What Is DSVPN?
Dynamic Smart Virtual Private Network (DSVPN), which Cisco calls DMVPN, works in conjunction with Multipoint Generic Routing Encapsulation (mGRE) and Next Hop Resolution Protocol (NHRP) to establish dynamic full-mesh VPNs between branches and between branches and the headquarters (HQ). Compared with traditional VPN technologies, DSVPN simplifies the HQ's configuration and O&M when new branches join the network, making network expansion easy. It helps realize direct communication between branches, improving transmission efficiency by avoiding delays caused by HQ pass-through. Additionally, DSVPN supports dynamic public addresses at branches, eliminating the need to purchase static public addresses and thereby reducing network construction costs.
Why Do We Need DSVPN?
Currently, more and more enterprises want to connect branches (spokes) to the HQ (hub) and to each other through VPNs over a public network. They also require service traffic encryption and guaranteed quality of voice and video services. When realizing enterprise branch interconnection, traditional VPN technologies have the following problems:
- Complex configuration: When a new spoke joins the network, the hub needs to create and maintain the VPN configuration for this spoke. In this case, having a large number of spokes on a network complicates the configuration at the hub and makes network expansion difficult.
- Delayed traffic forwarding: Since traffic between branches has to traverse the hub, this traffic consumes bandwidth resources of the hub and results in an additional delay (especially when the hub needs to decrypt and encrypt the traffic). This may interrupt delay-sensitive services such as audio and video conferencing.
- Failure to use dynamic public addresses: When spokes want direct communication with each other and their egresses use dynamic IP addresses, they cannot obtain the peer end's address in advance. As a result, they cannot set up a tunnel between them. In this situation, purchasing static public addresses can solve the problem, but increases costs.
Typical networking for enterprise branch interconnection (without DSVPN deployed)
To solve the preceding problems, Huawei launched the dynamic smart VPN technology, DSVPN.
What Are the Advantages of DSVPN?
In terms of enterprise interconnection, DSVPN offers the following advantages over traditional VPN technologies:
- Dynamic: Spokes set up a dynamic tunnel between each other when they have traffic to exchange, eliminating the need for spoke-spoke traffic to traverse the hub.
- Intelligent: Spoke devices use dynamic public addresses, eliminating the need for static address configuration and reducing network construction costs.
- Simplified: Each device only needs one tunnel interface to communicate with all other devices, and adding a new spoke to the network does not require any configuration changes at the hub. This simplifies the hub's VPN configuration and O&M, making network expansion easy.
- Secure: DSVPN can work in conjunction with Internet Protocol Security (IPsec) to protect enterprise services.
Typical enterprise branch interconnection networking (with DSVPN deployed)
How Does DSVPN Work?
DSVPN relies on the following four technologies:
mGRE
mGRE is a point-to-multipoint GRE technology that defines logical mGRE tunnel interfaces to help implement DSVPN. It allows a single GRE interface to support multiple GRE tunnels, reducing the size and complexity of the configuration. With mGRE, the hub needs only one mGRE tunnel interface with a specified source address to allow any two spokes to set up a tunnel. Additionally, adding spokes to a DSVPN network requires no configuration changes at the hub or existing spokes. Only the new spokes need to be configured, after which they automatically register with the hub. An mGRE tunnel interface involves the following addresses:
- Tunnel source address: Used by the transport protocol to identify the packet source.
- Tunnel destination address: Used by the transport protocol to identify the packet destination.
- Tunnel interface IP address: Similar to an IP address of a physical interface, it is used for communication between devices, for example, obtaining routing information. The destination address of a GRE tunnel interface needs to be manually configured, whereas that of an mGRE tunnel interface is determined by NHRP. An mGRE tunnel interface can have multiple peer ends because it supports multiple GRE tunnels.
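To make the three addresses concrete, here is an added Python example (not from the original page and not Huawei's code) that builds and parses a GRE-in-IPv4 packet and shows how an mGRE interface with a single tunnel source picks the tunnel destination from an NHRP mapping. The tunnel interface addresses (10.0.0.x), the public transport addresses (198.51.100.x, 203.0.113.x), the GRE key value and the payload are constructed sample values, and the mapping table is a plain dict standing in for NHRP.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number in the outer (transport) header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger packet
GRE_FLAG_CSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes, key=None) -> bytes:
    """Outer IPv4 (proto 47) + GRE header (+ optional 4-byte key) + inner IPv4 packet.
    tunnel_src/tunnel_dst are the transport addresses; the inner packet carries the
    tunnel interface addresses."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes):
    """Validate the outer header and peel it off: (tunnel_src, tunnel_dst, key, inner)."""
    ver_ihl, proto = packet[0], packet[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    tunnel_src = socket.inet_ntoa(packet[12:16])
    tunnel_dst = socket.inet_ntoa(packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    off = ihl + 4
    if flags & GRE_FLAG_CSUM:
        off += 4                      # GRE checksum + reserved1 (not verified here)
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4                      # sequence number
    return tunnel_src, tunnel_dst, key, packet[off:]


def mgre_send(tunnel_src: str, nhrp_map: dict, inner: bytes) -> bytes:
    """mGRE: one interface with a fixed source; the tunnel destination is whatever public
    address the NHRP mapping holds for the inner destination (the peer's tunnel interface IP)."""
    inner_dst = socket.inet_ntoa(inner[16:20])
    if inner_dst not in nhrp_map:
        raise LookupError("no NHRP mapping for tunnel IP %s" % inner_dst)
    return gre_encapsulate(tunnel_src, nhrp_map[inner_dst], inner)


if __name__ == "__main__":
    # Constructed sample: OSPF (proto 89) between tunnel interface IPs, placeholder payload
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 89, 5) + b"hello"
    nhrp_map = {"10.0.0.2": "203.0.113.1", "10.0.0.3": "203.0.113.2"}  # constructed mapping
    pkt = mgre_send("198.51.100.1", nhrp_map, inner)
    print(gre_decapsulate(pkt)[:3])   # ('198.51.100.1', '203.0.113.1', None)
```

The point of `mgre_send` is that the interface never has a fixed destination: without a mapping for the inner next hop there is nothing to encapsulate to, which is exactly the gap NHRP fills. From a monitoring standpoint, every DSVPN packet on the public network is IP protocol 47 between the public addresses, and GRE itself adds no confidentiality or integrity, which is why the page pairs it with IPsec.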
NHRP
NHRP helps a spoke obtain the dynamic public address of another spoke on a public network. When a spoke comes online on a DSVPN network, it sends an NHRP Registration Request message to the hub, with the public address of the outbound interface as the source. The hub then creates or updates the corresponding NHRP mapping entry based on the message received. Two spokes also exchange NHRP Resolution Request and Reply messages to create or update NHRP mapping entries. DSVPN works in conjunction with NHRP to collect and maintain site information, such as dynamic public addresses. On a DSVPN network, branches use dynamic addresses for public network access and establish dynamic spoke-spoke tunnels between each other for direct communication. If a spoke-spoke tunnel has no traffic to forward within a certain period, the tunnel is automatically torn down. With NHRP, there is no need for spokes to purchase static public addresses, reducing network construction costs.
Routing
During DSVPN deployment, routing needs to be considered to ensure proper forwarding of mGRE-encapsulated packets. DSVPN supports the following route learning modes:
- Route learning between spokes (non-shortcut mode)
In this mode, the next-hop address of the route from one spoke to another is the tunnel address of the destination spoke. Each spoke needs to learn routes to all other spokes. This consumes substantial CPU and memory resources and requires spokes to hold large routing tables and offer high performance. In practice, spokes have relatively low performance and can store a limited number of routes. As such, this route learning mode applies only to small and midsize networks where there are a few network nodes and a small number of routes.
On such a DSVPN network, mGRE tunnels between spokes are set up in non-shortcut mode.
- Route summarization on the hub (shortcut mode)
In this mode, the next-hop address of the route from one spoke to another is the tunnel address of the hub, and spokes only save routes destined for the hub. This mode reduces the number of routes on spokes, which makes it suitable for large networks with many spokes.
On such a DSVPN network, mGRE tunnels between spokes are set up in shortcut mode.
On a DSVPN network, route learning in either mode can be achieved through static route configuration or a dynamic routing protocol (OSPF or BGP).
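The following Python model, added here and not part of the original page or any vendor code, ties the NHRP section and the two route-learning modes together: spokes register their current public address with the hub, a spoke resolves a peer through the hub, dynamic spoke-spoke entries age out when idle, and the forwarding path of the first and subsequent packets differs between non-shortcut and shortcut mode. The site addresses and prefixes, the summary route 10.0.0.0/8, the idle limit of three periods and the exact-prefix lookup (no longest-prefix match) are simplifying assumptions.

```python
from dataclasses import dataclass, field

SUMMARY = "10.0.0.0/8"   # assumed summary route the hub advertises in shortcut mode
IDLE_LIMIT = 3           # assumed idle periods before a spoke-spoke tunnel is torn down


@dataclass
class Site:
    name: str
    tunnel_ip: str   # mGRE tunnel interface address (stable, private)
    public_ip: str   # egress address on the public network (dynamic for spokes)
    lan: str         # prefix behind this site
    routes: dict = field(default_factory=dict)  # dest prefix -> next-hop tunnel IP
    nhrp: dict = field(default_factory=dict)    # tunnel IP -> [public IP, idle ticks or None]


def nhrp_register(spoke, hub):
    """NHRP Registration Request: its source is the spoke's current public egress address.
    The hub creates or updates its mapping; the spoke keeps a static (never aged) hub entry."""
    hub.nhrp[spoke.tunnel_ip] = [spoke.public_ip, None]
    spoke.nhrp[hub.tunnel_ip] = [hub.public_ip, None]


def nhrp_resolve(spoke, hub, peer_tunnel_ip):
    """Resolution Request/Reply through the hub; the answer is cached as a dynamic entry."""
    entry = spoke.nhrp.get(peer_tunnel_ip)
    if entry is None:
        hub_entry = hub.nhrp.get(peer_tunnel_ip)
        if hub_entry is None:
            return None
        entry = spoke.nhrp[peer_tunnel_ip] = [hub_entry[0], 0]
    if entry[1] is not None:
        entry[1] = 0      # traffic refreshes the idle timer
    return entry[0]


def age_nhrp(site, periods=1):
    """Dynamic entries idle for IDLE_LIMIT periods are removed: the spoke-spoke tunnel is torn down."""
    for key, entry in list(site.nhrp.items()):
        if entry[1] is None:
            continue
        entry[1] += periods
        if entry[1] >= IDLE_LIMIT:
            del site.nhrp[key]


def install_routes(hub, spokes, mode):
    """non-shortcut: every spoke learns every other spoke's LAN via that spoke's tunnel IP.
    shortcut: spokes keep only routes pointing at the hub; the hub keeps the per-spoke routes."""
    hub.routes = {s.lan: s.tunnel_ip for s in spokes}
    for s in spokes:
        s.routes = {hub.lan: hub.tunnel_ip}
        if mode == "non-shortcut":
            s.routes.update({p.lan: p.tunnel_ip for p in spokes if p is not s})
        elif mode == "shortcut":
            s.routes[SUMMARY] = hub.tunnel_ip
        else:
            raise ValueError("unknown mode %r" % mode)


def forward(src, hub, spokes, dst_prefix):
    """Return the names of the sites a packet traverses from src to dst_prefix."""
    dst = next(s for s in spokes + [hub] if s.lan == dst_prefix)
    next_hop = src.routes.get(dst_prefix, src.routes.get(SUMMARY))
    if next_hop is None:
        raise LookupError("%s: no route to %s" % (src.name, dst_prefix))
    if next_hop == dst.tunnel_ip or dst.tunnel_ip in src.nhrp:
        # next hop is the destination itself (non-shortcut), or a shortcut tunnel already
        # exists: resolve/refresh the peer's public address and send directly
        nhrp_resolve(src, hub, dst.tunnel_ip)
        return [src.name, dst.name]
    # shortcut mode, first packet: the route points at the hub, so the packet is relayed
    # through it; the spoke then learns the peer mapping and later packets go direct
    nhrp_resolve(src, hub, dst.tunnel_ip)
    return [src.name, hub.name, dst.name]


def run_scenario(mode):
    """Constructed topology: one hub, three spokes; exercises both route-learning modes."""
    hub = Site("Hub", "10.255.0.1", "203.0.113.1", "10.1.0.0/16")
    spokes = [Site("Spoke%d" % i, "10.255.0.%d" % (i + 1), "198.51.100.%d" % i,
                   "10.%d.0.0/16" % (i + 1)) for i in (1, 2, 3)]
    for s in spokes:
        nhrp_register(s, hub)
    install_routes(hub, spokes, mode)
    s1, s2 = spokes[0], spokes[1]
    result = {"routes_per_spoke": len(s1.routes)}
    result["first"] = forward(s1, hub, spokes, s2.lan)
    result["second"] = forward(s1, hub, spokes, s2.lan)
    age_nhrp(s1, IDLE_LIMIT)                      # no spoke-spoke traffic for a while
    result["after_idle"] = forward(s1, hub, spokes, s2.lan)
    s2.public_ip = "198.51.100.22"                # Spoke2's dynamic public address changes
    nhrp_register(s2, hub)                        # it re-registers; the hub updates its entry
    result["hub_after_rereg"] = hub.nhrp[s2.tunnel_ip][0]
    return result


if __name__ == "__main__":
    for mode in ("non-shortcut", "shortcut"):
        print(mode, run_scenario(mode))
```

Running it shows the trade-off from the text: in non-shortcut mode each spoke holds a route per peer (three routes here, growing with the number of spokes) and talks directly from the first packet, whereas in shortcut mode each spoke holds only hub-facing routes, the first packet is relayed through the hub, and later packets go direct until the idle timer tears the tunnel down. Re-registration after an address change is what lets spokes keep dynamic public addresses; a spoke that still has a stale cached mapping for that peer will only recover once its dynamic entry ages out or is refreshed, which is one reason the idle teardown matters.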
IPsec
- The establishment of an mGRE tunnel immediately triggers that of an IPsec tunnel.
- Conventional IPsec uses ACLs to identify the unicast traffic to be encrypted, so an IPsec policy requires a large number of ACLs to be defined, which is difficult to implement. DSVPN combines NHRP and mGRE with IPsec to simplify device configuration while ensuring data transmission security and facilitating network deployment.
- Because IPsec tunnels are dynamically established between spokes, IPsec data exchanged between spokes does not need to be decrypted or encrypted by the hub. This minimizes data transmission delay.
DSVPN over IPsec
Application Scenarios of DSVPN
DSVPN helps branches dynamically establish VPN tunnels in two scenarios: non-shortcut scenario for small and midsize networks and shortcut scenario for large networks.
DSVPN on Small and Midsize Networks
A small or midsize network has only a few branches. They can dynamically establish VPNs with each other by using DSVPN in a non-shortcut scenario for direct communication. As shown in the following figure, two branches (Spoke1 and Spoke2) connect to the HQ (Hub) through the Internet. Spoke1 and Spoke2 are configured to learn routes from each other. They can communicate with each other directly because they are each other's next hop.
DSVPN on small and midsize networks
DSVPN on Large Networks
A large network involves a large number of branches. Deploying DSVPN in a non-shortcut scenario on such networks requires spokes to support large routing tables and offer high forwarding performance. If upgrading the spokes is not an option, DSVPN in a shortcut scenario can be a better solution. It reduces routing entries on spokes, lowering the requirements on their routing table sizes and forwarding performance. As shown in the following figure, all spokes have routes only to the hub. When two spokes need to communicate, the originating spoke sends the first packet to the hub. After that, a tunnel is established between the spokes, through which they can directly exchange data.
DSVPN on large networks
- Author: Bai Hehui
- Updated on: 2024-11-21