[Other] Multi-Sites VPN

Frank_IT (Premium Member, join:2003-11-01, Montreal):

Good day,

I'm managing a network of 8 sites (stores, main office, plant) connected by VPN.

Right now, the previous IT guy had connected all the stores and the plant to the main office, and it uses OSPF. So if the main site dies, no one will be able to reach the other sites.

Would it be better to "interconnect" each site with the others rather than having one main point?

Thanks

Frank
Bink (Member, join:2006-05-14, Colorado):
If the sites don't need to connect to one another, the interconnectivity is unnecessary overhead. If they do, then the main office is a single point of failure and addressing this would be ideal.
HELLFIRE (MVM, join:2009-11-25) to Frank_IT:
Depends how the VPN and OSPF were set up.

Without a diagram and configs, we can only speculate on a) how it was set up, b) what, if any, redundancy was set up, and c) you haven't indicated whether there is a specific (business) need for redundancy.

Off the top of my head though :

- if the VPN was set up in a hub-to-spoke topology, with the main office as hub, then potentially that is a single point of failure.

- if the VPN was set up in a (partial) mesh topology, there may be some redundancy... problem is the number of connections needed for a full mesh is n(n-1)/2, so in your case that'd be 28 links / tunnels to manage.

- is OSPF set up point-to-point between the 8 sites? Or in some other fashion? Are you able to tell?

My 00000010bits

Regards

Anav (Premium Member, join:2001-07-16, Dartmouth, NS) to Frank_IT:

Why not a hub-to-spoke scenario where the hub has dual WAN for redundancy and a second router (often called high availability, or fallback) in the mix in case the primary router fails?

Frank_IT to HELLFIRE:

[diagram attached] Here is the way it is now.

There is redundancy right now, at least... not any that is working, LOL.
There is a need for redundancy, as 6 of the sites are retail stores.

For the OSPF... I don't know. I just know there is a loopback interface that is used by OSPF :S
aguen (Premium Member, join:2003-07-16, Grants Pass, OR) to Frank_IT:

Who is/are the ISP(s) for all of the locations? I'm seeing possibly 4 different ones, but the actual details would be helpful.

Frank_IT:

said by aguen:

Who is/are the ISP(s) for all of the locations? I'm seeing possibly 4 different ones, but the actual details would be helpful.

It's Videotron, a cable provider here in Montreal.
aguen to Frank_IT:

Ok, question: not knowing the physical layout of the Videotron network, other than that several of your locations seem to share the same subnets (69.70.x.x, 24.37.x.x) and then 2 loners, what's the likelihood of getting them to set you up with P2P for all of your locations?

Frank_IT:

We had looked at that, but it's 4x the price of the internet connection.
aguen:

Yeah, but how would it compare to the hardware costs and maintenance for an all-VPN setup?
P2P may be more expensive in some respects, but it would potentially make your network more reliable.

Frank_IT:

Maybe, but for the next 3 years it's not an option... contract with the ISP.
aguen:

said by Frank_IT:

Maybe, but for the next 3 years it's not an option... contract with the ISP.

I've read some of the posts about the various ISPs "up" there, but that contract thing is absurd.

Frank_IT:

For business it's different than residential :S
HELLFIRE to Frank_IT:

Thanks for that diagram.

As aguen mentions, you could look into ISP-level redundancy, e.g. an MPLS / dual carrier option. I don't know of any providers offhand in your area, but if redundancy is important to you, I'd explore that option. Depending on your budget, just the hub site could have this, or you could extend it to the hub and all spoke sites as well...

For the OSPF, I'm taking a WAG* that 192.168.4.0/24 is Area 0, and everyone just announces their subnet / loopback. Offhand, I can't say what more redundancy you could do in this. Not sure about your (business) needs, but again, my WAG* is that if a store site went down, other than the pissed off userbase there, the hub site and plant would still hum along, correct?

Definitely though, it's doable to do redundancy at the hub site as follows:

- dual carrier

- 2x physical VPN / router devices

- a VRRP address, or x.x.x.x addressing on VPN / router device #1 and y.y.y.y addressing on VPN / router device #2, that the spoke sites point to.

I don't know if you're looking for some way of doing your VPN without going through the hub site, say 192.168.12.x talking to 192.168.7.x without having to go through 192.168.4.x first...

My 00000010bits

Regards

*Wild A** Guess
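Added example, not code from the thread or from any vendor: a small Python model of the topologies HELLFIRE lays out in both of his posts above, the n(n-1)/2 tunnel count for a full mesh, the single-hub case Frank_IT is worried about, and the two-router hub from the post just above. It then checks which site pairs can still reach each other when one store, one hub router, or the whole office site goes down. Site names and the two office router endpoints are assumptions; the thread only says main office, plant and six stores.

```python
"""Model of the thread's 8-site VPN: tunnels per topology, and which site pairs
can still talk after a failure. Site names are constructed; the diagram is not
reproduced here."""
from collections import deque
from itertools import combinations

# Assumption: main office as hub, plant plus six retail stores as spokes.
SPOKES = ["plant", "store1", "store2", "store3", "store4", "store5", "store6"]
HUB_ROUTERS = ["office-rtr1", "office-rtr2"]  # the two hub devices HELLFIRE proposes


def full_mesh_tunnel_count(n):
    """Tunnels a full mesh of n sites needs: n(n-1)/2."""
    return n * (n - 1) // 2


def full_mesh(sites):
    """One tunnel between every pair of sites."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(spokes, hubs):
    """Each spoke holds one tunnel to every hub endpoint; nothing spoke-to-spoke."""
    return {frozenset((hub, spoke)) for hub in hubs for spoke in spokes}


def dual_router_hub(spokes):
    """Two VPN devices at the main office, each spoke peering with both. The
    devices and the office LAN are joined by ordinary LAN links, not tunnels,
    so they are returned separately from the tunnel set."""
    tunnels = hub_and_spoke(spokes, HUB_ROUTERS)
    lan = {frozenset(("office", rtr)) for rtr in HUB_ROUTERS} | {frozenset(HUB_ROUTERS)}
    return tunnels, lan


def reachable_pairs(links, failed=(), transit=()):
    """Return (reachable, total) over unordered pairs of surviving sites.
    Nodes in 'failed' are down: their links are unusable and they are not
    counted. Nodes in 'transit' (the hub routers) forward traffic but are not
    sites themselves, so they are never counted as endpoints."""
    nodes = {n for link in links for n in link} - set(failed)
    adj = {n: set() for n in nodes}
    for link in links:
        a, b = tuple(link)
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    sites = sorted(nodes - set(transit))
    reachable = 0
    for src, dst in combinations(sites, 2):
        seen, queue = {src}, deque([src])
        while queue and dst not in seen:          # breadth-first search
            for nxt in adj[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        if dst in seen:
            reachable += 1
    return reachable, len(sites) * (len(sites) - 1) // 2


def scenarios():
    """Failure cases discussed in the thread, as (reachable pairs, total pairs)."""
    single = hub_and_spoke(SPOKES, ["office"])
    dual_tunnels, office_lan = dual_router_hub(SPOKES)
    dual = dual_tunnels | office_lan
    mesh = full_mesh(["office"] + SPOKES)
    return {
        "single hub, one store down": reachable_pairs(single, failed=["store1"]),
        "single hub, office down": reachable_pairs(single, failed=["office"]),
        "dual routers, one router down": reachable_pairs(dual, failed=["office-rtr1"], transit=HUB_ROUTERS),
        "dual routers, whole office site down": reachable_pairs(dual, failed=["office", *HUB_ROUTERS], transit=HUB_ROUTERS),
        "full mesh, office down": reachable_pairs(mesh, failed=["office"]),
    }


if __name__ == "__main__":
    print(f"full mesh of 8 sites: {full_mesh_tunnel_count(8)} tunnels")
    print(f"single hub: {len(hub_and_spoke(SPOKES, ['office']))} tunnels, "
          f"dual-router hub: {len(dual_router_hub(SPOKES)[0])} tunnels")
    for name, (ok, total) in scenarios().items():
        print(f"{name:40s} {ok:2d}/{total} site pairs still reachable")
```

The "single hub, office down" row is exactly the outage Frank_IT describes: every remaining pair is cut off. Two routers at the hub bring that back to full reachability for a device failure, but the "whole office site down" row shows they do nothing for a loss of the site or its only carrier, which is why the post above pairs the second device with a second carrier. The full mesh survives the office outage at the cost of 28 tunnels, twice the 14 of the dual-router hub.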
LittleBill (Member, join:2013-05-24):

If you're using OSPF, you would need connections from all branch sites to the other branch sites; then OSPF would work. As of right now it's worthless.

Frank_IT:

Okay,

so, except that I will have many tunnels to manage, connecting each site/store to each other is a possibility?
LittleBill:

Yeah, it would be a crapload of tunnels.

Frank_IT:

Yeah, 8 on each site.

The hitch is that my manager doesn't want to invest in that, as he doesn't understand the need. But I see it when my users show it to me.

I'm just trying to find a way to do it without any "investment" (except my time) and without using the hardware we use in the stores (old Fortigates that are set up with 3DES as they don't support AES); and my direct manager (who is on maternity leave) didn't realize that, when upgrading the internet connection speed, we would need to upgrade those routers :S So I will be using small PCs with pfSense... that's why I'm asking all that.
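A check a practitioner would run before keeping the old 3DES-only Fortigates from the post above in service on the faster links. This is an added example, not from the thread or from Fortinet: it works out how much traffic one IPsec SA can carry before the 64-bit block size of 3DES runs into its per-key limit, how many seconds of full-rate traffic that is, and whether a given rekey lifetime keeps the SA inside that budget. The link speeds and SA lifetimes used are assumed numbers, not figures from the thread.

```python
"""How long a 3DES-keyed IPsec SA lasts at a given link speed before its 64-bit
block size is exhausted, compared with AES. All speeds and lifetimes fed in are
assumed values, not figures from the thread."""

BLOCK_BITS = {"3des": 64, "aes": 128}

# Per-key block limits: NIST SP 800-67 Rev. 2 caps a single 3DES key at 2^20
# blocks (the Sweet32 birthday attack on 64-bit block ciphers is the reason).
# For AES the birthday bound 2^64 is used as the comparison point; no realistic
# rekey interval gets anywhere near it.
MAX_BLOCKS = {"3des": 2 ** 20, "aes": 2 ** 64}


def byte_budget(cipher):
    """Bytes one SA may encrypt under the block limit."""
    return MAX_BLOCKS[cipher] * (BLOCK_BITS[cipher] // 8)


def seconds_to_exhaust(cipher, link_mbit_s):
    """Seconds of full-rate traffic before an SA exceeds its byte budget."""
    return byte_budget(cipher) / (link_mbit_s * 1_000_000 / 8)


def collision_probability(cipher, nbytes):
    """Birthday approximation m(m-1)/2^(n+1) that two of m n-bit CBC blocks
    collide; in CBC mode a collision leaks the XOR of two plaintext blocks."""
    m = nbytes // (BLOCK_BITS[cipher] // 8)
    return min(1.0, m * (m - 1) / 2 ** (BLOCK_BITS[cipher] + 1))


def sa_lifetime_ok(cipher, link_mbit_s, lifetime_s, lifetime_bytes=None):
    """True if the SA is rekeyed (by time or by byte count, whichever comes
    first) before it can exceed its byte budget at full link rate."""
    by_time = link_mbit_s * 1_000_000 / 8 * lifetime_s
    worst = by_time if lifetime_bytes is None else min(by_time, lifetime_bytes)
    return worst <= byte_budget(cipher)


if __name__ == "__main__":
    for cipher in ("3des", "aes"):
        for mbit in (10, 100):
            print(f"{cipher}: {mbit} Mbit/s fills one SA's budget in "
                  f"{seconds_to_exhaust(cipher, mbit):.3g} s")
    # a common 1 h time lifetime with no byte limit, vs. a byte limit under budget
    print("3des, 100 Mbit/s, 3600 s lifetime ok:", sa_lifetime_ok("3des", 100, 3600))
    print("3des, 100 Mbit/s, 4 MiB byte limit ok:", sa_lifetime_ok("3des", 100, 3600, 4 * 2 ** 20))
    print("aes,  100 Mbit/s, 3600 s lifetime ok:", sa_lifetime_ok("aes", 100, 3600))
```

The 3DES budget is 8 MiB per key, which a 100 Mbit/s link fills in well under a second, so a time-based rekey alone cannot keep a 3DES SA within the limit on a fast link; only a byte-count lifetime below 8 MiB does, and rekeying that often is not practical. That is the concrete reason the faster connections and the 3DES-only boxes do not go together, independent of the topology question; pfSense on the small PCs can run AES.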
AsherN (Premium Member, join:2010-08-23, Thornhill, ON):

said by Frank_IT:

Yeah, 8 on each site.

The hitch is that my manager doesn't want to invest in that, as he doesn't understand the need. But I see it when my users show it to me.

I'm just trying to find a way to do it without any "investment" (except my time) and without using the hardware we use in the stores (old Fortigates that are set up with 3DES as they don't support AES); and my direct manager (who is on maternity leave) didn't realize that, when upgrading the internet connection speed, we would need to upgrade those routers :S So I will be using small PCs with pfSense... that's why I'm asking all that.

It's simple. I manage a multi site network. All come to the main location. Some go to each other. Depends on need.

In your case, do the stores need to be able to get to one another all the time? What is the cost to the business if the hub is down and 2 stores can't see each other? Is it convenient to check stock? Can a phone call do the same in the unlikely event of HO being down?

It comes down to cost vs maintenance headache.

Anav to Frank_IT:

In general a hub and spoke makes more sense when the majority of VPN traffic is between the satellite sites (spokes) and the main site (hub). If you have a lot of traffic between sites, then your hub has to be robust enough (i.e. enterprise vice prosumer) to handle it (multiple sessions), including having a large enough ISP connection (and probably more than one), and of course there is the single point of failure issue.

If not, it may make more sense for some satellite sites that have the majority of their traffic with each other to have multiple tunnels (to another site and to the hub).
HELLFIRE to Frank_IT:

said by Frank_IT:

I'm just trying to find a way to do it without any "investment" (except my time)

Before you go doing anything, do you have any documentation and/or have you gotten the configs for the whole thing? The diagram you provided is just a 50K-foot view, but before you start ripping things apart and redesigning, I'd make sure you understand and know how it's put together...

...sure, all of us have a story or two of something we broke apart (accidentally or deliberately) and had to put back together... without the directions on HOW to do this.

Wasn't a fun time for me, I can say...

My 00000010bits

Regards

Frank_IT:

Don't worry. I have a backup of each site's config.

LazMan (Premium Member, join:2003-03-26, Beverly Hills, CA) to Frank_IT:

Asher's on the right track, in my opinion...

Do the sites actually need to talk "store to store" or are the applications/servers hosted at the main hub?

If all the applications depend on the main hub anyways, then p2p redundancy between stores doesn't buy you much, if anything.