
InHand IR720 series - DMVPN Solution and Configuration

InHand IR720 series
113 pages
The meanings of key items in the page are shown in the table below.
12.5 DMVPN
12.5.1 Technical Principle of DMVPN
I. Background Information
Many companies want to connect their offices and branches in various locations to their
headquarters securely over the public network, and to connect the offices and branches to each
other. In the past, the only way was to interconnect all nodes through layer 2 networks, e.g. ISDN
or frame relay, to achieve internal IP interworking, and line costs were high. Now these offices,
branches and headquarters can be interconnected through low-cost Internet access, and the security
of internal communications can be guaranteed through IPSec tunnels.
IPSec encrypts data at both ends of the communication using a shared key. This means that
each pair of endpoints must share its own, different key. Therefore, an IPSec tunnel is actually a
point-to-point encryption tunnel, and an IPSec network is a collection of point-to-point encryption tunnels.
An IPSec network can be organized as hub-and-spoke or full mesh. In most networks, the data
flow is mainly between the branches and the center, and there is little data flow between
branches. Therefore, hub-and-spoke is the better structure, and it matches the
traditional way of frame relay internetworking. Since hub-and-spoke uses fewer point-to-point links
than full mesh, it can reduce line costs.
When the internetworking is achieved through the Internet, spoke-to-spoke connections do
not incur additional communication costs and can bring better performance to the enterprise's
internal network, but a full mesh is difficult to implement and manage.
In hub-and-spoke, branch-to-branch communication must cross the center, which
consumes the center's resources and causes a longer delay. Especially when IPSec is used for
encryption, the center must decrypt on the tunnel of the sending branch and re-encrypt on
the tunnel of the receiving branch. Another case is where the two communicating branches are in the
same city while the center is in another city, which also results in unnecessary delay.
As a hub-and-spoke IPSec network continues to grow, dynamic
routing of IP packets becomes very meaningful. In earlier frame relay hub-and-spoke networks,
the reachability of branch networks could be advertised over the frame relay links running dynamic
Key Items                                    Description
Certificate protection key                   Set certificate protection key
Confirmation of certificate protection key   Confirmation of certificate protection key
