
This document discusses Dynamic Multipoint IPsec VPNs (DMVPN) and why a company might want to design or migrate their network to make use of this new IPsec VPN solution in Cisco IOS® Software.

Background Information

Companies may need to interconnect many sites to a main site, and perhaps also to each other, across the Internet while encrypting the traffic to protect it. For example, a set of retail stores that need to connect to the company headquarters for inventory and ordering may also need to connect to other stores within the company to check out product availability. In the past, the only way to make the connection was to use a Layer-2 network such as ISDN or Frame Relay to interconnect everything. Setting up and paying for these hard-wired links for internal IP traffic can be time consuming and costly. If all of the sites (including the main site) already have relatively cheap Internet access, then this Internet access can also be used for internal IP communication between the stores and headquarters by using IPsec tunnels to ensure privacy and data integrity.

In order for companies to build large IPsec networks interconnecting their sites across the Internet, you need to be able to scale the IPsec network. IPsec encrypts traffic between two endpoints (peers), and the encryption is done by the two endpoints using a shared "secret". Since this secret is shared only between these two endpoints, encrypted networks are inherently a collection of point-to-point links. Because of this, IPsec is intrinsically a point-to-point tunnel network. The most feasible method to scale a large point-to-point network is to organize it into a hub-and-spoke or full (partial) mesh network. In most networks, the majority of the IP traffic is between the spokes and the hub, and very little is between the spokes, so the hub-and-spoke design is often the best choice. This design also matches with older Frame Relay networks since it was prohibitively expensive to pay for links between all sites in these networks. When using the Internet as the interconnection between the hub and spokes, the spokes also have direct access to each other with no additional cost, but it has been very difficult, if not impossible, to set up and/or manage a full (partial) mesh network. Full or partial mesh networks are often desirable because there can be a cost savings if spoke-to-spoke traffic can go directly through rather than via the hub. Spoke-to-spoke traffic traversing the hub uses hub resources and can incur extra delays, especially when using IPsec encryption, since the hub will need to decrypt the incoming packets from the sending spokes and then re-encrypt the traffic to send it to the receiving spoke. Another example where direct spoke-to-spoke traffic would be useful is the case where two spokes are in the same city and the hub is across the country.

As IPsec hub-and-spoke networks were deployed and grew in size, it became more desirable to have them route IP packets as dynamically as possible. In the older Frame Relay hub-and-spoke networks this was accomplished by running a dynamic routing protocol like OSPF or EIGRP over the Frame Relay links. This was useful for dynamically advertising the reachability of spoke networks and also to support redundancy in the IP routing network. If the network lost a hub router, a backup hub router could automatically take over to retain network connectivity to the spoke networks. There is a fundamental problem with IPsec tunnels and dynamic routing protocols. Dynamic routing protocols rely on using IP multicast or broadcast packets, but IPsec does not support encrypting multicast or broadcast packets. The current method for solving this problem is to use generic routing encapsulation (GRE) tunnels in combination with IPsec encryption. GRE tunnels do support transporting IP multicast and broadcast packets to the other end of the GRE tunnel. The GRE tunnel packet is an IP unicast packet, so the GRE packet can be encrypted using IPsec.
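The GRE-over-IPsec point made above (a GRE tunnel turns a multicast routing-protocol packet into a unicast IP packet that an IPsec peer can then protect) as an added Python example, not code from the document or from Cisco: it builds and parses the encapsulation using constructed tunnel endpoint addresses and a constructed EIGRP hello, so the outer (unicast) and inner (multicast) destinations can be compared directly.

```python
import struct
import ipaddress

# Constructed sample values (not from the document): public tunnel endpoints.
HUB_PUBLIC = "192.0.2.1"
SPOKE_PUBLIC = "198.51.100.7"
IPPROTO_GRE, IPPROTO_EIGRP, ETHERTYPE_IPV4 = 47, 88, 0x0800

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_ip_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IP packet in a plain GRE header (RFC 2784, no options) and a unicast outer IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type = IPv4
    payload = gre + inner_ip_packet
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload

def describe_gre(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE and report what the IPsec peer sees versus what is carried inside."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    gre_flags, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if gre_flags & 0xB000:  # C, K or S bit set: optional GRE fields present, not handled here
        raise ValueError("GRE optional fields are not supported in this example")
    inner = packet[ihl + 4:]
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    return {"outer_dst": str(outer_dst), "outer_dst_is_multicast": outer_dst.is_multicast,
            "gre_protocol": gre_proto, "inner_dst": str(inner_dst),
            "inner_dst_is_multicast": inner_dst.is_multicast, "inner_proto": inner[9]}

# Constructed inner packet: an EIGRP hello a spoke sends to the all-EIGRP-routers group 224.0.0.10.
EIGRP_HELLO = ipv4_header("10.0.0.2", "224.0.0.10", IPPROTO_EIGRP, 4) + b"\x02\x05\x00\x00"
TUNNELED = gre_encapsulate(EIGRP_HELLO, SPOKE_PUBLIC, HUB_PUBLIC)
```

`describe_gre(TUNNELED)` shows the outer destination is the unicast hub address while the inner destination is still the multicast group, which is exactly why an IPsec policy between the two tunnel endpoints can encrypt it.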
