Configuring NHRP Overview - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01 Manual

Configuring ScreenOS Devices Guide

Configuring NHRP Overview

ScreenOS devices support autoconnect virtual private networks (ACVPNs) in a
hub-and-spoke network topology. ACVPN provides a way for you to configure your
hub-and-spoke network so that spokes can dynamically create VPN tunnels directly
between each other as needed. This not only solves the problem of latency between
spokes but also reduces processing overhead on the hub and thus improves overall
network performance. Additionally, because ACVPN creates dynamic tunnels that time
out when traffic ceases to flow through them, network administrators are freed from the
time-consuming task of maintaining a complex network of static VPN tunnels.
After you set up a static VPN tunnel between the hub and each of the spokes, you
configure ACVPN on the hub and the spokes and then enable the Next Hop Resolution
Protocol (NHRP). The hub uses NHRP to obtain a range of information about each spoke,
including its public-to-private address mappings, subnet mask length, and routing and
hop count information, which the hub caches. Then, when any spoke begins
communicating with another spoke (through the hub), the hub uses this information, in
combination with information obtained from the ACVPN configuration on the spokes, to
enable the spokes to set up an ACVPN tunnel between themselves. While the tunnel is
being negotiated, communication continues to flow between the two spokes through
the hub. When the dynamic tunnel becomes active, the hub drops out of the link and
traffic flows directly between the two spokes. When traffic ceases to flow through the
dynamic tunnel, the tunnel times out.
In cases where the hub fails and the dynamic tunnel expires, the spokes cannot reestablish
the connection. To avoid this, ScreenOS 6.3 allows you to configure two hubs on the
same virtual router (VR) so that connectivity is not lost even if one hub fails.
Because ACVPN supports dynamic routing protocols, traffic from other subnets behind a
spoke that should be routed through the hub may instead pass through the dynamic tunnel
already created for the first cached subnet. To avoid this, ScreenOS 6.3 allows you to
disable dynamic routing on the ACVPN tunnel. Additionally, you can redistribute routes
learned from NHRP into dynamic routing protocols such as BGP, OSPF, and RIP. In the
same way, routes learned by the dynamic routing protocols can be redistributed
automatically into the NHRP routing instance.
The following procedure explains how ACVPN works:
1. Adjust the topology to assign the VPN and gateway.
2. Assign the ACVPN—dynamic and next-hop server (NHS) IP address.
3. Set the NHRP redistribute rules.
4. Add NHRP to the redistribute configuration of the other dynamic routing protocols, such as OSPF, BGP, and RIP.
5. Set the routing on the tunnel interface.
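As an added illustration that is not code from this guide or from ScreenOS, the following Python model walks through the forwarding behaviour the overview describes: the hub caches NHRP registrations, the first spoke-to-spoke packets hairpin through the hub while a direct tunnel is negotiated, the tunnel then carries traffic until it idles out, and a spoke pair that has lost its only hub cannot rebuild the tunnel, whereas a second hub on the same VR keeps resolution working. Spoke names, addresses, the idle timeout and the negotiation time are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Spoke:
    name: str
    public_ip: str    # outer address the spoke registers via NHRP (constructed value)
    subnet: str       # private prefix behind the spoke (constructed value)

@dataclass
class DynamicTunnel:
    active_at: int    # time at which spoke-to-spoke negotiation completes
    last_seen: int    # last time traffic used the tunnel; drives the idle timeout

class AcvpnFabric:
    """Model of the hub-and-spoke fabric: hubs cache NHRP registrations,
    spokes negotiate direct tunnels on demand. Not ScreenOS code."""
    def __init__(self, hubs, idle_timeout, negotiate_time):
        self.hubs = set(hubs)      # live hubs configured on the same VR
        self.cache = {}            # NHRP cache: private subnet -> registering Spoke
        self.tunnels = {}          # frozenset of two spoke names -> DynamicTunnel
        self.idle_timeout, self.negotiate_time = idle_timeout, negotiate_time

    def register(self, spoke):     # the spoke's NHRP registration with the hub(s)
        self.cache[spoke.subnet] = spoke

    def fail_hub(self, hub):
        self.hubs.discard(hub)

    def send(self, src, dst_subnet, now):
        """Return the path one packet from `src` to `dst_subnet` takes at time `now`."""
        dst = self.cache.get(dst_subnet)
        key = frozenset({src.name, dst.name}) if dst else None
        tun = self.tunnels.get(key)
        if tun and now - tun.last_seen > self.idle_timeout:
            del self.tunnels[key]; tun = None            # idle tunnel has timed out
        if tun is None:
            if dst is None or not self.hubs:
                return "dropped"                          # nobody can resolve the next hop
            tun = self.tunnels[key] = DynamicTunnel(now + self.negotiate_time, now)
        tun.last_seen = now
        if now < tun.active_at:                           # still negotiating: via a hub
            return "via hub" if self.hubs else "dropped"
        return "direct"

def demo(hubs):
    """Walk the overview's scenario; returns the path taken by each packet."""
    f = AcvpnFabric(hubs, idle_timeout=30, negotiate_time=2)
    a, b = Spoke("A", "203.0.113.10", "10.1.0.0/24"), Spoke("B", "203.0.113.20", "10.2.0.0/24")
    f.register(a); f.register(b)
    paths = [f.send(a, b.subnet, t) for t in (0, 1, 2, 10)]       # negotiate, then direct
    f.fail_hub("hub1")
    return paths + [f.send(a, b.subnet, 15), f.send(a, b.subnet, 60)]  # after the hub fails

if __name__ == "__main__":
    print(demo({"hub1"}), demo({"hub1", "hub2"}))
```

With a single hub the last packet, sent after the idle timeout, is dropped; with two hubs it is resolved again via the surviving hub while a fresh tunnel is negotiated.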
You can configure the NHRP parameters as described in Table 81 on page 333.
Copyright © 2010, Juniper Networks, Inc.