Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
985
Views
0
Helpful
5
Replies

Setting up VPN between 3 sites | Cisco 1921/K9

Nolan.john.r
Level 1
Level 1

‎03-23-2015 07:46 AM

Greetings all!

I'm looking for some information in setting up data centers for a client, and since I've never set up VPN connections outside of Packet tracer, and one other test location (not successful due to hardware not playing nice), I'm in need of some help.

The client has three sites that we are trying to set up VPN connections between.  The Main Office has a Cisco 1921/K9 router, and the remote offices do not have VPN routers at their sites.  

Currently there's a VPN router at the Main Office that supports 20+ PC VPN tunnels to the Main Office, (we will be deleting this as it's very old) but with multiple computers connecting to the T1 line coming into the building, it's congesting traffic quite a bit over the T1.  *Note* I'm currently trying to find other service for the T1 replacement, but the local cable company isn't the best right now, my client also has a DSL link that I want to utilize for web traffic, and have integrated it ad/hoc into the network plan--I'll be using the T1 for a dedicated VPN link.

The ISP's for the three locations are Century Link for the T1,  COX Communications, and Comcast.  There is a max speed of ~50Mb/s down, and 5Mb/s up from COX, and Comcast, T1 has standard 1.55 up and down.

I do want redundancy between the VPN links in case one location goes down, the data servers will still be able to sync between the remaining locations.  We will be using Server 1012 R2 for the data, and there are printers located at the different locations that we will want to tie into the mix for remote printing if needed--which isn't really relevant to this question, but helpful to know.

I'd upload a Topology at this time, but am working remotely and don't have the time to upload proper topology pictures.

Finally, will I need extra security licenses to run the VPNs?  If so, can someone point me in the right direction?

 

Thank you in advance

 

Labels:
0 Helpful
5 Replies 5

adawa
Level 3
Level 3

‎03-23-2015 09:23 AM

Hello, Nolan. 

Sounds like you already have a security license for your 1921. Running multiple VPN also imposes additional processing load on your router. If you are using a public IP on your main office, you can easily create a VPN peer over your remote branches. I highly suggest getting an ASA to reduce the VPN load on your router and have additional security. 

Let me know if you have additional concerns as well. Kind regards. 

0 Helpful

Nolan.john.r
Level 1
Level 1
In response to adawa

‎03-23-2015 01:07 PM

I don't think there's a security license on the unit at this time.  It states that the feature for security isn't available when I'm in the Cisco Device Manager software.

There's only going to be about 4 sites total in this topology, and I'd rather stay away from the ASA hardware as much as I can, being that I'd rather keep with the bare metal CLI interface.  Initial data transfers are going to be done on site, and then the Servers will be shipped to the locations and installed, and there's a total of maybe 100 devices in the entire topology.  It could increase in the future, but that's forecasted to be about 5-8 years before they exceed 200 devices--coupled with the DSL link in the primary office having its own router, I believe the extra load on the CPU will be minimal.

Thank you for the response!  Do you know what license pack I'd need to acquire for the VPN?

0 Helpful

adawa
Level 3
Level 3
In response to Nolan.john.r

‎03-23-2015 01:20 PM

Hello, Nolan. 

Check out this ordering guide to help you which license you can get for your 1921. 

http://www.cisco.com/c/en/us/products/collateral/routers/1900-series-integrated-services-routers-isr/ordering_guide_c07_557736.html

Check table 20 to get security license for your 1921/K9. 

0 Helpful

Karsten Iwen
VIP
VIP

‎03-23-2015 10:53 AM

A 1921 with a security license can easily handle three VPNs (and more) on a connected T1.

Using an IOS-router is perfectly fine as it's much more flexible for Site-to-Site VPNs than an ASA. I would look into virtual Tunnel Interfaces (VTI). With these you can run a routing protocol through the VPNs which will make the redundancy implementation much easier.

0 Helpful

Nolan.john.r
Level 1
Level 1
In response to Karsten Iwen

‎03-23-2015 01:19 PM

Thanks for the response!

I prefer the Bare Metal CLI interface as well.  I will be looking into the VTI Technology as well, thank you!  The system will more than likely be set up to facilitate an Active Directory/Domain system, and integrate email into the service being provided.  My client hates gmail, and any other off-site email application, so building redundancy into email and data communications is a must, as well as being able to load balance between the servers when users access data and email would be very nice so that the Main Office isn't being hit with 100% of the load at all times.

When I was in the Cisco Device Management software configuring the router, it didn't show a license for the VPNs, so if you could point me in a direction for the VPN licenses for the 1921, that would be awesome :)

Thank you!

0 Helpful
Customers Also Viewed These Support Documents