Cisco Support Community
New Member

WAN alternatives

Hi experts,

 

We have primary and backup ISPs at all 4 of our locations. We have an office LAN (ENS) set up by Comcast for interconnectivity between sites.

I know VPN is the best solution, but how else can I get WAN-like connectivity between these sites?


13 REPLIES
New Member

Why not use VPN? 

Silver

Not sure I understood. If you want to know which technology you can use, I think the most common, at least in my country, are: Internet VPN, MPLS or leased line. Which is best depends on your requirements: availability, cost, ...

New Member

We do have an MPLS setup from our provider Comcast (ENS - Ethernet Network Service) for interconnectivity between our branches. My concern is, if the ENS link fails we lose connection to all other sites. I wanted to set up site-to-site VPN, but can I configure it as a secondary option?

 

 

 

New Member

Easiest solution (and one I use in these cases) - slap in an 800 series router with some SLA and HSRP. If the primary link / router goes offline, the 800 series will send the traffic across the tunnel.

Doesn't have to be an 800, but nice cheap solution.

New Member

That looks like a lot of hardware considering 4 locations.

 

Why not VPN as secondary option? Is it possible to have it as secondary?

New Member

Are you wanting to have MPLS and VPN hosted on a single device? Can theoretically be done, but it's not going to be flawless. Would require some OSPF and floating routes to get it to work properly. 

Are you having issues with the MPLS network? Is this why the need for the Internet backup solution? 

What type of edge devices are you using? Have you considered scrapping MPLS and moving towards 2 Internet connections and using iWAN with GetVPN? Or simply using IP SLA tracking over the 2 business internet links. 

Don't mean to move away from the initial question, but there may be a better option to allow you to achieve what you're looking for. 

New Member

MPLS is being done on the Comcast end. I have no visibility. I was thinking of setting up VPN on our ASAs. We never had an issue with the ENS network in the past 2 years. Just thinking of a backup link.

I already have the SLA tracking setup between the 2 ISPs. ISP failover is fine. Site-site is what I am thinking of.

 

Will look into "iWAN with GetVPN".

 

I am open to all options. Thanks very much for your insight.

 

 

New Member

Okay - maybe we should back up a little bit.  I'll make some assumptions and you can fill in the blanks. 

HQ:

You have an L3 Switch or Router behind an ASA

Branch:

You have L3 Switch or Router

Branch Connects to HQ via MPLS

ASA Provides Internet Access for all sites.

ISP 1 goes down for Internet, so ISP 2 provides Internet. 

So your plan:

If MPLS goes down - outside sites connect to ASA through VPN Tunnel (on either ISP 1 or 2)

Is this correct? Just want to make sure I am reading it all right.

 

 

New Member

Exactly. Minor differences though

 

HQ: Router 3925>ASA5515>L3 switch

Branches: Router 3925>ASA5515>Layer 2 switches

 

Branches connect to HQ via MPLS.

 

Router provides Internet Access for all sites. Connected to both ISP boxes

ISP 1 goes down for Internet, so ISP 2 provides Internet. 

 

So my plan:

If MPLS goes down - outside sites connect to ASA through VPN Tunnel (on either ISP 1 or 2)

 

 

 

New Member

Okay, great.

We are on the same page now. This can all be done through your ASA, assuming you have backup connections at the branch offices.

You can set up your ASA as a VPN concentrator (DMVPN, EZ, IPSec - Static or Dynamic) and establish a tunnel between your core and the branch.

With this you can use several different technologies to do what you want. 

As a side note - we have moved away from MPLS, gone with 2 business class internet circuits at each end, put two routers at each site and set up iWAN / DMVPN. The cost savings of cancelling the MPLS network have more than covered the cost of purchasing additional devices. This makes the setup a bit easier and gives us the same redundancy at 1/4 of the cost. I know this isn't an "answer" to your question :)
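
One way the "ENS primary, site-to-site VPN as secondary" failover discussed in this thread could look on a branch ASA, as an added example that is not taken from any poster's configuration. The interface names (`ens`, `outside`), all addresses, the object numbers, and the crypto map name `OUTSIDE-MAP` are assumptions, and the IPsec peer, proposal and pre-shared key for that crypto map entry are assumed to be configured already.

```cisco
! --- Constructed example: branch LAN 10.20.0.0/16, HQ LAN 10.10.0.0/16 ---
! --- 10.255.0.1 = HQ address reachable only across the ENS (assumed)   ---
! --- 10.255.0.2 = ENS next hop at this branch (assumed)                ---
! --- 198.51.100.1 = ISP gateway on the outside interface (assumed)     ---

! Probe the HQ side of the ENS so a failure inside the provider network
! is detected, not just loss of the local link.
sla monitor 10
 type echo protocol ipIcmpEcho 10.255.0.1 interface ens
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Tie a track object to the probe result.
track 10 rtr 10 reachability

! Primary path: HQ LAN via the ENS, installed only while the probe succeeds.
route ens 10.10.0.0 255.255.0.0 10.255.0.2 1 track 10

! Floating static: same prefix via the Internet-facing interface with a
! worse administrative distance, so it is used only when the tracked
! route is withdrawn.
route outside 10.10.0.0 255.255.0.0 198.51.100.1 250

! Backup traffic must match the crypto ACL, otherwise inter-site traffic
! would leave the outside interface unencrypted when the ENS is down.
access-list BACKUP-VPN extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address BACKUP-VPN

! Verification after pulling the ENS link in a maintenance window:
!   show track 10              -> reachability should go Down
!   show route 10.10.0.0       -> next hop should move to outside
!   show crypto ipsec sa       -> encaps/decaps counters should increase
```

The mirror-image configuration is needed at HQ for each branch prefix, and the crypto ACLs on both ends must be exact mirrors of each other or the tunnel will not pass traffic in both directions.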

 

New Member

That's exactly the answer to my question.

 

Thanks Todd. You are awesome!

New Member

Hey Adam. Quick question: will using DMVPN or any of the VPN techs you mentioned add huge packet overhead and eat bandwidth?

New Member

If no traffic is passing (ie: users pulling data, etc.), then barely any. 
