Partially Meshed, Fully Meshed, Distributed, and Hub-and-Spoke Networks

Partially Meshed, Fully Meshed, Distributed, and Hub-and-Spoke Networks

When overlaying VPNs on any network topology, many factors affect the scalability and performance of the network. Some

of these factors include encrypted versus clear traffic processing, hardware acceleration versus software IPSec, configuration

complexity, high availability, related security features (firewall, IDS, and so on), the number of routing peers and networks

to track, and maintaining QoS. Fully meshed networks quickly run into scalability constraints because every device in theCisco Systems

 

network must communicate with every other device in the network via a unique IPSec tunnel. That is n(n - 1)/2 tunnels for

a 50-node network, or 1225 tunnels! The configuration complexity is immense, and at some point growing the size of the

mesh will not be possible. Keeping state for that many tunnels also has performance implications. Partially meshed networks

scale better than fully meshed because inter-spoke connections are established only as needed. Similar to devices in fully

meshed networks, the limiting factor in this topology is the number of tunnels that the devices can support at a reasonable

CPU utilization. Both of these networks could use a dynamic tunnel endpoint discovery mechanism to simplify the

configuration and increase scalability. However, as documented in the caveats section, these networks are not covered in this

document.

Hub-and-spoke networks scale better because the headend hub site can expand to meet growing spoke capacity

requirements. Low-horsepower spokes that need connectivity to other remote sites will be able to connect via the hub site.

However, all traffic flows through the hub site, and this setup requires significant bandwidth because it includes all

spoke-to-spoke traffic as well as spoke-to-hub traffic. Not all headend VPN devices support spoke-to-spoke

intercommunication. Split tunneling may be required at remote sites, depending on the type of device chosen at the headend.

For instance, the model for firewalls is to enable split tunneling at all sites, thus eliminating the need for the hub firewall to

process spoke-to-spoke traffic. If there are regional or other requirements for traffic routing where most traffic does not

require access to networks via the hub site, consider a distribution layer to lower the bandwidth requirements at the headend

and thus increase the scalability of the network