Network infrastructure of enterprises and organizations inevitably expands and reaches beyond the boundaries of a single building to the branch offices. Ensuring a stable and secure connection between company offices is a routine task for a network engineer.

The provided diagram offers a solution for establishing secure communication links between company headquarters and branch offices, which not only ensures security but also makes it easy to manage and scale the network.

Notes and warnings

Hints contain small explanations to help with learning to use the equipment more quickly, or additional information.

Notes contain important information about setting up the equipment.

Warnings inform the user of situations that may cause harm, incorrect system operation or loss of data.

Glossary

  • AES (Advanced Encryption Standard) is a symmetric block encryption algorithm.
  • ARP (Address Resolution Protocol) is a protocol used to map network layer addresses to link layer addresses in multiple access networks.
  • ARP Proxy is a mechanism for using the ARP protocol, in which a host responds to ARP requests for an IP address that is not assigned to its network interface.
  • BFD (Bidirectional Forwarding Detection) is a protocol designed to quickly detect loss of connectivity between two routers.
  • BGP (Border Gateway Protocol) is a routing protocol used to exchange routing information between autonomous systems.
  • DHCP (Dynamic Host Configuration Protocol) is a protocol for dynamic configuration of network nodes.
  • DMVPN (Dynamic Multipoint Virtual Private Network) is a technology for deploying virtual private networks in a point-to-multipoint configuration.
  • DMVPN Hub is a device role in the DMVPN cloud: the central device in a point-to-multipoint configuration, which holds information about all members of the DMVPN cloud, forwards traffic between them, and allows any two members of the DMVPN cloud to connect directly via temporary tunnels.
  • DMVPN Spoke is a device role in the DMVPN cloud; after connecting to the DMVPN Hub, it can have traffic forwarded to other DMVPN Spokes and can establish a temporary tunnel directly to another DMVPN Spoke.
  • DMZ (Demilitarized Zone) is a segment of the network containing publicly accessible enterprise services.
  • DPD (Dead Peer Detection) is a mechanism for detecting inactive peers in the context of IPsec tunneling.
  • ESP (Encapsulating Security Payload) is a protocol used in IPsec technology to ensure the confidentiality of transmitted data by encrypting the contents of the transmitted IP packet.
  • FIB (Forwarding Information Base) is an optimized routing table used to forward IP packets.
  • Front-Door VRF is a connection scheme in which the transport network for a certain virtual network is moved to a separate network namespace.
  • GRE (Generic Routing Encapsulation) is a protocol for tunneling IP packets.
  • ICMP (Internet Control Message Protocol) is a protocol for transmitting error messages and control information in TCP/IP networks.
  • IKE (Internet Key Exchange) is a key management protocol used to establish and maintain IPsec tunnels.
  • IMIX (Internet mix) is a template of typical Internet traffic passing through network equipment. The term is used when describing the results of load testing of network equipment.
  • IPsec (IP security) is a technology that uses a set of protocols to ensure the confidentiality, integrity, and availability of data sent over public networks.
  • LACP (Link Aggregation Control Protocol) is a standard link aggregation protocol.
  • LAG (Link Aggregation Group) is a group of aggregated links.
  • MD5 (Message Digest 5) is a 128-bit hash algorithm.
  • MOBIKE is an extension of the IKEv2 protocol that allows the use of an established IPsec tunnel in the event of a change in IP addressing on one side of the IPsec tunnel.
  • MTU (Maximum Transmission Unit) is the maximum size of a data packet that can be transmitted over a network without fragmentation.
  • NAT (Network Address Translation) is a mechanism in TCP/IP networks that allows fields in the header of a packet passing through a router to be rewritten. This document mentions three kinds: Source NAT rewrites the sender (source) fields in the headers of forwarded IP packets; Destination NAT rewrites the recipient (destination) fields in the headers of forwarded IP packets; Static NAT maps one IP address to another on a one-to-one basis without changing other header fields.
  • NAT-OA (NAT Original Address) is the IP address of the packet sender before Source-NAT conversion, used in protocols.
  • NBMA (Non-Broadcast Multiple Access network) is a network to which multiple devices are connected, with data transmitted only directly from one device to another. There is no option to send broadcast messages that will be received by all devices.
  • NHRP (Next Hop Resolution Protocol) is a client-server address translation protocol that allows all hosts on an NBMA network to dynamically learn each other's NBMA addresses (physical addresses).
  • PFS (Perfect forward secrecy) is a mechanism that triggers a new Diffie-Hellman key exchange each time an IPsec tunnel child security association is reinstalled.
  • PPPoE (Point-to-Point Protocol over Ethernet) is a link-layer network protocol for transmitting PPP frames over Ethernet networks, often used by Internet service providers as a mechanism for providing subscribers with access to the Internet.
  • RIB (Routing Information Base) is a routing table containing all routing information obtained from various sources.
  • SFP (Small Form-factor Pluggable) is an industry standard for modular compact transceivers used to transmit and receive data in telecommunications equipment.
  • SHA2 (Secure Hash Algorithm Version 2) is a family of cryptographic algorithms, one-way hash functions.
  • SLA (Service Level Agreement) is a technology for active measurement of computer networks that tests the qualitative and quantitative characteristics of communication links in a TCP/IP data transmission network.
  • TCP Adjust-MSS is a mechanism that makes it possible to set the maximum segment size in a TCP session to prevent fragmentation of TCP packets transmitted over a link with a low MTU.
  • TTL (Time To Live) is the maximum number of routers through which an IP packet can pass before it is discarded.
  • VLAN (Virtual Local Area Network) is a virtual local computer network.
  • VPN (Virtual Private Network) is a technology that makes it possible to create a secure, encrypted connection between two hosts on a network.
  • VRF (Virtual Routing and Forwarding) is a technology that allows multiple network namespaces, each with its own addressing and routing tables, to be kept separate on a single network device.