Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Hub and Spoke topology

djhurt1djhurt1 Newbie ✭
edited June 2021 in High End Firewalls

I'd never heard of Hub and spoke before but from reading it looks like it would fit our needs quite well for a VPN to our remote sites. We have a "headquarters" and 3 remote sites, a fourth in the near future. Our hub would be our NSA 5600. The spokes are TZ570s. Remote sites are a dozen or less PCs/devices so much smaller than headquarters. Can the NSA 5600 handle this load and potentially a 5th and 6th site down the road? I'm sure we'll have replaced the NSA 5600 by that point but never the less wanted to ask.

For efficiency ideally I'd want all WAN traffic not destined for VPN to use the local gateway. With the added routing + VPN, will the TZ570s be able to handle that load as well?

The 570s were purchased by the powers that be above myself so I'm playing catch up to find out if they will handle what we're trying to do.

Another thought is having access consistent among all sites. Outside of exporting the entire config. of the main firewall, is there a better way to export just access rules, content filter objects etc.?

Comments?

Category: High End Firewalls
Reply

Best Answers

  • CORRECT ANSWER
    TKWITSTKWITS Community Legend ✭✭✭✭✭
    edited June 2021 Answer ✓

    Without knowing the footprint (# of PCs, servers, etc.) of your headquarters, we can't make a true judgement call, but a NSA 5600 can more than handle the connections from the spoke sites. Will your ISP line bandwidth be able to handle the additional traffic? Do you have statistics on current usage?

    The TZ570's can more than handle a dozen PCs and the connectivity you are looking for.

    AFAIK, you cannot export / import individual pieces of a config (address objects, access rules, etc.). I cannot recommend exporting / importing configs between different series or models (even if sonicwall says you can). If you run into something weird support will just ask you to reset to factory and recreate the config manually anyways.

  • CORRECT ANSWER
    SaravananSaravanan Moderator
    Answer ✓

    Hi @DJHURT1,

    Thank you for visiting SonicWall Community.

    NSA 5600 should be able to handle up to 6 spokes solidly provided sufficient bandwidth on the HUB and Spokes are in place. The performance also depends upon amount of load via the HUB and Spokes sites respectively. The NSA 5600 can definitely meet this requirement. The spokes 570's too as they are powerful and can support more than a dozen devices behind them.

    There are options to export access rules in CSV format for audit purpose. Importing of access rules alone is not yet supported. Settings import is the only option to migrate and it contains all configuration.

    Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Answers

  • djhurt1djhurt1 Newbie ✭

    I haven't done the setup yet and I'm quite ignorant on the hub and spoke part. When setting this up, I assume we're choosing Tunneling interface? Also, on the proposals tab, if I choose Ikev2, will that support DHCP for the clients on the spoke subnets back to our internal DHCP server(behind the hub firewall)?

  • SaravananSaravanan Moderator

    Hi @DJHURT1,

    For a Hub and Spoke scenario, you could choose the Policy Type either to be a Site to Site VPN or Tunnel Interface. When the setup is simple and you wont add subnetworks into this VPN policy in future, I would suggest you to use Site to Site. Else if there is a requirement of adding more networks in future to the same VPN policy, proceed with the Tunnel Interface. This is the major difference between these two. Actually, our need is what differentiates the usage of these two policy types in SonicWall for VPN.

    Coming to the second part of your question, if you are planning to make the clients on the spoke to get IP address from the HUB SonicWall, you would be doing a DHCP over VPN policy instead Hub and Spoke. Hub and Spoke is where you mention the subnetworks directly on the VPN policy.

    Let me share the KB article for both the scenarios of Hub and Spoke, DHCP over VPN. Please take a look and feel free to let me know for any questions.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • djhurt1djhurt1 Newbie ✭

    @Saravanan


    I'm confused by your statement "Coming to the second part of your question, if you are planning to make the clients on the spoke to get IP address from the HUB SonicWall, you would be doing a DHCP over VPN policy instead Hub and Spoke."

    Why would getting an address lease from the hub firewall dictate I have to do DHCP over VPN policy instead of Hub and Spoke?


    Ideally we'd user an Ip helper and get Ip address from our internal DHCP server that sits behind our hub firewall. Hopefully that's possible?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    edited July 2021

    It doesn't. Hub and spoke is a concept, not a technology. I think he misunderstood your question and assumed you don't have a dedicated DHCP server.

    You can use IP Helper policies to have DHCP clients obtain an address from your internal DHCP server that is at your main location.

    With regards to your July 1st post, your VPN tunnel type is up to you. Whichever fits your needs. If you have a simple network (which it seems like you do) you can just go with site to site. Using IKEv2 proposals in a VPN config will not prevent you from using IP Helpder policies for DHCP.

  • SaravananSaravanan Moderator
    edited July 2021

    Hi @DJHURT1,

    I see that you have a local DHCP server. In my previous comment, I have mentioned that "if you are planning to make the clients on the spoke to get IP address from the HUB SonicWall", so I missed noticing that you have a local DHCP server. In this case, yes you can do a IP Helper with Hub and Spoke scenario. Please let me know for any confusions or clarifications.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    AFAIK, you cannot export / import individual pieces of a config (address objects, access rules, etc.

    You absolutely can do this with the CLI. I use this semi-regularly to create the same address objects on multiple firewalls. It's also handy when making major changes to have a copy of the config I can paste back in if my changes don't work out.

  • djhurt1djhurt1 Newbie ✭

    With site to site VPN, what caveats will I run into with a couple sonicwaves at the remote site regarding Ip addressing and routing?

  • SaravananSaravanan Moderator

    Hi @DJHURT1,

    If it is just a site to site VPN between the offices with no DHCP over VPN imposed, then there is should be no effect on SonicWaves unless you make them to communicate over the Site to Site VPN tunnel. The impact is only on the communication part.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • djhurt1djhurt1 Newbie ✭

    There will be a switch behind the remote firewall naturally. Management would like the switch to be on a "management" Ip which is a subnet that already exists on the primary firewall. For example, 10.24.0.1 is the management subnet at the primary site that all other switches are on. The switch at the remote site needs to be on that same subnet however everything else will be on a 10.24.12.0/24 at the remote site. Is it possible to pass a single host Ip through the VPN along with the entire 10.24.12.0/24 network?

Sign In or Register to comment.