Dynamic Smart Virtual Private Network (DSVPN) establishes VPN tunnels between Spokes with dynamically variable public addresses in the Hub-Spoke model.
More enterprises want to build IPsec VPNs in the Hub-Spoke model to connect the Hub to Spokes in different geographical locations. This enhances enterprise communication security and reduces communication costs. When the Hub uses a static public address to connect to the Internet and the Spokes use dynamic public addresses, the Spokes cannot communicate with each other directly if traditional IPsec or GRE over IPsec is used to build the VPN. This is because the Spokes cannot learn each other's public addresses in advance, so tunnels cannot be set up between them. In this case, communication data between Spokes must be forwarded by the Hub.
When all communication data between Spokes is forwarded by the Hub, the following problems may occur:
To resolve this issue, DSVPN uses Next Hop Resolution Protocol (NHRP) to collect and maintain information about dynamically changing public IP addresses of the Spokes. In this manner, the Spokes can obtain each other's public IP address before establishing a tunnel with each other.
On the network shown in Figure 2, DSVPN allows the Spokes to dynamically establish a Spoke-Spoke tunnel when they use dynamic IP addresses to access the public network. This implements direct communication between the Spokes. In addition, DSVPN supports multipoint Generic Routing Encapsulation (mGRE), which allows multiple GRE tunnels to be set up on a single mGRE tunnel interface. This simplifies subnet traffic management and configurations of GRE and IPsec on devices.
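The register-and-resolve behavior described above can be sketched as a small model. This is an added example, not vendor code and not the NHRP wire format. The class names, the hold time, the fallback to the Hub when resolution fails, and all addresses are assumptions constructed for illustration.

```python
# Simplified model of the NHRP register/resolve exchange described above.
# Not the NHRP wire format; all addresses are constructed documentation values.

HOLD_TIME = 7200  # seconds a registration stays valid (value assumed for this model)

class Hub:
    """Keeps the mapping: Spoke tunnel address -> (public address, expiry)."""
    def __init__(self):
        self.cache = {}

    def register(self, tunnel_ip, public_ip, now):
        # A Spoke reports its current public address; a later registration
        # for the same tunnel address replaces the earlier one.
        self.cache[tunnel_ip] = (public_ip, now + HOLD_TIME)

    def resolve(self, tunnel_ip, now):
        # Answer with the peer's public address, or None if unknown or expired.
        public_ip, expiry = self.cache.get(tunnel_ip, (None, 0))
        if public_ip is None or expiry <= now:
            self.cache.pop(tunnel_ip, None)
            return None
        return public_ip

class Spoke:
    def __init__(self, tunnel_ip, hub):
        self.tunnel_ip, self.hub = tunnel_ip, hub

    def connect(self, public_ip, now):
        # Called whenever the ISP hands the Spoke a (possibly new) address.
        self.hub.register(self.tunnel_ip, public_ip, now)

    def path_to(self, peer_tunnel_ip, now):
        # Direct Spoke-Spoke tunnel if the peer resolves, else relay via Hub.
        public_ip = self.hub.resolve(peer_tunnel_ip, now)
        return ("direct", public_ip) if public_ip else ("via-hub", None)

def demo():
    hub = Hub()
    a, b = Spoke("10.0.0.2", hub), Spoke("10.0.0.3", hub)
    a.connect("198.51.100.7", now=0)
    before = a.path_to(b.tunnel_ip, now=10)        # B not registered yet
    b.connect("203.0.113.20", now=20)
    first = a.path_to(b.tunnel_ip, now=30)
    b.connect("203.0.113.99", now=40)              # B's public address changed
    changed = a.path_to(b.tunnel_ip, now=50)
    expired = a.path_to(b.tunnel_ip, now=40 + HOLD_TIME)  # B never refreshed
    return before, first, changed, expired

if __name__ == "__main__":
    print(demo())
```

The Hub's table is the only source the Spokes consult for a peer's public address, so a registration that is never refreshed expires instead of pointing at an address the Spoke no longer holds.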
Reduced VPN network construction costs
DSVPN implements dynamic connections between the Hub and Spokes, and between Spokes. Spokes do not need to purchase static public network addresses.
Simplified configuration of the Hub and Spokes
The Hub and Spokes use a single mGRE tunnel interface instead of multiple GRE tunnel interfaces to establish tunnels. When a new Spoke is added to the network, the network administrator does not need to change configurations on the Hub or any existing Spokes. The administrator only needs to configure the new Spoke, and then the Spoke dynamically registers with the Hub.
Reduced data transmission delay between branches
Spokes can dynamically establish tunnels to directly exchange service data, reducing the forwarding delay and improving forwarding performance and efficiency.