Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Upgrading a hub and spoke frame network with VPN - Best Practices


I am new to this forum, so bare with me. I am sure this discussion has come up many times before but I am going to ask again. I am including as much information as I can, in hopes that I will receive useful feedback.

In the last few weeks I have talked to at least three people that are well informed about designing VPNs, and each has given me different stories. Our small company is trying to make a final decision on the Cisco hardware to use for supplementing/replacing our hub and spoke frame relay networks. We want to maintain as much similarity to our existing environment as possible.

There are several requirements that must be met for the design. We must strive for 100% uptime, so a combination of fault tolerant / redundant hardware is desired. We must be able to implement failover links to overcome service outages.

We have approx. 8-10 remote sites, as well as 10-20 remote users that might need remote access. We run a pure IP environment using Microsoft servers and desktops. We have several applications that utilize MS terminal services. Each remote site use TS clients to connect to the main office for these apps. A few sites have their own file server/domain controller and do limited application/file sharing, but most servers are centrally housed. Lotus notes is used for email. Each site would require no more that T1 speed to the central office.

In researching this, I believe I have narrowed it to either an entirely router IOS based VPN or a combination of central concentrator and remote router based VPN.

I like the ability to use dynamic routing and floating static routes to determine link availability and to facilitate ISDN failover. This requires me to have routers at the remote sites running GRE tunnels. One other option would be to put a hardware VPN client in front of our existing remote routers to terminate IPSEC tunnels and use the internal router for GRE tunnel termination. Otherwise, I figured we would use 1720s with an ISDN BRI U card, a Serial card, and an IPSEC feature set.

All remote sites would terminate their IPSEC tunnels into a 3005 with an additional 3005 configured with HSRP. It's my understanding that lan-to-lan tunnels preclude load balancing these boxes? True? The concentrator would also serve well for the handful of remote users. GRE tunnels would extend inside the network to a central router and handle dynamic routing and network traffic. This router is also equipped with a PRI interface to handle ISDN dial back termination.

Now for a few questions.

1. I am curious about the need of adding an encryption slave to the remote routers. Will the 1720s handle the software encryption needed for 5 to 15 workstations at the remote sites?

2. Is the central concentrator the best choice for the central site, or should I go with an IOS based VPN router? This is where the biggest differences of opinion surface. I like its ability to also serve remote users, although the router can be configured to function similarly. What about capacity? Can the 3005 handle our needs or would an upgrade to a 3015 be in order? Cisco's direction is causing me some confusion as well. They recommend bringing the lan-to-lan tunnels into a central router, but with the release of their latest IOS, they have created the EzVPN client for just this scenario.

3. Are there other ways to provide for dynamic routing and link failover without using GRE tunnels? Will the concentrator handle some other type of dynamic routing? How do most companies handle the incompatibilities with some apps when the MTU is reduced?

4. Could this solution be expanded to allow for a fully meshed VPN network?

5. Am I completely crazy and need to approach this differently?

As you can see, we are not to complex in our requirements. There is undoubtedly a dozen ways to accomplish our goals, but I am looking for the most flexible and functional, yet cost effective solution.

For those who have read through this, I appreciate it and would welcome any thoughts, opinions, flames, recommendations that you have. This has truly been an adventure.

Thanks for your help.

Billy Dedek

Maxor Pharmacies


Re: Upgrading a hub and spoke frame network with VPN - Best Prac

This is unfortunately probably beyond the scope of this forum. You would be better served working directly with an SE in this instance, as they can provide options as well as pricing, which cannot be easily done here. A good place to look for your local SE is: