In the hub-spoke model, the spoke node initiates a link establishment request and the hub node receives the request. Therefore, the hub node must be configured with a public IP address, and the spoke node can use a private IP address as long as it communicates with the public network through NAT.

IPsec VPN does not support the VPN routing and forwarding (VRF) table. Therefore, the private IP addresses of spoke sites cannot overlap. If there are a large number of sites, it is complex to manually divide network segments and difficult to manage and maintain them. In this scenario, the network segments can be automatically allocated globally. The network segments of the global address pool are divided based on the overall user scale. Each site is automatically allocated a network segment from the address pool, simplifying operation and maintenance.

If the intranet of a spoke site has multiple network segments, you need to determine which network segment addresses can access the HQ/DC through VPN tunnels. For example, users on the network segment of employees can access the intranet, whereas users on the network segment of guests cannot. When creating an IPsec VPN, you need to specify the network segments that are allowed to access HQ/DC services through the VPN tunnel. When creating an IPsec VPN, you must also specify the private IP address of the hub site so that a static route can be generated on the spoke site for accessing the intranet data of the hub site.

In the mesh model, devices need to establish links between each other and the peer address cannot be a private IP address. Therefore, the addresses of all nodes must be public IP addresses.

Figure 3-4 IPsec VPN intelligent traffic steering model

In the multi-hub model, there are multiple links between a spoke node and the hub nodes.
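As an added planning check (not code from the original page or from any vendor), the following Python script encodes the addressing rules described above: hub peers and all mesh peers need public addresses, a private spoke address is acceptable only behind NAT, site segments must not overlap because IPsec VPN has no VRF, and segments can be handed out from a global address pool. The site names and addresses are constructed, and "private" is assumed to mean an RFC 1918 address.

```python
import ipaddress
from dataclasses import dataclass, field

# "Private" here means an RFC 1918 address (assumption; the page does not define it).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass
class Site:
    name: str
    role: str                    # "hub" or "spoke"
    wan_ip: str                  # address the IPsec peer sees
    behind_nat: bool = False     # spoke reaches the public network via NAT
    lans: list = field(default_factory=list)   # intranet segments at the site

def check_peer_addresses(sites, model):
    """Link-address rules for the hub-spoke, multi-hub and mesh models."""
    problems = []
    for s in sites:
        if model == "mesh" and is_private(s.wan_ip):
            problems.append(f"{s.name}: mesh peers need public addresses, got {s.wan_ip}")
        elif model in ("hub-spoke", "multi-hub"):
            if s.role == "hub" and is_private(s.wan_ip):
                problems.append(f"{s.name}: hub needs a public address, got {s.wan_ip}")
            if s.role == "spoke" and is_private(s.wan_ip) and not s.behind_nat:
                problems.append(f"{s.name}: private spoke address requires NAT")
    return problems

def check_lan_overlap(sites):
    """IPsec VPN has no VRF, so site segments must not overlap anywhere."""
    nets = [(s.name, ipaddress.ip_network(n)) for s in sites for n in s.lans]
    return [f"{a_name} {a} overlaps {b_name} {b}"
            for i, (a_name, a) in enumerate(nets)
            for b_name, b in nets[i + 1:] if a.overlaps(b)]

def allocate_segments(pool, prefix_len, site_names):
    """Hand each site one segment carved from the global address pool."""
    subnets = list(ipaddress.ip_network(pool).subnets(new_prefix=prefix_len))
    if len(site_names) > len(subnets):
        raise ValueError("address pool too small for the number of sites")
    return {name: str(net) for name, net in zip(site_names, subnets)}

# Constructed sample plan (not from the page): Branch-B's LAN overlaps Branch-A's.
SITES = [
    Site("HQ", "hub", "203.0.113.10", lans=["10.0.0.0/16"]),
    Site("Branch-A", "spoke", "192.168.1.2", behind_nat=True, lans=["10.1.0.0/24"]),
    Site("Branch-B", "spoke", "198.51.100.7", lans=["10.1.0.0/25"]),
]
```

Running `check_peer_addresses(SITES, "hub-spoke")` returns no violations, while the same plan under `"mesh"` flags Branch-A's private address, and `check_lan_overlap(SITES)` flags the overlapping branch segments.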
When sites are interconnected using the IPsec VPN technology, each site can be added to only one IPsec VPN. Therefore, you need to plan and design VPNs on the entire network in a unified manner to prevent conflicts between sites.

The data flows to be protected by IPsec can be defined using either of the following methods:

ACLs: On an IPsec tunnel established in manual mode or IKE negotiation mode, the range of data flows to be protected by IPsec can be defined by ACLs. Only the packets matching the permit rules are protected. ACL-based IPsec can use various ACLs to filter packets based on the IP address, port number, and protocol type, providing flexible IPsec protection methods.

Routes (based on virtual tunnel interfaces): Routes can be configured to define the data flows to be protected by an IPsec tunnel established through IPsec tunnel interfaces. The IPsec tunnel interfaces are Layer 3 logical interfaces. All packets routed to these interfaces will then be protected. The advantage of configuring routes is that the data flows to be protected do not need to be defined, which simplifies the IPsec configuration for sites that have a large number of subnets.