04-07-2003 01:57 PM - edited 02-20-2020 10:40 PM
Ok, just wondering what is the suggested route to fix my problem.
I am looking to create a network that has one central site and 13 branches which connect to the central site via VPN. Will a PIX route packets from one branch to another branch if all of the VPNs are connected to the central site?
04-07-2003 09:46 PM
Hi,
No, PIX won't do that. You need to have a router on the head-end site if you are going to have a hub-&-spoke topology.
Thx
Afaq
04-08-2003 09:22 AM
Do I need to have a standard router or a VPN router?
Lucas
04-08-2003 06:35 PM
Any router will support VPNs if you have the right IOS image on it. Whether or not you go for a VPN-specific router probably depends on how much traffic you think you're going to be sending. HW encryption cards do all the encryption in HW rather than on the router CPU, so they free up the router to do other things.
The main thing you'll need to look at is whether you want to do encryption in HW or in SW. There's no exact figure that says if you send more than "x" packets over the tunnels then you need to use HW encryption; it's more a case of estimating the encryption load and making the decision yourself. You can always try it in SW and monitor your CPU util; if it gets high and the encryption process is using most of it, then go for a HW card solution. Probably max out the router with memory also, 'cause this always helps.
In short though, you can use any router for this purpose, just make sure it has the grunt to do what you want it to do.
09-03-2004 02:49 PM
Would this allow hosts on each spoke to communicate with hosts on another spoke? i.e. Site B is the hub site, Sites A and C are spokes off Site B. Would a host on Site A be able to communicate with a host in Site C? Hope I asked this as clearly as possible.
Thanks
09-05-2004 09:15 PM
You asked it fairly clearly. Yes, if you have a router at the hub site B terminating IPSec tunnels from remote sites A and C, then the remote sites can communicate with each other.
I am currently working on a project for a customer where we have almost 80 remote sites sending IPSec to a router at the central site (actually it is to redundant routers at the central site for failover capability). It is very important to this customer that the remote sites be able to communicate with each other. This solution of IPSec terminated on a router(s) at the hub is very effectively providing that ability of remote sites to communicate with each other.
HTH
Rick
09-06-2004 07:40 AM
Thanks for answering that! We have the same needs as well. Would you happen to have a couple sample configs for each end? I know how to configure VPN on PIX firewalls but have never done so on a router.
If you don't have any samples, I understand.
Thanks again.
11-15-2004 07:57 PM
Cisco PIX 6.x and below software does not support hub and spoke routing.
Only the routing (IPSec) supports this kind of hub and spoke routing between branches.
Heard that PIX version 7.0 should support this, but it is not out yet, so until we see the new software, can't confirm it is supported.
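Added example, not part of the thread and not any poster's configuration: a minimal IOS crypto-map sketch of the hub-and-spoke layout discussed above, with hub Site B relaying traffic between spokes A and C. All addresses, names (HUB, SPOKE, HUBSPOKE), interface names and key placeholders are constructed, and the algorithm keywords assume an IOS 15.x image with crypto support.

```cisco
! ---- Hub router, Site B (constructed LANs: A=10.1.0.0/24, B=10.2.0.0/24, C=10.3.0.0/24) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One pre-shared key per spoke (placeholders), so one compromised spoke does not expose the others
crypto isakmp key <PSK-SITE-A> address 198.51.100.10
crypto isakmp key <PSK-SITE-C> address 203.0.113.10
crypto ipsec transform-set HUBSPOKE esp-aes 256 esp-sha256-hmac
!
! Tunnel to Site A protects the hub LAN and Site C's LAN
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
! Tunnel to Site C protects the hub LAN and Site A's LAN
access-list 103 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 103 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set HUBSPOKE
 match address 101
crypto map HUB 30 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HUBSPOKE
 match address 103
!
interface FastEthernet0/0
 description Outside
 ip address 192.0.2.1 255.255.255.0
 crypto map HUB
!
! Decrypted A-to-C traffic follows this route back out the outside
! interface, where the crypto map re-encrypts it toward Site C
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
! ---- Spoke router, Site A (same isakmp policy and transform-set as the hub) ----
crypto isakmp key <PSK-SITE-A> address 192.0.2.1
! Exact mirror of hub access-list 101: hub LAN and Site C both go into the one tunnel
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
crypto map SPOKE 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set HUBSPOKE
 match address 101
interface FastEthernet0/0
 crypto map SPOKE
```

Site C mirrors Site A with its own subnet as the source. Each spoke's crypto ACL has to be the exact mirror of the hub's entry for that peer, otherwise the IPSec proxy identities do not match and the spoke-to-spoke security associations never come up.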