keatron wrote: Setup is a 10 station workgroup office (no DC) connected to a 40 station HQ (DC present). Right now they're traversing between the offices with a lackluster VPN solution. I'm going to propose to put a Cisco device on both ends, drop a DC at the remote office (which currently does not have one), and try and set up a secure VPN between the two. Any suggestions on Cisco hardware for this? Speed is of great concern, however, they're currently using a T1 line at each office which also serves as their internet access to VPN across. From the surface (based on what I was told over the phone) it appears they only have a fractional T1, so along with other recommendations, I'm considering an upgrade to at least a full T1. I'm old to IT and very new to Cisco, so your advice will be greatly appreciated.
tunerX wrote: A PIX is good if you are running Ethernet, but I would go with some 26XX XM with encryption AIMs, Firewall IOS, and WIC 1 DSU modules. If they are using two different networks, with routing architectures, I would set up an IPSec/GRE tunnel interface for any traffic moving between sites. This gives the benefit of maintaining both networks independently, with separate routing. You should also look into queueing for the traffic between sites. Check the amount of traffic between them and types of applications/protocols. You can then specify that traffic to the internet will go unencrypted out the local router. Anything between the sites will be tunneled/encrypted and authenticated. You could also recommend future upgrades. If they are using analog key systems or a PBX you could set up NM-HD-1V (or something else) with a DID card, and forward calls between sites over the Internet. If call volume between sites is high then you could save money. You will have to compare costs of the voice equipment, call hours/cost, and service costs. You can then calculate how long the upgrade will take to pay for itself and start saving costs based on the converged architecture.
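As an added illustration of the design tunerX describes (not part of the original post and not any participant's configuration), a GRE-over-IPsec setup for the remote-office router could look like the following. All addresses, interface names, ACL and map names, and the pre-shared key are assumed placeholders, and it assumes an IOS release where applying the crypto map to the physical interface is sufficient.

```cisco
! Remote-office router. Constructed example: every value below is a placeholder.
! Assumed: local WAN 192.0.2.2, HQ WAN peer 198.51.100.2,
!          remote LAN 10.10.20.0/24, HQ LAN 10.10.10.0/24.
!
! IKE phase 1: how the two routers authenticate each other
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 198.51.100.2
!
! IPsec phase 2: transport mode, because GRE already supplies the outer header
crypto ipsec transform-set S2S-SET esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only GRE between the two WAN addresses is encrypted.
! Internet-bound traffic never matches this and leaves unencrypted.
access-list 110 permit gre host 192.0.2.2 host 198.51.100.2
!
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set S2S-SET
 match address 110
!
! GRE tunnel interface: carries site-to-site traffic (and a routing protocol if wanted)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
!
! T1-facing interface: the crypto map is applied here
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map S2S-MAP
!
interface FastEthernet0/0
 ip address 10.10.20.1 255.255.255.0
!
! HQ subnet goes through the tunnel (encrypted and authenticated);
! everything else follows the default route out the local link.
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The HQ router mirrors this with the peer addresses swapped. NAT for internet access and inbound firewall rules are left out here; after the tunnel is up, `show crypto ipsec sa` should show the encapsulation counters rising only for inter-site traffic.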
rossonieri#1 wrote: I agree with tunerX to set up via GRE tunnel (IPSec is much too complicated), but unfortunately it is now obsolete because many ISPs have blocked the traffic passing through their network, and so does the analog VoIP. I think it is better to consult first with your ISP whether they permit those kinds of traffic.