We currently have two sites, a central HQ with central DC and a Collocation facility which is connected to the DC over the WAN via IPSEC VPN over the Internet. The colo facility is currently serving up some backup services, backup MX, backup DNS, etc., and does not really offer any services that users at the HQ site need to access. The two sites are connected via L3 IPSEC VPN across the Internet links, which are currently TDM 10MB links at both sites. The building that the DC is in is not a very good place for a DC as it does not have backup power, etc. We are considering moving the entire DC to the colo facility to take advantage of the backup power and such that it offers. If we do this we are going to have users at the HQ accessing all their tools and applications at the collocation facility. This presents some obvious performance issues.
I would like to get some ideas of what others are doing to get somewhat LAN-like performance across the WAN for users with remote access to a central DC. Some ideas we had are to:
1. Get additional BW and continue to use the L3 VPN between sites over the Internet and then get WAAS/WAN optimizer solutions at both ends (WAAS---->FW<----IPSEC TUNNEL---->FW---->WAAS)
2. Get dedicated TDM BW between sites with WAN optimizers at both ends
3. Go with an MPLS/VPLS solution with an IPSEC tunnel between the sites
Just wanted to take a quick poll on what others are doing to get something like this done. Thanks in advance for replies.
Try to design redundancy into the network links with a multihoming design at both sites. The bandwidth & WAAS depend on your requirements. If you are planning to go for any WAN optimizer then you can minimize bandwidth. Both investments don't make any sense.
The design should be redundant at any point in time. It may use MPLS VPNs, site-to-site IPSec VPNs or point-to-point links.
DC (colo facility) & HQ should have a minimum of 2 links for redundancy & if possible a 3rd also for extra backup.
It is true that on a WAN it is hard to get LAN performance. After moving the DC to the colo facility you have to do QoS to prioritize the business applications which are frequently used by HQ users, for smooth performance of those business applications.
These are some points which I can share with you. I have also done the same thing to get the results.
Maybe it will help you...
Yes, thanks for the reply. Understood about the redundant links, and any design would be fully redundant. We currently have dual links out of both sites but the current BW is not going to be able to handle the traffic effectively. The latency is what worries me the most. Do you have any experience with using Cisco WAAS appliances to optimize the site to site performance? What kind of results did you get? Was the performance good enough to support your applications? With the IPSEC option is there any issue with optimizing the traffic before it moves across the IPSEC tunnel? Just trying to get a real-world idea of how effective WAAS is and how much it can help get your applications working. I understand it all depends on the traffic, applications, etc. and I am not really looking for a definitive "do this and it will work" type answer. We're a very small shop with roughly 50 employees total who use CIFS shares, IMAP, Web applications, etc. Agreed on the QoS piece as well, which is something else I am looking at as part of this project. Any information anyone has regarding the effectiveness of WAAS as well as solutions they have implemented to get this type of performance out of WAN links would be a great help. Thanks again for the reply.
You're correct to be worried about latency. I haven't worked with Cisco's WAAS products, but have with other vendors'.
You'll never get 100% LAN performance across a WAN, however such products can help (sometimes much). As you note, a lot depends on the application. (Much also depends on the product and sometimes correctly configuring it.)
IPSec shouldn't create any truly new problems. However, WAAS/WAFS products can push a WAN link "harder" than similar "native" traffic using the WAN. I.e., you might want to ensure the IPSec tunnel devices can deliver the performance required. (NB: sometimes the opposite is true too, i.e. there's a bandwidth reduction.)
Do ensure WAAS is upstream of the IPSec tunnel (as you noted in your original post).
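
Why the optimizer has to sit upstream of the tunnel, shown as an added example that is not part of the thread: once traffic is encrypted it no longer compresses, so an optimizer placed after the IPsec device has nothing to work with. The sketch assumes zlib as a stand-in for the optimizer's compression stage and a toy SHA-256 keystream as a stand-in for the tunnel's encryption; the sample payload and key are constructed.

```python
import hashlib
import zlib


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stand-in for the tunnel's
    encryption (assumption for the demo); not a cipher for real traffic."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wire_bytes(payload: bytes, key: bytes, optimizer_upstream: bool) -> int:
    """Bytes that cross the WAN for one payload.
    zlib stands in for the optimizer's compression stage (assumption)."""
    if optimizer_upstream:
        # optimizer -> firewall/IPsec: compress cleartext, then encrypt
        return len(toy_encrypt(key, zlib.compress(payload)))
    # firewall/IPsec -> optimizer: the optimizer only ever sees ciphertext
    return len(zlib.compress(toy_encrypt(key, payload)))


# Constructed sample: repetitive file-share style content, roughly 55 KB
SAMPLE = b"".join(
    b"Quarterly report draft, section %d: figures unchanged.\n" % i
    for i in range(1000)
)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for upstream in (True, False):
        sent = wire_bytes(SAMPLE, KEY, upstream)
        print(f"optimizer upstream of tunnel={upstream}: "
              f"{sent} of {len(SAMPLE)} bytes ({sent / len(SAMPLE):.0%})")
```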