Vam server, Vam client, Spoke – H3C Technologies H3C SecPath F1000-E User Manual

Page 414: AAA server, Operation of DVPN, Networking structures of DVPN


VAM server

A VAM server receives registration information from DVPN nodes and manages and maintains information about DVPN clients. A VAM server is usually a high-performance routing device with the VAM server function enabled.

VAM client

A VAM client registers its private address and public address with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" in this document refers to a "hub" or a "spoke."

Hub

A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center.

Spoke

A spoke is a type of VAM client. Usually acting as the gateway of a branch office, a spoke does not forward data received from other DVPN nodes.

AAA server

An Authentication, Authorization, and Accounting (AAA) server is used for user authentication and accounting.

Operation of DVPN

DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack, DVPN supports two tunnel encapsulation modes: UDP and GRE.

A DVPN comprises one server and multiple clients. The public address of the server in a DVPN must be static. The private address of a client needs to be statically assigned. The public address of a client can be manually configured or dynamically assigned. All the private addresses of the nodes composing a DVPN must belong to the same network segment.

Each client registers the mapping of its private address and public address with the server. After a client registers its address mapping with the server, other clients can get the public address of this client from the server. This is for DVPN tunnel establishment between clients. Each client uses the VAM protocol to communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove tunnels to other clients. Whenever there is a change in the topology, the server will be notified automatically.
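
The registration and lookup behavior described above can be sketched as a small model. This is an added example, not code from the manual or from H3C, and it does not reproduce the VAM protocol's wire format; the class name, method names, and all addresses are hypothetical or constructed.

```python
import ipaddress


class VamRegistry:
    """Hypothetical model of the server-side private-to-public address table."""

    def __init__(self, private_segment):
        # All private addresses of one DVPN must belong to the same segment.
        self.segment = ipaddress.ip_network(private_segment)
        self.clients = {}  # private address -> (role, public address)

    def register(self, role, private, public):
        """Record a client's mapping; return True if the table changed.

        Client authentication (the AAA server's job) is not modelled here.
        """
        if role not in ("hub", "spoke"):
            raise ValueError(f"unknown role {role!r}")
        priv = ipaddress.ip_address(private)
        pub = ipaddress.ip_address(public)
        if priv not in self.segment:
            raise ValueError(f"{priv} is outside DVPN segment {self.segment}")
        changed = self.clients.get(priv) != (role, pub)
        # A client's public address may be dynamic, so a repeat
        # registration replaces the stored mapping.
        self.clients[priv] = (role, pub)
        return changed

    def resolve(self, private):
        """Public address a peer needs to build a tunnel, or None if unknown."""
        entry = self.clients.get(ipaddress.ip_address(private))
        return str(entry[1]) if entry else None

    def hubs(self):
        """Private addresses of registered hubs, as handed to a spoke."""
        return [str(p) for p, (role, _) in sorted(self.clients.items())
                if role == "hub"]


def build_sample():
    # Constructed sample addresses (RFC 5737 documentation ranges as "public").
    reg = VamRegistry("10.0.0.0/24")
    reg.register("hub", "10.0.0.1", "192.0.2.1")
    reg.register("spoke", "10.0.0.2", "198.51.100.7")
    reg.register("spoke", "10.0.0.3", "203.0.113.9")
    return reg


if __name__ == "__main__":
    reg = build_sample()
    print("hubs:", reg.hubs())
    print("10.0.0.3 ->", reg.resolve("10.0.0.3"))
```

Because a repeat registration overwrites the stored public address, the mapping table is only as trustworthy as the authentication applied to registering clients.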

Networking structures of DVPN

DVPN supports two typical networking structures, full mesh and hub-spoke.

Full mesh DVPN: In a full mesh DVPN, spokes can communicate with each other directly by establishing tunnels between them, and the hub is mainly used as the routing information exchange center. As shown in Figure 295, after the spokes (the clients) register with the VAM server and get the hub information in the VPN domain, they establish permanent tunnels with the hub. Any two spokes can establish a tunnel directly between them. The tunnel is dynamic and will be aged out if no data exchange occurs on it during the specified period of time (the idle timeout for the spoke-spoke tunnel).
