Basic Concepts

Figure 1 shows the typical network architecture of the DSVPN solution. An enterprise connects the Hub to Spokes in different geographical locations through the public network. The Hub uses a static public address, and Spokes use dynamic public addresses.

Figure 1 Typical enterprise networking

In the figure, the public network address is treated as a Non-Broadcast Multiple Access (NBMA) address, and the tunnel address is treated as a protocol address.

DSVPN Node

A DSVPN node is a device on which DSVPN is deployed. It can be a Spoke or a Hub.
  • Spoke

    A Spoke is the network gateway of a branch. Generally, a Spoke uses a dynamic public network address.

  • Hub

    A Hub is the gateway in the headquarters and receives registration packets from Spokes. On a DSVPN network, the Hub can use a fixed public network address or a domain name.

mGRE, mGRE Tunnel Interface, and mGRE Tunnel

mGRE is a point-to-multipoint GRE technology developed based on GRE. It extends traditional P2P tunnel interfaces to P2MP mGRE tunnel interfaces. One tunnel interface can be used to establish tunnels with multiple remote devices by changing the interface type. Therefore, only one tunnel interface needs to be configured on the Hub or Spoke, reducing the GRE tunnel configuration workload.

The mGRE tunnel interface has the following attributes:
  • Source tunnel address: the source address of a GRE-encapsulated packet, that is, the public network address of one end in Figure 1.
  • Destination tunnel address: the destination address of a GRE-encapsulated packet, that is, the public network address of the other end in Figure 1. This address is obtained through NHRP, unlike the manually specified destination address of a GRE tunnel interface.
  • Tunnel interface IP address: the tunnel address in Figure 1. Like the IP address of a physical interface, a tunnel interface IP address is used for communication between devices, for example, to obtain routing information.
  • The destination IP address of a GRE tunnel interface is manually specified. In contrast, the destination IP address of an mGRE tunnel interface is dynamically obtained by NHRP. A single mGRE tunnel interface can establish multiple GRE tunnels with different GRE peers.
  • mGRE tunnel interfaces do not support keepalive detection of the GRE interface.

NHRP

NHRP allows the source Spoke to obtain the dynamic public IP address of the destination Spoke on a non-broadcast multiple access (NBMA) network over which a DSVPN is deployed. When a Spoke accesses an NBMA network, it uses the outbound interface's public IP address to send an NHRP Registration request to the Hub. The Hub creates or updates its NHRP peer entry for the Spoke node based on the received request. The Spokes create and update NHRP peer entries by exchanging NHRP Resolution Request and Reply messages with each other.

Hub-Spoke Tunnel

A Hub-Spoke tunnel is established between a Spoke and the Hub. Figure 1 shows an example Hub-Spoke tunnel. Similarly, other Spokes also establish Hub-Spoke tunnels with the Hub.

On a DSVPN, Spoke information is not configured on the Hub. The Hub's public IP address and tunnel address are manually specified on the Spokes. When a Spoke accesses an NBMA network, it sends an NHRP Registration request to the Hub and notifies the Hub of its outbound interface's public IP address. After receiving the request, the Hub updates the local NHRP peer entry for the Spoke.

Spoke-Spoke Tunnel

Spoke-Spoke tunnels are established between Spokes. Figure 1 shows an example Spoke-Spoke tunnel.

After the source Spoke finds the destination Spoke's next hop in the routing table, it sends an NHRP Resolution request to obtain the destination Spoke's public IP address if the public IP address corresponding to the next hop cannot be found in the local NHRP peer table. Then the Spokes dynamically establish a VPN tunnel with each other through mGRE tunnel interfaces. In this manner, the source Spoke and destination Spoke can exchange data. If no traffic is forwarded through a Spoke-Spoke tunnel within a certain period, the tunnel is automatically dismantled.
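The following is an added example, not part of the original documentation: a minimal Python model of the NHRP peer tables described in the NHRP, Hub-Spoke Tunnel, and Spoke-Spoke Tunnel sections above, covering registration, resolution on a peer-table miss, and idle teardown. The class and method names, the 120-second idle timeout, and the Hub relaying the Resolution request to the destination Spoke are assumptions of this model.

```python
IDLE_TIMEOUT = 120  # seconds; constructed value, the page says only "a certain period"

class Node:
    def __init__(self, name, tunnel_ip, nbma_ip):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.peers = {}  # NHRP peer table: tunnel (protocol) address -> entry

    def learn(self, tunnel_ip, nbma_ip, now, static=False):
        """Create or update the NHRP peer entry for tunnel_ip."""
        self.peers[tunnel_ip] = {"nbma": nbma_ip, "last_used": now, "static": static}

class Hub(Node):
    def __init__(self, name, tunnel_ip, nbma_ip):
        super().__init__(name, tunnel_ip, nbma_ip)
        self.registered = {}  # tunnel address -> Spoke object (stands in for the network)

    def on_registration(self, spoke, now):
        # The Registration request carries the Spoke's current public address.
        self.learn(spoke.tunnel_ip, spoke.nbma_ip, now)
        self.registered[spoke.tunnel_ip] = spoke

    def relay_resolution(self, src, dst_tunnel_ip, now):
        """Assumed relay: pass the Resolution request to a registered Spoke."""
        dst = self.registered.get(dst_tunnel_ip)
        if dst is None:
            return None  # destination never registered, nothing to resolve
        dst.learn(src.tunnel_ip, src.nbma_ip, now)  # destination learns the requester
        return dst.nbma_ip  # carried back in the Resolution reply

class Spoke(Node):
    def register(self, hub, now):
        self.hub = hub
        self.learn(hub.tunnel_ip, hub.nbma_ip, now, static=True)  # manually configured
        hub.on_registration(self, now)

    def expire_idle(self, now):
        """Drop Spoke-Spoke entries with no traffic for IDLE_TIMEOUT seconds."""
        for ip, e in list(self.peers.items()):
            if not e["static"] and now - e["last_used"] >= IDLE_TIMEOUT:
                del self.peers[ip]

    def nbma_for(self, next_hop, now):
        """Outer GRE destination for a packet routed to next_hop, or None."""
        self.expire_idle(now)
        if next_hop not in self.peers:
            nbma = self.hub.relay_resolution(self, next_hop, now)
            if nbma is None:
                return None
            self.learn(next_hop, nbma, now)
        self.peers[next_hop]["last_used"] = now
        return self.peers[next_hop]["nbma"]
```

A Spoke whose public address changes calls `register` again, which overwrites the Hub's entry; other Spokes pick up the new address on their next resolution after the old entry has aged out.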

Copyright © Huawei Technologies Co., Ltd.