WAN alternatives

NInja Black
Level 1

Hi experts,

We have primary and backup ISPs at all of our 4 locations. We have an office LAN (ENS) set up by Comcast for interconnectivity between sites.

I know VPN is the best solution, but how else can I get WAN-like connectivity between these sites?

13 Replies

adamtodd16
Level 3

Why not use VPN? 

e.ciollaro
Level 4

Not sure I understood. If you want to know which technology you can use, I think the most common, at least in my country, are: Internet VPN, MPLS or leased line. Which is the best depends on your requirements: availability, cost, ...

We do have an MPLS setup from our provider Comcast (ENS - Ethernet Network Service) for interconnectivity between our branches. My concern is, if the ENS link fails we lose connection to all other sites. I wanted to set up site-to-site VPN, but can I configure it as a secondary option?

Easiest solution (and one I use in these cases) - slap in an 800 series router with some SLA and HSRP. If the primary link / router goes offline, the 800 series will send the traffic across the tunnel.

Doesn't have to be an 800, but nice cheap solution.

That looks like a lot of hardware considering 4 locations.

Why not VPN as a secondary option? Is it possible to have it as secondary?

Are you wanting to have MPLS and VPN hosted on a single device? Can theoretically be done, but it's not going to be flawless. Would require some OSPF and floating routes to get it to work properly. 

Are you having issues with the MPLS network? Is this why you need the Internet backup solution?

What type of edge devices are you using? Have you considered scrapping MPLS and moving towards 2 Internet connections and using iWAN with GetVPN? Or simply using IP SLA tracking over the 2 business internet links. 

Don't mean to move away from the initial question, but there may be a better option to allow you to achieve what you're looking for. 
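To make the "IP SLA tracking plus floating routes" idea concrete, here is an added example (not the poster's configuration, and not something from the thread) of a branch IOS router that prefers the Comcast ENS/MPLS path and falls back to an IPsec VTI over ISP 1 when the MPLS path stops answering probes. Interface names, prefixes, next hops and the HQ peer address are all assumed for illustration; the tunnel is put on the branch router here only to keep the example self-contained, and the same tracked-route/floating-route pattern applies on whichever device makes the routing decision.

```cisco
! Added example (not the poster's config): branch IOS router with
! MPLS primary and an IPsec VTI backup selected by IP SLA tracking.
! All names and addresses below are assumed:
!   Gi0/0  = MPLS/ENS handoff, MPLS next hop 172.16.0.1
!   Gi0/1  = ISP 1 uplink
!   HQ LAN = 10.1.0.0/16, HQ MPLS-facing address 172.16.0.10
!   HQ public VPN endpoint = 203.0.113.10
!
! --- IKEv2 / IPsec for the backup tunnel ---
crypto ikev2 proposal HQ-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy HQ-POL
 proposal HQ-PROP
crypto ikev2 keyring HQ-KEYS
 peer HQ
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
crypto ikev2 profile HQ-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HQ-KEYS
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile HQ-IPSEC
 set transform-set HQ-TS
 set ikev2-profile HQ-PROFILE
!
! Route-based VPN: the VTI gives the floating static route an interface to point at.
interface Tunnel100
 description Backup to HQ over ISP 1
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HQ-IPSEC
!
! --- Failure detection ---
! Probe an HQ address across the MPLS path. The untracked /32 pins the
! probe to the MPLS next hop, so once MPLS fails the probe cannot be
! answered via the tunnel (which would flap the primary route back in).
ip route 172.16.0.10 255.255.255.255 172.16.0.1
ip sla 10
 icmp-echo 172.16.0.10 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! --- Routing ---
! Primary: HQ prefix via MPLS (AD 1), withdrawn when track 10 goes down.
ip route 10.1.0.0 255.255.0.0 172.16.0.1 track 10
! Backup: floating static via the VTI. AD 250 keeps it out of the table
! while the tracked MPLS route is installed.
ip route 10.1.0.0 255.255.0.0 Tunnel100 250
```

Verify with `show track 10`, `show ip route 10.1.0.0`, and `show crypto ikev2 sa` after unplugging the MPLS handoff. Two caveats a practitioner will hit: the VTI above is sourced from ISP 1 only, so a second tunnel sourced from ISP 2 is needed if the goal is to survive an ISP failure at the same time as an MPLS failure; and the `delay down`/`up` timers should be tuned so a brief ENS hiccup does not bounce every site through the tunnel.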

MPLS is being done on Comcast's end. I have no visibility. I was thinking of setting up VPN on our ASAs. We never had an issue with the ENS network in the past 2 years. Just thinking of a backup link.

I already have the SLA tracking set up between the 2 ISPs. ISP failover is fine. Site-to-site is what I am thinking of.

Will look into "iWAN with GetVPN".

I am open to all options. Thanks very much for your insight.

Okay - maybe we should back up a little bit. I'll make some assumptions and you can fill in the blanks.

HQ:

You have an L3 Switch or Router behind an ASA

Branch:

You have L3 Switch or Router

Branch Connects to HQ via MPLS

ASA Provides Internet Access for all sites.

ISP 1 goes down for Internet, so ISP 2 provides Internet. 

So your plan:

If MPLS goes down - outside sites connect to ASA through VPN Tunnel (on either ISP 1 or 2)

Is this correct? Just want to make sure I am reading it all right.

Exactly. Minor differences though.

HQ: Router 3925 > ASA5515 > L3 switch

Branches: Router 3925 > ASA5515 > Layer 2 switches

Branches connect to HQ via MPLS.

Router provides Internet access for all sites. Connected to both ISP boxes.

ISP 1 goes down for Internet, so ISP 2 provides Internet.

So my plan:

If MPLS goes down - outside sites connect to ASA through VPN tunnel (on either ISP 1 or 2)

Okay, great.

We are on the same page now. This can all be done through your ASA, assuming you have backup connections at the branch offices.

You can setup your ASA as a VPN concentrator (DMVPN, EZ, IPSec - Static or Dynamic) and establish a tunnel between your core and the branch. 

With this you can use several different technologies to do what you want. 

As a side note - we have moved away from MPLS, gone with 2 business class internet circuits at each end, put two routers at each site and set up iWAN / DMVPN. The cost savings of cancelling the MPLS network have more than covered the cost of purchasing additional devices. This makes the setup a bit easier and gives us the same redundancy at 1/4 of the cost. I know this isn't an "answer" to your question :)
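For the "ASA as VPN concentrator with static IPsec" option above, here is an added example (not the poster's configuration, and not from the thread) of the HQ-side ASA 5515 configuration for an IKEv2 site-to-site tunnel to one branch. The interface name, peer address and LAN prefixes are assumed; it also assumes the ASA's outside address is reachable from the branch on UDP/500, UDP/4500 and ESP, which in the poster's topology means the 3925 in front of the ASA must pass that traffic through. One more crypto map entry and tunnel-group per branch completes the hub.

```cisco
! Added example (not the poster's config): HQ ASA as IKEv2 L2L hub.
! Names and addresses are assumed:
!   outside = 203.0.113.10, default gateway 203.0.113.1
!   branch 1 public peer = 198.51.100.20
!   HQ LAN = 10.1.0.0/16, branch 1 LAN = 10.2.0.0/16
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH1-LAN
 subnet 10.2.0.0 255.255.0.0
!
! Interesting traffic for the tunnel (crypto ACL)
access-list VPN-BRANCH1 extended permit ip object HQ-LAN object BRANCH1-LAN
!
! NAT exemption: site-to-site traffic must not be translated, or the
! packets will not match the crypto ACL on the way out.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH1-LAN BRANCH1-LAN no-proxy-arp route-lookup
!
crypto map OUTSIDE-MAP 10 match address VPN-BRANCH1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! The branch LAN must route toward the outside interface, where the
! crypto map is applied, for the tunnel to carry it.
route outside 10.2.0.0 255.255.0.0 203.0.113.1 1
```

Check the tunnel with `show crypto ikev2 sa` and `show crypto ipsec sa peer 198.51.100.20`, and `packet-tracer input inside icmp 10.1.0.5 8 0 10.2.0.5` to confirm the NAT exemption and crypto ACL are matched. `sysopt connection permit-vpn` is on by default and lets decrypted tunnel traffic bypass the outside interface ACL; if it has been turned off, that ACL must permit the branch prefix explicitly.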
That's exactly the answer to my question.

Thanks Todd. You are awesome!

Hey Adam. Quick question. Will DMVPN, or any of the VPN techs you mentioned, have huge packet overheads and eat bandwidth?

If no traffic is passing (ie: users pulling data, etc.), then barely any. 
