In hub-and-spoke, all offices will have one VPN tunnel to your HQ's VPN gateway. Use this topology if most offices...
need to communicate only with HQ and rarely/never with each other, or if you'd like to centralize all traffic control and monitoring at your HQ.
In full-mesh, every office will have one VPN tunnel to every other office and HQ. Use this topology if offices need to communicate with each other frequently, at high volume, or if you don't want inter-office communication to depend on HQ availability.
For each topology, you'll need to deploy a VPN gateway at every office and at your HQ. Start by looking at VPN options associated with whatever DSL router/firewall you already have at each location. It's very possible that existing routers/firewalls can be used as IPsec VPN gateways. Consult product documentation to determine available VPN features and options.
If your offices use a mixture of router/firewall products, you'll need to ensure that all seven support a common subset of VPN protocols and security options. That can be a bit harder, but not impossible -- again, consult your vendor for FAQs or tech support notes that provide instructions on how to pair with other vendor VPN gateways.
If you are unable to use your existing DSL routers/firewalls as VPN gateways, you may want to purchase new security appliances to be installed between each DSL router and office network. Security appliances are sold in many sizes and prices, so you'll need to consider how much traffic you'll be sending between offices. In particular, you may want a new security appliance for your HQ if you use hub-and-spoke VPN topology, since that "hub" becomes a potential bottleneck and must perform well, with sufficient availability.
Although it is old now, you might find it useful to read this VPN RFP series that I wrote for ISP-Planet. That RFP illustrates site-to-site VPN configurations similar to the one that you are trying to create, and discusses requirements you should consider. The RFP is written from the point of view of an ISP offering managed VPN services. In fact, purchasing site-to-site VPN services is another option you may want to consider. For recent examples of managed VPN services and features, see this annual MSSP survey that I conducted in December 2004.
Dig Deeper on Branch office network design
Related Q&A from Lisa Phifer
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading
Is there a difference between a wireless access point vs. a router? Yes -- while the two wireless devices are related, they meet different needs in a... Continue Reading
Learn the differences between site-to-site VPNs vs. remote-access VPNs and find out about the protocols, benefits and the data security methods used ... Continue Reading