like to know if anyone can point me in the right direction. I'm looking for a document that will describe how to set up a hub-and-spoke VPN and use ACLs to control what is allowed vs. what isn't allowed. Also, I would like to know whether it is better in a hub-and-spoke configuration to apply the ACL on the hub router or just the spokes. What I want to restrict is the spoke routers sending port 80 requests to the hub router. If I place the ACL on the outgoing interface of the spoke router, will this require a split tunnel, or will the HTTP request just go out to the internet? I'm thinking that if I put an ACL statement on the hub router to deny port 80 from the 4 spoke routers, this would suffice. Do I also need to add an ACL to this effect on each spoke router? The only packets I want traveling over the VPN are the spokes' mail and remote access; am I to assume that DNS requests should travel over the VPN also? Hopefully this will give a good idea of what I'm attempting to do.