Network routing and VPN for a few offices

Aug 15th, 2008

Alright, I've got another network that I need to “fix”. It's a little bit more than I am used to, so I could use some input.


I am designing an office network that will be connecting up to 10 offices. Lucky for me, the starting point will be a new office with no employees, so I get to start from scratch. Here's the plan:


All offices will be running their own DCs, DHCP, IIS, etc. and will have a max of 3 servers in each location. I will have a Catalyst 2960 and a 2600 router in each office. A few of the offices will have a 3821 or 2800 router in addition to the 2600. The remaining offices will have some sort of Netgear VPN router. I'd like to run EIGRP throughout the network, but I'm not sure how well it will work. I understand that the POS Netgear VPN routers will be out of the loop, but the other offices using the 2900 should be fine.


Each office will be on its own subnet and all offices will have VPN connections to all others. As you can probably see, my frustration is going to be routing, hence the want for EIGRP (or any other, just my personal preference). So can you tell I'm only just starting with Cisco? Gotta say, Cisco is far more interesting than working with Microsoft.


Here is an example of one of the offices. They all look about the same.



So what's your suggestion?




Giuseppe Larosa Fri, 08/15/2008 - 09:37

Hello William,

A good solution would be DMVPN (Dynamic Multipoint VPN), which allows you to run EIGRP over special multipoint GRE tunnels protected by IPsec.

It allows creation of dynamic spoke to spoke tunnels.

But it isn't so easy to configure.




So as a starting point you can think of:


Use two routers at the hub (central) office.


The internal router will have 10 GRE tunnels, each terminating at the remote-side router.


The public Internet-facing router will have 10 IPsec tunnels going to the remote ends.


The remote ends will have both a GRE tunnel and an IPsec tunnel configured.

Over the GRE tunnel you will run EIGRP.

This is needed because IPsec is good at carrying unicast IP traffic, so the GRE tunnel is what makes it possible to support EIGRP.


We do so for some remote sites for our customer.


You need to see if you have MTU problem or not and several other aspects.


As a starting point, look at how to make Internet access with NAT coexist with an IPsec VPN connection:


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml




Hope to help

Giuseppe





willsadventures Fri, 08/15/2008 - 10:16

WOW! Not going to be easy! LOL. Am I correct in thinking that EIGRP over a public address with VPN is not a good idea? Any other idea that would be easier for, say, someone who just got their CCNA?

tdrais Fri, 08/15/2008 - 10:44

It all depends on how your traffic flows. You could configure tunnels only to one main site and then only put in the tunnels between the other sites that pass significant traffic. The sites that did not talk to each other much would have to pass via the main site.


This is in effect what DMVPN does. All the traffic will pass through the main site until DMVPN has completed bringing up a direct connection between the 2 remote sites.


If you really have any to any for 10 sites it will take you less time to figure out DMVPN than to build all those tunnels on all those routers.

Giuseppe Larosa Fri, 08/15/2008 - 12:01

Hello William,

The reason to avoid running EIGRP on public IP addresses is not a security question.

IPsec works well with unicast traffic and uses ACLs to define, on both sides, what has to be encrypted and, with source and destination reversed, what to expect to receive encrypted.

The GRE tunnel provides you with a virtual LAN on which to run EIGRP, which uses multicast hellos. From IPsec's point of view, it sees GRE packets with a given source and a given destination, and this makes it happy.

Another basic reason is that EIGRP can build an adjacency only if the IP addresses are in the same subnet, so it is not possible to use EIGRP between public addresses that span the Internet.

A GRE tunnel provides this logical common subnet that makes EIGRP happy.


However, as Tim suggests, if you really need any-to-any connectivity you can go to DMVPN, because otherwise building a full mesh of point-to-point GRE tunnels inside IPsec is really time consuming: they are 10*9/2 = 45!


My suggestion is to start with point-to-point to gain confidence in a lab setup.


Actually there is a newer feature called GET = Group Encrypted Transport but I don't know it, and could be unsupported on your routers.



Hope to help

Giuseppe
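The two points Giuseppe makes above (an IPsec crypto ACL only selects unicast flows, so an EIGRP multicast hello has to ride inside a unicast GRE packet; and EIGRP only forms an adjacency with a neighbor in the same subnet, which the tunnel /30 provides) can be checked with a small packet model. The following is an added example, not code from the thread or from Cisco: it builds a simplified EIGRP hello, wraps it in GRE/IPv4, and runs both packets against a crypto ACL equivalent to `permit gre host <hub> host <spoke>`. The hub and spoke public addresses (documentation ranges), the tunnel addressing 10.255.0.0/30 and the hello payload are all constructed assumptions.

```python
"""Model of why EIGRP needs a GRE tunnel inside IPsec (added example, not from the thread)."""
import ipaddress
import struct

PROTO_GRE = 47                    # IP protocol number for GRE
PROTO_EIGRP = 88                  # IP protocol number for EIGRP
EIGRP_HELLO_DST = "224.0.0.10"    # EIGRP multicast hello address

# Constructed addresses (documentation ranges); tunnel /30 is an assumption.
HUB_PUBLIC = "203.0.113.1"
SPOKE_PUBLIC = "198.51.100.7"
HUB_TUNNEL = "10.255.0.1/30"
SPOKE_TUNNEL = "10.255.0.2/30"


def _checksum(data: bytes) -> int:
    """Standard one's-complement sum of 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options) with a valid checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    if _checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def eigrp_hello(src: str) -> bytes:
    """Constructed, simplified EIGRP hello: 20-byte EIGRP header, opcode 5, AS 1, no TLVs."""
    eigrp = struct.pack("!BBHIIII", 2, 5, 0, 0, 0, 0, 1)
    return ipv4_packet(src, EIGRP_HELLO_DST, PROTO_EIGRP, eigrp)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a packet in GRE (RFC 2784): 4-byte header, no flags, protocol type 0x0800."""
    return ipv4_packet(tunnel_src, tunnel_dst, PROTO_GRE, struct.pack("!HH", 0, 0x0800) + inner)


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 + GRE headers and return the original inner packet."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != PROTO_GRE or struct.unpack("!HH", payload[:4]) != (0, 0x0800):
        raise ValueError("not a plain GRE/IPv4 packet")
    return payload[4:]


# Crypto ACL in the spirit of IOS "permit gre host A host B": only a packet whose
# outer header matches an entry is handed to IPsec for encryption.
CRYPTO_ACL = [(PROTO_GRE, ipaddress.ip_network(HUB_PUBLIC + "/32"),
               ipaddress.ip_network(SPOKE_PUBLIC + "/32"))]


def crypto_acl_matches(acl, packet: bytes) -> bool:
    src, dst, proto, _ = parse_ipv4(packet)
    return any(proto == p and ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
               for p, s, d in acl)


def same_subnet(local_intf: str, neighbor: str) -> bool:
    """EIGRP forms an adjacency only with a neighbor inside the interface's own subnet."""
    return ipaddress.ip_address(neighbor) in ipaddress.ip_interface(local_intf).network


def full_mesh_tunnels(sites: int) -> int:
    """Point-to-point tunnels needed for any-to-any connectivity among N sites."""
    return sites * (sites - 1) // 2


if __name__ == "__main__":
    hello = eigrp_hello(HUB_TUNNEL.split("/")[0])
    print("raw multicast hello selected by crypto ACL:", crypto_acl_matches(CRYPTO_ACL, hello))
    wrapped = gre_encapsulate(hello, HUB_PUBLIC, SPOKE_PUBLIC)
    print("GRE-wrapped hello selected by crypto ACL:", crypto_acl_matches(CRYPTO_ACL, wrapped))
    print("adjacency possible over public addresses:", same_subnet(HUB_PUBLIC + "/30", SPOKE_PUBLIC))
    print("adjacency possible over tunnel /30:", same_subnet(HUB_TUNNEL, SPOKE_TUNNEL.split("/")[0]))
    print("tunnels for a 10-site full mesh:", full_mesh_tunnels(10))
```

Run it as a script: the raw hello (destination 224.0.0.10) never matches the unicast crypto ACL, while the same hello wrapped in GRE between the two public addresses does, and only the tunnel /30, not the two public addresses, satisfies the same-subnet rule. The `full_mesh_tunnels` helper reproduces the 10*9/2 = 45 figure that motivates DMVPN for any-to-any designs.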
