Like a GRE tunnel, DVPN provides a virtual tunnel that can transport private traffic and use the underlying public IP network as the link layer. The original private packet is encapsulated by an outer IP header where the source address is the local public address and the destination address is the peer public address.

[Figure: Central Private Network behind a Hub; Spoke 1 and Spoke 3 reached across the Public Network]
[Figure: message sequence between Spoke/Hub and Hub]
1) Tunnel establishment request
2) Tunnel established
3) Identity information
4) Authentication request
5) Authentication acknowledgement
6) Accounting request
7) Accounting acknowledgement
8) Registration acknowledgement

Note:
1. If IPSec is configured on the DVPN tunnel interface, it is the DVPN tunnel establishment request packet that triggers negotiation for the IPSec SA. An IPSec tunnel is then set up and all private packets are sent over the IPSec tunnel.
2. IPSec is not necessary for DVPN, but for security it is usually configured.
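The encapsulation described above, as an added example that is not part of the original slides: a Python model that wraps a private IPv4 packet in an outer IPv4 header carrying the local and peer public addresses, plus the receive-side checks a tunnel endpoint should apply before forwarding the inner packet. The registered-peer set, the use of protocol 4 (IP-in-IP) in place of DVPN's own framing, and the payload are assumptions; the addresses come from the page's topology.

```python
import socket
import struct

IPPROTO_IPIP = 4  # assumption: outer header carries a raw IPv4 packet (IP-in-IP)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; evaluates to 0 on a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def encapsulate(private_pkt: bytes, local_public: str, peer_public: str) -> bytes:
    """Outer src = local public address, outer dst = peer public address, as the slide states."""
    return build_ipv4(local_public, peer_public, IPPROTO_IPIP, private_pkt)

def decapsulate(pkt: bytes, my_public: str, registered_peers: set) -> bytes:
    """Validate the outer header and return the inner private packet, or raise ValueError.
    registered_peers stands in for the peer public addresses learned via VAM (assumption)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto != IPPROTO_IPIP or total_len != len(pkt):
        raise ValueError("unexpected outer protocol or length")
    if dst != my_public:
        raise ValueError("outer destination is not our public address")
    if src not in registered_peers:
        raise ValueError("outer source %s is not a registered peer" % src)
    return pkt[ihl:]

def demo() -> bytes:
    """Constructed: Hub-1 (public 122.200.0.1, tunnel 10.0.1.1) sends a private packet
    for Spoke-1's branch 172.16.1.1 to Spoke-1's public address 40.1.1.1."""
    inner = build_ipv4("10.0.1.1", "172.16.1.1", 17, b"private payload")
    outer = encapsulate(inner, "122.200.0.1", "40.1.1.1")
    return decapsulate(outer, "40.1.1.1", {"122.200.0.1", "120.200.0.1"})
```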
[Figure: HA deployment]
• 2 VAM Servers (Primary VAM Server, Secondary VAM Server); the secondary acts as backup.
• 2 Hubs (Hub-1, Hub-2) for HA and load balancing.
• The public IP network should ensure that hubs, VAM servers and spokes have public IP reachability with each other.
• Routing protocols such as OSPF are deployed inside the branch network.
• Spoke-1, Spoke-2, Spoke-3 and Spoke-4, each in front of a Branch Network.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
DVPN Configuration Example

[Figure: example topology]
• Data Center Network: AAA Server 192.168.100.200.
• Hub-1: Tunnel 1 10.0.1.1/16; G0/0/1 192.168.1.1; G5/0/1 122.200.0.1 (public side 122.200.0.2).
• Hub-2: Tunnel 1 10.0.1.2/16; G0/0/1 192.168.2.1; G5/0/1 120.200.0.1 (public side 120.200.0.2).
• Primary VAM Server: G0/1 192.168.102.1; G0/0 100.100.100.1 (public side 100.100.100.2).
• Secondary VAM Server (MSR50): G0/1 192.168.103.1; G0/0 100.100.200.1 (public side 100.100.200.2).
• Spoke-1: Tunnel 1 10.0.6.1/16; G7/1 40.1.1.1 (public side 40.1.1.2); G7/0 172.16.1.1/24 to its Branch Network.
• Spoke-2: Tunnel 1 10.0.8.1/16; G0/1 40.2.1.1 (public side 40.2.1.2); G0/0 172.16.2.1/24 to its Branch Network.
Configure VAM Servers

1. Basic Configurations
# configure the interface connected to the private network
interface GigabitEthernet0/1
 ip address 192.168.102.1 255.255.255.0
# configure the interface connected to the public network
interface GigabitEthernet0/0
 ip address 100.100.100.1 255.255.255.0
# configure the default route directing to the public network
ip route-static 0.0.0.0 0.0.0.0 100.100.100.2

2. Configurations for VAM server (primary)
# specify the listening address and UDP port (default 18000)
VAM server ip 100.100.100.1
# create a DVPN domain
VAM server vpn 1
 server enable
# set the pre-shared key
 pre-shared-key simple 123
# specify the tunnel private IP addresses of the hubs
 hub private-ip 10.0.1.1
 hub private-ip 10.0.1.2

3. Configurations for authentication
# configure RADIUS scheme
radius scheme radsun
 server-type extended
 primary authentication 192.168.100.200
 primary accounting 192.168.100.200
# configure share-key to correspond to AAA server
 key authentication simple expert
 key accounting simple expert
 user-name-format without-domain
# specify radius-scheme for dvpn authentication, accounting
domain dmdvpn
 authentication dvpn radius-scheme radsun
 authorization dvpn radius-scheme radsun //necessary
 accounting dvpn radius-scheme radsun
# specify the default domain
domain default enable dmdvpn

The configurations on this page are on the primary server; those on the secondary VAM server are shown below in the notes.
Configure Hubs

1. Basic Configuration
# configure the interface connected to the private network
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet7/0
 ip address 172.16.1.1 255.255.255.0
# configure DPD
ike dpd 1
 time-out 10
# configure the IKE peer

2. Configure VAM client
VAM client name dvpn1hub1
# specify the dvpn domain that the VAM client belongs to
 vpn 1
 client enable
# specify UDP as the encapsulation protocol
# specify the source address

[Figure legend: DVPN Spoke Router, Branch, DVPN Tunnel between Branches, DVPN Tunnel between HQ and Branch]
DVPN Local User Authentication

• If no AAA server is available, local authentication can be configured on the DVPN VAM Server.
• Helps reduce investment.
• Pay attention to the maximum number of local users.

[Figure: Data Center (HQ) with a DVPN Hub/DVPN VAM Server Router using Local User Authentication; IP Network; DVPN Spoke Routers at the Branches; DVPN Tunnel between Branches; DVPN Tunnel between HQ and Branch]
DVPN Full-Mesh Implementation - OSPF

Hub-1:
interface Tunnel1
 ip address 10.0.1.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet5/0/1
 ospf network-type broadcast
 ospf dr-priority 255
 ipsec profile vamp
 VAM client dvpn1hub1
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255

Spoke-2:
interface Tunnel1
 ip address 10.0.8.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet0/1
 ospf network-type broadcast
 ospf dr-priority 0
 ipsec profile vamp
 VAM client dvpn1spoke2
ospf 1
 area 0.0.0.1
  network 10.0.0.0 0.0.255.255
  network 172.16.2.0 0.0.0.255

[Figure: Data Center Network; Hub-1 (G0/0/1 192.168.1.1, G5/0/1 122.200.0.1, Tunnel 1 10.0.1.1/16) and Hub-2 (G0/0/1 192.168.2.1, G5/0/1 120.200.0.1, Tunnel 1 10.0.1.2/16); IP Network; Spoke-1 (G7/1 40.1.1.1, Tunnel 1 10.0.6.1/16, G7/0 172.16.1.1/24) and Spoke-2 (G0/1 40.2.1.1, Tunnel 1 10.0.8.1/16, G0/0 172.16.2.1/24); Branch Networks]
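The dr-priority values on the tunnel interfaces above decide which routers the spokes form OSPF adjacencies with on the broadcast-type DVPN segment. The following Python simulation is added here and is not from the slides: Hub-1's priority of 255 and Spoke-2's priority of 0 are on the page, while Hub-2's 254, Spoke-1's 0 and the router IDs are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelOspf:
    name: str
    router_id: str
    priority: int  # the 'ospf dr-priority' configured on the Tunnel1 interface

def _rid(r: TunnelOspf):
    return tuple(int(o) for o in r.router_id.split("."))

def elect(routers):
    """DR/BDR election on one broadcast segment when all routers start together
    (simplified RFC 2328 section 9.4): highest priority wins, router ID breaks ties,
    and priority 0 routers are never eligible. Returns (dr_name, bdr_name)."""
    eligible = sorted((r for r in routers if r.priority > 0),
                      key=lambda r: (r.priority, _rid(r)), reverse=True)
    if not eligible:
        return None, None
    bdr = eligible[1].name if len(eligible) > 1 else None
    return eligible[0].name, bdr

def adjacencies(routers):
    """On a broadcast network a router reaches FULL state only with the DR and BDR."""
    dr, bdr = elect(routers)
    pairs = set()
    for r in routers:
        for leader in (dr, bdr):
            if leader and r.name != leader:
                pairs.add(tuple(sorted((r.name, leader))))
    return pairs

def spokes_misconfigured(routers, hub_names):
    """Spokes must keep 'ospf dr-priority 0'; a non-zero spoke could otherwise be elected."""
    return [r.name for r in routers if r.name not in hub_names and r.priority != 0]

# Constructed from the slide: Hub-1 dr-priority 255 and Spoke-2 dr-priority 0 are on the page;
# Hub-2 = 254, Spoke-1 = 0 and the router IDs (taken from LAN addresses) are assumptions.
DVPN_SEGMENT = [
    TunnelOspf("Hub-1", "192.168.1.1", 255),
    TunnelOspf("Hub-2", "192.168.2.1", 254),
    TunnelOspf("Spoke-1", "172.16.1.1", 0),
    TunnelOspf("Spoke-2", "172.16.2.1", 0),
]
```

With these values the hubs become DR and BDR and every spoke peers only with the hubs, so spoke-to-spoke tunnels carry data without needing OSPF adjacency between spokes.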
Hub and spoke BGP fragments (hubs in AS 100, Branch Network 1 in AS 200, Branch Network 2 in AS 300):

Hub-2 (AS 100):
 peer branch1 route-policy aaa export
 peer branch2 route-policy bbb export
ospf 1
 import-route bgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255

Spoke-2 (AS 300; Spoke-1 has similar configurations):
bgp 300
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 network 172.16.2.0 255.255.255.0

Note: in order to accelerate BGP convergence, BFD can be used (See Note 2).

[Figure: same topology as above; Hub-1 G5/0/1 122.200.0.1 and Hub-2 G5/0/1 120.200.0.1 on the IP Network; Spoke-1 (G7/1 40.1.1.1, Tunnel 1 10.0.6.1/16, G7/0 172.16.1.1/24) in AS 200 and Spoke-2 (G0/1 40.2.1.1, Tunnel 1 10.0.8.1/16, G0/0 172.16.2.1/24) in AS 300]
DVPN Hub-Spoke Implementation - iBGP

Hub (AS 100; Data Center Network 192.168.11.1):
bgp 100
 preference 255 140 130
 reflector cluster-id 100
 peer 10.0.1.2 as-number 100
 network 192.168.11.0 255.255.255.0
 group branch1 internal
 peer branch1 reflect-client
 peer 10.0.6.1 group branch1
 peer branch1 route-policy aaa export
 group branch2 internal
 peer branch2 reflect-client
 peer 10.0.8.1 group branch2
 peer branch2 route-policy bbb export
ospf 1
 import-route bgp allow-ibgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
route-policy aaa permit node 0
 apply ip-address next-hop 10.0.1.1
route-policy bbb permit node 0
 apply ip-address next-hop 10.0.1.2

Spoke-2 (AS 100):
bgp 100
 peer 10.0.1.1 as-number 100
 peer 10.0.1.2 as-number 100
 peer 10.0.1.1 route-policy aaa import
 peer 10.0.1.2 route-policy bbb import
 network 172.16.2.0 255.255.255.0

For load balance, the route-policies aaa, bbb and eee have different definitions on different Hubs (See Note 1).
Note: in order to accelerate BGP convergence, BFD can be used (See Note 2).

[Figure: Data Center Network 192.168.11.1; Hub-1 and Hub-2 (Tunnel 1 10.0.1.1/16 and 10.0.1.2/16, G0/0/1 192.168.1.1 and 192.168.2.1, G5/0/1 122.200.0.1 and 120.200.0.1); IP Network; Spoke-1 (G7/1 40.1.1.1, Tunnel 1 10.0.6.1/16, G7/0 172.16.1.1/24) and Spoke-2 (G0/1 40.2.1.1, Tunnel 1 10.0.8.1/16, G0/0 172.16.2.1/24); all routers in AS 100; Branch Networks]
DVPN Hub-Spoke Implementation - iBGP

Spoke-1 (AS 100, branch traffic in a VPN instance):
ip vpn-instance branch
 route-distinguisher 100:101
interface GigabitEthernet7/0
 ip binding vpn-instance branch
 ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet7/1
 ip address 40.1.1.1 255.255.255.0
ospf 1 vpn-instance branch
 default-route-advertise
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
bgp 100
 ipv4-family vpn-instance branch
  peer 10.0.1.1 as-number 100
  peer 10.0.1.2 as-number 100
  network 172.16.1.0 255.255.255.0
interface Tunnel1
 ip binding vpn-instance branch
 ip address 10.0.6.1 255.255.0.0
 tunnel-protocol dvpn udp
 source GigabitEthernet7/1
 ipsec profile vamp
 VAM client dvpn1spoke1
ip route-static 0.0.0.0 0.0.0.0 40.1.1.2

Hub (AS 100; Data Center Network 192.168.11.1):
bgp 100
 network 192.168.11.0 255.255.255.0
 group branch1 internal
 peer 10.0.6.1 group branch1
 peer branch1 update-no-advertise (1)
 peer branch1 default-route-advertise route-policy aaa
 group branch2 internal
 peer 10.0.8.1 group branch2
 peer branch2 update-no-advertise
 peer branch2 default-route-advertise route-policy bbb
ospf 1
 import-route bgp allow-ibgp route-policy eee
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255

[Figure: same AS 100 topology as on the previous page: Hub-1 and Hub-2, IP Network, Spoke-1 (Tunnel 1 10.0.6.1/16) and Spoke-2 (Tunnel 1 10.0.8.1/16), Branch Networks 172.16.1.1/24 and 172.16.2.1/24]
DVPN Through MPLS Network

[Figure: Server in the Central Network, PE routers, Branch 1 and Branch 2]
DVPN Deployment Using 3G as Backup Link

[Figure: Central Network with VAM Server, Hub-1 and Hub-2; IP Public Network; Spoke-1 and Spoke-2, each with a Cable interface and a 3G interface]
• On each Hub, two DVPN tunnels are bound to the same public interface but belong to different DVPN domains, so the DVPN tunnels have to use UDP encapsulation.
• Two default routes are configured: one uses the cable interface as the output interface, the other specifies the 3G interface as the output interface. The former has higher priority, so normally the spoke uses the cable interface to access the public network.

[Figure from the multicast slide: DVPN Spoke Routers at the Branches, Multicast Traffic, DVPN Data Forwarding Tunnel; caption fragment: "... tunnels to improve multicast forwarding performance"]
HP DVPN Scalability

[Table (values not recovered): Hub (VAM client) | Minimum software version | DVPN Tunnels | OSPF neighbors | BGP peers]

[Figure legend: DVPN Spoke Router, Branch, DVPN Tunnel between Branches, DVPN Tunnel between HQ and Branch]
Router Configuration for RADIUS

# configure RADIUS scheme
radius scheme radsun
 server-type extended
 primary authentication 10.10.10.221
 primary accounting 192.168.100.200
# configure share-key to correspond to AAA server
 key authentication simple expert
 key accounting simple expert
 user-name-format without-domain
# specify radius-scheme for dvpn authentication, accounting
domain dmdvpn
 authentication dvpn radius-scheme radsun
 authorization dvpn radius-scheme radsun //necessary
 accounting dvpn radius-scheme radsun
# specify the default domain
domain default enable dmdvpn
# username/password for authentication
user dvpn1hub1 password simple dvpn1hub1

1. Access Device
2. Service Configuration
3. Adding Account
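A check for the weaknesses visible in the VAM server configuration earlier (slide 15) and in the RADIUS scheme above: keys entered with "simple" (stored in plaintext), the 3-character pre-shared key, a domain without the authorization line the slides mark as necessary, and a DVPN tunnel with no ipsec profile (Note 2 on slide 13). This Python auditor and its sample configuration are added here and are not part of the HP material; the 16-character minimum key length is an assumed policy.

```python
import re

# Constructed sample assembled from the VAM server and RADIUS slides (values as shown there).
SAMPLE_CONFIG = """\
radius scheme radsun
 key authentication simple expert
 key accounting simple expert
domain dmdvpn
 authentication dvpn radius-scheme radsun
 accounting dvpn radius-scheme radsun
VAM server vpn 1
 server enable
 pre-shared-key simple 123
interface Tunnel1
 tunnel-protocol dvpn udp
 source GigabitEthernet5/0/1
user dvpn1hub1 password simple dvpn1hub1
"""
def parse_blocks(text):
    """Group Comware-style config into (header, [sub-commands]) using leading indentation."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and '#' comment lines
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks
KEY_RE = re.compile(r"(pre-shared-key|key authentication|key accounting)\s+simple\s+(\S+)")
def audit(text, min_key_len=16):
    """Return (severity, block header, message) findings; min_key_len is an assumed policy."""
    findings = []
    for header, subs in parse_blocks(text):
        for cmd in subs:
            m = KEY_RE.match(cmd)
            if m:
                findings.append(("high", header, m.group(1) + " is stored as plaintext ('simple')"))
                if len(m.group(2)) < min_key_len:
                    findings.append(("high", header, "%s is only %d characters" % (m.group(1), len(m.group(2)))))
        if header.startswith("domain ") and not header.startswith("domain default"):
            if not any(c.startswith("authorization dvpn") for c in subs):
                findings.append(("high", header, "authorization dvpn radius-scheme missing (necessary)"))
        if header.startswith("interface Tunnel") and any(c.startswith("tunnel-protocol dvpn") for c in subs):
            if not any(c.startswith("ipsec profile") for c in subs):
                findings.append(("medium", header, "DVPN tunnel has no ipsec profile (see Note 2)"))
        if re.match(r"user \S+ password simple", header):
            findings.append(("high", header, "local user password stored in plaintext"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports nine findings; a configuration that uses cipher-form keys of adequate length, includes the authorization line and binds an ipsec profile to the tunnel reports none.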
Key requirements:
1. Must support IPsec and dynamic tunneling
2. Must support OSPF in full-mesh
3. Must scale to ~25 branch sites
4. Use MPLS transport
Other Details
1. Using 6602's for all "spoke" sites
2. Using 6604 for 4 hubs
3. Dual DVPN domains
EMEA Corpnet: 200k to date with another 60k this FY and approximately 200k FY13.

[Figure: HUB Routers (main, backup) and VAM Servers (main, backup) behind the MPLS Network; DVPN Control Tunnels (2) and DVPN Data Tunnels (2) to each DVPN Spoke over a Main link and a Backup link; legend: DVPN Data Tunnel, DVPN Control Tunnel]
Major Global Financial Services Client
$760K FOB through FY14; 2000-3000 routers
Project Description:
Demonstrate DVPN capabilities for ~2000-3000 remote Retail sites. BGP is used over the DVPN. MSR20-12's will be used.
Key requirements:
1. Must use BGP over DVPN
2. Must support 500 remote sites per hub given configuration templates provided
3. Use Internet broadband transport
Timeline:
1. Prod Pilot roll out has begun on ClientNet in US
2. Head ends are up, spokes will be brought online in the coming months.
3. After successful testing, both projects will be signed by client.
Government agency in Brazil
$360K list
Project Description:
DVPN support for ~250 remote sites. MSR5040 used as hub/VAM server. Connect to Telefonica IP/MPLS backbone.
1 x MSR-5040 with SNDE encryption card
240 x MSR-2040
2040 – 10/100 or V.35 to the Telefonica's IP/MPLS Backbone
5040 – 2xGE to the Telefonica's IP/MPLS Backbone

Project Description:
DVPN capabilities for ~800 remote sites. 6604, MSR30-20, MSR50-40 used in this deployment.
800 x MSR-30-20
4 x 6604
2 x MSR50-40
Key requirements:
1. IPsec support and performance
2. Value (features and price)
3. Single OS (ComWare)
4. Firewall capabilities
5. Product homologated with Telefonica
6. DVPN was the key, Cisco had GetVPN in the old network
Top DVPN Opportunities
Key requirements:
1. Each branch requires dual SP connections with HQ
2. Cost effectively support 14,000 locations
3. Spoke to spoke is not a requirement
4. All encryption and equipment must be owned by bank (kept internal)
Timeline:
1. Initial stages - SA is collecting additional information from client and positioning

[Figure: HUB Routers (main, backup) and VAM Servers (main, backup) behind the MPLS Network; DVPN Control Tunnels (2) and DVPN Data Tunnels (2) to each DVPN Spoke and its Branch over a Main link and a Backup link; legend: DVPN Data Tunnel, DVPN Control Tunnel]

Summary