
ADVPN Technical Deep Dive
Technical Training Presentation

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
HP Auto Discovery VPN (ADVPN) solution technical deep dive

Value proposition
Design guidelines
Features
Configurations
Specifications

Value proposition

HP Auto Discovery VPN (ADVPN) provides a solution

ADVPN = IPsec tunnels + Address management + Automatic tunnel setup

• ADVPN tunnel setup
• Reduced configuration complexity
• Multiple transport options
• Provides security across tunnels

Introducing HP Auto Discovery VPN (ADVPN)

HP ADVPN is an enhancement to the original HP Dynamic VPN (DVPN) solution
• ADVPN is supported in HP Comware v7
• ADVPN is compatible with HP DVPN
• Supports large scale networks
• Multi-domain
• Single or many hub-groups within a domain
• Load balancing at hubs
• Supports NAT traversal
• IPv6 support in ADVPN network

HP ADVPN advantages

Considerably easier to configure and deploy than conventional VPN solutions
Managed deployment through IMC BIMS
Supports UDP encapsulation for NAT traversal
Native routing protocol support in the tunnel
Can be used over any IP network (MPLS, Internet, 4G-LTE/3G)

Design guidelines

Where to use HP ADVPN solution?

Where Payment Card Industry (PCI) requirements exist
• Examples: bank ATM networks and retail stores
Customers want lower cost connectivity for remote sites
• Examples: enterprise branch offices
Customers are moving away from MPLS-based VPNs to an open WAN
Customers want lower cost backup connectivity for the MPLS WAN
Where data traffic over private networks must be encrypted

HP ADVPN overview

Enables enterprise branches that use dynamic public addresses to establish a VPN network

(Diagram labels: VAM server, VAM client, VAM protocol, VAM control UDP tunnel, ADVPN data GRE tunnel, IPsec, Hub, Spoke, Domain, Hub-group)
HP ADVPN solution components

• VAM servers
• Hub
• Spoke
• AAA server (optional)
• HP IMC (optional)

Tunnel types: hub-hub ADVPN tunnel, hub-spoke ADVPN tunnel, spoke-spoke ADVPN tunnel

(Diagram: ADVPN Domain 1 with the backbone Hub-Group 1 (Hub 1 to Hub 4), Hub-Group 2 and Hub-Group 3, Spoke 1 to Spoke 5; VPN Address Management (VAM) servers and the AAA Server/IMC at the HQ/Data Center, all connected across the IP network)
HP ADVPN solution component details

HP ADVPN includes 3 roles: hub, spoke, and VAM server. The hub and spoke routers are the VAM clients.

VAM (VPN Address Management) is the main protocol used by HP ADVPN. The VAM protocol uses a client/server model.

VAM server(s) collect, maintain and distribute public and private addresses for each spoke and hub router. The VAM server can also be used to authenticate spoke/hub routers before providing the information necessary to join ADVPN domains.

The hub acts as the exchange center for routing information, and is the forwarding center in the hub and spoke model. Its public IP address can be static or dynamic.

A spoke acts as the gateway of a branch network. Its public address can be static or dynamic.

Every VAM client registers its public and private IP address with the VAM server. When a VAM client needs to forward traffic to another private network, it requests the peer's public IP address from the VAM server by the peer's private address, which should be the next hop to the destination. Once it receives the information, a connection is initiated.

(Diagram: VAM server and hub in front of the central private network; Spoke 1 to Spoke n, each in front of a branch private network, reaching the hub across the IP network over DVPN tunnels)
HP ADVPN VAM (VPN Address Management) protocol

Public address
• Used to establish the ADVPN tunnel and the IPsec tunnel
Private address
• Address of the ADVPN tunnel interface
• The next hop for the private network
Private network
• Used to establish direct tunnels

Example spoke: public address 202.115.3.1, private address 10.200.18.1, branch private network 192.168.37.0/24

(Diagram: primary and secondary hubs and primary and secondary VAM servers at the HQ/Data Center with the AAA Server/IMC; spokes and branches connected across the IP network)
HP ADVPN tunnel establishment

1. Initialization
2. Device authentication, then registration
3. Data tunnel establishment

(Diagram: ADVPN VAM control tunnels from the spokes and hubs to the primary and secondary VAM servers; ADVPN data forwarding tunnels (IPsec) between spokes and the primary and secondary hubs; AAA Server at the HQ/Data Center; branches behind each spoke)
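The control-plane steps on the two slides above (authenticate, register public/private addresses, resolve a peer by its private next hop) modelled as a small VAM server. This is an added example, not HP's code or the VAM wire format: the pre-shared key, the user table, the message layout and every address are constructed for illustration, and a real deployment authenticates against the AAA/RADIUS server rather than a local dictionary.

```python
"""Toy VAM server: authenticate a client, register its addresses, resolve peers."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Registration:
    name: str       # client name, e.g. "spoke1" (constructed)
    role: str       # "hub" or "spoke"
    public: str     # public address: used to build the ADVPN/IPsec tunnel
    private: str    # private address: tunnel-interface address, next hop for private networks

    def payload(self) -> bytes:
        """Canonical bytes the client authenticates with the domain key (assumed layout)."""
        return "|".join((self.name, self.role, self.public, self.private)).encode()


def sign(psk: bytes, reg: Registration) -> bytes:
    """Client side: keyed MAC over the registration (stand-in for VAM payload authentication)."""
    return hmac.new(psk, reg.payload(), hashlib.sha256).digest()


class VamServer:
    """Keeps the private -> public mapping for one ADVPN domain."""

    def __init__(self, domain: str, psk: bytes, users: dict):
        self.domain = domain
        self.psk = psk
        # username -> sha256(password): constructed stand-in for the AAA user store
        self.users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.registry = {}          # private address -> Registration

    def _authenticate(self, reg, username, password, mac) -> bool:
        # Step 2a: the message needs a valid MAC under the domain PSK *and* valid
        # credentials; both comparisons are constant-time.
        mac_ok = hmac.compare_digest(mac, sign(self.psk, reg))
        pw_ok = hmac.compare_digest(
            self.users.get(username, b""), hashlib.sha256(password.encode()).digest())
        return mac_ok and pw_ok

    def register(self, reg, username, password, mac) -> bool:
        """Step 2b: store the client's addresses only after it authenticated."""
        if not self._authenticate(reg, username, password, mac):
            return False
        ip_address(reg.public)      # raises ValueError on a malformed address
        ip_address(reg.private)
        self.registry[reg.private] = reg
        return True

    def resolve(self, private_next_hop: str):
        """Before step 3 a client asks for the peer's public address by the private
        address its FIB returned as next hop; None means 'unknown peer'."""
        reg = self.registry.get(private_next_hop)
        return None if reg is None else reg.public

    def peers(self, role: str):
        """Hubs need the registered spokes (and vice versa) to build the permanent tunnels."""
        return sorted(r.name for r in self.registry.values() if r.role == role)
```

A registration signed with the wrong domain key, or with wrong credentials, is rejected and cannot overwrite an existing mapping, which is the property that keeps a rogue client from redirecting another client's tunnel traffic.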
HP ADVPN packet format

Outer IP header | UDP/GRE header | Original IP header | Payload
HP ADVPN data forwarding tunnels

• Hub-hub tunnel – full mesh between hubs, permanent
• Hub-spoke tunnel – P2MP, permanent
• Spoke-spoke tunnel – triggered by spoke-spoke traffic, temporary

(Diagram: primary and secondary hubs at the HQ/Data Center with the AAA Server/IMC, two spokes with their branches, all connected across the IP network)
HP ADVPN encapsulation methods

When ADVPN packets need to traverse a NAT gateway without IPsec protection, UDP encapsulation is required.
UDP encapsulation: Outer IP header | UDP header | ADVPN header | Original payload

When traffic between the branch network and the central network is encapsulated by MPLS, GRE encapsulation is required.
GRE encapsulation: Outer IP header | GRE header | Original payload

(Diagram: primary and secondary hubs at the HQ/Data Center with the AAA Server/IMC, two spokes with their branches, connected across the IP network)
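The two layouts above (packet format slide and encapsulation slide) built and parsed in code. This is an added example and not HP's implementation: the UDP port, the 4-byte ADVPN header layout and the inner packet are assumptions made for illustration; the outer IPv4 header, UDP header and RFC 2784 GRE header are standard. The parser rejects a damaged outer header, a wrong port, a bad length or GRE optional fields, which is what a tunnel endpoint must do before it trusts the inner packet.

```python
"""Build and parse ADVPN-style UDP and GRE tunnel packets (added example)."""
import socket
import struct

TUNNEL_UDP_PORT = 18000                     # assumption: illustrative tunnel port
GRE_PROTO = 47                              # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800                     # GRE protocol type for an IPv4 payload
ADVPN_HDR = struct.pack("!BBH", 1, 0, 0)    # assumption: version=1, type=0 (data), reserved


def _checksum(data: bytes) -> int:
    """Internet checksum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """The 'original IP header + payload' arriving from the branch LAN (protocol 253 = experimental)."""
    return ipv4_header(src, dst, 253, len(payload)) + payload


def encapsulate_udp(inner: bytes, local_public: str, peer_public: str) -> bytes:
    """UDP mode: required when the packet must cross a NAT gateway without IPsec."""
    body = ADVPN_HDR + inner
    udp = struct.pack("!HHHH", TUNNEL_UDP_PORT, TUNNEL_UDP_PORT, 8 + len(body), 0)  # csum 0 = none
    return ipv4_header(local_public, peer_public, 17, 8 + len(body)) + udp + body


def encapsulate_gre(inner: bytes, local_public: str, peer_public: str) -> bytes:
    """GRE mode: used when branch-to-center traffic is carried by MPLS."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)     # no C/K/S optional fields, version 0
    return ipv4_header(local_public, peer_public, GRE_PROTO, 4 + len(inner)) + gre + inner


def decapsulate(packet: bytes):
    """Return (mode, outer_src, outer_dst, inner); raise ValueError on anything malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet) or _checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    body = packet[ihl:total_len]
    if packet[9] == 17:
        if len(body) < 8 + len(ADVPN_HDR):
            raise ValueError("truncated UDP tunnel packet")
        _, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        if dport != TUNNEL_UDP_PORT or ulen != len(body) or body[8:12] != ADVPN_HDR:
            raise ValueError("not an ADVPN UDP tunnel packet")
        return "udp", src, dst, body[12:]
    if packet[9] == GRE_PROTO:
        if len(body) < 4:
            raise ValueError("truncated GRE packet")
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C/K/S bits set or non-IPv4 payload
            raise ValueError("unsupported GRE header")
        return "gre", src, dst, body[4:]
    raise ValueError("unknown encapsulation")


def is_malformed(packet: bytes) -> bool:
    try:
        decapsulate(packet)
        return False
    except ValueError:
        return True
```

Neither encapsulation protects the inner packet on its own; that is why the deck pairs the data tunnel with IPsec, and why UDP mode exists only for the NAT case where an IPsec-less ADVPN packet would otherwise not survive address translation.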
HP ADVPN packet forwarding process

Sending spoke:
1. The spoke receives a packet from the local LAN network and checks the FIB for the next hop, which should be the private address of a peer tunnel.
2. A lookup is performed for the peer's public address according to the private address. The packet is then encapsulated by DVPN with its local public address and the peer's public address.
3. The packet is then encrypted by IPsec.
4. A second FIB lookup is performed for the public next hop, and the encrypted packet is forwarded to the peer over the public network.

Receiving peer:
1. The peer router receives the encrypted packet from the public network.
2. The IPsec packet is decrypted.
3. The DVPN packet is decapsulated to get the original private packet.
4. A FIB lookup is performed and the packet is forwarded to the appropriate next hop.

(Diagram: VAM server, hub in front of the central private network, spoke in front of the branch private network, IP network between them)
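The sending and receiving pipelines above, simulated end to end with a longest-prefix-match FIB. This is an added example, not HP's forwarding code: the routes, the addresses, the VAM mapping and the text "DVPN header" are constructed, and the IPsec stage is a keyed-MAC stand-in that gives integrity only (real ESP also encrypts). It shows the two FIB lookups on the same table, the VAM lookup between them, and the receiver refusing a tampered packet before it decapsulates anything.

```python
"""Spoke-side forwarding: FIB (private) -> VAM -> encapsulate -> protect -> FIB (public)."""
import hashlib
import hmac
from ipaddress import ip_address, ip_network

TUNNEL_IFACE = "Tun0"
SA_KEY = b"constructed-sa-key"        # stand-in for the negotiated IPsec SA key


class Fib:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self):
        self.routes = []

    def add(self, prefix: str, next_hop: str, iface: str):
        self.routes.append((ip_network(prefix), next_hop, iface))

    def lookup(self, dst: str):
        addr = ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        if not hits:
            return None
        _, next_hop, iface = max(hits, key=lambda r: r[0].prefixlen)
        return next_hop, iface


def ipsec_protect(data: bytes) -> bytes:
    return data + hmac.new(SA_KEY, data, hashlib.sha256).digest()


def ipsec_unprotect(blob: bytes) -> bytes:
    data, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(SA_KEY, data, hashlib.sha256).digest()):
        raise ValueError("IPsec integrity check failed")
    return data


def dvpn_encapsulate(local_public: str, peer_public: str, original: bytes) -> bytes:
    # Simplified text stand-in for the outer IP + UDP/GRE headers.
    return f"DVPN {local_public}>{peer_public}\n".encode() + original


def dvpn_decapsulate(packet: bytes):
    header, _, original = packet.partition(b"\n")
    _, _, addrs = header.decode().partition(" ")
    src, _, dst = addrs.partition(">")
    return src, dst, original


def spoke_forward(fib: Fib, vam: dict, local_public: str, dst_ip: str, original: bytes):
    """Return (trace, wire_packet, egress). wire_packet is None when the packet is dropped;
    a packet that needs no tunnel is returned unchanged with its LAN egress interface."""
    trace = []
    hit = fib.lookup(dst_ip)                               # 1st FIB lookup: private next hop
    if hit is None:
        return trace + ["drop: no route"], None, None
    private_nh, iface = hit
    trace.append(f"fib {dst_ip} -> {private_nh} {iface}")
    if iface != TUNNEL_IFACE:
        return trace + ["forward natively"], original, iface
    peer_public = vam.get(private_nh)                      # VAM lookup: private -> public
    if peer_public is None:
        return trace + ["drop: VAM has no peer for next hop"], None, None
    trace.append(f"vam {private_nh} -> {peer_public}")
    wire = ipsec_protect(dvpn_encapsulate(local_public, peer_public, original))
    trace.append("dvpn encapsulate + ipsec protect")
    hit = fib.lookup(peer_public)                          # 2nd FIB lookup: public next hop
    if hit is None:
        return trace + ["drop: no route to peer public address"], None, None
    public_nh, egress = hit
    trace.append(f"fib {peer_public} -> {public_nh} {egress}")
    return trace, wire, egress


def integrity_ok(wire: bytes) -> bool:
    try:
        ipsec_unprotect(wire)
        return True
    except ValueError:
        return False


def peer_receive(fib: Fib, wire: bytes, inner_dst: str):
    """Receiving side: verify, decapsulate, then FIB lookup for the original destination."""
    src, dst, original = dvpn_decapsulate(ipsec_unprotect(wire))
    return src, dst, original, fib.lookup(inner_dst)
```

The order matters on the receiving side: integrity is checked before decapsulation, so a forged or corrupted tunnel packet never reaches the private FIB.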
HP ADVPN topologies

Design models:
• Hub-hub full-mesh
• Hub-spoke
• Spoke-spoke (full-mesh)

(Diagram: ADVPN Domain 1 with the backbone Hub-group 1 (Hub 1 to Hub 5), Hub-group 2 and Hub-group 3, Spoke 1 to Spoke 8)
Why use hub-groups?

When the number of spokes exceeds the routing protocol's neighbor limit, more DVPN domains need to be created.

Defect:
• Traffic between DVPN domains is not protected by a DVPN session.
• Spokes belonging to different domains cannot establish direct tunnels.

(Diagram: DVPN Domain 1 (Hub 1, Hub 2, Spoke 1 to Spoke 4) and DVPN Domain 2 (Hub 3, Hub 4, Spoke 5 to Spoke 8); hub-spoke and hub-hub DVPN sessions carry traffic protected by DVPN, while the spoke-spoke session between domains carries traffic not protected by DVPN)
The advantages of HP ADVPN hub-groups

When the number of spokes in one hub-group exceeds the routing protocol's neighbor limit, a new hub-group needs to be added.

Advantage:
• Inter-group communication between spokes belonging to different groups is protected by the ADVPN tunnel.
• Spokes belonging to different hub-groups can establish a direct tunnel as a shortcut. This improves the user experience for latency-sensitive applications such as VoIP.

(Diagram: ADVPN Domain 1 with Hub-group 1 (Hub 1 to Hub 4), Hub-group 2 and Hub-group 3, Spoke 1 to Spoke 7; hub-spoke, hub-hub and spoke-spoke ADVPN sessions between hub-groups all carry traffic protected by ADVPN)
HP ADVPN hub-group structure

An ADVPN domain contains multiple hub-groups
• Each hub-group has one or more hubs and spokes
All hubs must belong to the backbone hub-group
• This hub-group forms the full-mesh backbone area
Spokes must belong to non-backbone hub-groups
• Each non-backbone hub-group includes at least one hub and uses either the full-mesh or hub-spoke topology

(Diagram: HP ADVPN Domain 1 with the backbone Hub-group 1 (Hub 1, Hub 2), Hub-group 2 and Hub-group 3, Spoke 1 and Spoke 2, and the VAM servers)
HP ADVPN: classify hub-groups on the VAM server

More than two hubs can work together for load balancing in one group. Spokes are divided into different hub-groups according to private-address range or network. In the configuration below, HUB1 to HUB4 and spoke1 to spoke8 stand for the private addresses of the hubs and spokes.

  vam server advpn-domain 1 id 888
   hub-group 1
    hub private-address HUB1
    hub private-address HUB2
    hub private-address HUB3
    hub private-address HUB4
   hub-group 2
    hub private-address HUB1
    hub private-address HUB2
    spoke private-address range spoke1 spoke2 spoke3 spoke4
   hub-group 3
    hub private-address HUB3
    hub private-address HUB4
    spoke private-address range spoke5 spoke6 spoke7 spoke8

(Diagram: ADVPN Domain 1 with the backbone Hub-group 1 (Hub 1 to Hub 5), Hub-group 2 (Spoke 1 to Spoke 4) and Hub-group 3 (Spoke 5 to Spoke 8))
Establish direct spoke-spoke tunnel between hub-groups

Direct tunnels can reduce the pressure on hubs during inter-group communication, and also improve the user experience for latency-sensitive applications such as VoIP.

Hub output (shortcut interest ACL 3999 matching traffic from private network A to private network B):

  Client name : hub1
  ADVPN domain name: test
  Client type : Hub
  ACL rules : 1
   Rule 0: Permit
    Protocol : 0 (IP)
    Source : Address 192.168.36.0-192.168.36.255
    Destination: Address 192.168.38.0-192.168.38.255

FIB on the spoke serving private network A, with the shortcut route to network B via the peer spoke's tunnel address (the peer side adds the mirror route: ADD ROUTE 192.168.36.0/24 NEXTHOP 10.1.1.3):

  Summary Count : 1
  Destination/Mask    Proto   Pre  Cost  NextHop    Interface
  192.168.38.0/24     Static  8    0     10.1.2.3   Tun0

VAM server private network table:

  ADVPN domain name: test
  Total private networks: 2
  Network/Mask       Private address   Preference
  192.168.36.0/24    10.1.1.3          8
  192.168.38.0/24    10.1.2.3          8

(Diagram: ADVPN domain 1 with HUB-GROUP1 (HUB1, HUB2), SPOKE1 in HUB-GROUP2 and SPOKE2 in HUB-GROUP3, tunnel addresses 10.1.1.3 and 10.1.2.3, public addresses 202.115.3.1 and 202.115.7.1, private networks A (192.168.36.0/24) and B (192.168.38.0/24), packet A→B, VAM server)
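The hub-group classification from the VAM server configuration two slides up, together with the shortcut decision on this slide, worked through in code. This is an added example and not HP's implementation: the hub and spoke private addresses and the spoke address ranges are constructed stand-ins for HUB1..HUB4 and spoke1..spoke8, the ACL reproduces rule 0 from the slide, and the reading that the shortcut interest ACL gates direct tunnels between hub-groups (same-group spoke-spoke tunnels being triggered by traffic as usual) is an assumption made for the example.

```python
"""Hub-group membership by private address, and the spoke-spoke shortcut decision."""
from ipaddress import ip_address, ip_network


class HubGroups:
    """One ADVPN domain: group id -> hub private addresses and spoke address ranges."""

    def __init__(self, domain_id: int):
        self.domain_id = domain_id
        self.hubs = {}        # group -> set of hub private addresses ("hub private-address")
        self.ranges = {}      # group -> [(low, high)] ("spoke private-address range")

    def hub(self, group: int, private: str):
        self.hubs.setdefault(group, set()).add(ip_address(private))
        self.ranges.setdefault(group, [])

    def spoke_range(self, group: int, low: str, high: str):
        lo, hi = ip_address(low), ip_address(high)
        if hi < lo:
            raise ValueError("range end precedes start")
        self.hubs.setdefault(group, set())
        self.ranges.setdefault(group, []).append((lo, hi))

    def backbone(self):
        """The backbone group holds every hub and no spokes."""
        all_hubs = set().union(*self.hubs.values())
        for g, hubs in self.hubs.items():
            if hubs and hubs == all_hubs and not self.ranges.get(g):
                return g
        return None

    def group_of_spoke(self, private: str):
        addr = ip_address(private)
        for g, ranges in self.ranges.items():
            if any(lo <= addr <= hi for lo, hi in ranges):
                return g
        return None                       # not a spoke address (e.g. a hub)

    def hubs_for_spoke(self, private: str):
        g = self.group_of_spoke(private)
        return [] if g is None else sorted(str(h) for h in self.hubs.get(g, ()))


class ShortcutAcl:
    """Interest ACL: traffic permitted here may trigger a direct spoke-spoke tunnel."""

    def __init__(self, number: int):
        self.number = number
        self.rules = []       # (action, src_net, dst_net), first match wins

    def rule(self, action: str, src: str, dst: str):
        self.rules.append((action, ip_network(src), ip_network(dst)))

    def permits(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for action, sn, dn in self.rules:
            if s in sn and d in dn:
                return action == "permit"
        return False          # implicit deny: stay on the hub path


def choose_path(groups: HubGroups, acl: ShortcutAcl, local_spoke: str,
                peer_next_hop: str, src_ip: str, dst_ip: str):
    """How a packet src_ip -> dst_ip leaves local_spoke when its FIB says the private
    next hop is peer_next_hop. Returns (tunnel kind, tunnel peer private address)."""
    local_g = groups.group_of_spoke(local_spoke)
    peer_g = groups.group_of_spoke(peer_next_hop)
    if peer_g is None:
        return ("hub-spoke", peer_next_hop)            # next hop is a hub: permanent tunnel
    if local_g == peer_g:
        return ("spoke-spoke", peer_next_hop)          # same group: temporary direct tunnel
    if acl.permits(src_ip, dst_ip):
        return ("spoke-spoke shortcut", peer_next_hop) # inter-group shortcut permitted
    hubs = groups.hubs_for_spoke(local_spoke)
    return ("via-hub", hubs[0] if hubs else None)      # relay through the group's hub
```

Keeping the shortcut ACL narrow is the practical control here: only the flows listed in it bypass the hubs, so anything not explicitly permitted continues to pass through a hub where routing and policy are enforced.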
HP ADVPN hub load balancing

There can be more than 2 hubs in one domain
• Hubs support load balancing by distributing spokes across different groups

(Diagram: ADVPN Domain 1 with the backbone Hub-Group 1 (Hub 1 to Hub 4), Hub-Group 2 and Hub-Group 3, Spoke 1 to Spoke 5, VAM servers and the AAA Server/IMC at the HQ/Data Center, connected across the IP network)
HP ADVPN with multiple domains

Used to implement a multi-tenant scenario
• Spokes cannot access each other across ADVPN domains
• Create domains that span spokes that need to communicate with each other

(Diagram: two layouts of Hub 1 with Spoke 1 to Spoke 4 split across HP ADVPN Domain 1 and HP ADVPN Domain 2; the second layout adds HP ADVPN Domain 3 spanning spokes that need to communicate)
Routing protocols for HP ADVPN solution

Static Routing
• Applicable for small ADVPN hub-groups
Dynamic Routing
• RIP – for small size
• OSPF – for medium size
• BGP – for large size

HP ADVPN solution OSPF design

OSPF is suitable for a domain with fewer than 500 branches
• OSPF supports hub-spoke and full-mesh modes
• Each ADVPN hub-group must be in a single OSPF area

(Diagram: Hub 1 and Hub 2 in Area 0 at the HQ/Data Center with the AAA/IMC Server; ADVPN Hub-group 2 in Area 100 and ADVPN Hub-group 3 in Area 200; spokes for Branch 1, Branch 30 and Branch 60 across the IP network)
HP ADVPN solution iBGP design

MSR4000 supports up to 3,000 branches per ADVPN hub-group using iBGP in a hub-spoke topology
• Method 1: The hub does not advertise routes among spokes, only a default route to a spoke
  • Implies a hub and spoke topology
• Method 2: A hub acts as the route reflector to exchange routes among spokes (up to 1000 spokes for full-mesh)

(Diagram: Hub 1 and Hub 2 at the HQ/Data Center with the AAA/IMC Server, iBGP sessions to the spokes for Branch 1, Branch 30 and Branch 60 across the IP network)
HP ADVPN solution eBGP design

MSR4000 supports up to 3,000 branches per ADVPN hub-group using eBGP in a hub-spoke topology
• Default route method
• Hubs and spokes reside in separate ASs
• In hub-spoke mode, a hub enables the next-hop-local feature, then all spokes send packets destined for other spokes via the hub

(Diagram: Hub 1 and Hub 2 at the HQ/Data Center with the AAA/IMC Server, eBGP sessions to the spokes for Branch 1, Branch 30 and Branch 60 across the IP network)
Integration with other vendors' devices

Other vendors cannot participate in an ADVPN domain
• They can connect to the ADVPN hub concurrently using standard protocols
  • GRE
  • L2TP
  • IPsec

(Diagram: DVPN Hub/L2TP/GRE/IPsec Access Gateway Router, HP ADVPN VAM Server and AAA/IMC Server at the HQ/Data Center; an HP ADVPN spoke router and three other branches reached over the IP network through L2TP, GRE and IPsec tunnels from HQ to branch)
Next generation of HP MSR Series modular chassis routers

HP MSR2000, MSR3000 and MSR4000 support HP ADVPN
• HP ADVPN is a Comware 7 feature
New architecture and enhanced performance
• Multi-core processor and PCIe bus
• All GE WAN/LAN on platform, SFP
• Comware v7
• Unified OS and single pane of glass management
• 1+1 and N+1 power supplies, hot swap
• Compatible with HP MSR SIC/MIM modules
• Upgradable service engine on HP MSR4000

HP MSR4000 Series (HP MSR4080): up to 8 HMIM slots, up to 36 Mpps
HP MSR3000 Series (HP MSR3044): 2 or 4 SIC slots, up to 6 HMIM slots, up to 5 Mpps
HP MSR2000 Series (HP MSR2003): 3 SIC slots, up to 1 Mpps
Features

HP ADVPN key features

High availability
VAM client dynamic IP addressing
NAT traversal
IPv6
QoS
Dynamic routing
Security
Multicast
Management with IMC and BIMS

HP ADVPN is compatible with HP DVPN
HP DVPN runs on HP Comware 5
HP ADVPN runs on HP Comware 7
• HP ADVPN on Comware 7 is compatible with HP DVPN on Comware 5
• In a hybrid system, the overall functionality is that of Comware 5
• VAM server on Comware 7 is compatible with VAM clients on Comware 5
• VAM clients (hub and spoke) on Comware 7 are compatible with VAM server on Comware 5
• VAM clients (hub and spoke) on Comware 7 are compatible with VAM clients (hub and spoke) on Comware 5

HP ADVPN solution high availability

VAM Server Redundancy
• Clients register with both at the same time
Hub Redundancy
• Spokes establish tunnels to both hubs
• Hubs dynamically establish tunnels between each other
Link Redundancy
• Encryption independent of interface
• Standby or active secondary interfaces must be in a different DVPN domain
Fault Detection
• VAM protocol switchover/recovery
• Routing protocol convergence
• BFD

(Diagram: primary and secondary hub routers and primary and secondary VAM servers at the HQ/Data Center with the AAA/IMC Server; a spoke router with a primary link and a secondary link across the IP network to its branch)
HP ADVPN dynamic addressing

ADVPN clients can use DHCP or PPPoE to obtain a dynamic public IP address

(Diagram: a branch spoke router connected over xDSL to a DSLAM using DHCP or PPPoE; an ADVPN VAM control tunnel to the primary and secondary VAM servers and an ADVPN data forwarding tunnel to the primary and secondary hub routers across the IP network; AAA/IMC Server at the HQ/Data Center)
HP ADVPN NAT traversal

All the hubs, spokes and VAM servers can be located behind a NAT box under some restrictions.
− The VAM server and hubs should be behind a static NAT box
− If the initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established
− If the tunnel receiver is behind a NAT gateway, packets must be forwarded by a hub before the receiver originates a tunnel establishment request
− If both ends reside behind a NAT gateway, no tunnel can be established and packets must be forwarded by a hub

(Diagram: central network with HUB1, HUB2, and the primary and secondary VAM SERVER, each behind a NAT server; SPOKE1 in branch network 1 behind dynamic NAT and SPOKE2 in branch network 2; addresses shown: global 202.115.5.1, 202.115.1.1 and 202.115.3.1, inside 192.168.20.2, 192.168.10.2 and 192.168.1.2)
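The four NAT rules above as a decision function, so that a design can be checked before deployment. This is an added example, not HP's code. It assumes that a node behind static NAT is reachable at a fixed global address and can be treated like a node with a public address, and that "behind a NAT gateway" for a spoke means dynamic NAT, as in the diagram; the node names and placements are constructed.

```python
"""Which ADVPN tunnels are possible given where NAT sits (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    role: str                    # "hub", "spoke" or "vam-server"
    nat: str = "none"            # "none", "static" or "dynamic"

    @property
    def reachable(self) -> bool:
        """Can a peer open a connection to this node unsolicited?
        Assumption: static NAT keeps a fixed mapping, so the node is reachable."""
        return self.nat in ("none", "static")


def infrastructure_violations(nodes):
    """Hubs and VAM servers must sit behind static NAT (or no NAT): every client
    has to reach them first, and a dynamic mapping would never exist for that."""
    return sorted(n.name for n in nodes
                  if n.role in ("hub", "vam-server") and not n.reachable)


def plan_spoke_to_spoke(initiator: Node, receiver: Node, hub: Node) -> dict:
    """Return how traffic from initiator to receiver is carried."""
    if initiator.role != "spoke" or receiver.role != "spoke":
        raise ValueError("plan_spoke_to_spoke expects two spokes")
    if not hub.reachable:
        raise ValueError(f"hub {hub.name} is not reachable; fix the infrastructure first")
    if receiver.reachable:
        # Rule 2: the initiator may be behind NAT; its outbound packet creates the mapping.
        return {"path": "direct", "initiated_by": initiator.name, "relay": None,
                "note": "spoke-spoke tunnel established by the initiator"}
    if initiator.reachable:
        # Rule 3: receiver behind NAT; the hub relays until the receiver originates
        # its own tunnel request towards the reachable initiator.
        return {"path": "via-hub-then-direct", "initiated_by": receiver.name, "relay": hub.name,
                "note": "hub forwards until the receiver originates a tunnel request"}
    # Rule 4: both behind NAT; no direct tunnel, the hub forwards permanently.
    return {"path": "via-hub", "initiated_by": None, "relay": hub.name,
            "note": "both ends behind NAT: no direct tunnel, hub forwards"}
```

Running infrastructure_violations over a planned topology before rollout catches the common mistake the first rule warns about: a hub or VAM server placed behind dynamic NAT, which no spoke could ever register with.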
HP ADVPN key security features
Data Plane
• Uses UDP encapsulation or GRE, allows configuration of IPsec with IKE
• Encryption algorithm up to: AES-256
• Authentication algorithm: SHA-1
• Supports up to DH-group24 with Perfect Forward Secrecy (PFS)
Control Plane (VAM Protocol)
• Payload encryption algorithm: up to AES-256
• Payload authentication algorithm: SHA-1
VAM Clients authenticated to an AAA Server inside VAM Tunnel
• Authentication method: Pre-shared key and username/password
• Authentication protocol: PAP or CHAP with RADIUS

HP ADVPN IPv6 support

HP ADVPN supports:
• IPv6 packets over ADVPN IPv4 tunnel
• IPv6 packets over ADVPN IPv6 tunnel
• IPv4 packets over ADVPN IPv6 tunnel

(Diagram: primary and secondary hubs at the HQ/Data Center with the AAA Server/IMC, IPv4 and IPv6 branches behind the spokes, connected across the IP network)
HP ADVPN and multicast traffic

HP ADVPN supports multicast protocols

Rules for routing protocol packets:
• The hub sends the multicast packets to all the spokes in the same group.
• The spoke sends the multicast packets to all the hubs in the same group.
Rules for data packets:
• The hub sends the multicast packets to all the spokes in the same group.
• The spoke only sends the multicast packets through its first spoke-hub session.

(Diagram: multicast server at the HQ/Data Center behind the HP ADVPN hub router, with the HP ADVPN VAM server and AAA/IMC Server; multicast traffic reaches the HP ADVPN spoke routers and their branches over DVPN data forwarding tunnels across the IP network)
HP ADVPN management with IMC BIMS

Zero touch configuration and software upgrades for branch device deployments
• Out of path from DVPN
• Secure with SSL
• Scheduled ad-hoc configuration and software upgrades
• Comprehensive monitoring of physical links
• Scales to 10,000 branches (MSRs)

(Diagram: primary and secondary hubs and VAM servers at the HQ/Data Center with the AAA Server/IMC; three spokes with their branches across the IP network)
Configurations

HP ADVPN hub and VAM server combination

If no AAA server is available, local authentication can be configured on the VAM server
• Helps reduce investment
• Pay attention to the maximum number of local users

(Diagram: HP ADVPN Hub/VAM Server router at the HQ/Data Center with the AAA/IMC Server; HP ADVPN spoke routers at three branches across the IP network; DVPN tunnel between HQ and branch and DVPN tunnel between branches)
HP ADVPN local user authentication

In a relatively small deployment, the ADVPN hub and ADVPN VAM server can be combined on the same router

(Diagram: HP ADVPN Hub/VAM Server router with local user authentication at the HQ/Data Center and the AAA/IMC Server; HP ADVPN spoke routers at three branches across the IP network; DVPN tunnel between HQ and branch and DVPN tunnel between branches)
Using 4G-LTE/3G as backup to wired HP ADVPN

Standby or active secondary interfaces must be in a different DVPN domain

(Diagram: primary and secondary hub routers and VAM servers at the HQ/Data Center with the AAA/IMC Server; an HP ADVPN spoke router at the branch with a primary link and a secondary link across the IP network, carrying the DVPN VAM control tunnel and the DVPN data forwarding tunnel)
HP ADVPN through MPLS network

On the hubs and spokes, DVPN is deployed; the private routes are transferred by a routing protocol on the DVPN tunnel.
The private traffic should be forwarded through the DVPN tunnel and encrypted by IPsec, then forwarded via MPLS VPN.
The PE MPLS network needs to provide reachability between hubs, spokes and VAM servers.

(Diagram: central network with the server, VAM Server-1, VAM Server-2, Hub-1 (CE) and Hub-2 (CE); Spoke-1 (CE) in Branch Network 1 and Spoke-2 (CE) in Branch Network 2; all attached to PE routers of the MPLS network provided by the SP)
Using HP ADVPN as backup to MPLS L3 VPN

Backup could also be 4G-LTE/3G as opposed to wired

(Diagram: HQ/Data Center CE with the HP ADVPN hub router, HP ADVPN VAM server and AAA/IMC Server; primary circuit through the ISP PE routers, backup ISP circuit across the Internet; branch CE spoke router carrying the DVPN VAM control tunnel and the DVPN data forwarding tunnel over the backup)
Using HP ADVPN to create multiple VPNs

Configure multiple ADVPN domains on the hub and spoke for different departments
• Configure the spoke to terminate multiple service VLANs, each corresponding to an ADVPN domain and a VRF, and map the VLANs to Layer 3 VPNs

(Diagram: primary and secondary hub routers and VAM servers at the HQ/Data Center with the AAA/IMC Server; spoke routers at two branches, each serving Marketing, Customer Service and Finance VLANs, across the IP network)
Summary

Summary
HP Auto Discovery VPN (ADVPN) solution

Solves the scaling and configuration issues inherent in overlay VPNs
• Can use lower cost ISP-based transport for WAN backup or private line replacement
• Can be deployed over other IP-based transports (such as MPLS)
Reduced hub configuration (single tunnel interface)
• Routing protocols run natively on the tunnel interface
• Clients can use static OR dynamic addressing for hub and spoke routers
Separation of control and data planes
• Data plane encryption is standards-based IPsec
Thank you
