3Com 3031 Installation Instructions
65 DYNAMIC VPN
This chapter tells you the following:
■ Introduction to VPN and Dynamic VPN
■ How To Configure Dynamic VPNs
■ Typical Example of DVPN Configuration
Introduction to VPN and Dynamic VPN
In current VPN (virtual private network) networking solutions, Layer-3 VPNs are often
built in GRE (generic routing encapsulation) tunneling mode or in MPLS (multi-protocol
label switching)/BGP (border gateway protocol) VPN mode. The latter is often used in
the backbone forwarding layer, while the former is used in the access layer. The existing
GRE tunneling solution has these disadvantages:
■ Complicated networking and configuration. Conventionally, a point-to-point
tunneling solution is used. If N nodes need to be interconnected in VPN mode,
then N × (N - 1)/2 links should be set up in the network.
■ Poor maintainability and scalability. If you want to add nodes or modify the
configurations of some nodes in a finished VPN network, you must also
modify the configurations of the other nodes to account for the newly added ones.
The maintenance cost is high.
■ Failure to traverse NAT (network address translation) gateways. In conventional GRE
tunneling mode, if NAPT (network address port translation) gateways work as
egress, one private IP address must correspond to one public IP address, which
may consume an enormous number of public IP addresses. So GRE tunneling is unsuited
to NAT gateways.
■ Unsuited to dynamic IP addresses. Conventional GRE tunneling is based on fixed IP
addresses, so it cannot set up a VPN for dialup subscribers.
Dynamic VPN (DVPN) provides an NBMA (non-broadcast multiple access) tunneling
mechanism, and its client/server structure can effectively solve the
above-mentioned defects of conventional VPN. When multiple access devices in
different private networks are connected into one VPN through the backbone
network, NBMA links can be set up between tunnels in the same VPN, and one
device can have multiple tunnels for different VPNs. So one device supports
multiple VPNs. Characteristics of DVPN:
■ It supports both GRE tunneling and UDP tunneling, so it can traverse a NAPT
gateway. This solves the problems that arise when private IP addresses are connected
to the VPN network through a NAPT gateway or other kinds of routers.
■ It uses dynamic IP addresses to build VPNs. To build tunnels within a VPN in this
mode, you only need to specify the IP address of the server, regardless of the IP
addresses of the clients. It is applicable to general dialup and xDSL dialup
applications, which are based on dynamic IP addresses.