Configuring a Gateway-to-Gateway VPN Tunnel Between RV0xx Series Routers
Topology Options
Cisco Small Business RV0xx Series Routers Administration Guide
VPN Hub and Spoke Topology
In a VPN hub-and-spoke topology, multiple VPN routers (spokes) communicate
securely with a central VPN router (hub). A separate, secured tunnel extends
between each individual spoke and the hub.
In the following example, two branch offices (spokes) have site-to-site VPN tunnels
to the main office (hub). The traffic typically is between a remote site and the main
office. Inter-site traffic must pass through the hub first and then out to a spoke.
Figure 1: Hub and Spoke
This topology is a simple way to allow all branch employees to access the main
network. It works well if most traffic is from the remote sites to the main network
and there is little traffic among the sites. Too much inter-site traffic may create
bottlenecks at the hub.
[Figure 1 diagram: Site 1, Site 2 and Site 3 each connect to the Main Office by a VPN tunnel across the Internet.]
VPN Mesh Topology
In a VPN mesh topology, each VPN router can communicate securely with all other
VPN routers. Multiple secured tunnels extend from each site to all other sites.
In the following example, four sites are connected in a VPN mesh topology. Three
VPN tunnels extend from each site, providing secure communications with all
other sites. Data can travel directly between any two sites.
Figure 2: Mesh
This topology requires much more configuration on each router. However, it works
well in a complicated network with data traveling between multiple sites. Because
all devices have direct peer relationships with one another, this design prevents
the bottlenecks that can occur with a hub-and-spoke topology. This design also
ensures that if one site is down, the other sites can continue to exchange data.
NOTE
When the number of nodes in a full mesh topology increases, scalability may
become an issue—the limiting factor being the number of tunnels that the devices
can support at a reasonable CPU utilization.
[Figure 2 diagram: Site 1, Site 2, Site 3 and Site 4, each connected to every other site by a VPN tunnel across the Internet.]
Other Design Considerations
Before you configure your VPN tunnels, consider the following points about your
network setup.
WAN Setup
The WAN setup pertains to the network that your router connects to outside your
office. The first consideration is the type of IP addresses that you received for
your Internet service at your two sites. As when constructing a physical tunnel or
bridge, you need to know where the VPN tunnel is going.
If at least one site has a static IP address: A VPN tunnel easily can be established if at least one of the sites has a static IP address for the WAN connection. A static IP address is a publicly routable Internet address that does not change. In this scenario, establishing a VPN tunnel can be compared to building a bridge between two docks (two sites with static IP addresses), or even setting a gangplank between a dock and an unanchored boat (one site with a static IP address and one with a dynamic IP address).
Figure 3: Gateway To Gateway Tunnel with Static IP Addresses
[Figure 3 diagram: Site A (RV016 router; inside 192.168.1.1/24, outside 209.165.200.226/24) and Site B (RV042 router; outside 209.165.200.236/24, inside 192.168.2.1/24), connected across the Internet; personal computers and a printer at each site.]
If both sites have dynamic IP addresses: A dynamic IP address is a publicly routable IP address that is issued for your use when you connect to your service provider’s network. Dynamic IP addresses may change without warning. In this scenario, establishing a VPN tunnel is like trying to build a bridge between two unanchored boats. However, you can “anchor” one boat, so to speak, by obtaining a Fully Qualified Domain Name (FQDN) and registering at least one site with a Dynamic DNS service. This service tracks your dynamic IP address to ensure that your router is reachable even when the address changes.
As illustrated below, Dynamic DNS service ensures that traffic for the FQDN,
MyBusiness.DynDNS.org, is routed to the dynamic IP address.
Figure 4: Gateway To Gateway Tunnel with a Dynamic IP Address
Free Dynamic DNS accounts are available through many providers.
Examples are listed below.
- http://dyn.com/dyndns
LAN Setup
The LAN setup pertains to the network that your router connects to inside your
office. It should not be necessary to make any changes in your LAN setup, unless
both sites have the same addressing. The two ends of the tunnel cannot be on the
same subnet. For example, if the LAN IP address of the RV0xx router at Site A is
192.168.15.1, Site B must use a different subnet, such as 192.168.75.1.
[Figure 4 diagram: Site A (RV016 router; inside 192.168.1.1, outside 209.165.200.226) and Site B (RV042 router; outside MyBusiness.DynDNS.org, a dynamic IP address; inside 192.168.2.1), connected across the Internet; personal computers and a printer at each site.]
Configuring a VPN Tunnel on a Cisco RV0xx Series Router
This procedure describes the basic tasks in configuring your router. Example entries are provided on page 176.
NOTE
For a hub-and-spoke topology, configure one tunnel between each remote site and the central site. For the scenario illustrated in Figure 1, configure three VPN tunnels on the router at the main site, and configure one VPN tunnel on the router at each remote site.
For a mesh topology, configure multiple tunnels on each router to ensure connectivity between all sites. For the scenario illustrated in Figure 2, configure three VPN tunnels on each router.
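The LAN Setup rule (the two ends of a tunnel cannot be on the same subnet) and the per-router tunnel counts in the note above can be checked on paper before any router is configured. The following Python is an added example, not part of the Cisco guide; the site names, the /24 masks assumed for 192.168.15.1 and 192.168.75.1, and all function and field names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed site plan. LAN addresses reuse the guide's examples; the /24
# masks on 192.168.15.1 and 192.168.75.1 are assumed.
SITES = {
    "Main Office": "192.168.1.1/24",
    "Site 1": "192.168.2.1/24",
    "Site 2": "192.168.15.1/24",
    "Site 3": "192.168.75.1/24",
}

def lan_networks(sites):
    """Map each site to the network that contains its router's LAN address."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in sites.items()}

def overlapping_lans(sites):
    """Return site pairs whose LAN subnets overlap, including a smaller
    subnet nested inside a larger one (for example a /24 inside a /16)."""
    nets = lan_networks(sites)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def tunnel_plan(sites, topology, hub=None):
    """Return {router: [peer, ...]}, one gateway-to-gateway tunnel per peer."""
    names = sorted(sites)
    if topology == "mesh":
        return {n: [p for p in names if p != n] for n in names}
    if topology == "hub-and-spoke":
        if hub not in sites:
            raise ValueError("hub must be one of the sites")
        plan = {n: [hub] for n in names if n != hub}
        plan[hub] = [n for n in names if n != hub]
        return plan
    raise ValueError(f"unknown topology: {topology}")

def group_entries(sites, plan, router):
    """Local/remote subnet pair to enter for each tunnel on one router
    (hypothetical field names, not the utility's labels)."""
    nets = lan_networks(sites)
    return [{"peer": p, "local_subnet": str(nets[router]),
             "remote_subnet": str(nets[p])} for p in plan[router]]

if __name__ == "__main__":
    assert not overlapping_lans(SITES), overlapping_lans(SITES)
    for topology in ("hub-and-spoke", "mesh"):
        plan = tunnel_plan(SITES, topology, hub="Main Office")
        print(topology, {r: len(p) for r, p in plan.items()})
```

A mask mismatch is the case most easily missed by eye: a site numbered 192.168.0.1/16 overlaps every 192.168.x.0/24 site, and `overlapping_lans` reports it.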
STEP 1 Connect a computer to your Cisco RV0xx Series router (called Site A in the examples), and start the web-based configuration utility.
STEP 2 Click VPN > Gateway to Gateway in the navigation tree.
STEP 3 Enter the following information about the tunnel:
- Tunnel Name—Enter a name, for your reference. This name will be used on the VPN > Summary page.
- Interface—Select the appropriate Interface, WAN1 or WAN2.
Note: The Enable check box is unavailable until after you save the configuration.
STEP 4 In the Local Group Setup section, enter the following information about this router (Site A):
- Local Security Gateway Type—Select IP Only. The WAN IP address of the router will be automatically detected and will appear in the IP Address field.
- Local Security Group Type—Select Subnet. Enter the LAN IP Address and the subnet mask.
STEP 5 In the Remote Group Setup section, enter the following information about the router at the other end of the tunnel (Site B):
- Remote Security Gateway Type—Depending on the type of IP address for the Internet connection, choose one of the following options:
  - If the remote gateway (Site B) has a static WAN IP address: Select IP Only. Enter the WAN IP Address of the Site B router.
