used for user authentication and accounting.
How DVPN operates
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack,
DVPN supports two tunnel encapsulation modes: UDP and GRE.
A DVPN comprises one server and multiple clients. The public address of the server in a DVPN must be
static. The private address of a client needs to be statically assigned. The public address of a client can
be manually configured or dynamically assigned. All the private addresses of the nodes composing a
DVPN must belong to the same network segment.
Each client registers the mapping of its private address and public address with the server. After a client
registers its address mapping with the server, other clients can get the public address of this client from
the server. This is for DVPN tunnel establishment between clients. Each client uses the VAM protocol to
communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove
tunnels to other clients. Whenever there is a change in the topology, the server will be notified
automatically.
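The registration and lookup behaviour described above can be modelled in a few lines of Python. This is an added illustration, not HP code, and it does not implement the VAM wire protocol; the names `VamRegistry`, `register`, `resolve` and `demo`, the 10.0.0.0/24 segment, and the documentation-range public addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VamRegistry:
    """Toy model of the server-side mapping table (hypothetical, not the VAM protocol)."""
    segment: ipaddress.IPv4Network             # private segment shared by all nodes
    table: dict = field(default_factory=dict)  # private addr -> (public addr, role)

    def register(self, private: str, public: str, role: str = "spoke") -> list:
        priv = ipaddress.ip_address(private)
        pub = ipaddress.ip_address(public)
        if role not in ("hub", "spoke"):
            raise ValueError(f"unknown role {role!r}")
        # All private addresses in one DVPN must belong to the same segment.
        if priv not in self.segment:
            raise ValueError(f"{priv} is outside DVPN segment {self.segment}")
        # Re-registration replaces the public address, which may be dynamic.
        self.table[priv] = (pub, role)
        # Return the private addresses of the other registered hubs.
        return sorted(str(p) for p, (_, r) in self.table.items()
                      if r == "hub" and p != priv)

    def resolve(self, private: str):
        """Public address a peer needs to open a tunnel, or None if unregistered."""
        entry = self.table.get(ipaddress.ip_address(private))
        return str(entry[0]) if entry else None

def demo():
    # Constructed sample data: private 10.0.0.0/24, public from RFC 5737 ranges.
    reg = VamRegistry(ipaddress.ip_network("10.0.0.0/24"))
    reg.register("10.0.0.1", "192.0.2.1", role="hub")
    hubs = reg.register("10.0.0.2", "198.51.100.7")
    reg.register("10.0.0.3", "203.0.113.9")
    before = reg.resolve("10.0.0.3")
    reg.register("10.0.0.3", "203.0.113.44")   # spoke's public address changed
    after = reg.resolve("10.0.0.3")
    try:
        reg.register("172.16.5.9", "203.0.113.50")  # wrong private segment
        rejected = False
    except ValueError:
        rejected = True
    return hubs, before, after, rejected

if __name__ == "__main__":
    print(demo())
```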
Network structures
DVPN supports two typical networking structures: full mesh and hub-spoke.
• Full mesh DVPN—In a full mesh DVPN, spokes can communicate with each other directly by
establishing tunnels between them, and the hub is mainly used as the routing information exchange
center.
As shown in Figure 307, after the spokes (the clients) register with the VAM server and get the hub
information in the VPN domain, they establish permanent tunnels with the hub.
Any two spokes can establish a tunnel directly between them. The tunnel is dynamic and will be
aged out if no data exchange occurs on it during the specified period of time (the idle timeout for
the spoke-spoke tunnel).