WAN Design question

Feb 23rd, 2009

I would like to get your thoughts about this one...

In addition to our corporate network, which is currently routed via EIGRP, we also have about 50 remote sites ranging from 3 to a maximum of 10 people. These offices require both access to the Internet and access to corporate resources, and we are looking for a way to establish and standardize this type of connectivity. MPLS is obviously out of the picture, so VPN over the Internet is what came up.

I was thinking of introducing some device (either ASA5505, C870, or C2800) at each location and establishing a site-to-site VPN to head office, thereby granting access to corporate resources. Another requirement in the remote offices is wireless, which is the reason the Cisco 870 was favorable.

Any thoughts?

pkpatel Mon, 02/23/2009 - 11:57

I agree. DMVPN is the way to go, using the Cisco 870 series with the appropriate IOS. It is really scalable, so adding new sites is not time consuming at all.

If you go with an ASA firewall, you will end up doing point-to-point tunnels. Every time a new site needs to be added, you will need to adjust the config on your hub. Not only that, it will also require greater bandwidth at the hub site.

With DMVPN, adding new sites does not require changes on your hub device. Also, a full-mesh network will reduce the bandwidth needed at the hub compared to point-to-point tunnels.

Joseph W. Doherty Mon, 02/23/2009 - 12:07

Using a VPN over the Internet could work very well.

If you continue to use EIGRP, you might want to configure the remote sites as stubs.

Do keep in mind if you share the Internet link for both VPN and local Internet access, corporate network performance will usually be somewhat uncontrollable. (If you don't share the link, I've found you can obtain performance often like frame-relay, if the equipment used has the needed software features.)

If providing local Internet access, ensure your selected solution offers sufficient security (e.g. FW feature set). (A remote Internet security breach may expose your whole corporate network via the VPN.)

With regard to using a single box to also provide wireless, this probably reduces cost, but it also places "all your eggs in one basket". Also, be very careful in selecting wireless security features since, again, the VPN can open your whole corporate network to a remote site's wireless AP.
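The two configuration points in the reply above, EIGRP stub at the remote site and a firewall feature set in front of local Internet access, as an added example (not from the thread or from Cisco documentation): the Internet-facing side of a spoke 870. It assumes an advanced-security IOS image, the WAN port on FastEthernet4 with a DHCP address from the ISP, the branch LAN on Vlan1 as 192.168.11.0/24, corporate space in 10.0.0.0/8, and a DMVPN Tunnel0 in EIGRP AS 100 that already exists on the box (the tunnel itself is not repeated here).

```cisco
! Added example for a spoke 870: EIGRP stub plus CBAC firewall for local
! Internet breakout. Image, interface names, addresses and AS are assumed.
!
! --- EIGRP: this site is a stub that advertises only its own LAN ---
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.11.0 0.0.0.255
! No EIGRP hellos on the LAN or, worse, on the Internet port; only the tunnel.
 passive-interface default
 no passive-interface Tunnel0
! The hub never sends queries here and the site never becomes a transit path.
 eigrp stub connected
 no auto-summary
!
! --- Local Internet breakout with NAT; corporate-bound traffic is excluded ---
! Traffic to 10.0.0.0/8 follows EIGRP routes into the tunnel and must not be
! translated, hence the deny line.
ip access-list extended NAT-LOCAL
 deny   ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.11.0 0.0.0.255 any
ip nat inside source list NAT-LOCAL interface FastEthernet4 overload
!
! --- Stateful firewall (CBAC): inspect outbound sessions and open only their
! return traffic through the inbound ACL ---
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
! Inbound ACL on the Internet port. CBAC does not track router-originated
! traffic, so the VPN control and data plane need explicit permits; everything
! else from the Internet is dropped and logged.
ip access-list extended FROM-INTERNET
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
interface FastEthernet4
 description Internet uplink (DHCP from the ISP, assumed)
 ip address dhcp
 ip nat outside
 ip access-group FROM-INTERNET in
 ip inspect FW-OUT out
!
interface Vlan1
 description branch LAN
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
```

The ACL admits IKE (UDP 500), NAT-T (UDP 4500) and ESP from any source so that spoke-to-spoke tunnels can form; if only hub-and-spoke is wanted, narrow those three lines to the hub's address. The same inside/outside split is the starting point for the wireless concern in the reply above: a wireless VLAN should sit on the inside like Vlan1, with its own access policy, rather than sharing the WAN interface's trust.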
