IP Security - Virtual Private Network
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK (DMVPN)
OVERVIEW
A VPN is a mechanism that provides a secure and private communication channel over 
public infrastructure. Normally a secure tunnel is formed between two 
communication end points. Today's geographically distributed businesses need 
multiple end points to be connected via VPN, so the VPN connectivity effectively 
forms an overlay network on the public Internet. To provision and manage the VPN 
network, a few standard topologies such as ring, star and mesh are deployed. 
A Dynamic Multipoint Virtual Private Network is an enhancement of the VPN 
configuration process. DMVPN provides a scalable and efficient site-to-site VPN 
setup across multiple branch offices. The VPN tunnels are formed on demand and 
brought down when not in use, which makes the design scalable. The tunnels run 
directly between branch office end points and are set up with the help of a central 
controller, normally the central office. End-point traffic does not flow via the 
central office, which makes the design efficient: scaling to a higher number of 
branch offices is not limited by the central office's bandwidth or processing power. 
DMVPN forms site-to-site VPNs in a hub and spoke configuration. In typical 
deployments, branch offices are spokes and the central office is the hub. Financial 
institutions, transport service providers and medical institutions are a few of the 
common deployment sites where the hub and spoke model is used.
The main idea of DMVPN is to build a large, scalable network (hub and spoke 
model) in which a spoke can be added to or removed from the network without any 
configuration change on any other node. At any point in time, a spoke should be 
able to establish an IPsec tunnel with another spoke. This is achieved in two steps: 
first, identify the spoke with which the tunnel will be set up; second, establish a 
standard IPsec VPN tunnel with that spoke. The Next Hop Resolution Protocol 
(NHRP) is used to identify the peer spoke for IPsec tunnel establishment. 
NHRP works in a client-server model. In the hub and spoke network, the hub acts 
as the "Next Hop Server" (NHS) and each spoke acts as a "Next Hop Client" (NHC). 
When a spoke is added to the network, it registers with the NHS by sending an 
NHRP REGISTER request. This way, the NHS learns the tunnel (protocol) IP address 
and the corresponding NBMA address of each spoke, so the hub (NHS) holds a 
cache of all the spokes (NHRP clients). A registration is valid only until its 
registration timeout, so a spoke must re-register periodically to stay in the cache. 
Whenever required, a spoke queries the NHS with an NHRP RESOLUTION request 
to obtain the NBMA address of another spoke. Having the peer's address, the spoke 
initiates IPsec tunnel establishment to that address in the normal way.
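The registration and resolution exchange described above, modelled as an added Python example (this is not code from this guide and not the OmniAccess CLI): a hub object plays the NHS, spoke objects register and resolve peers, and the walk-through shows a third spoke joining without any change on the hub or the other spokes, a registration that fails a shared-secret check being refused (a simplified stand-in for NHRP's authentication extension in RFC 2332, not the real wire format), and a spoke whose registration has timed out no longer being resolvable. The addresses, the 300-second hold time, the secret and the message names are constructed assumptions.

```python
"""Toy model of the NHRP exchange behind DMVPN spoke-to-spoke tunnels.

Constructed example: not the OmniAccess implementation and not the NHRP
wire format. The hub (NHS) maps each spoke's tunnel (protocol) address to
its public (NBMA) address; spokes register, expire if they do not
re-register, and resolve a peer before building a direct IPsec tunnel.
"""
from dataclasses import dataclass

REGISTRATION_HOLD_TIME = 300   # seconds a registration stays valid (assumed value)


@dataclass
class CacheEntry:
    nbma_addr: str       # public (NBMA) address reachable across the Internet
    expires_at: float    # time after which the spoke must have re-registered


class NextHopServer:
    """Hub role: the NHS keeps the cache of registered spokes."""

    def __init__(self, shared_secret, hold_time=REGISTRATION_HOLD_TIME):
        self.shared_secret = shared_secret
        self.hold_time = hold_time
        self.cache = {}  # protocol (tunnel) address -> CacheEntry

    def register(self, protocol_addr, nbma_addr, secret, now):
        """NHRP REGISTER: create or refresh a spoke's cache entry.

        The secret comparison stands in for NHRP's authentication extension
        (RFC 2332); the real protocol carries it as an extension, not a string.
        """
        if secret != self.shared_secret:
            return ("REGISTER-NAK", protocol_addr, None)
        self.cache[protocol_addr] = CacheEntry(nbma_addr, now + self.hold_time)
        return ("REGISTER-REPLY", protocol_addr, nbma_addr)

    def resolve(self, protocol_addr, now):
        """NHRP RESOLUTION request: map a tunnel address to its NBMA address."""
        entry = self.cache.get(protocol_addr)
        if entry is None or entry.expires_at <= now:
            self.cache.pop(protocol_addr, None)   # drop a timed-out registration
            return ("RESOLUTION-NAK", protocol_addr, None)
        return ("RESOLUTION-REPLY", protocol_addr, entry.nbma_addr)


class NextHopClient:
    """Spoke role: registers with the hub and resolves peers on demand."""

    def __init__(self, protocol_addr, nbma_addr, nhs, secret):
        self.protocol_addr = protocol_addr
        self.nbma_addr = nbma_addr
        self.nhs = nhs
        self.secret = secret
        self.tunnels = {}  # peer protocol addr -> (local NBMA, peer NBMA) endpoints

    def register(self, now):
        return self.nhs.register(self.protocol_addr, self.nbma_addr, self.secret, now)

    def connect_to(self, peer_protocol_addr, now):
        """Resolve the peer through the hub, then bring up a direct tunnel.

        Returns the (local, peer) NBMA endpoint pair the IPsec tunnel would
        use, or None when the hub cannot resolve the peer.
        """
        kind, _, peer_nbma = self.nhs.resolve(peer_protocol_addr, now)
        if kind != "RESOLUTION-REPLY":
            return None
        # A real spoke now starts IKE/IPsec with peer_nbma directly; the hub
        # is not on the data path.
        self.tunnels[peer_protocol_addr] = (self.nbma_addr, peer_nbma)
        return self.tunnels[peer_protocol_addr]


def demo():
    """Registration, resolution, adding a spoke, a refused registration, timeout."""
    secret = "example-nhrp-key"            # constructed value
    hub = NextHopServer(shared_secret=secret)
    # Addresses come from documentation ranges (constructed sample data).
    a = NextHopClient("10.0.0.1", "198.51.100.1", hub, secret)
    b = NextHopClient("10.0.0.2", "203.0.113.2", hub, secret)
    a.register(now=0)
    b.register(now=0)

    # Spoke A resolves spoke B and builds a spoke-to-spoke tunnel.
    direct = a.connect_to("10.0.0.2", now=10)

    # A third spoke joins: only it registers; hub and other spokes are untouched.
    c = NextHopClient("10.0.0.3", "192.0.2.3", hub, secret)
    c.register(now=20)
    from_c = c.connect_to("10.0.0.1", now=25)

    # A registration with the wrong secret is refused and changes nothing.
    rogue = NextHopClient("10.0.0.2", "192.0.2.99", hub, "wrong-key")
    rogue_reply = rogue.register(now=30)[0]
    still_b = hub.resolve("10.0.0.2", now=30)[2]

    # Spoke B never re-registers, so after the hold time it can't be resolved.
    stale = a.connect_to("10.0.0.2", now=400)
    return direct, from_c, rogue_reply, still_b, stale


if __name__ == "__main__":
    print(demo())
```

Running the file prints the five results of `demo()`: the direct A-to-B endpoint pair, the C-to-A pair obtained without reconfiguring A or the hub, the `REGISTER-NAK` for the rogue spoke, B's unchanged NBMA address, and `None` once B's registration has expired. The timeout case is the one operators hit most often: a spoke that stops re-registering disappears from the hub's cache, and other spokes cannot bring up tunnels to it even though its own IPsec configuration is intact.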