Multi Site VPN

lnarbatovics
Level 1

OK, just wondering what is the suggested route to fix my problem.

I am looking to create a network that has one central site and 13 branches which connect to the central site via VPN. Will a PIX route packets from one branch to another branch if all of the VPNs are connected to the central site?

afakhan
Level 4

Hi,

No, PIX won't do that. You need to have a router on the head-end site if you are going to have a hub-&-spoke topology.

Thx

Afaq

Do I need to have a standard router or a VPN router?

Lucas

Any router will support VPNs if you have the right IOS image on it. Whether or not you go for a VPN-specific router probably depends on how much traffic you think you're going to be sending. HW encryption cards do all the encryption in HW rather than on the router CPU, so they free up the router to do other things.

The main thing you'll need to look at is whether you want to do encryption in HW or in SW. There's no exact figure that says if you send more than "x" packets over the tunnels then you need to use HW encryption; it's more a case of estimating the encryption load and making the decision yourself. You can always try it in SW and monitor your CPU util; if it gets high and the encryption process is using most of it, then go for a HW card solution. Probably max out the router with memory also, 'cause this always helps.

In short though, you can use any router for this purpose, just make sure it has the grunt to do what you want it to do.

Would this allow hosts on each spoke to communicate with hosts on another spoke? i.e. Site B is the hub site, Sites A and C are spokes off Site B. Would a host on Site A be able to communicate with a host in Site C? Hope I asked this as clearly as possible.

Thanks

You asked it fairly clearly. Yes, if you have a router at the hub site B terminating IPSec tunnels from remote sites A and C, then the remote sites can communicate with each other.

I am currently working on a project for a customer where we have almost 80 remote sites sending IPSec to a router at the central site (actually it is to redundant routers at the central site for failover capability). It is very important to this customer that the remote sites be able to communicate with each other. This solution of IPSec terminated on a router(s) at the hub is very effectively providing that ability of remote sites to communicate with each other.

HTH

Rick
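
An added illustration of the hub-terminated design described in the reply above, not a configuration posted by anyone in this thread: classic IOS crypto-map syntax for hub Site B and spoke Site A. The LAN subnets (10.1.0.0/16 for A, 10.2.0.0/16 for B, 10.3.0.0/16 for C), the public addresses, the interface names, the map and transform-set names and the placeholder pre-shared keys are all assumptions.

```cisco
! ---- Hub router, Site B (addresses, names and keys are constructed) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK_A address 198.51.100.1
crypto isakmp key PLACEHOLDER_PSK_C address 203.0.113.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Source is all of 10.0.0.0/8, not just the hub LAN, so a packet that
! arrived from Site C and is routed back out toward Site A is re-encrypted.
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 10.3.0.0 0.0.255.255
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address 101
crypto map HUB-MAP 30 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address 103
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map HUB-MAP
!
! ---- Spoke router, Site A (Site C mirrors this with 10.3.0.0/16) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK_A address 192.0.2.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Exact mirror of hub ACL 101: destination covers the hub LAN and every
! other spoke, so traffic for Site C enters the tunnel to the hub.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
crypto map SPOKE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address 101
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SPOKE-MAP
```

Each router also needs a route for the remote 10.x networks pointing out the interface that carries the crypto map, and the crypto ACLs on the two ends of a tunnel must stay exact mirrors of each other or the security associations will not come up.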

Thanks for answering that! We have the same needs as well. Would you happen to have a couple sample configs for each end? I know how to configure VPN on PIX firewalls but have never done so on a router.

If you don't have any samples, I understand.

Thanks again.

jeffrey.chong
Level 1

Cisco PIX 6.x and below software does not support hub and spoke routing.

Only the routing (IPSec) supports this kind of hub and spoke routing between branches.

Heard that PIX version 7.0 should support this, but it is not out yet, so until we see the new software, can't confirm it is supported.
