to maintain a network with full mesh structure even though some branches do not need to
communicate directly through IPSec VPN. Since each router maintains tunnel
connectivity with all other routers, this cannot be achieved on small routers, so
more powerful routers must be used even at smaller branches.
II.  DMVPN Solution 
DMVPN is achieved through the combination of multi-point GRE (mGRE) and Next Hop
Resolution Protocol (NHRP).
In the DMVPN solution, IPSec provides encryption, GRE or multi-point GRE (mGRE) creates
the tunnel, and NHRP resolves the problem of dynamic addresses. DMVPN only
requires that the center nodes apply for a static public IP address.
Next Hop Resolution Protocol (NHRP) is defined in RFC 2332 by the IETF. It allows a source node
(host or router) on a non-broadcast multiple access (NBMA) network to obtain the
internetwork layer address and NBMA subnetwork address of the “next hop” toward a
destination node.
2.1  Automatic Starting of IPSec Encryption   
IPSec uses an access control list (ACL) to decide which data is to be encrypted. When a
packet matches the defined ACL, the IPSec encryption tunnel is created. When
GRE over IPSec is used, the GRE tunnel configuration already includes the address of the GRE tunnel’s
opposite end. This address is also the address of the opposite end of the IPSec tunnel. Therefore,
it is unnecessary to define a separate matching ACL for IPSec.
Because the GRE tunnel is bound to IPSec, IPSec encryption is triggered
as soon as the GRE tunnel is established.
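The difference between ACL-triggered IPSec and IPSec bound to the GRE tunnel, shown as an added configuration example that is not part of the original document. It assumes Cisco IOS syntax (the document names no platform); all names (TS, GRE-TO-HUB, GRE-VPN, GRE-PROT) and addresses (documentation ranges) are constructed, and the IKE policy and key configuration is omitted.

```cisco
! Transform set shared by both variants (constructed name TS)
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Variant A: ACL-triggered IPSec (crypto map) ---
! The ACL repeats the GRE endpoints already present on Tunnel0.
! If the ACL and the tunnel endpoints drift apart, GRE packets that
! no longer match the ACL leave the router unencrypted.
ip access-list extended GRE-TO-HUB
 permit gre host 198.51.100.10 host 203.0.113.1
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-HUB
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map GRE-VPN
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
! --- Variant B: IPSec bound to the GRE tunnel ---
! No ACL and no "set peer": the IPSec peer and the traffic to protect
! are derived from the tunnel source and destination, so encryption
! is negotiated as soon as the tunnel comes up.
crypto ipsec profile GRE-PROT
 set transform-set TS
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Check after either variant: "show crypto ipsec sa" should list an SA
! for the tunnel endpoints with encaps/decaps counters that increase
! while traffic crosses Tunnel0.
```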
2.2  Dynamic Tunnel Establishment of Spoke-to-Hub   
In a DMVPN network, the center router holds no GRE or IPSec configuration information for the
branches, while the GRE tunnel on each branch router is configured according to the center router’s
public IP address and NHRP. When the branch router is powered on and started up,
it obtains its IP address from the ISP through DHCP, automatically establishes an IPSec encrypted GRE
tunnel, and registers the IP address of its external port at the center router
through NHRP. There are three reasons for this design:
1)  Since the IP address of the branch router’s external network port is obtained automatically, the IP
address may be different every time. Therefore, the center router cannot be configured based
on that address information.
2)  The center router is not required to hold GRE or IPSec configuration for every branch, which
greatly simplifies the configuration of the center router. All relevant information can be
obtained automatically through NHRP.
3)  When the DMVPN network is expanded, the configuration of the
center router and the other branch routers does not need to change. The new branch routers are automatically registered
at the center router. Through the dynamic routing protocol, all other branch routers can learn