
ZyXEL Communications ZyWALL 2 Plus - Figure 178 VPN Topologies; Hub-And-Spoke VPN Example

ZyXEL Communications ZyWALL 2 Plus
678 pages
Chapter 14 IPSec VPN
ZyWALL 2 Plus User’s Guide
272
Figure 178 on page 272 shows some example network topologies. In the first (fully-meshed)
approach, there is a VPN connection between every pair of routers. In the second (hub-and-
spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and
the hub router (A). The hub router routes VPN traffic between the spoke routers and itself.
Figure 178 VPN Topologies
Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and
maintain in the network. Small office or telecommuter IPSec routers that support a limited
number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke
VPN makes it easier for the hub router to manage the traffic between the spoke routers. If you
have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, the hub
router can also provide content filtering protection for the spoke routers.
You should not use a hub-and-spoke VPN in every situation, however. The hub router is a
single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection
between the spoke routers cannot be down occasionally (for maintenance, for example). In
addition, there is a significant burden on the hub router. It receives VPN traffic from one
spoke, decrypts it, inspects it to find out where to send it, encrypts it, and sends it to the
appropriate spoke. Therefore, a hub-and-spoke VPN is more suitable when there is a minimum
amount of traffic between spoke routers.
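The trade-offs above can be checked on a small model of the two topologies. This is an added example, not part of the ZyXEL guide: the router names A to E come from the figure, while the spoke tunnel limit of 2 and all function names are assumptions made for illustration.

```python
from collections import deque
from itertools import combinations

ROUTERS = ["A", "B", "C", "D", "E"]   # router names from Figure 178
SPOKE_TUNNEL_LIMIT = 2                # constructed limit for a small spoke router

def full_mesh(routers):
    """One VPN connection between every pair of routers."""
    return {frozenset(pair) for pair in combinations(routers, 2)}

def hub_and_spoke(hub, routers):
    """One VPN connection between each spoke router and the hub."""
    return {frozenset((hub, r)) for r in routers if r != hub}

def tunnels_per_router(tunnels):
    """Number of tunnels each router has to terminate."""
    counts = {}
    for tunnel in tunnels:
        for router in tunnel:
            counts[router] = counts.get(router, 0) + 1
    return counts

def path(tunnels, src, dst, down=frozenset()):
    """Shortest chain of routers from src to dst, avoiding routers that are down."""
    if src in down or dst in down:
        return None
    seen, queue = {src}, deque([[src]])
    while queue:
        hops = queue.popleft()
        if hops[-1] == dst:
            return hops
        for tunnel in tunnels:
            if hops[-1] in tunnel:
                (peer,) = tunnel - {hops[-1]}
                if peer not in seen and peer not in down:
                    seen.add(peer)
                    queue.append(hops + [peer])
    return None  # no working tunnel path

if __name__ == "__main__":
    for name, tunnels in (("fully-meshed", full_mesh(ROUTERS)),
                          ("hub-and-spoke", hub_and_spoke("A", ROUTERS))):
        load = tunnels_per_router(tunnels)
        too_many = sorted(r for r in ROUTERS[1:] if load[r] > SPOKE_TUNNEL_LIMIT)
        normal = path(tunnels, "B", "C")
        print(name, "tunnels:", len(tunnels), "per router:", load)
        print("  spokes over limit:", too_many)
        print("  B to C:", normal, "relays that decrypt and re-encrypt:", len(normal) - 2)
        print("  B to C with A down:", path(tunnels, "B", "C", down={"A"}))
```

With five routers the mesh needs ten tunnels and every spoke exceeds the assumed limit, while hub-and-spoke needs four but relays all spoke-to-spoke traffic through A and loses that traffic when A is down.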
14.17.1 Hub-and-spoke VPN Example
The following figure shows a basic hub-and-spoke VPN. Branch office A uses one VPN rule
to access both the headquarters (HQ) network and branch office B’s network. Branch office B
uses one VPN rule to access both the headquarters and branch office A’s networks.
