Deep Dive
Technical Training Presentation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
HP Auto Discovery VPN (ADVPN) solution technical deep dive
Value proposition
Design guidelines
Features
Configurations
Specifications
Value proposition
HP Auto Discovery VPN (ADVPN) provides a solution
(figure only)
Introducing HP Auto Discovery VPN (ADVPN)
HP ADVPN advantages
Design guidelines
Where to use HP ADVPN solution?
HP ADVPN overview
Enables enterprise branches that use dynamic public addresses to establish a VPN network.
Building blocks shown on the slide:
• VAM protocol: VAM server, VAM client
• Tunnels: VAM control tunnel (UDP); ADVPN data tunnel (UDP or GRE encapsulation, IPsec protection)
• Roles: hub, spoke
• Grouping: ADVPN domain, hub-group
HP ADVPN solution components
• VAM servers: VPN Address Management (VAM) server(s), placed at the HQ/data center
• VAM clients: hub and spoke routers
• AAA server (optional)
• HP IMC (optional)
• ADVPN domain: in the figure, ADVPN Domain 1 contains a backbone hub-group (Hub-Group 1, Hub 1 to Hub 4) and the non-backbone Hub-Group 2 and Hub-Group 3, with Spoke 1 to Spoke 5 attached across the IP network
• Tunnel types: hub-hub ADVPN tunnel, hub-spoke ADVPN tunnel, spoke-spoke ADVPN tunnel
HP ADVPN solution component details
• HP ADVPN includes 3 roles: hub, spoke, and VAM server. The hub and spoke routers are the VAM clients.
• VAM (VPN Address Management) is the main protocol used by HP ADVPN. The VAM protocol uses a client/server model.
• VAM server(s) collect, maintain and distribute public and private addresses for each spoke and hub router. The VAM server can also be used to authenticate spoke/hub routers before providing the information necessary to join ADVPN domains.
• The hub acts as the exchange center for routing information, and is the forwarding center in the hub and spoke model. Its public IP address can be static or dynamic.
• Every VAM client registers its public and private IP address with the VAM server. When a VAM client needs to forward traffic to another private network, it requests the peer's address information from the VAM server.
(figure: VAM server, hub and central private network, with branch spokes connected across the IP network)
HP ADVPN tunnel establishment
Components in the figure: AAA server and primary/secondary hubs at the HQ/data center, primary and secondary VAM servers, and spokes at the branches, all connected across the IP network.
1. Initialization (ADVPN VAM control tunnel)
2. Device authentication (against the AAA server), then registration with the VAM server
3. Data tunnel establishment
HP ADVPN packet format
(figure only)
HP ADVPN data forwarding tunnels
• Hub-hub tunnel: full mesh between hubs, permanent
(figure: primary and secondary hubs at the HQ/data center with the AAA server/IMC, spokes at the branches across the IP network)
HP ADVPN encapsulation methods
UDP encapsulation
• Packet layout: Outer IP header | UDP header | ADVPN header | Original payload
• When ADVPN packets need to traverse a NAT gateway without IPsec protection, UDP encapsulation is required: the UDP ports give the NAT device something to translate and track, which a GRE packet (IP protocol 47, no ports) does not carry
GRE encapsulation
• Packet layout: Outer IP header | GRE header | Original payload
• When traffic between the branch network and the central network is encapsulated by MPLS, GRE encapsulation is required
(figure: primary and secondary hubs at the HQ/data center with the AAA server/IMC, spokes at the branches across the IP network)
HP ADVPN packet forwarding process
(figure only: VAM server and Spoke 1 to Spoke 8 in ADVPN Domain 1)
Why use hub-groups?
With HP DVPN, when the number of spokes exceeds the routing protocol's limit on neighbors, more DVPN domains need to be created.
Defects of splitting into DVPN domains:
• Traffic between DVPN domains is not protected by a DVPN session
• Spokes belonging to different domains cannot establish direct tunnels
(figure: DVPN Domain 1 and DVPN Domain 2, each with its own hubs (Hub 1 to Hub 4) and spokes (Spoke 1 to Spoke 8); legend: hub-spoke DVPN session, hub-hub DVPN session, spoke-spoke session between domains, traffic protected by DVPN, traffic not protected by DVPN)
The advantages of HP ADVPN hub-groups
When the number of spokes in one hub-group exceeds the routing protocol's limit on neighbors, a new hub-group is added instead of a new domain.
Advantages:
• Inter-group communications between spokes belonging to different groups are protected by the ADVPN tunnel
• Spokes belonging to different hub-groups can establish a direct tunnel as a shortcut, which improves the user experience for latency-sensitive applications such as VoIP
(figure: ADVPN Domain 1 with Hub-group 1 (Hub 1 to Hub 4), Hub-group 2 and Hub-group 3, and Spoke 1 to Spoke 8; legend: hub-spoke ADVPN session, hub-hub ADVPN session, spoke-spoke session between hub-groups, traffic protected by ADVPN)
HP ADVPN hub-group structure
An ADVPN domain contains multiple hub-groups
• Each hub-group has one or more hubs and spokes
All hubs must belong to the backbone hub-group
• This hub-group forms the full-mesh backbone area
Spokes must belong to non-backbone hub-groups
• Each non-backbone hub-group includes at least one hub and uses either the full-mesh or the hub-spoke topology
(figure: HP ADVPN Domain 1 with the backbone Hub-group 1 (Hub 1, Hub 2), Hub-group 2 and Hub-group 3, Spoke 1 and Spoke 2, and the VAM servers)
HP ADVPN classify hub-groups on VAM server
Two or more hubs can work together for load balancing in one group. Spokes are divided into different hub-groups according to private-address range or network.
VAM server configuration for the figure: hub-group 1 is the backbone and holds all four hubs; hub-group 2 serves Spoke 1 to Spoke 4 through Hub 1 and Hub 2; hub-group 3 serves Spoke 5 to Spoke 8 through Hub 3 and Hub 4. HUB1 to HUB4 stand for the hubs' private addresses, and each spoke range is given as the first and last private address of the range:

vam server advpn-domain 1 id 888
 hub-group 1
  hub private-address HUB1
  hub private-address HUB2
  hub private-address HUB3
  hub private-address HUB4
 hub-group 2
  hub private-address HUB1
  hub private-address HUB2
  spoke private-address range SPOKE1 SPOKE4
 hub-group 3
  hub private-address HUB3
  hub private-address HUB4
  spoke private-address range SPOKE5 SPOKE8
Establish direct spoke-spoke tunnel between hub-groups
Direct tunnels can reduce the pressure on hubs during inter-group communications, and also improve the user experience for latency-sensitive applications such as VoIP.
Display output on hub1 showing the ACL that defines the inter-group traffic of interest (IP traffic between the 192.168.36.0/24 and 192.168.38.0/24 spoke networks):

Client name : hub1
ADVPN domain name: test
Client type : Hub
ACL rules :1
Rule 0: Permit
Protocol : 0 (IP)
Source : Address 192.168.36.0-192.168.36.255
Destination: Address 192.168.38.0-192.168.38.255
Summary Count : 1

(figure: HUB-GROUP1 with HUB1 and HUB2, HUB-GROUP2 with Spoke 1 and HUB-GROUP3 with Spoke 5, connected across the IP network)

ADVPN domains for multi-tenant deployments
Used to implement a multi-tenant scenario
• Spokes cannot access each other across ADVPN domains
• Create domains that span the spokes that need to communicate with each other
(figure: HP ADVPN Domain 1 with Spoke 1 to Spoke 4, HP ADVPN Domain 2 with Spoke 1 to Spoke 4, and HP ADVPN Domain 3 spanning spokes of both)
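The hub-group structure, the VAM server's classification of spokes by private-address range, and the domain boundary for direct spoke-spoke tunnels above are easy to get wrong when a deployment grows. The following is an added example, not HP code and not Comware syntax: a small Python model of a VAM server that validates a hub-group layout against the rules stated on the preceding slides, classifies a registering spoke into its hub-group, and decides whether two spokes may build a direct shortcut (same domain required, different hub-groups allowed). All addresses, domain ids and group names are constructed for the example, and the VAM wire protocol itself is not modelled.

```python
"""Toy model of how a VAM server classifies ADVPN clients into hub-groups.

Added example, not HP code. Rules encoded: every hub is in the backbone
hub-group; spokes live only in non-backbone hub-groups chosen by private
address range; each non-backbone hub-group has at least one hub taken from
the backbone; a spoke-spoke shortcut may cross hub-groups but never domains.
Addresses, domain ids and group names are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class HubGroup:
    name: str
    hubs: list                                         # hubs' private addresses
    spoke_ranges: list = field(default_factory=list)   # (first, last) spoke addresses
    backbone: bool = False

    def holds_spoke(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in self.spoke_ranges)


@dataclass(frozen=True)
class Registration:
    domain_id: int
    private_addr: str
    hub_group: str
    hubs: tuple      # hubs the spoke must build hub-spoke tunnels to


class AdvpnDomain:
    def __init__(self, domain_id: int, groups: list):
        self.domain_id = domain_id
        self.groups = groups
        self.validate()

    def validate(self) -> None:
        """Reject layouts that break the structural rules of a hub-group domain."""
        backbone = [g for g in self.groups if g.backbone]
        if len(backbone) != 1:
            raise ValueError("exactly one backbone hub-group is required")
        if backbone[0].spoke_ranges:
            raise ValueError("spokes must not belong to the backbone hub-group")
        backbone_hubs = set(backbone[0].hubs)
        seen = []   # (first, last, group name) for overlap detection
        for g in self.groups:
            if g.backbone:
                continue
            if not g.hubs:
                raise ValueError(f"hub-group {g.name} has no hub")
            missing = set(g.hubs) - backbone_hubs
            if missing:
                raise ValueError(f"hubs {sorted(missing)} of hub-group {g.name} "
                                 "are not in the backbone hub-group")
            for lo, hi in g.spoke_ranges:
                lo_a, hi_a = ip_address(lo), ip_address(hi)
                for olo, ohi, oname in seen:
                    if lo_a <= ohi and olo <= hi_a:   # intersecting ranges: ambiguous
                        raise ValueError(f"spoke range of {g.name} overlaps hub-group {oname}")
                seen.append((lo_a, hi_a, g.name))

    def classify_spoke(self, private_addr: str) -> tuple:
        """Return (hub-group name, hubs) for a registering spoke's private address."""
        for g in self.groups:
            if not g.backbone and g.holds_spoke(private_addr):
                return g.name, tuple(g.hubs)
        raise LookupError(f"{private_addr} is in no spoke range of domain {self.domain_id}")


class VamServer:
    """Registration view of one VAM server that serves several ADVPN domains."""

    def __init__(self, domains: list):
        self.domains = {d.domain_id: d for d in domains}

    def register_spoke(self, domain_id: int, private_addr: str) -> Registration:
        group, hubs = self.domains[domain_id].classify_spoke(private_addr)
        return Registration(domain_id, private_addr, group, hubs)

    @staticmethod
    def shortcut_allowed(a: Registration, b: Registration) -> bool:
        """Direct spoke-spoke tunnel: same domain required, hub-group may differ."""
        return a.domain_id == b.domain_id


def example_server() -> VamServer:
    """Constructed layout after the slide: hub-group 1 is the backbone with four
    hubs; hub-group 2 (Hub 1, Hub 2) serves spokes 10.0.1.1-4 and hub-group 3
    (Hub 3, Hub 4) serves spokes 10.0.1.5-8; domain 2 is a separate tenant."""
    hubs = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    domain1 = AdvpnDomain(1, [
        HubGroup("1", hubs, backbone=True),
        HubGroup("2", hubs[:2], [("10.0.1.1", "10.0.1.4")]),
        HubGroup("3", hubs[2:], [("10.0.1.5", "10.0.1.8")]),
    ])
    domain2 = AdvpnDomain(2, [
        HubGroup("1", ["10.1.0.1"], backbone=True),
        HubGroup("2", ["10.1.0.1"], [("10.1.1.0", "10.1.1.255")]),
    ])
    return VamServer([domain1, domain2])


if __name__ == "__main__":
    srv = example_server()
    s2 = srv.register_spoke(1, "10.0.1.2")   # hub-group 2, hubs 10.0.0.1 and 10.0.0.2
    s7 = srv.register_spoke(1, "10.0.1.7")   # hub-group 3, hubs 10.0.0.3 and 10.0.0.4
    t9 = srv.register_spoke(2, "10.1.1.9")   # tenant domain 2
    print(s2, s7, t9, sep="\n")
    print(VamServer.shortcut_allowed(s2, s7))   # True: same domain, different hub-groups
    print(VamServer.shortcut_allowed(s2, t9))   # False: different ADVPN domains
```

The overlap check matters operationally: if two non-backbone hub-groups claim the same private address, the spoke's hub list (and therefore which hubs it tunnels to) depends on configuration order rather than design, so the model rejects the layout rather than picking one.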
Routing protocols for HP ADVPN solution
Static Routing
• Applicable for small ADVPN hub-groups
Dynamic Routing
• RIP – for small size
• OSPF – for medium size
• BGP – for large size
HP ADVPN solution OSPF design
(figure only: AAA/IMC server at the HQ/data center, spokes)
HP ADVPN solution iBGP design
MSR4000 supports up to 3,000 branches per ADVPN hub-group using iBGP in a hub-spoke topology
• Method 1: the hub does not advertise routes among spokes, only a default route to each spoke; this implies a hub-and-spoke topology
• Method 2: a hub acts as the route reflector to exchange routes among spokes (up to 1,000 spokes for full mesh)
(figure: Hub 1 and Hub 2 at the HQ/data center with the AAA/IMC server, iBGP sessions to the spokes across the IP network)
HP ADVPN solution eBGP design
(figure only: AAA/IMC server at the HQ/data center)
Integration with other vendors' devices
• Other vendors cannot participate in an ADVPN domain
• They can connect to the ADVPN hub concurrently using standard protocols: GRE, L2TP, IPsec
(figure: the HQ/data center router acts as DVPN hub and as L2TP/GRE/IPsec access gateway, next to the AAA/IMC server and VAM server; HP ADVPN spokes and third-party GRE, L2TP and IPsec routers connect from the branches across the IP network)
Next generation of HP MSR Series modular chassis routers
HP MSR2000, MSR3000 and MSR4000 support HP ADVPN
• HP ADVPN is a Comware 7 feature
New architecture and enhanced performance
• Multi-core processor and PCIe bus
• All GE WAN/LAN on platform, SFP
• Comware v7
• Unified OS and single pane of glass management
• 1+1 and N+1 power supplies, hot swap
• Compatible with HP MSR SIC/MIM modules
• Upgradable service engine on HP MSR4000
Platforms
• HP MSR4000 Series (HP MSR4080): up to 8 HMIM slots, up to 36 Mpps
• HP MSR3000 Series (HP MSR3044): 2 or 4 SIC slots, up to 6 HMIM slots, up to 5 Mpps
• HP MSR2000 Series (HP MSR2003): 3 SIC slots, up to 1 Mpps
Features
HP ADVPN key features
High availability
VAM client dynamic IP addressing
NAT traversal
IPv6
QoS
Dynamic routing
Security
Multicast
Management with IMC and BIMS
HP ADVPN is compatible with HP DVPN
HP DVPN runs on HP Comware 5
HP ADVPN runs on HP Comware 7
• HP ADVPN on Comware 7 is compatible with HP DVPN on Comware 5
• In a hybrid system, the overall functionality is that of Comware 5
• A VAM server on Comware 7 is compatible with VAM clients on Comware 5
• VAM clients (hub and spoke) on Comware 7 are compatible with a VAM server on Comware 5
• VAM clients (hub and spoke) on Comware 7 are compatible with VAM clients (hub and spoke) on Comware 5
HP ADVPN solution high availability
VAM server redundancy
• Clients register with both VAM servers at the same time
Hub redundancy
• Spokes establish tunnels to both hubs
• Hubs dynamically establish tunnels between each other
Link redundancy
• Encryption is independent of the interface
• Standby or active secondary interfaces must be in a different DVPN domain
Fault detection
• VAM protocol switchover/recovery
• Routing protocol convergence
• BFD
(figure: primary and secondary hub routers and VAM servers at the HQ/data center with the AAA/IMC server; a branch spoke router with a primary link and a secondary link across the IP network)
HP ADVPN dynamic addressing
(figure: a branch spoke router obtains its public address dynamically, by DHCP or PPPoE over xDSL through a DSLAM, and builds the ADVPN VAM control tunnel and the ADVPN data forwarding tunnel toward the HQ/data center, where the AAA/IMC server sits)
HP ADVPN NAT traversal
(figure only: central network)
HP ADVPN key security features
Data plane
• Uses UDP encapsulation or GRE; allows configuration of IPsec with IKE
• Encryption algorithm: up to AES-256
• Authentication (integrity) algorithm: SHA-1
• Supports up to DH group 24, with Perfect Forward Secrecy (PFS)
Control plane (VAM protocol)
• Payload encryption algorithm: up to AES-256
• Payload authentication algorithm: SHA-1
VAM clients are authenticated to an AAA server inside the VAM tunnel
• Authentication method: pre-shared key and username/password
• Authentication protocol: PAP or CHAP with RADIUS
Two points a deployment should keep in view: SHA-1 is used here as an HMAC integrity algorithm, where the known collision attacks do not apply, but it is the only option listed, so plan the move to SHA-2 when the release offers it. PAP carries the password in cleartext at the protocol level, which is why it is acceptable only because it runs inside the encrypted VAM tunnel; the RADIUS leg from the VAM server to the AAA server is a separate hop and needs its own protection.
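The data-plane list above gives the strongest settings the platform supports, but a proposal is only as strong as its weakest member, and the slide does not say which combinations are acceptable. The following is an added example, not HP code and not Comware configuration syntax: a Python policy check that grades an IPsec/IKE proposal (encryption, integrity, DH group, PFS) against the algorithms the page lists and against the NIST SP 800-57 strength estimates, showing a legacy proposal beside the page's maximum and beside a recommended one. The proposal dicts and their values are constructed for the example; the one judgement that goes beyond the page is the verdict on DH groups 22 to 24, the RFC 5114 subgroup groups, which RFC 8247 lists as SHOULD NOT for IKEv2 even though group 24 has the same 2048-bit modulus as group 14.

```python
"""Policy check for the IPsec/IKE proposal protecting the ADVPN data plane.

Added example, not HP code and not Comware syntax: proposals are plain dicts
with constructed values so the check runs anywhere. Thresholds follow the
page's list (AES up to 256, SHA-1 integrity, DH groups up to 24, PFS), the
NIST SP 800-57 strength estimates, and RFC 8247 for the RFC 5114 DH groups.
"""
from dataclasses import dataclass

# Symmetric-cipher security strength in bits (NIST SP 800-57 Part 1).
ENCRYPTION_BITS = {"des": 56, "3des": 112, "aes-128": 128, "aes-192": 192, "aes-256": 256}
# IKE DH groups and their modulus size; 22-24 are the RFC 5114 MODP groups
# with a prime-order subgroup (group 24 = 2048-bit MODP, 256-bit subgroup).
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
                   22: 1024, 23: 2048, 24: 2048}
RFC5114_GROUPS = {22, 23, 24}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    severity: str     # "high", "medium" or "low"
    item: str         # proposal field the finding is about
    message: str


def check_proposal(p: dict) -> list:
    """Return the findings for a proposal {encryption, integrity, dh_group, pfs}."""
    findings = []
    enc = p["encryption"]
    if enc not in ENCRYPTION_BITS:
        raise ValueError(f"unknown encryption algorithm {enc!r}")
    if ENCRYPTION_BITS[enc] < 112:
        findings.append(Finding("high", "encryption",
                                f"{enc} gives only {ENCRYPTION_BITS[enc]}-bit strength; use AES"))
    elif enc == "3des":
        findings.append(Finding("medium", "encryption",
                                "3DES has a 64-bit block, exposing long-lived SAs to "
                                "birthday-bound attacks; use AES"))
    integ = p["integrity"]
    if integ not in INTEGRITY:
        raise ValueError(f"unknown integrity algorithm {integ!r}")
    if integ == "md5":
        findings.append(Finding("high", "integrity", "HMAC-MD5 is deprecated; use SHA-1 or SHA-2"))
    elif integ == "sha1":
        findings.append(Finding("low", "integrity",
                                "HMAC-SHA1 is still acceptable (collisions do not apply to HMAC), "
                                "but move to SHA-2 once the platform offers it"))
    grp = p["dh_group"]
    if grp not in DH_MODULUS_BITS:
        raise ValueError(f"unknown DH group {grp!r}")
    if DH_MODULUS_BITS[grp] < 2048:
        findings.append(Finding("high", "dh_group",
                                f"DH group {grp} ({DH_MODULUS_BITS[grp]}-bit) is below 112-bit "
                                "strength; use group 14 or larger"))
    elif grp in RFC5114_GROUPS:
        findings.append(Finding("medium", "dh_group",
                                f"DH group {grp} is an RFC 5114 subgroup group that RFC 8247 "
                                "lists as SHOULD NOT; group 14 gives the same modulus size"))
    if not p.get("pfs", False):
        findings.append(Finding("medium", "pfs",
                                "without PFS a recovered IKE SA key exposes every child SA "
                                "derived from it; enable PFS"))
    return findings


def worst_severity(findings: list) -> str:
    """'none' when the proposal passes, else the highest severity found."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def weak_proposal() -> dict:
    """Constructed legacy proposal that every check should reject."""
    return {"encryption": "des", "integrity": "md5", "dh_group": 2, "pfs": False}


def page_maximum_proposal() -> dict:
    """The strongest settings the page lists for the ADVPN data plane."""
    return {"encryption": "aes-256", "integrity": "sha1", "dh_group": 24, "pfs": True}


def recommended_proposal() -> dict:
    """Same strength, but group 14 in place of 24; SHA-1 stays because it is the
    only integrity algorithm the page lists for this release."""
    return {"encryption": "aes-256", "integrity": "sha1", "dh_group": 14, "pfs": True}


if __name__ == "__main__":
    for name, prop in (("weak", weak_proposal()), ("page maximum", page_maximum_proposal()),
                       ("recommended", recommended_proposal())):
        findings = check_proposal(prop)
        print(f"{name}: worst={worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.item}: {f.message}")
```

Run it before accepting a peer's proposal list: the legacy set comes back "high" on three of four fields, the page's maximum passes with one low (SHA-1) and one medium (group 24), and the recommended set leaves only the SHA-1 note, which the platform cannot remove on this release.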
HP ADVPN IPv6 support
(figure only: AAA server/IMC at the HQ/data center, IPv6, spokes across the IP network)
HP ADVPN and multicast traffic
HP ADVPN supports multicast
Rules for routing protocol packets:
• The hub sends the multicast packets to all the spokes in the same group
• The spoke sends the multicast packets to all the hubs in the same group
Rules for data packets:
• The hub sends the multicast packets to all the spokes in the same group
• The spoke only sends the multicast packets through its first spoke-hub session
(figure: multicast server behind the HP ADVPN hub router at the HQ/data center, with the VAM server and AAA/IMC server; multicast traffic flows over the DVPN data forwarding tunnels to the HP ADVPN spoke routers at the branches)
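The four rules above are asymmetric in a way that is easy to miss: a spoke replicates routing-protocol multicast to every hub of its group (each hub needs the adjacency), but sends multicast data through one session only, so a data packet is not delivered twice via redundant hubs. The following is an added example, not HP code: a Python next-hop selector that applies the page's rules to a constructed session table, including a hub that serves two hub-groups and a spoke that also has a spoke-spoke shortcut session (which, by the rules, never carries multicast). One modelling assumption, labelled in the code, is that a client's sessions are kept in establishment order, so "first spoke-hub session" is the first hub entry in the list.

```python
"""Next-hop selection for multicast inside an ADVPN hub-group, following the
forwarding rules the page lists. Added example, not HP code; the session table
is constructed. Assumption: a client's sessions are kept in the order they
were established, so "first spoke-hub session" is the first hub entry.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    peer: str
    peer_role: str   # "hub" or "spoke"
    group: str       # hub-group the session serves (hub-hub sessions: "backbone")


@dataclass
class Node:
    name: str
    role: str        # "hub" or "spoke"
    sessions: list = field(default_factory=list)   # establishment order (assumption)


def multicast_next_hops(node: Node, packet_kind: str, group: str) -> list:
    """Peers that receive a multicast packet `node` sends within `group`.
    packet_kind is "routing" for routing-protocol packets or "data"."""
    if packet_kind not in ("routing", "data"):
        raise ValueError(f"unknown packet kind {packet_kind!r}")
    in_group = [s for s in node.sessions if s.group == group]
    if node.role == "hub":
        # Both kinds: a hub replicates to every spoke of the group. Hub-hub
        # (backbone) sessions and other groups' spokes are never chosen.
        return [s.peer for s in in_group if s.peer_role == "spoke"]
    hubs = [s.peer for s in in_group if s.peer_role == "hub"]
    if packet_kind == "routing":
        return hubs            # routing packets go to every hub of the group
    return hubs[:1]            # data packets: first spoke-hub session only


def copies_per_hub(spoke: Node, group: str) -> dict:
    """How many hubs of `group` receive one multicast packet from `spoke`,
    by packet kind: routing packets reach every hub, data packets exactly one."""
    return {kind: len(multicast_next_hops(spoke, kind, group))
            for kind in ("routing", "data")}


def example_nodes() -> dict:
    """Constructed hub-group 2 with two hubs and three spokes; hub1 also serves
    hub-group 3, and spoke1 has a spoke-spoke shortcut session to spoke2."""
    hub1 = Node("hub1", "hub", [
        Session("hub2", "hub", "backbone"),
        Session("spoke1", "spoke", "2"), Session("spoke2", "spoke", "2"),
        Session("spoke3", "spoke", "2"), Session("spoke9", "spoke", "3"),
    ])
    spoke1 = Node("spoke1", "spoke", [
        Session("hub1", "hub", "2"), Session("hub2", "hub", "2"),
        Session("spoke2", "spoke", "2"),
    ])
    return {"hub1": hub1, "spoke1": spoke1}


if __name__ == "__main__":
    nodes = example_nodes()
    print(multicast_next_hops(nodes["hub1"], "data", "2"))       # spoke1, spoke2, spoke3
    print(multicast_next_hops(nodes["hub1"], "routing", "3"))    # spoke9 only
    print(multicast_next_hops(nodes["spoke1"], "routing", "2"))  # hub1, hub2
    print(multicast_next_hops(nodes["spoke1"], "data", "2"))     # hub1 only; shortcut unused
    print(copies_per_hub(nodes["spoke1"], "2"))                  # routing 2, data 1
```

The practical consequence for monitoring: if a branch's multicast data stops while its routing adjacencies to both hubs stay up, look at the spoke's first hub session specifically, because that is the only path the data rule uses.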
HP ADVPN management with IMC BIMS
(figure only: AAA server/IMC at the HQ/data center, branches)
Configurations
HP ADVPN hub and VAM server combination
• In a relatively small deployment, the ADVPN hub and the ADVPN VAM server can be combined on the same router
(figure: combined HP ADVPN hub/VAM server router at the HQ/data center with the AAA/IMC server; HP ADVPN spoke routers at the branches across the IP network, with DVPN tunnels between branches)
Local user authentication
• If no AAA server is available, local authentication can be configured on the VAM server
• Helps reduce investment
• Pay attention to the maximum number of local users
(figure: VAM server at the HQ/data center; HP ADVPN spoke routers at the branches across the IP network, with DVPN tunnels between branches)
Redundant hubs, VAM servers and links
• Standby or active secondary interfaces must be in a different DVPN domain
(figure: primary and secondary hub routers and VAM servers at the HQ/data center; a branch HP ADVPN spoke router with a primary link and a secondary link across the IP network; legend: DVPN VAM control tunnel, DVPN data forwarding tunnel)
HP ADVPN through MPLS network
• On the hubs and spokes, DVPN is deployed; the private routes are exchanged by the routing protocol over the DVPN tunnel
• The private traffic should be forwarded through the DVPN tunnel and encrypted by IPsec, then forwarded via the MPLS VPN
• The PE MPLS network needs to provide reachability between hubs, spokes and VAM servers
• The backup path could also be 4G-LTE/3G over the ISP Internet, as opposed to wired
(figure: Spoke-1 and Spoke-2 as CEs attached to PEs of the SP's MPLS network; central network with the HP ADVPN hub router, the VAM server and a server behind a PE; a further PE toward the ISP Internet for the backup path)
Using HP ADVPN to create multiple VPNs
(figure only: AAA/IMC server at the HQ/data center)
Summary
HP Auto Discovery VPN (ADVPN) solution
Thank you