Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN3000 - VPN3002 Hub and Spoke

Dear All,

Does it possible for the following scenario ?

Branch1---VPN3002 ---Internet---VPN3060---Internet---VPN3002---Branch2

Requirement 1: VPN3002 at Branch1 creates a tunnel to VPN3060

Requirement 2: VPN3002 at Branch2 creates a tunnel to VPN3060

Requirement 3: VPN3002 at Branch 1 connects to Branch 2 through VPN3060

Requirement 1 & 2 is possible but how is the possibility of requirement 3 ?

Appreciate for any help

Cisco Employee

Re: VPN3000 - VPN3002 Hub and Spoke


You should be able to define the Network list on the 3060 to be sent down to the Branch 1 3002, which will include the Network for the Branch 2 aswell.

So in this way Branch 1 will send the information through the tunnel to the Corporate for Branch 2 aswell, and do the vice versa for the Split tunnel list for Branch 2 group.

Hope this helps,




New Member

Re: VPN3000 - VPN3002 Hub and Spoke

Thanks Aamir,

Base on your suggestion, please kindly assist for the following questions:

1. Does VPN3060 re-route the packet with a destination address to Branch2 from Branch 1? How VPN3000 recognizes that the packet is not belongs to the network it is responsible for ?

2. If the VPN3000 learns the routes from both of branches through RRI (VPN3002 with Network Extension Mode) , does it still need to define the network list to be sent to both branches ?

3. Another option other than using VPN3002 at branches is using PIX (501 or 506). Does hub&spoke solution also possible with PIX at spoke and VPN3000 at hub , connection between spokes are through hub.

Really appreciate for your help.

Best Regards,


CreatePlease login to create content