24-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Understanding VPN Topologies
A VPN topology specifies the peers and the networks that are part of the VPN and how they connect to
one another. After you create a VPN topology, the policies that can be applied to your VPN topology
become available for configuration, depending on the assigned IPsec technology.
Security Manager supports three main types of topologies—hub and spoke, point to point, and full mesh,
with which you can create a site-to-site VPN. Not all policies can be applied to all VPN topologies. The
policies that can be applied depend on the IPsec technology that is assigned to the VPN topology. In
addition, the IPsec technology that is assigned to a VPN depends on the topology type. For example, the
DMVPN and Easy VPN technologies can only be applied in a hub-and-spoke topology.
For more information, see Understanding IPsec Technologies and Policies, page 24-5.
The following topics describe:
Hub-and-Spoke VPN Topologies, page 24-2
Point-to-Point VPN Topologies, page 24-3
Full Mesh VPN Topologies, page 24-4
Implicitly Supported Topologies, page 24-5

Hub-and-Spoke VPN Topologies

In a hub-and-spoke VPN topology, multiple remote devices (spokes) communicate securely with a
central device (hub). A separate, secured tunnel extends between the hub and each individual spoke.
The following illustration shows a typical hub-and-spoke VPN topology.
Figure 24-1 Hub-and-Spoke VPN Topology
This topology usually represents an intranet VPN that connects an enterprise’s main office with branch
offices using persistent connections to a third-party network or the Internet. VPNs in a hub-and-spoke
topology provide all employees with full access to the enterprise network, regardless of the size, number,
or location of its remote operations.
[Figure 24-1: a Hub at the Main office with a separate Secure tunnel across the Internet to each Spoke at a Branch office; optional secondary hubs are shown for resilience.]
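The two rules stated above, that each hub-to-spoke pair gets its own secure tunnel and that DMVPN and Easy VPN can only be assigned to a hub-and-spoke topology, as a small Python model. This is an added example, not code from the user guide or from Security Manager itself: the device names are constructed, the point-to-point and full-mesh tunnel enumeration follows the ordinary meaning of those terms rather than anything this page spells out, and any technology other than DMVPN and Easy VPN is assumed to be allowed on every topology type.

```python
from itertools import combinations

# Topology types named in the guide, and the technologies the guide says are
# restricted to hub and spoke. Every other technology/topology pairing is
# treated as allowed here, which is an assumption of this example.
TOPOLOGY_TYPES = ("hub-and-spoke", "point-to-point", "full-mesh")
HUB_AND_SPOKE_ONLY = frozenset({"DMVPN", "Easy VPN"})


def tunnels(topology, hubs=(), spokes=(), peers=()):
    """Return the set of device pairs that each get a separate secure tunnel.

    hub-and-spoke:  one tunnel from every hub to every spoke, so adding a
                    secondary hub for resilience doubles the tunnel count.
    point-to-point: exactly two peers and a single tunnel.
    full-mesh:      every unordered pair of peers, n*(n-1)/2 tunnels.
    """
    if topology == "hub-and-spoke":
        if not hubs or not spokes:
            raise ValueError("hub-and-spoke needs at least one hub and one spoke")
        return {(h, s) for h in hubs for s in spokes}
    if topology == "point-to-point":
        if len(peers) != 2:
            raise ValueError("point-to-point needs exactly two peers")
        return {tuple(sorted(peers))}
    if topology == "full-mesh":
        return set(combinations(sorted(peers), 2))
    raise ValueError(f"unknown topology {topology!r}")


def check_technology(topology, technology):
    """Return True if the IPsec technology may be assigned to the topology.

    Raises ValueError for an unknown topology or for DMVPN / Easy VPN on
    anything other than hub and spoke.
    """
    if topology not in TOPOLOGY_TYPES:
        raise ValueError(f"unknown topology {topology!r}")
    if technology in HUB_AND_SPOKE_ONLY and topology != "hub-and-spoke":
        raise ValueError(
            f"{technology} can only be applied in a hub-and-spoke topology, "
            f"not {topology}")
    return True


def describe(topology, technology, **devices):
    """Validate the technology assignment and summarise the implied tunnels."""
    check_technology(topology, technology)
    implied = tunnels(topology, **devices)
    return {"topology": topology, "technology": technology,
            "tunnel_count": len(implied), "tunnels": sorted(implied)}


if __name__ == "__main__":
    # Constructed sample: main-office hub, a secondary hub for resilience,
    # and three branch-office spokes, as in Figure 24-1.
    print(describe("hub-and-spoke", "DMVPN",
                   hubs=("hub-main", "hub-secondary"),
                   spokes=("branch-1", "branch-2", "branch-3")))
    # "Regular IPsec" is used here only as a label for a technology that is
    # not restricted to hub and spoke; it is not taken from this page.
    print(describe("full-mesh", "Regular IPsec",
                   peers=("site-a", "site-b", "site-c", "site-d")))
    try:
        describe("full-mesh", "Easy VPN", peers=("site-a", "site-b"))
    except ValueError as err:
        print("rejected:", err)
```

Running the module prints six tunnels for the two-hub, three-spoke design (each spoke terminates a tunnel on both hubs), six for the four-site full mesh, and a rejection for Easy VPN on a full mesh; the tunnel counts are a quick way to see why adding a resilient secondary hub or moving from hub and spoke to full mesh changes the number of IPsec policies that have to be configured and monitored.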