The branch offices establish network relationships with the switching nodes and with the main office, and the appropriate rules must allow these relationships. Either every conceivable network relationship is stored individually, or the networks are defined such that all required network relationships can be allowed with a single rule. The latter is possible if, for example, the IP addresses in the networks have the following structure:
- Central network 10.1.1.0/255.255.255.0
- Switching nodes 10.x.1.0/255.255.255.0
- Branch offices 10.x.y.0/255.255.255.0
Using the following VPN rule in the VPN gateways at the main office permits all required network relationships, i.e. all remote sites from the 10.x... range of addresses can establish connections to all gateways:
- Source 10.0.0.0/255.0.0.0
- Destination 10.0.0.0/255.0.0.0
Because branch offices communicate with the main office via the intermediate level of the switching nodes, corresponding VPN rules must also be created in the switching nodes. If communication with other sub-nodes and branch offices is also to be made possible, all of the required network relationships are permitted with the following VPN rule in the switching nodes:
- Source 10.x.0.0/255.255.0.0
- Destination 10.0.0.0/255.0.0.0
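The following Python script is an added example, not part of the original documentation or of any vendor's product, that models the address plan and the two aggregate VPN rules described above and checks which network relationships they cover. The concrete values for x and y (switching nodes 2 and 3, branches 10.2.5.0/24 and 10.3.7.0/24) are constructed sample values, as are the rule representation and the function names; a real VPN gateway applies its own rule semantics. The script also checks that the sample plan contains no overlapping networks, which catches the case where a branch is numbered y = 1 and would collide with its switching node's 10.x.1.0/24 network.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
Rule = Tuple[IPv4Net, IPv4Net]  # (source network, destination network)

# Address plan from the text; x and y are filled with sample values below.
CENTRAL_NET = ipaddress.ip_network("10.1.1.0/24")


def switching_node_net(x: int) -> IPv4Net:
    """Network of switching node x: 10.x.1.0/24."""
    return ipaddress.ip_network(f"10.{x}.1.0/24")


def branch_net(x: int, y: int) -> IPv4Net:
    """Network of branch office y behind switching node x: 10.x.y.0/24."""
    return ipaddress.ip_network(f"10.{x}.{y}.0/24")


# Single VPN rule in the main-office gateways: source 10/8 -> destination 10/8.
MAIN_OFFICE_RULES: List[Rule] = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")),
]


def switching_node_rules(x: int) -> List[Rule]:
    """Single VPN rule in switching node x: source 10.x/16 -> destination 10/8."""
    return [(ipaddress.ip_network(f"10.{x}.0.0/16"),
             ipaddress.ip_network("10.0.0.0/8"))]


def permits(rules: List[Rule], src: IPv4Net, dst: IPv4Net) -> bool:
    """True if some rule's source covers src and its destination covers dst."""
    return any(src.subnet_of(rule_src) and dst.subnet_of(rule_dst)
               for rule_src, rule_dst in rules)


def overlapping_pairs(nets: List[IPv4Net]) -> List[Tuple[IPv4Net, IPv4Net]]:
    """Return every pair of networks in the plan that overlap (should be empty)."""
    return [(a, b) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


# Constructed sample plan: two switching nodes, one branch behind each.
SAMPLE_PLAN: List[IPv4Net] = [
    CENTRAL_NET,
    switching_node_net(2), branch_net(2, 5),
    switching_node_net(3), branch_net(3, 7),
]

if __name__ == "__main__":
    print("plan overlaps:", overlapping_pairs(SAMPLE_PLAN))
    print("main office, branch 2.5 -> central:",
          permits(MAIN_OFFICE_RULES, branch_net(2, 5), CENTRAL_NET))
    print("node 2, branch 2.5 -> central:",
          permits(switching_node_rules(2), branch_net(2, 5), CENTRAL_NET))
    print("node 2, branch 3.7 -> central (foreign source):",
          permits(switching_node_rules(2), branch_net(3, 7), CENTRAL_NET))
    print("node 2, branch 2.5 -> branch 3.7:",
          permits(switching_node_rules(2), branch_net(2, 5), branch_net(3, 7)))
    print("y = 1 collides with its switching node:",
          overlapping_pairs([switching_node_net(2), branch_net(2, 1)]))
```

The checks make the scope of each aggregate rule visible: the main-office rule admits every relationship inside 10.0.0.0/8, including branch-to-branch traffic, while a switching node's rule only admits relationships whose source lies in its own 10.x.0.0/16, so traffic from networks of a different node is not covered there. Running `overlapping_pairs` over the full plan before deploying the rules is a cheap way to confirm that the 10.x.1.0/24 and 10.x.y.0/24 conventions have been followed consistently.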