24-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding VPN Topologies
Full Mesh VPN Topologies
A full mesh topology works well in a complicated network where all peers need to communicate with
each other. In this topology type, every device in the network communicates with every other device
through a unique IPsec tunnel. All devices have direct peer relationships with one another, preventing a
bottleneck at the VPN gateway device, and saving the overhead of encryption and decryption on the
device.
You can assign only Regular IPsec, IPsec/GRE, and GET VPN technologies to a full mesh VPN
topology.
The following illustration shows a typical full mesh VPN topology.
Figure 24-3 Full Mesh VPN Topology
A full mesh network is reliable and offers redundancy. When the assigned technology is GRE and one
device (or node) can no longer operate, all the rest can still communicate with one another, directly or
through one or more intermediate nodes. With regular IPsec, if one device can no longer operate, a crypto
access control list (ACL) that specifies the protected networks is created per pair of peers.
GET VPN is based on the group trust model. In this model, group members register with a key server.
The key server uses the Group Domain of Interpretation (GDOI) protocol for distributing the security
policy and keys for encrypting traffic between the group members. Because you can configure a primary
key server and secondary key servers that synchronize their policies with the primary one, if the primary
key server becomes unavailable, a secondary key server can take over.
Note When the number of nodes in a full mesh topology increases, scalability may become an issue—the
limiting factor being the number of tunnels that the devices can support at a reasonable CPU utilization.
[Figure 24-3: Site 1, Site 2, Site 3 and Site 4, each pair connected by a secure tunnel across the Internet]
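The following added example (not from the Cisco Security Manager guide) makes the scalability note concrete for a regular IPsec full mesh: it enumerates the unique tunnel per peer pair, counts how many tunnels each device must terminate, and builds the per-pair crypto ACL entries from each site's protected networks. The site names and address ranges are constructed sample data; the ACE text follows Cisco IOS wildcard-mask syntax for illustration and is not what Security Manager itself emits.

```python
from itertools import combinations
from ipaddress import ip_network

# Constructed sample: four sites, each with one or more protected networks.
SITES = {
    "Site 1": ["10.1.0.0/16"],
    "Site 2": ["10.2.0.0/16", "192.168.2.0/24"],
    "Site 3": ["10.3.0.0/16"],
    "Site 4": ["10.4.0.0/16"],
}


def full_mesh_tunnels(sites):
    """One IPsec tunnel per unordered pair of peers: n(n-1)/2 in total."""
    return list(combinations(sorted(sites), 2))


def tunnel_count(n):
    """Closed form for the number of tunnels in an n-node full mesh."""
    return n * (n - 1) // 2


def wildcard(net):
    """Render a CIDR prefix as 'network wildcard', the IOS ACL form."""
    n = ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def crypto_acl(sites, local, remote):
    """ACEs for the crypto ACL on `local` protecting traffic to `remote`.

    Every local protected network is paired with every remote one, so the
    ACL for one peer pair has len(local nets) * len(remote nets) entries.
    """
    return [f"permit ip {wildcard(s)} {wildcard(d)}"
            for s in sites[local] for d in sites[remote]]


def per_device_summary(sites):
    """For each device: peers it must tunnel to and total crypto ACL size."""
    summary = {}
    for local in sites:
        peers = [p for p in sites if p != local]
        acls = {p: crypto_acl(sites, local, p) for p in peers}
        summary[local] = {
            "tunnels": len(peers),               # grows linearly with n
            "aces": sum(len(a) for a in acls.values()),
            "acl": acls,
        }
    return summary


if __name__ == "__main__":
    for n in (4, 10, 50):
        print(f"{n} sites -> {tunnel_count(n)} tunnels, {n - 1} per device")
    for dev, info in per_device_summary(SITES).items():
        print(f"{dev}: {info['tunnels']} tunnels, {info['aces']} ACEs")
```

Total tunnels grow quadratically while each device's own tunnel count grows linearly, which is the CPU-bound limit the note refers to; the ACL size also multiplies with the number of protected networks on both sides of a pair.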