DSVPN Fundamentals
Dynamic Smart VPN (DSVPN) allows VPNs to be established between branches in the following scenarios: non-shortcut scenarios on small- or medium-sized networks and shortcut scenarios on large-scale networks.
Route deployment varies according to different scenarios:
Non-shortcut scenario: route learning between branches
In a non-shortcut scenario, there are only a few branches on a small- or medium-sized network, and the branches learn routes from each other, so the next-hop address of a route from a source Spoke to a destination Spoke subnet is the tunnel address of the destination Spoke. This deployment applies to small- or medium-sized networks: the number of routes dynamically learned between branches is small, so the Hub and Spoke nodes do not need high performance.
Shortcut scenario: saving routes summarized to the HQ
In a shortcut scenario, there are a large number of branches on a large-scale network, and the branches save only routes summarized to the HQ (Hub node), so the next-hop address of a route from a source Spoke to a destination Spoke subnet is the tunnel address of the Hub node. If non-shortcut route learning were used on a large-scale network, the Spoke nodes (branches) would have to store network-wide routes and consume large amounts of CPU and memory to compute dynamic routes, which requires large routing tables and high-performance Spoke nodes. To remove this limitation, DSVPN is enhanced to support route learning in shortcut mode.
DSVPN Principles in Non-Shortcut Scenarios
Route Deployment
In a non-shortcut scenario, Spoke nodes establish tunnels with each other for direct communication. The next-hop address of a route from a source Spoke to a destination Spoke subnet is the tunnel address of the destination Spoke. Spoke nodes can learn routes from each other in the following ways:
- Static routes are configured on branches.
  Static routes to destination branch subnets are configured on the source branch, and the next hops of the routes are the tunnel addresses of the destination branches.
- Routes are dynamically learned between branches.
  DSVPN supports OSPF and BGP, both of which can implement route learning between branch subnets and between a branch subnet and the HQ subnet. A routing protocol is configured on both the Hub node and the Spoke nodes to implement dynamic route learning.
Branches learn routes from each other, and each Spoke node stores routes to all branch subnets.
Principles
DSVPN uses Next Hop Resolution Protocol (NHRP) to dynamically obtain a peer's public IP address. In non-shortcut scenarios, DSVPN working principles are as follows.
Figure 1 DSVPN principles in non-shortcut scenarios
On the network shown in Figure 1:
- The network administrator manually specifies a public IP address or tunnel address for the Hub node. All Spoke nodes on the network send registration requests to the Hub node.
- The Hub node generates NHRP peer entries based on the received requests and sends NHRP Registration Reply messages to the Spoke nodes.
- The Spoke nodes learn subnet routes from each other either by static route configuration or a dynamic routing protocol. The next hops of the routes are the tunnel addresses of the peer Spoke nodes.
- When the source Spoke node forwards a data packet, it looks up the public IP address corresponding to the packet's next hop (the tunnel address of the destination Spoke node).
- If no public IP address is known for the tunnel address of the destination Spoke, the source Spoke node constructs an NHRP Resolution Request message to request it.
- After the NHRP Resolution Request message arrives at the Hub node, the Hub node sends the message to the destination Spoke node.
- The destination Spoke receives the NHRP Resolution Request message and sends an NHRP Resolution Reply message to the source Spoke.
- Then the source Spoke can directly communicate with the destination Spoke.
DSVPN Principles in Shortcut Scenarios
Route Deployment
In a shortcut scenario, the next-hop address of a route from a source Spoke to a destination Spoke subnet is the tunnel address of the Hub node. The branches are deployed to store only routes summarized to the HQ so that traffic to all destination branches is sent to the Hub node. Spoke nodes can learn routes in the following ways:
- Static routes are configured on branches.
  Static routes to destination branch subnets are configured on the source branch, and the next hop of the routes is the tunnel address of the Hub node.
- Branches dynamically learn routes destined for the HQ.
  DSVPN supports OSPF and BGP. Route summarization is configured on the Hub node, and either OSPF or BGP is configured on the Spoke nodes so that the Spoke nodes store only routes summarized to the Hub node. In this manner, traffic to all destination branches is sent to the Hub node. If different routing protocols are used, the Hub and Spoke nodes must be configured separately.
In shortcut mode, the default traffic egress is the Hub node. The branches do not learn routes from each other. The Hub node aggregates the branch routes and then advertises the summarized routes. Additionally, the Hub node forwards NHRP Resolution Request messages to the destination Spoke nodes. Upon receipt, the destination Spoke nodes parse and respond to the requests.
Principles
DSVPN uses NHRP to dynamically obtain a peer's public IP address. In shortcut scenarios, DSVPN working principles are as follows.
Figure 2 DSVPN principles in shortcut scenarios
On the network shown in Figure 2:
- The network administrator manually specifies a public IP address or tunnel address for the Hub node. All Spoke nodes on the network send registration requests to the Hub node.
- The Hub node generates NHRP peer entries based on the received requests and sends NHRP Registration Reply messages to the Spoke nodes.
- The Spoke nodes learn routes either by static route configuration or a dynamic routing protocol and store only routes summarized to the Hub node.
- When the source Spoke forwards a data packet, it searches for the public IP address corresponding to the packet next hop, encapsulates the data packet, and then sends the packet to the next hop. (The next hop here is the Hub node.)
- After the data packet reaches the Hub node, the Hub node sends the packet to the destination Spoke and sends an NHRP Redirect message to the source Spoke as well.
- Upon receipt, the source Spoke sends an NHRP Resolution Request message to the destination Spoke.
- After the NHRP Resolution Request message arrives at the Hub node, the Hub node forwards it to the destination Spoke.
- The destination Spoke receives the NHRP Resolution Request message and sends an NHRP Resolution Reply message to the source Spoke.
- Then the source Spoke can directly communicate with the destination Spoke.
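The two NHRP exchanges above (non-shortcut: source Spoke resolves the destination tunnel address before its first packet; shortcut: first packet goes via the Hub, which answers with an NHRP Redirect) as an added simulation, not code from the original documentation or from any DSVPN implementation. All addresses are constructed sample values; the Hub here only resolves tunnel addresses that have registered, which is the check a defender would want to see, since an unregistered tunnel address should not be resolvable to a public IP.

```python
from dataclasses import dataclass, field

@dataclass
class Spoke:
    name: str
    tunnel: str       # tunnel address (constructed sample value)
    public: str       # public IP address (constructed sample value)
    shortcut: bool    # shortcut mode: Spoke holds only the route to the Hub
    peers: dict = field(default_factory=dict)  # NHRP cache: tunnel -> public

class Hub:
    def __init__(self, tunnel, public):
        self.tunnel, self.public = tunnel, public
        self.peers = {}   # NHRP peer entries built from Spoke registrations
        self.log = []     # human-readable trace of NHRP messages

    def register(self, spoke):
        # Spoke sends a Registration Request; Hub records the peer entry and replies.
        self.peers[spoke.tunnel] = spoke
        spoke.peers[self.tunnel] = self.public
        self.log.append(f"Registration Reply -> {spoke.name}")

    def resolve(self, src, dst_tunnel):
        # Resolution Request from src for dst_tunnel, relayed by the Hub.
        dst = self.peers.get(dst_tunnel)
        if dst is None:   # unregistered tunnel address: do not resolve it
            self.log.append(f"drop Resolution Request from {src.name} for {dst_tunnel}")
            return False
        self.log.append(f"forward Resolution Request {src.name} -> {dst.name}")
        src.peers[dst.tunnel] = dst.public   # dst answers src with a Resolution Reply
        self.log.append(f"Resolution Reply {dst.name} -> {src.name}")
        return True

def forward(hub, src, dst):
    """Deliver one data packet from src to dst and report how it travelled."""
    if src.shortcut:
        # Route next hop is the Hub; once the NHRP cache holds dst, go direct.
        if dst.tunnel in src.peers:
            return "direct"
        hub.log.append(f"data {src.name} -> Hub -> {dst.name}; Redirect -> {src.name}")
        hub.resolve(src, dst.tunnel)   # Redirect triggers the Resolution Request
        return "via-hub"
    # Non-shortcut: route next hop is the destination Spoke's tunnel address,
    # so the public IP must be resolved before the first packet can be sent.
    if dst.tunnel not in src.peers and not hub.resolve(src, dst.tunnel):
        return "dropped"
    return "direct"
```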