Nowadays, more and more enterprises are demanding virtual private networks (VPNs) to connect their branches across the public network.
Whether your branches use static IP addresses assigned by the ISP or (as is usual for enterprise branches) dynamically assigned IP addresses, you can still deploy this DVPN solution. It brings many benefits in an environment with a DRC site and a PDC site, creating an intranet from them to the branches. So in this article I will only write about this solution in an enterprise architecture with a DRC and PDC environment: your branches will connect to both the DRC site and the PDC site for redundancy. When VPN communication at the PDC fails, branches will switch to the DRC.
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address Management (VAM) protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to
the public network form a VPN. From the perspective of DVPN, the public network
is the link layer of the VPN, and the tunnels which are used as the virtual channels
between subnets of an intranet constitute the network layer. Branch devices
dynamically access the public network. DVPN can get the public IP addresses of
the peers through VAM to set up secure internal tunnels conveniently.
When a DVPN device forwards a packet from a
user subnet to another, it performs these operations:
1) Obtaining the next hop on the private network through a routing
protocol.
2) Inquiring the public network address of the next hop through the VAM
protocol.
3) Encapsulating the packet, using the public address as the
destination address of the tunnel.
4) Sending the packet down the tunnel to the destination.
The following key roles are involved in
DVPN:
DVPN node
A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN node takes part in tunnel setup and must implement the VAM client. The VAM clients are your branches, which will connect to the DRC site and the PDC site by two VPN tunnels, tunnel 1 and tunnel 2.
VAM server
A VAM server receives registration information from DVPN nodes and manages and maintains information about DVPN clients. Currently, a VAM server is usually a high-performance routing device with the VAM server function enabled. You can run this VAM server on the DRC's router and the PDC's router: the PDC site has the primary VAM server, and the DRC site has the secondary VAM server.
VAM client
A VAM client registers its private address, public address, and VAM ID with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" in this document refers to a Hub or a Spoke.
Hub
A Hub is a type of VAM client. As the central device of a VPN, it is the exchange center of routing information. A Hub in a Hub-Spoke network is also a data forwarding center. In the DRC and PDC environment you have two Hubs: Hub#1 at the DRC site and Hub#2 at the PDC site.
Spoke
A Spoke is a type of VAM client. Usually acting as the gateway of a branch office, a Spoke does not forward data received from other DVPN nodes.
AAA server
An Authentication, Authorization, and Accounting (AAA) server is used for user authentication and accounting. With this DVPN architecture I do not use the Authorization and Accounting functions of the AAA server; the router supports authentication based on username and password, which still provides security, because only VAM clients (your branches) that are authenticated can connect to the VAM servers successfully.
Operation of DVPN
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack, DVPN uses UDP as its transport layer protocol.
A DVPN consists of one server and multiple
clients. The public address of the server in a DVPN must be static. The private
address of a client needs to be statically assigned, while the public address
of a client can be manually configured or dynamically assigned. All the private
addresses of the nodes composing a DVPN must belong to the same network segment.
Each client registers the mapping of its private address and public address with the server. After a client registers its address mapping with the server, other clients can get the public address of this client from the server; this is what makes DVPN tunnel establishment between clients possible. Each client uses the VAM protocol to communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove tunnels to other clients. Whenever there is a change in the topology, the server is notified automatically.
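To make the registration and forwarding behaviour concrete, here is an added example (my own Python model, not code from the HP/H3C DVPN implementation) that ties together three points from the text: the AAA username/password check applied when a VAM client registers, the rule that all private addresses must belong to one segment, and the four forwarding steps (next hop from the routing table, VAM inquiry for the public address, encapsulation with that public address as the tunnel destination). The credential table, addresses and routing entries are constructed sample data; the class and function names are my own and not VAM protocol identifiers.

```python
import hashlib
import hmac
import ipaddress

# Constructed AAA credential table (username -> SHA-256 of password). A real
# router would query the AAA server; the local dict is an assumption so the
# example runs offline.
def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

AAA_USERS = {
    "branch-hanoi": _pw_hash("example-secret-1"),
    "branch-danang": _pw_hash("example-secret-2"),
}


class VamServer:
    """Toy VAM server: authenticates registering clients and keeps the
    private-address -> public-address mapping that other clients query."""

    def __init__(self, vpn_segment: str, users: dict):
        # All private addresses of the DVPN nodes must belong to one segment.
        self.segment = ipaddress.ip_network(vpn_segment)
        self.users = users
        self.registry = {}  # private address -> public address

    def register(self, username: str, password: str, private_ip: str, public_ip: str) -> bool:
        # AAA authentication: an unauthenticated client is never registered,
        # so it can never be resolved as a tunnel peer by other clients.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, _pw_hash(password)):
            return False
        priv = ipaddress.ip_address(private_ip)
        if priv not in self.segment:
            return False  # private address outside the DVPN segment
        self.registry[priv] = ipaddress.ip_address(public_ip)
        return True

    def lookup(self, private_ip: str):
        """Public address registered for a private address, or None."""
        return self.registry.get(ipaddress.ip_address(private_ip))


def next_hop(routing_table, dst: str):
    """Step 1: longest-prefix match over (prefix, next-hop private address)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def encapsulate(vam: VamServer, routing_table, tunnel_src_public: str, inner: bytes, dst: str):
    """Steps 1-3: resolve the private next hop, ask the VAM server for its
    public address, and build the tunnel packet (outer addresses + payload).
    Returns None when the packet cannot be forwarded."""
    nh = next_hop(routing_table, dst)
    if nh is None:
        return None  # no route on the private network
    pub = vam.lookup(nh)  # Step 2: VAM inquiry
    if pub is None:
        return None  # peer not registered, so no tunnel destination is known
    return {"outer_src": tunnel_src_public, "outer_dst": str(pub), "payload": inner}


if __name__ == "__main__":
    srv = VamServer("10.0.0.0/24", AAA_USERS)
    print(srv.register("branch-hanoi", "example-secret-1", "10.0.0.2", "203.0.113.10"))
    rt = [("172.16.0.0/16", "10.0.0.2")]
    print(encapsulate(srv, rt, "203.0.113.1", b"data", "172.16.20.5"))
```

The two `None` returns in `encapsulate` are the cases worth watching in a live deployment: a route that points at a branch whose registration was rejected (wrong credentials, or a private address outside the segment) produces a black hole at the tunnel layer rather than an error on the Spoke.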
Networking Structures of DVPN
DVPN supports two typical networking
structures, full mesh and Hub-Spoke.
+ Full mesh DVPN: In a full mesh
DVPN, Spokes can communicate with each other directly by establishing tunnels
between them, and the Hub is mainly used as the routing information exchange
center. As shown in Figure 1-1, after the Spokes (the clients) register
with the VAM server and get the Hub information in the VPN domain, they establish
permanent tunnels with the Hub. Any two Spokes can establish a tunnel directly
between them, which is dynamic and will be aged out if no data exchange occurs
on it during the specified period of time (the idle timeout for the Spoke-Spoke
tunnel).
+ Hub-Spoke DVPN: In a Hub-Spoke DVPN, no tunnel can be established between two Spokes, and data between them has to be forwarded through the Hub. That is, the Hub is used as both the routing information exchange center and the data forwarding center. As shown in Figure 1-2, each Spoke establishes a permanent tunnel with the Hub, and data between Spokes is forwarded through the Hub.
In this solution, I will deploy a Hub-Spoke DVPN with two Hubs, Hub 01 (PDC) and Hub 02 (DRC), and all Spokes will be connected to these two Hubs.
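The difference between the two networking structures, and the PDC-to-DRC switchover described earlier, can be shown with a small model of a Spoke's tunnel table. This is an added example written for this article, not part of the DVPN product; the hub names `Hub01-PDC` and `Hub02-DRC`, the `SpokeTunnels` class and the simulated clock are my own constructions. In full-mesh mode a Spoke-Spoke tunnel is created on demand and aged out after the idle timeout; in hub-spoke mode the Spoke never builds one and relays through the first Hub that is up.

```python
class SpokeTunnels:
    """Toy model of one Spoke's tunnel table under the two DVPN structures.

    Tunnels to Hubs are permanent. In full-mesh mode a dynamic Spoke-Spoke
    tunnel is created on first use and removed by age() after idle_timeout
    seconds without traffic. In hub-spoke mode Spoke-Spoke traffic is always
    relayed by a Hub: the first Hub in priority order that is up, so the branch
    falls back to the secondary Hub when the primary is unreachable."""

    def __init__(self, mode: str, hubs, idle_timeout: float = 30.0):
        if mode not in ("full-mesh", "hub-spoke"):
            raise ValueError("mode must be 'full-mesh' or 'hub-spoke'")
        self.mode = mode
        self.hubs = list(hubs)                 # permanent tunnels, priority order
        self.hub_up = {h: True for h in hubs}  # liveness as seen by this Spoke
        self.idle_timeout = idle_timeout
        self.dynamic = {}                      # peer Spoke -> last traffic time

    def set_hub_state(self, hub: str, up: bool) -> None:
        """Record a Hub going down or coming back (e.g. PDC VPN failure)."""
        self.hub_up[hub] = up

    def _live_hub(self):
        for h in self.hubs:
            if self.hub_up[h]:
                return h
        return None

    def tunnel_for(self, peer: str, now: float):
        """Return the tunnel endpoint used to reach `peer` at time `now`,
        or None when no usable tunnel exists."""
        if peer in self.hubs:
            return peer if self.hub_up[peer] else None
        if self.mode == "hub-spoke":
            return self._live_hub()  # no Spoke-Spoke tunnel: relay via a Hub
        # full mesh: create the dynamic Spoke-Spoke tunnel or refresh its timer
        self.dynamic[peer] = now
        return peer

    def age(self, now: float):
        """Tear down dynamic tunnels idle for idle_timeout or longer.
        Returns the list of peers whose tunnels were removed."""
        expired = sorted(p for p, t in self.dynamic.items()
                         if now - t >= self.idle_timeout)
        for p in expired:
            del self.dynamic[p]
        return expired

    def active_tunnels(self):
        """Hubs that are up, followed by the current dynamic peers."""
        return [h for h in self.hubs if self.hub_up[h]] + sorted(self.dynamic)


if __name__ == "__main__":
    spoke = SpokeTunnels("hub-spoke", ["Hub01-PDC", "Hub02-DRC"])
    print(spoke.tunnel_for("SpokeB", now=0))
    spoke.set_hub_state("Hub01-PDC", False)   # PDC VPN communication fails
    print(spoke.tunnel_for("SpokeB", now=1))  # traffic now relayed via DRC
```

Note that in hub-spoke mode the Spoke-to-Spoke path depends entirely on Hub liveness, which is why both Hubs are configured on every branch in this design: with the primary down, `tunnel_for` keeps returning a usable endpoint only because the secondary permanent tunnel already exists.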
Implementation of DVPN
DVPN works in three phases: connection initialization, registration, and tunnel establishment. The following is a brief description of the phases.
For more information, refer to these documents:
HP Dynamic Virtual Private Network (DVPN)
Cisco Dynamic Multipoint VPN (DMVPN) Design Guide