hub-and-spoke VPN

Jul 12th, 2007

In a hub-and-spoke topology, all hubs can set up an IPsec VPN tunnel to a spoke. When a station at one hub wants to visit a station at another hub, do I only change the ACL to implement it?

for example:

The hub, spoke A and spoke B start to set up a VPN tunnel when traffic matches the ACLs below:

spoke A:

access-list 101 permit ip <spokeA subnet> <hub subnet>

access-list 101 permit ip <spokeA subnet> <hub subnet>

hub:

access-list 101 permit ip <hub subnet> <spokeA subnet>

access-list 101 permit ip <hub subnet> <spokeB subnet>

access-list 101 permit ip <spokeA subnet> <spokeB subnet>

access-list 101 permit ip <spokeB subnet> <spokeA subnet>

spoke B:

access-list 101 permit ip <spokeB subnet> <hub subnet>

access-list 101 permit ip <spokeB subnet> <hub subnet>


Hello,

What platform and version are you using?

Your configuration above would not work so well, as you're not defining at each spoke access to the other spoke.

Update the ACLs on the spokes to include:

Spoke A

access-list 101 permit ip

Spoke B

access-list 101 permit ip

This is very dependent on platform and version, i.e. a PIX 515 running software version 6 will not work.

Tim
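As an added example, not from the thread or from any vendor documentation, the rule the reply relies on modelled in Python: two IPsec peers must hold mirror-image crypto ACL entries (what one permits as source/destination the other permits reversed), and spoke-to-spoke traffic relayed through the hub crosses two such peerings. Router and subnet names are placeholders standing in for the poster's real prefixes.

```python
from itertools import product

# Constructed model of the thread's topology: placeholder subnet names
# stand in for the real prefixes, and each router's crypto ACL is the
# set of (source, destination) pairs it treats as interesting traffic.
HUB, A, B = "hub", "spokeA", "spokeB"

POSTED_ACLS = {
    HUB: {(HUB, A), (HUB, B), (A, B), (B, A)},
    A:   {(A, HUB)},          # the posted spoke A ACL only covers the hub
    B:   {(B, HUB)},          # same for spoke B
}

def hop_gaps(acls, sender, receiver, flow):
    """Entries missing for one IPsec peering to carry `flow` (src, dst):
    the sender needs (src, dst), the receiver needs the mirror (dst, src)."""
    src, dst = flow
    gaps = []
    if (src, dst) not in acls.get(sender, set()):
        gaps.append((sender, (src, dst)))
    if (dst, src) not in acls.get(receiver, set()):
        gaps.append((receiver, (dst, src)))
    return gaps

def spoke_to_spoke_gaps(acls, spokes, hub=HUB):
    """Every (router, (src, dst)) entry missing for spoke-to-spoke traffic
    relayed via the hub, checked in both directions."""
    missing = []
    for s1, s2 in product(spokes, repeat=2):
        if s1 == s2:
            continue
        # leg 1: s1 encrypts the s1->s2 flow to the hub; the hub must mirror it
        missing += hop_gaps(acls, s1, hub, (s1, s2))
        # leg 2: the hub re-encrypts the same flow to s2; s2 must mirror it
        missing += hop_gaps(acls, hub, s2, (s1, s2))
    return sorted(set(missing))

def fixed_acls(acls, spokes, hub=HUB):
    """Apply the reply's advice: add each missing entry on the router that lacks it."""
    fixed = {router: set(entries) for router, entries in acls.items()}
    for router, entry in spoke_to_spoke_gaps(acls, spokes, hub):
        fixed.setdefault(router, set()).add(entry)
    return fixed

if __name__ == "__main__":
    for router, (src, dst) in spoke_to_spoke_gaps(POSTED_ACLS, [A, B]):
        print(f"{router}: access-list 101 permit ip <{src} subnet> <{dst} subnet>")
```

Run against the posted ACLs it reports exactly one missing line per spoke (spoke A to spoke B's subnet, spoke B to spoke A's subnet), which is the addition the reply asks for; removing a hub entry instead makes the hub show up as the router with the gap.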
