Configuring hub-and-spoke with VPN for data and VoIP control backup
This section describes how to configure hub-and-spoke with VPN for data and VoIP control
backup, followed by a detailed configuration example.
To configure hub-and-spoke with VPN for data and VoIP control backup:
1. Configure the Branch Office as follows:
   ● The default gateway is the Internet interface.
   ● VPN policy is configured on the Internet interface egress as follows:
     Traffic from the local GRE tunnel endpoint to the remote GRE tunnel endpoint -> encrypt, using IPSec tunnel mode, with the remote peer being the Main Office.
   ● An access control list (ACL) is configured on the Internet interface to allow only the VPN tunnel and ICMP traffic, as follows:
     Note: For information about using access control lists, see the chapter Configuring policy on page 441.
     Ingress:
     1. IKE (UDP/500) from remote tunnel endpoint to local tunnel endpoint -> Permit
     2. ESP/AH from remote tunnel endpoint to local tunnel endpoint -> Permit
     3. Remote GRE tunnel endpoint to local GRE tunnel endpoint -> Permit
     4. Allowed ICMP from any IP address to local tunnel endpoint -> Permit
     5. Default -> Deny
     Egress:
     1. IKE (UDP/500) from local tunnel endpoint to remote tunnel endpoint -> Permit
     2. Local GRE tunnel endpoint to remote GRE tunnel endpoint -> Permit
     3. All allowed services from any local subnet to any IP address -> Permit
     4. Allowed ICMP from local tunnel endpoint to any IP address -> Permit
     5. Default -> Deny
   ● Policy Based Routing (PBR) is configured as follows, on VoIP VLAN and loopback interfaces:
     Note: For information about Policy-Based Routing, see the chapter Configuring policy-based routing on page 465.
     ● Destination IP = local subnets -> Route: DBR
     ● DSCP = bearer -> Route: WAN
     ● DSCP = control -> Route: 1. WAN 2. DBR
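The branch-office ACL rule tables above, modelled as a first-match evaluator so the permit/deny outcome for a given packet can be checked before the policy goes onto the gateway. This is an added example written for this page, not code from the Avaya guide or the gateway's CLI; the tunnel endpoint addresses, the local subnets, the "allowed services" set and the "allowed ICMP" types are constructed assumptions, since the page leaves those as "allowed".

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not taken from the guide).
LOCAL_TUNNEL = "203.0.113.10"   # branch tunnel endpoint on the Internet interface
REMOTE_TUNNEL = "198.51.100.1"  # Main Office tunnel endpoint
LOCAL_SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")]
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # assumed "allowed services"
ALLOWED_ICMP = {"echo-request", "echo-reply", "unreachable"}  # assumed "allowed ICMP"

def is_local_subnet(ip):
    return any(ip_address(ip) in net for net in LOCAL_SUBNETS)

def between(p, src, dst):
    return p["src"] == src and p["dst"] == dst

# One entry per rule on the page: (description, match predicate, action).
# Rules are tried in order and the first match wins; the page's explicit
# "Default -> Deny" is what evaluate() returns when nothing matches.
INGRESS = [
    ("IKE remote->local", lambda p: p["proto"] == "udp" and p["dport"] == 500
     and between(p, REMOTE_TUNNEL, LOCAL_TUNNEL), "permit"),
    ("ESP/AH remote->local", lambda p: p["proto"] in ("esp", "ah")
     and between(p, REMOTE_TUNNEL, LOCAL_TUNNEL), "permit"),
    ("GRE remote->local", lambda p: p["proto"] == "gre"
     and between(p, REMOTE_TUNNEL, LOCAL_TUNNEL), "permit"),
    ("allowed ICMP any->local", lambda p: p["proto"] == "icmp"
     and p["icmp"] in ALLOWED_ICMP and p["dst"] == LOCAL_TUNNEL, "permit"),
]
EGRESS = [
    ("IKE local->remote", lambda p: p["proto"] == "udp" and p["dport"] == 500
     and between(p, LOCAL_TUNNEL, REMOTE_TUNNEL), "permit"),
    ("GRE local->remote", lambda p: p["proto"] == "gre"
     and between(p, LOCAL_TUNNEL, REMOTE_TUNNEL), "permit"),
    ("allowed services local subnets->any", lambda p: (p["proto"], p["dport"])
     in ALLOWED_SERVICES and is_local_subnet(p["src"]), "permit"),
    ("allowed ICMP local->any", lambda p: p["proto"] == "icmp"
     and p["icmp"] in ALLOWED_ICMP and p["src"] == LOCAL_TUNNEL, "permit"),
]

def evaluate(acl, packet):
    """Return (action, rule description); unmatched traffic hits the default deny."""
    for desc, match, action in acl:
        if match(packet):
            return action, desc
    return "deny", "default"

def pkt(src, dst, proto, dport=None, icmp=None):
    """Build a constructed packet summary in the shape the predicates expect."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "icmp": icmp}
```

Running GRE or IKE from any address other than the Main Office endpoint through INGRESS shows the default deny doing its job: only the peer's tunnel, ESP/AH and the allowed ICMP types get through.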
Typical installations
Issue 1.1 June 2005