I want to thank all of you in advance for reading and/or responding to my post. Thanks.
Please take a look at the attached diagram and let me know whether, in your view, you would prefer DHCP to be supplied by a Cisco device or by Windows Server 2003.
I currently have two Cisco 1841 VPN routers, each with a WIC-2T card, which will be connected to a T1 line (not connected yet).
I will be purchasing two Cisco 2960s or two Cisco 3560s, depending on the outcome of this thread.
I am not too clear on things as of yet, but my final goal is to have the following capabilities:
1. Be able to use any workstation/laptop from either the South or North site with no problems or obstacles.
2. Be able to connect a laptop via the Cisco VPN software to the network and access data as if I were physically located at either site.
I've worked with big corporations where DHCP is provided by Cisco hardware rather than Windows servers, so I am not too sure which way to go, or even if it's possible.
I have looked at your drawing and wonder about one thing in it. Your labeling suggests that you regard the 2960 as a DHCP router. The 2960 is a switch as is the 3560.
I think that you could accomplish your objectives with DHCP from either a Cisco or from a Windows server. Some people make that decision based on what hardware they have already available or what they might need to purchase. I also know some people who would rather have a separate DHCP server to effectively separate duties and functions within the network while other people prefer to consolidate functions where they can. Both approaches have valid advantages.
I will note that accomplishing your objective 1 will depend on your implementation of DHCP (and proper configuration of the network). Your objective 2 depends on configuration of the VPN and does not depend on DHCP.
It's always preferable to have a separate DHCP server on the network. Win 2003 provides a host of options to implement and manage DHCP. Also, troubleshooting is easy in 2k3. You can configure your DNS server for DHCP if needed.
Check this link for the benefits you get with 2k3 DHCP: http://www.computerperformance.co.uk/w2k3/services/DHCP_Home.htm
Do tell me if it helped.
If you go with Server 2003 for your DHCP server, that is one more service that you could eliminate from running on your server, thus increasing performance slightly on your servers. Also, if you ever decide to implement Cisco IP Telephony in said network, you can utilize your 2960/3560 L3 switch for building VLANs and setting up trunking. From here you can put DHCP on each VLAN, one for phones and one for PCs, and if you so desire, build VLANs by zone or department based on your organization's size.
I would like to suggest that instead of placing a Firebox X, you standardize on your equipment and go with Cisco. There are a number of Cisco ISR routers or ASA models that you should consider as a possible alternative. That way, if you do decide to expand to a Cisco IP Telephony solution, you can utilize a Cisco product to trunk on.
Also, why purchase a WIC-2T card with 1 T1? Are the sites connected via point-to-point? If you need a VPN, you will need to set up either your Firebox or your 1841 for VPN capabilities.
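As an added illustration (not configuration from anyone in this thread), here is what the per-VLAN DHCP layout described above could look like on a 3560 acting as the L3 switch, with a data VLAN for PCs, a voice VLAN for phones, a dot1q trunk down to a 2960, and DHCP snooping so that a rogue DHCP server plugged into an access port cannot hand out addresses. The VLAN numbers, addresses, interface names and the TFTP address handed to phones via option 150 are all assumptions chosen for the example.

```cisco
! Added example, not from this thread. VLAN numbers, addresses, interface
! names and the option 150 TFTP address are assumptions for illustration
! (10.10.0.0/16 is taken to be the North site's range).
ip routing
!
! Keep the gateways, the server and a few static hosts out of the pools.
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
! One pool per VLAN: PCs and phones receive different subnets and gateways.
ip dhcp pool DATA-VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.5
 domain-name north.example.internal
!
ip dhcp pool VOICE-VLAN20
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 10.10.10.5
 option 150 ip 10.10.10.50
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
! The SVIs are the default gateways the pools above hand out.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Access port for a phone with a PC daisy-chained behind it.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! 802.1Q trunk to a 2960 access switch, carrying only the VLANs it needs.
interface GigabitEthernet0/1
 description Trunk to 2960
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! DHCP snooping: DHCP server replies arriving on untrusted (access) ports are
! dropped, so a rogue DHCP server on a PC cannot hand out addresses. Option 82
! insertion is turned off because the IOS DHCP server on this same switch
! ignores requests that carry option 82 with an empty relay address.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
```

On the downstream 2960, enable snooping the same way and mark only its uplink toward the 3560 as `ip dhcp snooping trust`, since that is the only direction legitimate DHCP offers arrive from.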
Thank you for the replies, thank you again... Please note the changes in blue on the newly uploaded image.
The idea will be to have both North and South connected with a point-to-point VPN over a T1 line.
1. Having the physical router distribute IP addresses instead of the server will have what effect on both servers, as there will be a DNS server at each site?
2. Will there be "difficult" settings when configuring the Cisco devices (1841 & 3560)?
3. Does anyone have default recommended step-by-step command-line or GUI settings that would be the "ideal" settings for fast/reliable/secure and smooth connectivity?
4. Here is my thought process as a flow:
From the WWW via VPN:
4.a www --> 1841 (VPN) --> firewall --> Windows network
4.b workstation --> Windows network --> firewall --> 1841 (VPN) --> www
5. I would want clients within the Windows network or on the WWW to not know that they are using data from either site. I may have this idea wrong, but please do enlighten me....
I hope that this thread and images may help many of those who read it and are in the same boat as I am... novice.....
Thank you again.
Just downloaded the following PDF; hopefully it will answer many questions or prompt me to ask different questions... Thanks.
"Windows Networking Design Implementation Guide"
You should not need a VPN connection over a point-to-point T1 line, as it terminates at each of your sites (technically it terminates at your ISP's telecom equipment, usually located at a remote central station in your city, then terminates at your other site's central station and then the other location) and it does not go straight out to the Web. If you are using a data T1 line instead of a point-to-point and doing a split-tunnel VPN configuration, be sure that you check with your provider to see if they will block that traffic (they usually don't, but you don't want to find out the hard way). Also, you will be asked by your ISP for your T1 lines whether you are provided with a router or you provide the router. In some cases you may want to be provided a router, because then you aren't at fault for configuring your router how you like it but not necessarily how they like it. Usually the ISP will only provide a router.
Also are you looking at content filtering or just firewalling your traffic?
Okay, so I currently do not have the T1 line. What exactly should I be asking my ISP for in order to be able to see my two networks seamlessly?
If it is as simple as asking for a point-to-point connection, are there different types?
The VPN would be for users to be able to log on to the network from remote locations and authenticate to the domain.
So apart from the Cisco 1841 router, would I still need to have the ISP provide me with a router of their choice?
1. I want to be able to block incoming traffic unless it's from a remote VPN client.
2. I want to be able to block "bad" websites from being reached by users.
3. I want to be able to block DoS, DDoS, PAD, port scanning, spoofing attacks and address space probes.
Here is what I would do:
Create an RFP on what you need and publish the RFP. You will then get a better response on what you need.
In my opinion, for a cheaper solution, obtain a T1 Internet circuit for North and South and set up a split-tunnel VPN to connect the sites and provide an Internet connection for both sites. I would then set up each router for North and South to allow remote-access VPN for any other users that need to VPN to either site. On each router you will need routes that allow the VPN pool for each site to communicate amongst one another. From there, you can find an IOS version that will do content filtering for your router/firewall choice, whether it is the 1800 ISR series or an ASA with CSC. This whole setup provides for all of the functionality you need.
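As an added example (not configuration posted by anyone in this thread), here is the North-site half of the split-tunnel design just described on an 1841: a site-to-site IPsec tunnel to South over the Internet T1, NAT exemption so only site-to-site traffic (including South's remote-access VPN pool) enters the tunnel while everything else goes straight to the Internet, a static-route entry for South's pool, stateful inspection for return traffic, and an inbound filter that only admits the peer's IKE/ESP and replies to sessions the LAN opened, which addresses the "block everything unless it is VPN" request above. All addresses, interface names and the pre-shared key placeholder are assumptions; the `ip inspect` lines assume an IOS image with the firewall feature set, and the remote-access (Easy VPN) server itself is not shown.

```cisco
! Added example, not from this thread. Assumptions: North LAN 10.10.0.0/16,
! South LAN 10.20.0.0/16, South's remote-access VPN pool 10.20.250.0/24,
! public addresses from the 203.0.113.0/24 documentation range, and an IOS
! image that includes the firewall feature set (ip inspect).
hostname North-1841
!
! Phase 1: how the two routers authenticate and agree on keys.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: how site-to-site traffic is protected once the tunnel is up.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic for the tunnel: North LAN to South LAN, and to
! South's remote-access pool, so a laptop VPNed into South reaches North.
ip access-list extended VPN-TO-SOUTH
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.20.250.0 0.0.0.255
!
crypto map TO-SOUTH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TO-SOUTH
!
! Split tunnel: tunnel-bound traffic is exempt from NAT; everything else from
! the LAN is translated to the serial address and goes out to the Internet.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny   ip 10.10.0.0 0.0.255.255 10.20.250.0 0.0.0.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0/0 overload
!
! Stateful inspection opens return paths for sessions the LAN initiates,
! so the inbound filter below does not need blanket "permit any" lines.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Inbound filter on the Internet side: IKE, NAT-T and ESP from the peer only,
! then deny and log everything else (unsolicited connections, probes, scans).
! If this router also terminates remote-access clients, the three VPN lines
! need "any" as the source instead of the single peer.
ip access-list extended FROM-INTERNET
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 deny   ip any any log
!
interface Serial0/0/0
 description Internet T1
 ip address 203.0.113.1 255.255.255.252
 ip access-group FROM-INTERNET in
 ip inspect OUTBOUND out
 ip nat outside
 crypto map TO-SOUTH
!
interface FastEthernet0/0
 description North LAN
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
! Default route to the Internet. South's LAN and its VPN pool are reached
! over the same interface and steered into the tunnel by the crypto map.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.20.0.0 255.255.0.0 Serial0/0/0
ip route 10.20.250.0 255.255.255.0 Serial0/0/0
```

The South router mirrors this with the site roles swapped (its own LAN in the NAT-exempt and crypto ACLs, North's remote-access pool added the same way), and `show crypto isakmp sa` / `show crypto ipsec sa` on either side confirm the tunnel is up and carrying the expected prefixes.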
Wow, there is so much to read....
I thank you for your opinion; it is tremendously valuable to me. I thought perhaps I would read the entire manual that came with the 1841 and then write mock config steps, and see if I am heading in the right direction.
Thank you so much again. I think this thread can be closed, but I will open a new one when I am ready to post my sequence of mock commands.
Hope this is a good idea..