The following topics are key to understanding the Router MC.
Hub-and-spoke Topology
In a hub-and-spoke VPN topology, multiple remote devices, or spokes, communicate securely with a central device, or hub. A separate, secured tunnel extends between the central hub and each individual spoke.
VPN Settings and Policies
In the Router MC, VPN configurations are divided into the items listed in Figure.
Device Hierarchy and Inheritance
The Router MC provides a default two-level device hierarchy in which all devices are contained within a global group. The Router MC also lets administrators create device groups, which makes management of a large number of devices easier, because VPN configurations can be defined on multiple devices simultaneously.
Policy inheritance in the device hierarchy is implemented in a top-down fashion. The global group is the highest-level object.
All devices in the device inventory inherit VPN configurations defined at the global level. VPN configurations defined on a device group apply to that group and to the devices contained within it, and override any configurations those devices would otherwise inherit from the global group. VPN configurations defined on an individual device apply to that device only, and override any configurations inherited from higher-level objects in the hierarchy. The effective configuration of a device is therefore the global settings, overlaid by its group's settings, overlaid by its own.
Activities
An activity is a temporary context within which VPN configuration changes are made to specific objects: the global group, device groups, or devices. The activity must be approved before its configuration changes are committed to the Router MC database, at which point they are ready for deployment to the relevant devices or to files. Before making any configuration changes, administrators must create a new activity or open an existing one. An activity can be opened by only one person at a time, but can be accessed by several people in sequence: until the activity is approved, another user can open it and make further configuration changes to the selected objects.
Jobs
A job is a deployment task in which administrators specify the devices to which VPN configurations should be deployed. The Router MC generates the CLI commands for the devices specified in the job, based on the defined VPN policies. These commands can be previewed before deployment takes place. Within the context of the job, administrators can specify whether to deploy the commands directly to the devices in the network or to a file.
Building Blocks
Building blocks in the Router MC refer to network groups and
transform sets. Building blocks are reusable, named, global components that can
be referenced by multiple policies. When referenced, a building block is
incorporated as an integral component of the policy. If a change is made to the
definition of a building block, this change is reflected in all policies that
reference that building block. Building blocks aid in policy definition by
eliminating the need to define that component each time a policy is defined.
For example, although transform sets are integral to tunnel policies, administrators can define several transform sets independently of the tunnel policy definitions. These transform sets are then available for selection when creating tunnel policies on the object on which they were defined and on any of its descendants; they are not visible to objects higher in the hierarchy or in other branches.
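The two mechanisms described above, top-down inheritance with override (Device Hierarchy and Inheritance) and by-name references to building blocks that are visible on the defining object and its descendants (Building Blocks), can be modelled in a few dozen lines. The following is an added example written for this page; it is not Router MC code and does not reproduce its data model. The object names (Global, Branches, rtr-01, rtr-02), the settings, the transform sets, and the `preview_cli` renderer are constructed assumptions; the rendered line follows the general IOS form `crypto ipsec transform-set NAME T1 [T2 [T3]]` only as an illustration of what a job preview shows.

```python
"""Toy model of Router MC-style policy inheritance and building blocks.

Illustrative code written for this page, not Router MC code. All names,
settings and transform sets below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TransformSet:
    """Building block: a named, reusable IPsec transform set."""
    name: str
    transforms: list[str]


@dataclass
class Node:
    """One object in the hierarchy: the global group, a device group, or a device."""
    name: str
    parent: Optional["Node"] = None
    # VPN settings defined directly on this object (setting name -> value).
    settings: dict[str, object] = field(default_factory=dict)
    # Building blocks defined on this object; visible here and on descendants.
    transform_sets: dict[str, TransformSet] = field(default_factory=dict)

    def ancestry(self) -> list["Node"]:
        """Path from the global group (first) down to this object (last)."""
        chain: list[Node] = []
        node: Optional[Node] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        return list(reversed(chain))

    def effective_settings(self) -> dict[str, object]:
        """Top-down inheritance: each lower level overrides what it inherited."""
        merged: dict[str, object] = {}
        for node in self.ancestry():
            merged.update(node.settings)
        return merged

    def available_transform_sets(self) -> dict[str, TransformSet]:
        """Blocks selectable here: those defined on this object or any ancestor."""
        available: dict[str, TransformSet] = {}
        for node in self.ancestry():
            available.update(node.transform_sets)
        return available

    def resolve_transform_set(self) -> TransformSet:
        """Follow the tunnel policy's by-name reference to the building block.

        Because the policy holds a name rather than a copy, editing the block's
        definition is reflected in every policy that references it.
        """
        ref = self.effective_settings()["transform_set"]
        available = self.available_transform_sets()
        if ref not in available:
            raise LookupError(
                f"{self.name}: transform set {ref!r} is not defined on this "
                f"object or any of its ancestors")
        return available[ref]


def preview_cli(device: Node) -> list[str]:
    """Job preview: render the device's resolved transform set as one IOS-style line.

    Assumed, simplified rendering for illustration only (not Router MC output).
    """
    ts = device.resolve_transform_set()
    return [f"crypto ipsec transform-set {ts.name} {' '.join(ts.transforms)}"]


def build_sample_hierarchy() -> tuple[Node, Node, Node, Node]:
    """Constructed sample data: Global -> Branches -> {rtr-01, rtr-02}."""
    global_group = Node(
        "Global",
        settings={"ike_lifetime": 86400, "transform_set": "STRONG"},
        transform_sets={"STRONG": TransformSet("STRONG", ["esp-aes 256", "esp-sha-hmac"])},
    )
    # Group-level value overrides Global for the group and every device in it.
    branches = Node("Branches", parent=global_group, settings={"ike_lifetime": 3600})
    rtr01 = Node("rtr-01", parent=branches)
    # Device-level block and reference: visible to rtr-02 only, overrides Global.
    rtr02 = Node(
        "rtr-02",
        parent=branches,
        settings={"transform_set": "LEGACY"},
        transform_sets={"LEGACY": TransformSet("LEGACY", ["esp-3des", "esp-md5-hmac"])},
    )
    return global_group, branches, rtr01, rtr02


if __name__ == "__main__":
    g, br, r1, r2 = build_sample_hierarchy()
    for dev in (r1, r2):
        print(dev.name, dev.effective_settings(), preview_cli(dev))
```

Two points the model makes visible: a device-level reference to a weaker transform set (here `LEGACY` on rtr-02) silently wins over the global choice, which is exactly what the job's command preview exists to catch before deployment; and a block defined on one device is not selectable on a sibling (rtr-01 cannot reference `LEGACY`), so a policy that names it there fails to resolve rather than falling back to something else.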