Hi all: First off, if there is a better place for me to post these questions, please point me in the right direction.
OK, my company has three offices, a main and two branches. Each branch is currently connected back to the main office via sperate point-2-point T1s. We use older 2811 routers to handle this traffic. We are now looking at implementing cable connections (read VPNs) for additional bandwidth and fail-over. BTW, all "internet" access flows from the branch offices back to the main office, so the cable connections in the branch offices will NOT act as "internet providers", only as VPNs.
I have spoken with a few consultants. They all seem to be recommending we replace our routers with 2900-series routers (with security) and place ASA firewalls in front of the cable connections. In the branch offices the 2900's would have two incoming lines; our P2P T1 and the VPN via the ASA. We can then do fail-over at the 2900's. But I would also like to do one more thing. If possible I would like to setup the traffic shaping so that some of our data (mostly SQL) would always go over the T1 unless we have a T1 failure, and all other traffic over the VPNs unless there is a cable feed failure.
I am out of my league with this, so your advise is appreciated. If there is a better way, please speak up. Chris.
If you want to use the cable link for backup only and want a more seamless and redundant failover, I'd recommend using two 2900s with HSRP. One of the 2900s would link to your WAN and have the higher HSRP priority, and the other would link to your cable modem and be setup with zones as a firewall. This way if your WAN router would suffer a hardware failure your 2nd 2900 would take over as the default gateway. The design suggested by the consultants that has an ASA lead to the 2900 would leave your users dead in the water should the 2900 lose power or suffer a hardware failure. You'd have to get someone to move the ASA inside cable to a switch and have it assume the IP address of the WAN router to use as a default gateway for your users. To influence which path your traffic takes use longer mask routes via the WAN for the SQL traffic and any other traffic you want to cross the WAN and use only a default route for the cable connection.
How much do you have to spend? If you want some decent redundancy against hardware failure, then 2 X 2900s would work. But in my experience, a network hardware failure is the least common cause of an outage. It's usually something external to the device; power, environmentals, upgrade, human error. So a 2nd router will give you hardware redundancy but don't waste that by plugging both routers into a power strip connected to a small UPS in a hot room.
I think the ASA is uneeded since the 2900 can handle a VPN tunnel back to your office and necessary security for an external connection. Just don't set up NAT and there won't be any 'internet' access for users through the cable link.
For choosing the path for the data, policy based routing will take care of this no problem. You can use the policy with an IP SLAs to check the next hop availability, using the other link if the primary desired path is down. You can also use SLAs with static routes to go from the cable connection to the T1 for the other traffic.
>> My question: what will be a bandwidth for you VPN connection per branch and in the main office?
The cable connections will be 3 Mb/s and 5 Mb/s at each branch, and 10 Mb/s at the main office.
As an aside, the the driving reason behind this work is our EMR system. We are rolling it out to our branch offices and they absolutely need redunancy. Eventually we plan on implementing TS or Citrix so we would replace the SQL traffic with RPC traffic. I want low latency, therefore the use of the T1s.
Surely newer router would be better for main office.
I insist on the point that SLA (availability + MTTR) should determine final design, because "business" should sign it's requirements and declare (to IT) what is the maximum outage it could tolerate (without significant impact).
Regarding SQL/Citrix: you need to be sure that T1 will be enough for your business traffic (T1 will isolate it from other unimportant traffic), but no more that 1.5M * (80%) could be sent over T1. Whenever T1 utilization hit 75-80%, latency (queuing delay) would grow up to 200ms, that would lead to performance degradation.
I agree that the 2811's can handle the traffic, but we only have the base IOS version. By the time we purchase the security level IOS, we are spending a good perecentage of new. Our 2811's are 7 years old, so they are due for retirement sooner than later.
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Hmm, the consultants you've spoken with, are they willing to sell you an ASA in front of a 2900 being used for VPN? I guess they might also ask whether you want a belt and suspenders to wear with your coveralls.
(Note: there's much that can be done to "harden" an Internet facing router that's only supporting a VPN tunnel. You can start by blocking all but the tunnel traffic from you VPN peer, disallowing source routing, and perhaps placing the external interface in its own VFR, )
From you later postings, a 2811 can handle 10 Mbps (duplex), so you should have enough performance capacity.
You can route certain traffic via certain path, but doing this manually is a bother.
In my experience, using the correct QoS techniques, Internet tunnels can perform about as well as dedicated private links, so you might even want to consider whether you even want to prefer the T1 path for any traffic.
OER/PfR can be used for dynamic best performing path selection and it can also dynamically load balance across different bandwidth links. (This might require an advanced feature set. On the subject of feature sets, an encrypted tunnel might also require an advanced feature set too.)
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...