I want some opinions on this. I have a customer who has multiple remote sites that connect to a central site for Active Directory. The remote sites do not need to have connectivity to each other nor does the customer want them to have connectivity to each other. Given these circumstances, should I configure a hub and spoke topology or just do a site to site tunnel between each remote site and the hub? If I configure a hub and spoke topology, should I just create policies that Deny the spokes from speaking to each other?
If all locations need to get to the AD at the main location, you have to have at least one S2S VPN from each location to the main location. Then the main location would become the hub. So no difference between multiple S2Ses and Hub and Spoke.
Until you create policy between multiple S2Ses at the main location, nothing would connect between them.
Toshi
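To make Toshi's point concrete, here is an added hub-side FortiGate policy set (an illustration, not configuration from the thread or from Fortinet): each spoke gets an accept policy only toward the hub's AD subnet, no accept policy exists between the spoke tunnel interfaces, and an explicit deny with logging makes any spoke-to-spoke attempt visible in the traffic log. Interface, address object and policy names are assumed placeholders.

```fortios
# Added example, not from the thread. Hub FortiGate policies for two spokes
# that may only reach the hub AD subnet. Tunnel interfaces (vpn-spokeA,
# vpn-spokeB), the LAN interface (internal) and the address objects
# (SpokeA-LAN, SpokeB-LAN, HQ-AD-Servers) are assumed to exist already.
config firewall policy
    # Spoke A -> hub AD subnet only (narrow "ALL" to the AD ports in production)
    edit 10
        set name "SpokeA-to-AD"
        set srcintf "vpn-spokeA"
        set dstintf "internal"
        set srcaddr "SpokeA-LAN"
        set dstaddr "HQ-AD-Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Spoke B -> hub AD subnet only
    edit 11
        set name "SpokeB-to-AD"
        set srcintf "vpn-spokeB"
        set dstintf "internal"
        set srcaddr "SpokeB-LAN"
        set dstaddr "HQ-AD-Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # No accept policy between tunnel interfaces, so the implicit deny already
    # blocks spoke-to-spoke; an explicit deny with logging makes attempts visible.
    edit 20
        set name "Deny-Spoke-to-Spoke"
        set srcintf "vpn-spokeA" "vpn-spokeB"
        set dstintf "vpn-spokeA" "vpn-spokeB"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Return traffic for sessions the spokes open is handled by the stateful session, so no reverse policy is needed for client-initiated AD traffic; add one only if a hub host must initiate connections into a spoke.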
Never, ever switch over WAN circuitry. If you are still thinking about it, then go for point-to-point (hub & spoke). Under the hood, for point-to-multipoint, ISPs provide you VPLS or EVPN, and these cannot perform IGMP snooping if you use VLAN tags inside, because they have no knowledge of the inner VLANs. ISP guy here with a horror story: I had a big enterprise asking me to shut down all of their multipoint connections and re-enable them one by one because of a routing protocol storm on every endpoint after they rebooted a bigger site's CPE. So go with a fully routed network over the WAN. You can still stretch Layer 2 yourself over VXLAN or VPLS over GRE if you want, but once again, don't. Keep Layer 2 as small as you can to have a good sleep at night.
Copyright 2024 Fortinet, Inc. All Rights Reserved.