6.1 DSVPN Overview
Dynamic Smart Virtual Private Network (DSVPN) is a technology that allows branches to use
the NBMA Next Hop Resolution Protocol (NHRP) to dynamically establish data forwarding
tunnels in the hub-spoke model.
In the traditional hub-spoke model, data traffic concentrates at branches and the central office.
If data traffic is transmitted between two branches, to implement IP Security (IPSec), the central
office needs to decrypt data on the tunnel of the source branch and encrypt the data on the tunnel
of the destination branch. Traffic between the two branches needs to pass through the central
office, wasting resources of the central office and causing a delay in traffic forwarding. To solve
this problem, the DSVPN technology is used to enable the two branches to dynamically establish
a data forwarding tunnel.
To enable two branches to directly establish an tunnel, ensure that the next hop of the route
between the two branch subnets is a branch device. The following routing plans are available:
l Static routes are configured on branches.
Static routes to other branch subnets are configured on the source branch so that tunnels
can be established between two branches.
l Branches learn routes from each other.
Routing protocols are enabled to allow routes to be learned between branches, and between
branches and the central office. All the branches must be connected to the same logical
interface of the central office device so that routes can be advertised between branches. If
the Routing Information Protocol (RIP) is enabled, the split horizon function must be
disabled to ensure that routes are directly advertised between branches.
l Branches have only summarized routes to the central office.
If branches need to learn routes from each other, they must have high-performance and
large-capacity devices. To solve this problem and enable branches to directly communicate
with each other, configure the path from a branch to the central office as the default
forwarding path and allow branches to use NHRP packets to exchange routing information.
NOTE
When DSVPN is configured, IPSec does not need to be configured. If IPSec is configured to protect GRE
traffic, the remote IP address in an NHRP mapping entry needs to be advertised to the local device to
establish an IPSec tunnel.
6.2 DSVPN Features Supported by the AR1200
Before implementing the DSVPN feature on the AR1200, consider routing plans and configure
Multipoint GRE (MGRE) tunnel interfaces.
When branches learn routes from each other or have only summarized routes to the central office,
perform the following operations to configure DSVPN:
1. Create tunnel interfaces and specify source addresses for tunnel interfaces.
2. Configure routes between AR1200s.
3. Configure NHRP mapping entries of the central office device on branch devices.
Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN 6 DSVPN Configuration
Issue 01 (2012-04-20) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
345
To Next Page
Loading...
Need help?
General
