Site-to-Site VPN Topologies

You should understand the three site-to-site VPN topologies before planning and creating your VPN configuration.

Peer-to-Peer VPN Topology

A single encrypted VPN gateway between two sites.

Full-Mesh VPN Topology

Every remote site is connected to every other remote site as well as the central site. All remote sites can communicate directly with the central site and with every other remote site without need to route through the central site.

Full-mesh VPNs are extremely reliable, because all the remote sites can still communicate even if the main site goes down. A full-mesh configuration also offers reduced latency for sensitive applications, because each remote site can communicate with the other remote sites directly.

Each device can set up a VPN connection with four other devices, including third-party devices. Any two directly-connected peers can communicate. Any indirectly connected peers cannot communicate.

See Example: Full-Mesh Site-to-Site VPN

Star VPN Topology

Multiple remote sites all connect to a central site. This topology resembles a spoke and hub configuration. All remote sites can communicate directly with the central site; however, for communication from one remote site to another remote site, the IPsec traffic must travel to the central site and then the hub device routes traffic to the destination remote site.

Star topologies support one hub device and four spoke devices, including third-party devices (five total devices). A spoke device can communicate with the hub device directly. A spoke device communicates with other spoke devices indirectly as all IPsec traffic is first sent to the hub device.

See Example: Star Site-to-Site VPN