Site to Multiple Site VPN - Design Question

bvoorhes · ‎08-18-2001

We are currently working to build a VPN to our branch offices. This is to facilitate access to our main database servers. The servers are currently being accessed via serial ( 56k leased lines, mux, terminals ). We had thought to use DSL for all offices that support it, and probably use T-1's to those offices that don't.

We would like to use this VPN as an alternative to Frame Relay to the branch offices. Each branch office will have from 1 to 30 users, connected to a local LAN. We had thought to put a Router between the LAN and the DSL Modem. All traffic bound for the corporate servers would be routed over the VPN and out over the net back to the corporate router. It is essential that this VPN traffic be strongly encrypted. All other traffic we would bounce out normally over the DSL line. We do not want to install any software on the machines to accomplish this task ( ie its handled completely by the routers ), plus we will probably be using some kind of interim terminal concentrator device, rather than replacing the terminals immediately.

What would be a recommended configuration to accomplish this goal? Lets assume 10 branch offices, and the availability of multiple 1.1Mbps SDSL connections at corporate.

Thanks for any help you can give.

bstremp · ‎08-24-2001

I’d probably go with a 1700 DSL router at all the remote sites and load up the VPN IOS on them. For the main site, probably a 7100 or 3600. www.cisco.com/go/vpn is where you should start. The 1700’s could also handle firewalling for all the remote offices.

bvoorhes · ‎08-26-2001

Thanks for your help. There is some good information there. Do you know of any place that has a good cross-reference of Cisco capabilities, perhaps based on purpose of use. The Cisco stuff requires a huge amount of wading to get through ( which has taken me a little while.) Also, do you know of a good rule-of-thumb document on this sort of situation?

Thanks!

t-evens · ‎08-24-2001

Brain,

There are several options that exist. The questions are how much can you spend and what functions do you want to support? For instance, do you plan to have redundancy in the remote offices? If so, then you need to make sure that your design includes devices on the head and remote ends that support some type of dynamic routing. Ten remote offices requires at a minimum of ten tunnels. Do you have an idea as to have a full or partial mesh? That will change quite a lot in the equipment requirements. With ten offices and more than 1MB of BW, you will most likely want to look into hardware encryption, not software.

--Tim

bvoorhes · ‎08-26-2001

To answer your questions in order....

We need to have some form of redundancy at the branches. Most of our traffic will be bursty text based traffic ( consistent with heavily used telnet session equivalents ), email, and http traffic. If it is possible, should the DSL link at a branch roll over and play dead, we would like to be able to fallback to either dial-up modem or ISDN connections. If we did this, we would like to restrict all traffic except the database traffic, in an effort to keep database traffic at the highest level of service as possible.

It is not our intention that the branches ever be able to reach between each other. All corporate traffic should come back to the corporate servers. The databases will reside at the core of the network, with branched connecting directly in. We have pretty much decided to operate 2 networks at corporate, a server-traffic network for the databases, to which the branches will attach, and then a very similar setup as the bracnhes have to connect local corporate.

A nice pretty jewel would be to enable our few roadwarriors access to the databases via a dial-up connection.

Any thoughts?