vincentkable

join:2013-01-27

4 edits

[HELP] Cisco h/w to replace lot of tomato routers and linux serv

We have offices/datacenters spread internationally. (California/Chicago/Singapore/London/Kolkata/Mumbai)

Currently the offices are using tomato routers and linux servers for the following services:
1. Multi wan with failover and load balancing
2. Real time b/w usage
3. Application traffic view
4. QOS: 300+ polycom 650 voip phones. Couple of asterisk servers
5. NAT
6. Site to site vpn between 20 locations (offices+datacenters)
6a. Selective routing of VPN traffic
6b. H/W accelerated crypto
7. Remote workers accessing the network using VPN client.

The current infrastructure requires a lot of custom scripts to manage. Asus RT N16 routers running tomato have to be rebooted often. The load balancing and failover on linux requires us to maintain custom code.

We want something more robust, reliable and easily manageable.

After reading this forum for 2 days I have made these hardware deployment choices:
A. 4 Offices with 50+ users Cisco 3845-3U
B. 2 Offices with 10+ user: Cisco 3825-2U
C. 2 Offices with less than 10 users: Cisco 2811-1U (Chosen over Cisco 1841 since Cisco 2811 is rack mountable)
D. 50+ Working from home: Cisco 881-desk (For Skype / Polycom 650 VOIP QOS. Just loading software vpn client on remote workers laptop results in too many qos problems with VOIP)
E. 1 Data center: Cisco 3825 (For VPN)

This is the first time we will be deploying cisco gear. We have 10+ years of linux experience but no cisco experience.

In the hardware choice we have consciously decided to stay a generation behind the current cisco products to save on cost.

Here are my questions:
1. Does the above hardware choice look ok ? Do you have alternative suggestions ?

2. The current plan is to buy the cisco gear from ebay / craigslist. Is that ok ?

3. To reduce complexity is it a good idea to use Cisco 3825 2U in all offices and data centers ?

Please feel free to ask me questions to get better understanding of the physical offices etc.

Tx,



phantasm11b
Premium
join:2007-11-02

Re: [HELP] Cisco h/w to replace lot of tomato routers and linux

What are the bandwidth requirements for each office? What services do you need? How about firewalls, are you going to run Linux with iptables for that purpose? What type of network traffic? Web and email only? What type of WAN connection?

Also, as for buying on craigslist/ebay: be careful. You'll want SmartNet for hardware/software support, and some of that gear may not be eligible.


vincentkable

join:2013-01-27

2 edits

What are the bandwidth requirements for each office?
Each of the 4 offices with 50+ people will have 4 dsl/cable multi vendor connections of 3Mbps up/down. These are offices in remote locations and single connection of larger b/w is not available.

The smaller offices have 2 dsl/cable incoming b/w 3Mbps up/down

The data center in Fremont, CA is 100 Mbps

What services do you need?
Refer to point 1 to 7 at the beginning of my first post.

How about firewalls, are you going to run Linux with iptables for that purpose?
I would prefer that the cisco gear ran the firewall.

What type of network traffic? Web and email only?
web + email + voip + skype + ssh

What type of WAN connection?
Mix of cable and dsl connections.

You wrote:
"Also, as for buying on craigslist/ebay. Be careful. You'll want smartnet for hardware/software support and some of that gear may not be eligible."

The cost difference between new and used gear is 1 to 10. I think I will hire a consultant to teach/help me configure the devices.
For hardware support I might just buy some extra units to replace when faults are discovered.

Tx,


HELLFIRE
Premium
join:2009-11-25
kudos:17
reply to vincentkable

said by vincentkable:

Currently the offices are using tomato routers and linux servers for the following services:
1. Multi wan with failover and load balancing
2. Real time b/w usage
3. Application traffic view
4. QOS: 300+ polycom 650 voip phones. Couple of asterisk servers
5. NAT
6. Site to site vpn between 20 locations (offices+datacenters)
6a. Selective routing of VPN traffic
6b. H/W accelerated crypto
7. Remote workers accessing the network using VPN client.

All options are doable by the hardware you are initially looking at. To clarify further on points 2, 3, and 6a,

For 2 and 3, are you looking for SNMP-based monitoring? Netflow?

For 3 specifically, again are you looking into what Netflow can do, or are you talking application inspection / web
filtering capabilities? Be aware that ISR routers are VERY limited in web filtering capabilities -- better to
get a separate device / appliance to do this with.

For 6a, presuming you are referring to split tunnel and nonsplit tunnel VPNing, or something like DMVPN?

For the data center, I'd probably stick to the 3845 rather than the 3825, simply because it's going to be
a headend for all your traffic, and for add'n growth room.

Your 100Mbps pipe, is that a Committed Information Rate, or Burstable rate? Is the provider handing
you a fiber connection or pulling a RJ-45 cable to your equipment? If the former, you may have to budget
for additional hardware modules (ATM / POS / serial / NM-x or xWIC cards) for the connectivity. I'd also
budget for extra VPN accelerator cards -- you may want to check out Cisco's VPN performance guide
here.

For VPN, are you looking for IPSec / client based connectivity, or SSL VPN? Be aware that the latter also
carries its own licencing (per seat / user-based) and configuration issues that you'll have to budget and
plan for.

said by vincentkable:

2. The current plan is to buy the cisco gear from ebay / craigslist.

Be aware that no smartnet gets you a) no support from Cisco TAC beyond what is available on their website and/or
what you can crib from the internet, and b) no IOS software. You'll likely need Advanced Security minimum loaded
onto all your gear to do what you're asking to do, so if you get gear without that level of IOS, you're SOL. Also,
be aware that ebay / craigslist gear carries its own issues of DOA / faulty gear as well. See the old saying of
"you get what you pay for," but if you're comfortable with your risk level, go for it.

Just my 00000010bits.

Regards


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to vincentkable

depending on the number of terminations/tunnels at the d/c side of things -- it may be worthwhile to pick up something a little bigger.
c7200vxr can be had on grey market for cheaper -- even with a g1 or g2 npe.
the next step up would be an asr1000.

»www.cisco.com/en/US/prod/collate···iew.html

above doc is a good vpn reference on scalability of higher end platforms.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


aryoba
Premium,MVM
join:2002-08-22
kudos:4

1 edit
reply to vincentkable

Cisco 1800, 2800, and 3800 series routers are being phased out. For new deployments, 1900, 2900, and 3900 series routers are the norm.

If this is for an enterprise-type deployment (especially for global data centers and offices), buying from craigslist or ebay should never cross your mind. Find Cisco resellers with global presence that can help you get the lowest price quotes and are able to provide local Cisco solutions to those international offices and data centers to minimize shipping costs, taxes and duties (not to mention the bureaucracy challenge, which varies among countries).


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to vincentkable

said by vincentkable:

What are the bandwidth requirements for each office?
Each of the 4 offices with 50+ people will have 4 dsl/cable multi vendor connections of 3Mbps up/down. These are offices in remote locations and single connection of larger b/w is not available.

The smaller offices have 2 dsl/cable incoming b/w 3Mbps up/down

The data center in Fremont, CA is 100 Mbps

What services do you need?
Refer to point 1 to 7 at the beginning of my first post.

How about firewalls, are you going to run Linux with iptables for that purpose?
I would prefer that the cisco gear ran the firewall.

What type of network traffic? Web and email only?
web + email + voip + skype + ssh

What type of WAN connection?
Mix of cable and dsl connections.

The best and long-term solution for such a global network is MPLS, since IPSec VPN over some broadband connections simply is unreliable.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to vincentkable

said by vincentkable:

The cost difference between new and used gear is 1 to 10. I think I will hire a consultant to teach/help me configure the devices.
For hardware support I might just buy some extra units to replace when faults are discovered.

When it comes down to cost, you need to consider which one is more expensive: infrastructure cost, or business continuity risk/cost in addition to the energy, money, talent, training time and support spent on maintenance, reliability, and scalability.

Have you considered managed VPN/MPLS services from a global ISP? When you are a small company and/or are low on budget, such services might be the best solution, since they will handle all of the infrastructure build, maintenance, and support.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

said by aryoba:

The best and long-term solution for such a global network is MPLS, since IPSec VPN over some broadband connections simply is unreliable.

but at times -- impractical.
i work with a customer who has facilities in locations that are considered "rural" -- but feed large population centers that would be otherwise unserviced by their vertical.
they provide 40meg cir ip-vpn circuits to each facility. there was an extreme challenge in even getting localized ip-vpn circuits for those sites (granted, the vpn provider was a clec providing services over ilec infrastructure). at times, mpls isn't possible -- especially if you're in an area where 3g/4g services provide connectivity.
in these instances, dmvpn or traditional ipsec are the only way to go. by using routers, rather than asa devices -- it's possible to run gre-over-ipsec (though i believe that in recent code [8.4+], it's possible to run gre on asa as well), which allows for running a routing protocol over the tunnel to provide dynamic updates and reachability.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
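
The GRE-over-IPsec pattern tubbynet describes (a routed GRE tunnel protected by IPsec, with a routing protocol running across it so reachability updates dynamically) looks like the following on IOS. This is an added example for readers of the thread, not configuration posted by anyone in it. It assumes two sites with documentation-range public addresses (203.0.113.1 and 198.51.100.1), LANs 10.1.0.0/24 and 10.2.0.0/24, GigabitEthernet0/0 as the WAN interface (ISR G1 boxes such as the 2811 name theirs FastEthernet0/0), EIGRP AS 100, and a pre-shared key placeholder you would replace. Algorithm support (AES-256, DH group 14) varies by IOS release; use what the installed image offers.

```cisco
! ===== Site A (data center side) -- constructed example, not from this thread =====
! Phase 1 (ISAKMP) policy: authenticates the peer and protects key exchange.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! One key per peer; REPLACE-WITH-STRONG-PSK is a placeholder, not a real value.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Phase 2 (IPsec) transform set. Transport mode suffices because GRE already
! adds an outer IP header; it saves 20 bytes of overhead per packet.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES
!
! The GRE tunnel is a normal routed interface, so a routing protocol can run on it.
interface Tunnel0
 description GRE-over-IPsec to site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROTECT
!
! Advertise only the 10.0.0.0/8 internal space. The public /30s must never be
! learned through the tunnel, or the tunnel endpoint recurses through itself.
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Tunnel0
!
! ===== Site B (branch side) -- mirror image of site A =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES
!
interface Tunnel0
 description GRE-over-IPsec to site A
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROTECT
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Tunnel0
!
! Verification from exec mode (on either side):
!   show crypto isakmp sa        -> peer should be QM_IDLE
!   show crypto ipsec sa         -> encaps/decaps counters climbing on both sides
!   show ip eigrp neighbors      -> the far end's 10.255.0.x address listed
!   show ip route eigrp          -> the remote LAN learned via Tunnel0
```

Because the far LAN is learned by EIGRP rather than pinned with a static route, adding a second tunnel (for instance over a second DSL line, with its own tunnel source and peer) gives failover for free: when the IPsec SA on one path drops, the EIGRP neighbor on that tunnel times out and traffic follows the remaining path. That is the "selective routing of VPN traffic" item from the original list expressed as ordinary routing policy rather than per-box scripts.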

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to aryoba

said by aryoba:

Best and long-term solution for such global network is MPLS since IPSec VPN over some broadband connections simply is unreliable.

To some remote parts of the world, perhaps. I doubt an MPLS VPN would be any more stable than an over-the-internet IPSec VPN in those places. (It all goes over the same pipes.) The key here is to make sure your internet is provided by the same company globally (where possible).

I have IPSec VPNs going all over the place, and they work fine... even 'tho they aren't through the same provider anymore. (4k$ DS3 vs. 2k$ 100M metro-e... no contest.)

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to vincentkable

said by vincentkable:

In the hardware choice we have consciously decided to stay a generation behind the current cisco products to save on cost.

I understand the cost motivation; however, that penny pinching is going to bite you on the ass almost immediately. The ISR G1s are near their end of life. As such, very shortly you will not get software support for them, and hardware support will be questionable. (Pay attention to the last date of attachment... the last day you can buy a new support contract.)

Note: We've had equipment under contract that Cisco could not replace. (old 2920 -- fixed configuration cat 5002) Their answer was to refund our support contract. (no, they wouldn't give us anything newer, or even loan us something to replace it. They found one in a lab several days later and sent it to us.)