tb2375 rastogi simplifying wide area network design_final


Simplify Large Scale Secure WAN DeploymentsSam RastogiSpencer MenardJune 6, 2012

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3

Challenges of Legacy WAN Architectures

• ComplexConfiguration is manually intensive & error-prone

• VulnerableLimited flexibility & security

• ConstrainedLegacy architectures limit performance of rich media applications (e.g., video conferencing)

Campus

BranchBranch

DataCenter

BranchBranch


Zero-touch deployment of routers across enterprise locations

DVPN Automates Secure Connectivity

• SimpleAutomated zero-touch deployment with IMCReduces configuration steps

• SecureStandards-based IPsec encryptionFlexible support for any IP WAN technology

• ScalableSite-to-site performance for rich media Scales to over 30,000 sites

Campus

BranchBranch

WAN

IMC BIMS

Secu

re d

ata tu

nnelS

ecu

re d

ata

tunnel

93% reduction in configuration stepsSecure data

tunnel


HP DVPN Solution Portfolio

8800 Router Series

6600 Router Series MSR50

MSR20-1X MSR900

MSR30

MSR20

8800 Router Series

6600 Router Series

FlexNetwork Architecture

FlexManagement – HP Intelligent Management Center (IMC) BIMS

FlexFabric FlexCampus FlexBranch

MSR50

MSR20-1X MSR900

MSR30

MSR20

6600 Router Series 6600 Router Series


Gain visibility

Increase efficiency

Integrate security

Reduce OPEX with network transparency

Achieve enhanced performance and superior reliability

Preserve network integrity with full featured network control

Gain business agility through single pane-of-glass management

HP Intelligent Management Center


Fault

Alarms

Syslog & Trap Mgr

Service OperationMgmt

Configuration

Intelligent Configuration Center

IPsec VPN Mgr

MPLS VPN Mgr

Wireless Services Mgr

QoS/SLA Manager

VLAN & ACL Manager

Accounting

Network Assets

User Behavior Analysis

Desktop Asset Mgmt

Performance

Performance Mgmt

Network Traffic Analyzer

Virtual Network Mgmt

Security

Security Control Center

User Access Manager

Endpoint Admission Defense

FCAPS model

IMC platform features

Add-on modules

HP IMC Module Portfolio

BIMSQoS


Modules – Branch Intelligent Management System

• Leverages standards based CWMP protocol

• Secure device & configuration management

• “Zero Touch” deployment for branch networks

Automated configuration management across large scale networks

HeadquartersBranch


Modules – IPsec/VPN Manager (IVM)

• Pre-defined DVPN security templates

• DVPN auto discovery

• DVPN management and provisioning

Greater visibility and control for DVPN


Large scale VPN topologies Flexible architecture

HP DVPN Solution – Key Features and Benefits Predictable performanceDynamic routing & QoS

Resilient and adaptableDynamic IP addressing

Zero-touch deployment Single pane-of-glass management

DVPN domain management Visibility and control

Control and data pane separation

Highly scalable and secure


HP DVPN Solution Components

• VPN Address Management (VAM) server (up to 2 per DVPN domain)

• VAM client• Hub (up to 2 per DVPN domain)

− Resides at HQ or DC• Spoke

− Resides at campus or branch• HP IMC (optional)

− Resides at HQ or DC− BIMS (TR-69) − Optional AAA server provides

centralized spoke authentication

Hub

HQ / Data center

VAM Servers

Spoke

Branch

HP IMC

IP Network


Employs client/server model, operating at application layer of TCP/IPSupports up to 10 DVPN domains per router

Supports 2 tunnel encapsulations: UDP and GRE

Each client registers mapping of its private and public IP addresses with server using DVPN control protocol (VAM)

HP DVPN Solution Operation

Hub(secondary)

VAM Server (primary)

VAM Server (secondary)

Server Public IP Address

Client Public IP Address

Client Private IP Address DVPN configured

on single tunnel interface

Hub(primary)

HQ / Data Center

Spoke

Branch

IP NetworkTunnel

Tu

nn

el

HP IMC


HP DVPN Solution Hub and Spoke Topology

• Each spoke establishes a permanent tunnel with hub

− No tunnels between spokes

− Hub is used as routing information exchange and data forwarding center

− Traffic between spokes is forwarded through hub

Hub Routers VAM Servers

SpokeRouter

SpokeRouter

SpokeRouter

Branch BranchBranch

IP Network

primary secondaryprimary

Data Center / HQ

Tu

nn

el

s

Tu

nn

el

s

HP IMC

Tu

nn

el

s

secondary


HP DVPN Solution Full Mesh Topology

• Each spoke establishes a permanent tunnel with hub

− Spokes can establish dynamic (temporary) tunnels between each other

− Hub is mainly used for routing information exchange

Hub Routerssecondary

VAM Servers

SpokeRouter

SpokeRouter

Branch Branch

IP Network


Data Center / HQ

Tu

nn

el

s

Tu

nn

el

sTunnel

HP IMC


HP DVPN Solution High Availability

• VAM server redundancy− Clients register with both at same

time

• Hub redundancy− Spokes establish tunnels to both

hubs− Hubs dynamically establish tunnels

between each other

• Link redundancy− Encryption independent of

interface

• Fault detection− VAM protocol switchover/recovery− Routing protocol convergence− BFD

Standby or active secondary interfaces must be in a different DVPN domain

Hub Routerssecondary

VAM Servers


Branch

IP Network

Primary Link Secondary Link

SpokeRouter

HP IMCData Center / HQ


HP DVPN Solution Quality of Service

• Use QoS to guarantee service quality of key traffic flows

• Hub & spokes identify and mark traffic on internal interface

• Use firewall, Netstream, and QoS to implement DVPN traffic filtering and statistics

• Single or multi-tunnel service

DVPN HubRouter

Branch

SpokeRouter Branch

IP Network

DVPN HubRouter

Firewall, Netstream,

and QoS features

HP IMC

Data Center / HQ

SpokeRouter


HP DVPN Solution Management with IMC BIMS

• Zero touch configuration and software upgrades for branch device deployments

• Out of path from DVPN • Secured with SSL • Scheduled and ad-hoc

configuration and software changes

• Comprehensive monitoring of physical links

• Scales to up to 10,000 branches

Hub Routers

secondary

VAM Servers


IP Network

SpokeRouter

Tunnels

HP IMCData Center / HQ

Branch


3rd Party Validation – Network Test Report“…With DVPN enabled on HP Networking routers, IPsec tunnels are automatically established between sites. This eliminates the need for complex configuration of IPsec parameters, especially at branch-office sites that may not have full-time IT staff present. DVPN also can greatly reduce configuration complexity…”

- David Newman (Network Test)Fully Meshed

Routers DVPN Savings in Configuration

Complexity

5 75%

10 89%

15 93%


Global Financial Service Provider Adopts HP DVPN

Challenges

• Slow and unstable WAN

• Complex secure connectivity

• High TCO

HP solution

• Thousands of HP MSR and 6600 routers

• 3G/Internet and MPLS

Business benefits

• Reduced complexity: 30 variations of software down to

2

• Simplified network: fully automated, 20% higher

performance

• Reduced cost: 20-30% lower TCO

Business

• Operations in over 30 countries

• 6M+ merchant locations

• $10B+ annual revenue

IT environment

• 10-year relationship with one

vendor

• Two distinct networks

• Six data centers


Tools for Clients

• Visit

HP DVPN solutions page at www.hp.com/networking/dvpn

HP routers product page at www.hp.com/networking/routers

HP IMC product page at www.hp.com/networking/imc

• Download DVPN resources at www.hp.com/networking/dvpn

DVPN White Paper, Configuration Guide, Datasheets, Blog

http://www.hp.com/networking/dvpn

http://www.hp.com/networking/routers

http://www.hp.com/networking/imc

http://www.hp.com/networking/dvpn


Simplify secure WAN connectivity with the HP DVPN solution

Summary

• Up to 93% configuration reduction

• Highly scalable and resilient

• Carrier agnostic connectivity

• Zero-touch automation with HP IMC


Thank you

tb2375 rastogi simplifying wide area network design_final

Technology