Hub and Spoke VPN config questions.

jamesp1983

What's going on everyone? I am designing a network for a company right now that has 5 sites that are located all over the east coast. I want to have a hub and spoke VPN config using ASAs. Which model should I use at the hub? Suggestions are greatly appreciated.

mikem2te

jimmypizzle83 wrote: »

What's going on everyone? I am designing a network for a company right now that has 5 sites that are located all over the east coast. I want to have a hub and spoke VPN config using ASAs. Which model should I use at the hub? Suggestions are greatly appreciated.

I would say any of the ASA range should do the job based on the info you have given - more info would be nice though-

Assuming each site is connected to the tinternet, what are the connection methods & speed?

Is all the traffic flow between the spokes and hub or is there interspoke traffic as well - would a partial mesh topology help or hinder?

Do you have a requirement for high availability on the ASA / tunnels?

SysAdmin4066

Go with the most expensive solution they will allow for, whatever is the most feature rich, future proof solution. Any of the ASAs would be "capable", so you cant go wrong there. I think the biggest driver there is what can you afford to spend.

ilcram19-2

get routers instead of ASA you have more options dmvpn, gre/ipsec are more scalable than regular ipsec vpns

networker050184

How about an MPLS VPN service? With five sites, I'd just go that route so you don't have to worry about IPSEC VPNs over the internet.

ColbyG

networker050184 wrote: »

How about an MPLS VPN service? With five sites, I'd just go that route so you don't have to worry about IPSEC VPNs over the internet.

This or DMVPN.

ilcram19-2

networker050184 wrote: »

How about an MPLS VPN service? With five sites, I'd just go that route so you don't have to worry about IPSEC VPNs over the internet.

In that case i rather get a router, ASA is just a firewall have alot of limitations for qos, routing, and all the good stuff plus the router they all come with a vpn accelatator build-in now, and IOS firewall, IOS IPS, content filtering. I would look in to the ISR models and they are cheaper than an ASA

kalebksp

ilcram19-2 wrote: »

get routers instead of ASA you have more options dmvpn, gre/ipsec are more scalable than regular ipsec vpns

+1 For site to site, routers are more flexible.

networker050184

ilcram19-2 wrote: »

In that case i rather get a router, ASA is just a firewall have alot of limitations for qos, routing, and all the good stuff plus the router they all come with a vpn accelatator build-in now, and IOS firewall, IOS IPS, content filtering. I would look in to the ISR models and they are cheaper than an ASA

I wasn't saying to use any specific piece of equipment, just that an MPLS VPN solution, while more expensive, cuts down the administrative and technical over head of IPSEC VPNs.

ilcram19-2

networker050184 wrote: »

I wasn't saying to use any specific piece of equipment, just that an MPLS VPN solution, while more expensive, cuts down the administrative and technical over head of IPSEC VPNs.

That would depend alot of what kind of mpls vpn youll be using overlay or peer to peer, they are the most common mpls vpn deployments. i rather save that money i;ve never seen a strong reason to go for mpls vpns, with then new vpn technologies you can create you own mpls network speacially for 5 sites.

networker050184

ilcram19-2 wrote: »

That would depend alot of what kind of mpls vpn youll be using overlay or peer to peer, they are the most common mpls vpn deployments. i rather save that money i;ve never seen a strong reason to go for mpls vpns, with then new vpn technologies you can create you own mpls network speacially for 5 sites.

Yes you can, but you are forming that network over the public internet. Then for routing you will need tunnels which bring their own set of issues. An IPSEC VPN has its purposes, but simple site to site connectivity can be established with a much better solution.

I'm not really sure what you mean by overlay or peer to peer. Maybe some terminology I've never heard. Have a link?

ilcram19-2

MPLS/VPN Architecture Overview > Case Study: Virtual Private Networks in SuperCom Service Provider Network

The overlay VPN model, most commonly used in a service provider network, dictates that the design and provisioning of virtual circuits across the backbone must be complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.

From a service provider's point of view, the scaling issues of an overlay VPN model are felt most when having to manage and provision a large number of circuits/tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is typically extremely complex and also difficult to manage.

On the other hand, the peer-to-peer VPN model suffers from lack of isolation between the customers and the need for coordinated IP address space between them.

kalebksp

MPLS VPNs are peer to peer (you could create an overlay with MPLS but nobody would do that without a specific need). I don't intend this to be offensive, but you don't seem to have a strong understanding of MPLS VPNs. If you don't see the benefit of and MPLS VPN over an IPSec VPN you must work in an environment with low reliability and control requirements.

MPLS and IPSec VPNs each have their place, it depends on your requirements.

ilcram19-2

i guess u are forgetting what a VPN really is, by having a virtual circuit or a point to point link you already have you vpn there, and yo cannot tell me than thats not what an overlay vpn, mpls vpn overlay are just dedicated private links which thats what i've seen the most in europe and US deployments, peer to peer vpn are mostly created from site to site. Most of the mpls vpn network that i've seen are overlay vpn since they required connectivity to multiple sites over the same virtual circuit.

kalebksp

ilcram19-2 wrote: »

i guess u are forgetting what a VPN really is, by having a virtual circuit or a point to point link you already have you vpn there, and yo cannot tell me than thats not what an overlay vpn, mpls vpn overlay are just dedicated private links which thats what i've seen the most in europe and US deployments, peer to peer vpn are mostly created from site to site. Most of the mpls vpn network that i've seen are overlay vpn since they required connectivity to multiple sites over the same virtual circuit.

I don't understand what you're saying.

networker050184

ilcram19-2 wrote: »

i guess u are forgetting what a VPN really is, by having a virtual circuit or a point to point link you already have you vpn there, and yo cannot tell me than thats not what an overlay vpn, mpls vpn overlay are just dedicated private links which thats what i've seen the most in europe and US deployments, peer to peer vpn are mostly created from site to site. Most of the mpls vpn network that i've seen are overlay vpn since they required connectivity to multiple sites over the same virtual circuit.

Not to be a jerk man, but either there is a language barrier or we are talking about two different things. The overlay vs peer to peer thing is VPNs in general and not something specific to MPLS VPN. I really don't think you completely understand the concepts and uses of MPLS VPNs. I'll leave it at that.

networker050184

kalebksp wrote: »

I don't understand what you're saying.

Yeah, what he said.

ColbyG

ilcram19-2 wrote: »

i guess u are forgetting what a VPN really is, by having a virtual circuit or a point to point link you already have you vpn there, and yo cannot tell me than thats not what an overlay vpn, mpls vpn overlay are just dedicated private links which thats what i've seen the most in europe and US deployments, peer to peer vpn are mostly created from site to site. Most of the mpls vpn network that i've seen are overlay vpn since they required connectivity to multiple sites over the same virtual circuit.

The closest thing to the average (full mesh) MPLS VPN is DMVPN. All sites have connectivity to each other without going through the hub site. Using traditional IPSEC VPNs or even GRE/IPSEC tunnels (no DMVPN) isn't much of a comparison to a normal MPLS VPN deployment. The difference in administrative overhead is huge.

If the OP doesn't want to pay for an MPLS VPN, but wants full mesh connectivity, DMVPN is the best option. If you want hub and spoke, there are a lot of options.

ilcram19-2

networker050184 wrote: »

Not to be a jerk man, but either there is a language barrier or we are talking about two different things. The overlay vs peer to peer thing is VPNs in general and not something specific to MPLS VPN. I really don't think you completely understand the concepts and uses of MPLS VPNs. I'll leave it at that.

Thats what i said so neither vpns are specific to ipsec or gre/ipsec, i said that a point to pont link or a frame relay link are VPNs also. MPLS vpns specially overlay vpns are dedicated private links. i dont think you have any clue now if that didnt make sense to you. thats how most of the deplyments in the US and Europe are done specially when they are connecting multiple sites over the same private mpls link.
"the scaling issues of an overlay VPN model are felt most when having to manage and provision a large number of circuits/tunnels between customer devices"

ilcram19-2

ColbyG wrote: »

The closest thing to the average (full mesh) MPLS VPN is DMVPN. All sites have connectivity to each other without going through the hub site. Using traditional IPSEC VPNs or even GRE/IPSEC tunnels (no DMVPN) isn't much of a comparison to a normal MPLS VPN deployment. The difference in administrative overhead is huge.

If the OP doesn't want to pay for an MPLS VPN, but wants full mesh connectivity, DMVPN is the best option. If you want hub and spoke, there are a lot of options.

I agree on that But, the spokes depends 100% of the hub if the hub goes down there wont be dynamic tunnels anymore, having gre/ipsec tunnels to each site it will be alot of configuration on each router but you wont be depending on the HUB ,also i've seen alot of people that would like to take care of how the traffic path is managaged and prefer the traffic to go to the hub first the to reach the other spokes and they change the delay on the spokes to fix that having all traffic going to the hub first becasue they dont have control over the dmvpn tunnel being created,

kalebksp

ilcram19-2, MPLS VPNs don't have a hub nor do they use dedicated private links. The layer 2 connectivity may be provided over something like T1 (or pretty much any other circuit), but the endpoint of that link is the ISPs router. Traffic is kept separate by using VRFs. MPLS VPNs allow any router in the VRF to talk to any other router in the VRF (that's a simplification of how it actually works). As I said before MPLS VPNs are not an overlay VPN.

SysAdmin4066

networker050184 wrote: »

How about an MPLS VPN service? With five sites, I'd just go that route so you don't have to worry about IPSEC VPNs over the internet.

That's an even better idea, Sprint MPLS is damn good and fairly cheap.

ilcram19-2

kalebksp wrote: »

ilcram19-2, MPLS VPNs don't have a hub nor do they use dedicated private links. The layer 2 connectivity may be provided over something like T1 (or pretty much any other circuit), but the endpoint of that link is the ISPs router. Traffic is kept separate by using VRFs. MPLS VPNs allow any router in the VRF to talk to any other router in the VRF (that's a simplification of how it actually works). As I said before MPLS VPNs are not an overlay VPN.

i never said there was a hub on an mpls vpn, we were talking about DMVPN. and the you contradict yourself . sayin that they arent dedicated private links but then u say "The layer 2 connectivity may be provided over something like T1 (or pretty much any other circuit), but the endpoint of that link is the ISPs router." what is that call?, and MPLS or the label tagging protocol doesnt run at layer 2, it adds a extra header between layer 2 and layer 3 aka layer 2.5 were it adds the tag. or if you can explain what you talking about? becasue no one seems to know what they are saying or give some sort of explanation,

kalebksp

ilcram19-2 wrote: »

i never said there was a hub on an mpls vpn, we were talking about DMVPN.

I see that, I misread.

ilcram19-2 wrote: »

you contradict yourself . sayin that they arent dedicated private links but then u say "The layer 2 connectivity may be provided over something like T1 (or pretty much any other circuit), but the endpoint of that link is the ISPs router." what is that call?

You have to have some sort of connectivity to the ISP, right? It could be anything T1, Metro Ethernet, DSL, 56K DDS, etc.

When someone says "dedicated private link" they are generally referring to a link from one of their sites to another one of their sites. The customer routers talk to each other directly at L3. In MPLS the customer router talks to the ISP router at L3.

ilcram19-2 wrote: »

and MPLS or the label tagging protocol doesnt run at layer 2, it adds a extra header between layer 2 and layer 3 aka layer 2.5 were it adds the tag.

I'm aware, but you still need layer 2 connectivity, right?

ilcram19-2

kalebksp wrote: »

I see that, I misread.



You have to have some sort of connectivity to the ISP, right? It could be anything T1, Metro Ethernet, DSL, 56K DDS, etc.

When someone says "dedicated private link" they are generally referring to a link from one of their sites to another one of their sites. The customer routers talk to each other directly at L3. In MPLS the customer router talks to the ISP router at L3.



I'm aware, but you still need layer 2 connectivity, right?

what!!! and i think you still need 1 and 3 connectivity lol im done here

ColbyG

wat...?!

kalebksp

ColbyG wrote: »

wat...?!

That wasn't aimed at me was it? I'm pretty confident in my explanation, but if I got something wrong I'd like to know.

networker050184

kalebksp wrote: »

That wasn't aimed at me was it? I'm pretty confident in my explanation, but if I got something wrong I'd like to know.

I'm pretty sure thats not at you.....

kalebksp

networker050184 wrote: »

I'm pretty sure thats not at you.....

Cool, sometime I have to double check that I haven't gone bonkers...

ColbyG

kalebksp wrote: »

That wasn't aimed at me was it? I'm pretty confident in my explanation, but if I got something wrong I'd like to know.

No sir, definitely not aimed at you.