Palo Alto Networks, Inc.
DYNAMIC ESTABLISHMENT AND TERMINATION OF VPN TUNNELS BETWEEN SPOKES
Abstract:
To reduce overhead generated by maintaining a full mesh network with static spoke-to-spoke tunnels while providing the efficiency of spoke-to-spoke communication, BGP configuration is automated to provide for dynamic establishment of spoke-to-spoke tunnels. A virtual Internet Protocol (VIP) address is assigned to each spoke in the network. Each spoke advertises its VIP address to the hub for communication to the other spokes. A spoke sets the route next hop in its routing table for a remote spoke to the VIP of the remote spoke. Establishment of a tunnel between spokes is initiated after detecting that data is to be communicated between the spokes, while data is temporarily routed through the hub. Data is routed directly to the receiving spoke through the dynamic tunnel once the tunnel is active. Tunnels between spokes are terminated dynamically after a period of inactivity to reduce overhead caused by consistent maintenance of dynamic tunnels with low use.
Utility
31 Jul 2019
4 Feb 2021
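The forwarding behaviour the abstract describes (hub fallback while a tunnel is set up, direct forwarding once it is active, teardown after inactivity) can be modelled as a small per-spoke state machine. This is an added example, not code from the patent or from Palo Alto Networks; the tick-based clock, the `SETUP_TIME` and `IDLE_TIMEOUT` values, the class and method names, and the prefix and VIP are all assumptions made for illustration.

```python
# Added illustration: toy model of one spoke's forwarding decision.
# SETUP_TIME and IDLE_TIMEOUT are assumed values; the abstract gives none.
SETUP_TIME = 2     # ticks between tunnel initiation and tunnel active (assumed)
IDLE_TIMEOUT = 5   # ticks without traffic before teardown (assumed)

class Spoke:
    def __init__(self, name):
        self.name = name
        self.routes = {}    # remote prefix -> next hop (remote spoke's VIP), learned via hub
        self.tunnels = {}   # remote VIP -> {"ready_at": tick, "last_used": tick}

    def learn_route(self, prefix, remote_vip):
        """Install a hub-advertised route whose next hop is the remote spoke's VIP."""
        self.routes[prefix] = remote_vip

    def expire_idle(self, now):
        """Tear down active tunnels unused for IDLE_TIMEOUT ticks; return VIPs removed."""
        dead = [vip for vip, t in self.tunnels.items()
                if now >= t["ready_at"] and now - t["last_used"] >= IDLE_TIMEOUT]
        for vip in dead:
            del self.tunnels[vip]
        return dead

    def send(self, prefix, now):
        """Return the path taken by one packet: 'direct' or 'via-hub'."""
        self.expire_idle(now)
        vip = self.routes[prefix]
        tunnel = self.tunnels.get(vip)
        if tunnel is None:
            # Traffic detected for a remote spoke: start tunnel setup and
            # keep forwarding through the hub until the tunnel is up.
            self.tunnels[vip] = {"ready_at": now + SETUP_TIME, "last_used": now}
            return "via-hub"
        tunnel["last_used"] = now
        return "direct" if now >= tunnel["ready_at"] else "via-hub"

def demo():
    a = Spoke("spoke-a")
    a.learn_route("10.2.0.0/16", "192.0.2.2")   # constructed prefix and VIP
    ticks = [0, 1, 2, 3, 9, 10, 11]             # gap between 3 and 9 exceeds IDLE_TIMEOUT
    return [(t, a.send("10.2.0.0/16", t)) for t in ticks]

if __name__ == "__main__":
    for tick, path in demo():
        print(tick, path)
```

The idle gap in the sample traffic shows the cost of teardown: the first packets after the gap transit the hub again until a new tunnel is active.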