
InHand IR720 series - Page 89

this new routing and the new branch routers can also learn the routing information to reach all
other routers.
2.3 Dynamic Tunnel Establishment of Spoke−to−Spoke
In a DMVPN network, the Spoke−to−Hub tunnel persists once it is established, while no
permanent tunnel needs to be configured directly between branches.
When a branch wants to send a data packet to another branch, it uses NHRP to dynamically
acquire the IP address of the destination branch. In this process, the center router acts as the NHRP
server: it responds to the NHRP request and provides the public network address of the destination
branch to the source branch. An IPSec tunnel can then be dynamically established between the two
branches through the mGRE port for data transmission. The tunnel is automatically removed
after a predefined cycle.
2.4 Support for Dynamic Routing Protocols
DMVPN is based on GRE tunnels, and a GRE tunnel can carry multicast or
broadcast IP packets. Therefore, a DMVPN network supports running dynamic routing
protocols over IPSec and mGRE tunnels. Note that NHRP must be configured for
dynamic multicast mapping, so that when a branch router registers its unicast mapped address with the
NHRP server (center router), NHRP also establishes a multicast / broadcast mapping for the
branch router.
As mentioned above, an IPSec tunnel does not support multicast / broadcast packet
encapsulation, whereas a GRE tunnel encapsulates multicast / broadcast packets in GRE packets. A
GRE packet is a unicast packet and can be encrypted by IPSec. When GRE packets are encrypted with
IPSec, IPSec can be configured in transport mode, because GRE has already encapsulated the
original packet as a unicast IP packet and there is no need for IPSec to add another header.
Transport-mode IPSec requires that the source and destination addresses of the encrypted data
packet match the addresses of the two endpoints of the IPSec tunnel. This means that the
addresses of the two GRE tunnel endpoints must be the same as those of the two IPSec tunnel
endpoints. Since the routers at both ends of the GRE tunnel are the same routers at both
ends of the IPSec tunnel, this is guaranteed.
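The address-matching requirement above, as an added example that is not part of the manual: this Python sketch wraps a multicast routing packet in GRE and checks whether the outer unicast header matches the IPSec endpoints. The function names are hypothetical, and the addresses and zero-filled OSPF body are constructed sample values.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
OSPF_PROTO = 89           # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (ones' complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    s, d = (ipaddress.IPv4Address(a).packed for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic 4-byte GRE header and a unicast outer header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence flags
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)


def addresses(packet: bytes):
    """Return (src, dst, proto) parsed from an IPv4 header."""
    src, dst = (ipaddress.IPv4Address(packet[i:i + 4]) for i in (12, 16))
    return src, dst, packet[9]


def transport_mode_protects(packet: bytes, local_peer: str, remote_peer: str) -> bool:
    """True when a GRE packet's outer addresses equal the IPSec tunnel endpoints."""
    src, dst, proto = addresses(packet)
    return (proto == GRE_PROTO
            and src == ipaddress.IPv4Address(local_peer)
            and dst == ipaddress.IPv4Address(remote_peer))


# Constructed sample: an OSPF packet to the AllSPFRouters multicast group, sent
# from a spoke tunnel address and carried between two documentation-range peers.
HELLO = ipv4("10.0.0.2", "224.0.0.5", OSPF_PROTO, b"\x00" * 24)
OUTER = gre_encapsulate(HELLO, "198.51.100.2", "203.0.113.1")
```

The check returns False when the IPSec peer address differs from the GRE tunnel source, which is the mismatch the paragraph above says must not occur.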
By combining GRE tunnels with IPSec encryption, we can use a dynamic routing
protocol to update the routing tables on the routers at both ends of the encrypted tunnel. A subnet
learned from the tunnel peer has the IP address of the tunnel’s opposite end as the next
hop address for that peer’s subnet. As a result, when the network changes at either
end of the tunnel, the other end dynamically learns the change and maintains
network connectivity without any change to the router configuration.
III. Realization of Dynamic Routing Protocol in DMVPN Network
As mentioned above, in a DMVPN network the Spoke−to−Hub tunnel persists once
established, while there is no persistent tunnel between branches. Therefore, after
router initialization, the center router announces the reachable routes of other branch
subnets to the branch routers through the persistent tunnel. As a result, the "next hop" address for reaching
another branch subnet in a branch router's routing table will be the address of the center router’s tunnel
