Hub and Spoke VPN config questions.

in CCNP
What's going on everyone? I am designing a network for a company right now that has 5 sites that are located all over the east coast. I want to have a hub and spoke VPN config using ASAs. Which model should I use at the hub? Suggestions are greatly appreciated.
"Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
Comments
Assuming each site is connected to the tinternet, what are the connection methods & speed?
Is all the traffic flow between the spokes and hub or is there interspoke traffic as well - would a partial mesh topology help or hinder?
Do you have a requirement for high availability on the ASA / tunnels?
Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route
Next Up: CCIE R&S Lab
This or DMVPN.
In that case I'd rather get a router. An ASA is just a firewall and has a lot of limitations for QoS, routing, and all the good stuff, plus the routers all come with a VPN accelerator built in now, and IOS firewall, IOS IPS, content filtering. I would look into the ISR models; they are cheaper than an ASA.
+1 For site to site, routers are more flexible.
I wasn't saying to use any specific piece of equipment, just that an MPLS VPN solution, while more expensive, cuts down the administrative and technical overhead of IPSEC VPNs.
That would depend a lot on what kind of MPLS VPN you'll be using, overlay or peer to peer; they are the most common MPLS VPN deployments. I'd rather save that money. I've never seen a strong reason to go for MPLS VPNs; with the new VPN technologies you can create your own MPLS network, especially for 5 sites.
Yes you can, but you are forming that network over the public internet. Then for routing you will need tunnels which bring their own set of issues. An IPSEC VPN has its purposes, but simple site to site connectivity can be established with a much better solution.
I'm not really sure what you mean by overlay or peer to peer. Maybe some terminology I've never heard. Have a link?
The overlay VPN model, most commonly used in a service provider network, dictates that the design and provisioning of virtual circuits across the backbone must be complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.
From a service provider's point of view, the scaling issues of an overlay VPN model are felt most when having to manage and provision a large number of circuits/tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is typically extremely complex and also difficult to manage.
On the other hand, the peer-to-peer VPN model suffers from lack of isolation between the customers and the need for coordinated IP address space between them.
MPLS and IPSec VPNs each have their place, it depends on your requirements.
I don't understand what you're saying.
Not to be a jerk, man, but either there is a language barrier or we are talking about two different things. The overlay vs. peer-to-peer thing is VPNs in general and not something specific to MPLS VPN. I really don't think you completely understand the concepts and uses of MPLS VPNs. I'll leave it at that.
Yeah, what he said.
The closest thing to the average (full mesh) MPLS VPN is DMVPN. All sites have connectivity to each other without going through the hub site. Using traditional IPSEC VPNs or even GRE/IPSEC tunnels (no DMVPN) isn't much of a comparison to a normal MPLS VPN deployment. The difference in administrative overhead is huge.
If the OP doesn't want to pay for an MPLS VPN, but wants full mesh connectivity, DMVPN is the best option. If you want hub and spoke, there are a lot of options.
That's what I said, so neither VPN is specific to IPsec or GRE/IPsec; I said that a point-to-point link or a frame relay link are VPNs also. MPLS VPNs, especially overlay VPNs, are dedicated private links. I don't think you have any clue now if that didn't make sense to you. That's how most of the deployments in the US and Europe are done, especially when they are connecting multiple sites over the same private MPLS link.
"the scaling issues of an overlay VPN model are felt most when having to manage and provision a large number of circuits/tunnels between customer devices"
I agree on that. But the spokes depend 100% on the hub; if the hub goes down there won't be dynamic tunnels anymore. Having GRE/IPsec tunnels to each site will be a lot of configuration on each router, but you won't be depending on the hub. Also, I've seen a lot of people that would like to take care of how the traffic path is managed and prefer the traffic to go to the hub first to reach the other spokes, and they change the delay on the spokes to fix that, having all traffic going to the hub first, because they don't have control over the DMVPN tunnel being created.
That's an even better idea, Sprint MPLS is damn good and fairly cheap.
I never said there was a hub on an MPLS VPN; we were talking about DMVPN. And then you contradict yourself, saying that they aren't dedicated private links but then you say "The layer 2 connectivity may be provided over something like T1 (or pretty much any other circuit), but the endpoint of that link is the ISP's router." What is that called? And MPLS, or the label tagging protocol, doesn't run at layer 2; it adds an extra header between layer 2 and layer 3, aka layer 2.5, where it adds the tag. Or can you explain what you're talking about? Because no one seems to know what they are saying or give some sort of explanation.
I see that, I misread.
You have to have some sort of connectivity to the ISP, right? It could be anything T1, Metro Ethernet, DSL, 56K DDS, etc.
When someone says "dedicated private link" they are generally referring to a link from one of their sites to another one of their sites. The customer routers talk to each other directly at L3. In MPLS the customer router talks to the ISP router at L3.
I'm aware, but you still need layer 2 connectivity, right?
What!!! And I think you still need layer 1 and 3 connectivity, lol. I'm done here.
That wasn't aimed at me was it? I'm pretty confident in my explanation, but if I got something wrong I'd like to know.
I'm pretty sure that's not at you...
Cool, sometimes I have to double check that I haven't gone bonkers...
No sir, definitely not aimed at you.