08-12-2016 11:28 AM - edited 03-05-2019 04:29 AM
Hi Guys,
Looking for a technology to make 10-20 Branch Office Private LANs (each with a unique RFC 1918 /24) and a Data Center Private LAN "appear" to be directly connected. For example Office A with Computer 192.168.101.X could get DNS and authenticate to a Domain Controller in the Data Center at 192.168.1.Z.
The bandwidth at each Branch is about 10M terminating on a 2811. The LAN has between 5-10 computers without a local domain controller. The existing technology uses static VPN tunnels built on Firewalls behind the 2811. A Public /29 CIDR block is routed to the 2811 for the Firewall's Public IP.
* Is DMVPN on the Branch 2811s be a good fit to displace the Firewalls in this scenario?
* If No, why and what would be better?
*With DMVPN configured on the 2811s, is it possible to simultaneously configure SSL VPN and EasyVPN to allow remote access to any Branch LAN for remote staff?
*Would it be possible - assuming bandwidth was not an concern - to run some type of Virtual Desktop from the Data Center to the Branches through the DMVPN?
*If a 2811 is acceptable at the Branch Offices, what platform would be recommended for the Data Center? The bandwidth available to it would be 100M.
Thanks!
Greg
Solved! Go to Solution.
08-14-2016 06:58 PM
Hi Greg,
A DMVPN is a good solution for you provided you have the bandwidth; which is sounds like you do. You can do this with any one of the 2800 series routers. The thing to keep in mind is that VPN traffic takes a lot of processor time to encrypt and decrypt the packet. Each of the 2800 series routers do have a VPN module that will help offload this from the main CPU.
The 2811 at the branch office should easily handle the duties of the 5 - 10 users. I have a very similar config to what you want with 8 remote offices through a DMVPN. Most of the branch offices are terminated on a 2811.
I also have IPSEC or SSL VPNs at the remote sites; these can be run simultaneously. In the config of the DMVPN you can choose whether or not you want to route that VPN traffic between the DMVPN spokes.
Running RDP connections between the locations will easily flow through the DMVPN. Certainly speed of other services (file/printer shares) is going to be dependent on bandwidth. If you want to authenticate remote offices to corporate domain controllers this traffic should be taken into account also.
I would start with a 3800/3900 series router at the data center; this should easily handle the traffic you are suggesting and leave room for growth.
I've attached a simple config with IPSEC/SSL VPN remote users for you. Hope this helps!
Regards,
Sam
08-14-2016 06:58 PM
Hi Greg,
A DMVPN is a good solution for you provided you have the bandwidth; which is sounds like you do. You can do this with any one of the 2800 series routers. The thing to keep in mind is that VPN traffic takes a lot of processor time to encrypt and decrypt the packet. Each of the 2800 series routers do have a VPN module that will help offload this from the main CPU.
The 2811 at the branch office should easily handle the duties of the 5 - 10 users. I have a very similar config to what you want with 8 remote offices through a DMVPN. Most of the branch offices are terminated on a 2811.
I also have IPSEC or SSL VPNs at the remote sites; these can be run simultaneously. In the config of the DMVPN you can choose whether or not you want to route that VPN traffic between the DMVPN spokes.
Running RDP connections between the locations will easily flow through the DMVPN. Certainly speed of other services (file/printer shares) is going to be dependent on bandwidth. If you want to authenticate remote offices to corporate domain controllers this traffic should be taken into account also.
I would start with a 3800/3900 series router at the data center; this should easily handle the traffic you are suggesting and leave room for growth.
I've attached a simple config with IPSEC/SSL VPN remote users for you. Hope this helps!
Regards,
Sam
08-15-2016 08:32 AM
Awesome. Thanks, Sam!
I really appreciate your thorough and complete response to my request for assistance. Thank you for sharing your valuable experience. I feel better now about investing time into the DMVPN design.
Regards,
Greg
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide