Branch office VPN connection backup via 3G

Hello,
I have a security VPN architecture made of a couple of redundant ASAs in the main office as a hub and 880 series routers as remote spokes.
I would like to have connectivity redundancy so that my spoke routers are always connected to the hub.
I thought of using an 887 ADSL router with a 3G interface as backup, but I don't have a clear idea of how I can make the redundancy automatic.
Do you have any document where I can read an example?
I would like to have a primary VPN link via the ATM interface and a secondary on-demand link via the 3G interface (public dynamic IP).
If necessary I can also think of replacing the ASAs with new routers.
Thanks all
Johnny

Anyone have an update for me?
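The thread has no answer, so here is the kind of spoke configuration the question is asking for, as an added example (not from the original post or from Cisco documentation): an 887 with PPPoA on the ATM interface as the primary path, the 3G modem dialled only when needed, an IP SLA probe plus a tracked static route to switch between them automatically, and one crypto map bound to both dialer interfaces so the IPsec tunnel to the hub follows whichever path is active. All addresses, credentials, the APN and the PVC are assumptions and must be replaced.

```cisco
! Spoke 887 with ADSL (ATM) as the primary VPN path and 3G dialled on demand as backup.
! Added example, not from the thread. Assumed values, replace all of them:
!   hub ASA outside IP 203.0.113.1, probe target 198.51.100.53 (an address that is only
!   reachable via the ADSL ISP, e.g. its DNS), spoke LAN 192.168.10.0/24, hub LANs 10.0.0.0/8,
!   ISP/APN credentials, PVC 8/35 and APN name internet.example.
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key S3cretPSK address 203.0.113.1
! DPD: once the spoke re-appears from a different address the hub drops the stale SA quickly
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! --- Primary path: PPPoA on the ATM interface, crypto map bound to Dialer1 ---
interface ATM0
 no ip address
 dsl operating-mode auto
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname adsl-user
 ppp chap password 0 adsl-pass
 crypto map HUB
!
! --- Backup path: 3G. Create the APN profile once from exec mode first:
!       cellular 0 gsm profile create 1 internet.example
chat-script gsm "" "ATDT*98*1#" TIMEOUT 30 "CONNECT"
interface Cellular0
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 async mode interactive
 ppp chap hostname 3g-user
 ppp chap password 0 3g-pass
 ppp ipcp dns request
interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 2
 dialer string gsm
 dialer-group 2
 ! hang up after 5 minutes without interesting traffic, i.e. once the primary is back
 dialer idle-timeout 300
 crypto map HUB
line 3
 script dialer gsm
 modem InOut
 no exec
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
! --- Failure detection: probe a target that is pinned to the ADSL path ---
ip sla 1
 icmp-echo 198.51.100.53 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 ! hysteresis: 30 s of loss before failing over, 60 s of success before failing back
 delay down 30 up 60
! host route with no backup, so the probe never leaks onto 3G and keeps the line up
ip route 198.51.100.53 255.255.255.255 Dialer1
! the primary default is withdrawn while track 1 is down; the AD 250 floating static then
! takes over, triggers the 3G dial, and the crypto map on Dialer2 rebuilds the tunnel
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 250
```

Verify a failover with `show track 1`, `show ip route 0.0.0.0`, `show dialer` and `show crypto session`. Three caveats a practitioner will hit: first, because the spoke arrives at the hub from a different (and, on 3G, dynamic) address, the ASA cannot pin it as a static peer; it needs a dynamic crypto map with the pre-shared key under `tunnel-group DefaultL2LGroup` (or, better, certificates, so one leaked PSK does not cover every spoke), and `set reverse-route` if the hub relies on RRI for the spoke subnet. Second, IKE keepalives and rekeys are themselves IP traffic that matches `dialer-list 2`, so the 3G call can stay up while any SA still exists on Dialer2; if it does not drop after the primary returns, `clear crypto session` or a tighter dialer-list ACL fixes it. Third, the probe deliberately watches the ADSL path, not the hub: an outage of the hub itself will not trigger a switch to 3G, which is the intended behaviour when the hub is a redundant ASA pair.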

Similar Messages

  • Advice on using branch office server as backup

    Hello and thanks for assistance,
    The site in question has four physical servers and two virtual servers. They have the following major functions. Server A is a DC/DNS server and also hosts DFS files. Server B holds Exchange server 2012A and the replica partner for DFS. Server C
    has two virtual servers installed: the first one is Exchange 2012B and the second one is the antivirus server. Server D is a DC and a witness server; it also holds WSUS. Backup is taking as long as 12 hours. I had the idea of moving Servers C and D offsite and configuring
    them as branch office servers using VPN. Then all data including mail would be offsite, eliminating the need for backups. All servers of course have RAID1, so my concern really is not hardware related but disaster recovery in the event of fire, flood, etc.
    I know this idea may be full of holes, but that is why I am posting it for your opinions. There are about 50 workstations in the network. The client is very dependent on the network.
    Thanks
    Ronald C. Pope

    Hi Ronald,
    Of course you can create an offsite Exchange server and DC. Connection performance may be an issue, as you must use a site-to-site VPN in case you need a failover.
    Both topics are discussed a lot in Exchange and DC forum:
    Advice for Offsite DC
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/237d8767-4004-448d-883d-ccb596b4da61/advice-for-offsite-dc
    Onsite and Offsite Exchange 2010 Failover?
    http://social.technet.microsoft.com/Forums/exchange/en-US/6cfdfa81-9a4a-499d-a0dd-96b6b8d07bdc/onsite-and-offsite-exchange-2010-failover

  • VPN Client to access HO through branch office

    We have a branch office using a Cisco 1841, which makes a VPN to HO (ASA 5505); both (1841 and ASA) have VPN Client configured. We need branch office VPN software client users to connect to the HO network. I have tried but I am missing something somewhere. I've attached some configs of both devices. Can anyone help ASAP?

    Here is the URL for Configuring and Managing Connection Entries for the VPN Client; follow the steps for configuration, which will help you:
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015e271.html

  • Branch Office DC Demand Dial VPN connection keeps failing

    Here is my issue.
    Our branch office DC is connected to the main office DC with a demand-dial connection in RRAS. Everything is connected fine for a little bit, then it's like the connection just gives out: it stays connected, but I cannot ping the branch office DC on its local
    IP from the main office or access any network shares on it. When this happens I have to disconnect the server at the remote office and wait for it to reconnect. I'm currently baffled, as there are no error logs to help me along and there doesn't seem to be anything
    that would be causing the issue. For now, until I get some answers as to what is going on, I opened a command prompt on the DC here at the main office and typed "ping 10.141.70.25 -t100" to monitor the connection more or less, and when I see it time out
    I reconnect it. I also have the Networking tab open in Task Manager to monitor the LAN and RAS (Dial-In) interface. The LAN doesn't seem too active, but the RAS interface does: it's got a constant network utilization of 0.28%, and the demand-dial interface
    on the remote office DC has a utilization of 0.38% (the server just disconnected as I was typing this, and the utilization on the VPN connections on both servers went through the roof). Here's the troubleshooting I have tried so far:
    1. Rebooted both office DCs at the same time
    2. Rebooted the branch office DC alone (this helped a little because the connection is staying active longer without failing)
    3. Looked through all RRAS configuration on both servers to see if there were any mistakes by any other administrators (none were found)
    4. Used Wireshark to see if there was anything interfering or that would cause this to happen (nothing found)
    5. Manually connected to the server in multiple ways, like accessing network shares and remote management via MMC, and manually made the servers replicate to see if any of that was causing issues; it wasn't
    My thoughts: I'm starting to think it may be a switch or something causing the connection issue at the branch office, because the main office has all new routers and switches and just recently got a 100.00 Mbps connection, but nothing was affected for a good
    month, so I'm not thinking it is the new connection or anything at the main office. If there's something I'm overlooking here please let me know; if some ipconfig /all results are needed I can provide them.
    Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK

    Hi,
    Are there any error messages in the event log?
    Meanwhile, it is more of a network issue; I think you may ask in the network forums:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS
    Regards.
    Vivian Wang

  • How take Branch offices backup centrally through DPM 2012 Server

    Hi
    I have one HQ and 200 branch offices. I want to take the backup of the 200 branch offices centrally through a DPM 2012 server.
    To achieve this, what procedure do I have to follow? Shall I go with one DPM server at HQ, or do I have to configure a DPM server at each branch office?
    I have a 3 Mbps link in each office.
    Thanks and Regards Deepak

    I'm not sure there is a simple, easy answer.  It depends on what you want to achieve via the DPM protection.  My two cents is to have your DPM servers for the branch offices running at your HQ location so your backups are "offsite".  This
    will protect you in the event a branch office is lost.  All protection elements except for BMR are pretty efficient with DPM and you can compress the traffic from your branch locations.
    You can have multiple DPM servers at HQ and balance your server protection load across that farm.
    You may want to have a DPM server at a branch location that protects some of your HQ servers to provide an offsite backup for HQ resources.
    Be careful with BMR backups across WAN links.  The BMR sends the entire BMR backup every time.  And the BMR backup can include multiple drives if you happened to have installed applications on something other than the system drive (C:).  You
    can get a list of all the drives that will be included in the BMR backup by running this command on a server: "wbadmin start backup -allcritical -backuptarget:\\localhost\c$".  Just hit CTRL-C after it shows you the drives that will be included.
    You'll need to run the DPM backup across a private link or via site-to-site tunnels.  I don't recommend trying to do a DPM backup with a firewall between the two sites.  I'm sure it could be done...but I don't recommend it.
    Rob

  • Branch office dial backup design

    I'm having more trouble with this than I think I should.
    I have 10 small branch offices connected to the home office via frame-relay -- it's purely hub-and-spoke, with no PVC's between branch offices, everything goes to the central office. I'm trying to set up a POTS dial scenario to replicate this. Each branch has a 26xx with a two-port serial card, two analog modems and two POTS lines. The central office has an ISDN PRI terminating in a 3725 with MICA modems.
    I can get a branch router to dial on one or both lines (multilink PPP), and the 3725 receives the call. CHAP negotiation works. Where I'm having trouble is in the IP routing. I've tried countless combinations of numbered and unnumbered interfaces, a dialer-based IP pool on the 3725, EIGRP and/or floating static routes, etc., etc. Nevertheless, I can't get correct IP routes established, and I feel like I'm banging my head against the wall now. None of the design docs I can find on the Web site directly address my scenario in a way I can understand. Any suggestions?

    This is my config for our 3640.
        interface Group-Async1
         ip unnumbered Serial1/0:23
         encapsulation ppp
         no ip mroute-cache
         dialer in-band
         dialer idle-timeout 1200
         dialer map ip 170.1.1.16 name bri01rt01ec
         dialer-group 1
         async mode interactive
         peer default ip address pool default
         ppp authentication pap chap ca
        !
        ! primary route via our PIX
        ip route 192.168.16.0 255.255.255.0 172.17.1.6
        ! floating static (AD 200) via the IP address of the modem that dials in from the 1750
        ip route 192.168.16.0 255.255.255.0 170.1.1.16 200
    This config looks fine to me. What does everyone think?

  • Join remote computers in a branch office over vpn(GRE)

    Hi
    I have a problem with joining computers located in a branch office, described in the following; I would be grateful if anyone could help me.
    I have an FG1240B firewall as the edge firewall in my network and an FG60C in the branch office. These firewalls can see each other with their assigned IPs; on top of that I established a GRE tunnel between them to increase security and make a direct site-to-site connection.
    The tunnel interfaces have their own IPs. Routes between the two LANs are created, and computers in the branch can see HQ's servers such as the DC and additional DC. It should be noted that all services are opened to both sides, and the branch's computers can even resolve records in
    DNS, open HTTPS web servers and so on.
    But I face the problem when I want to join computers to the domain: after entering the credentials it returns the error message "the network path was not found". While investigating, I found that TCP ports 139 and 445 (which are used for user
    and computer authentication) could not establish a connection to the DC while all services are open at origin and destination; even DNS passes, and when I issue the netstat command on the branch computer I notice the connection to the DC stays in the SYN_SENT
    state and never advances to SYN-ACK / SYN_RCVD. It is worth mentioning that all these logs were seen in the branch, and there is no join query in the 1240B firewall.
    I know this problem should be answered in firewall forums, but I asked this question here because I hope anyone can help me :-/
    Thank you in advance for replying

    Hi,
    You can use a Wireshark or Network Monitor capture to see if any traffic is being blocked/stopped somewhere along the path when trying to join the domain. You do not need WINS. Have you enabled DNS debug logging on the DC/DNS servers in the hub site and
    watched whether the client from the branch site reaches the server?
    Regards,
    Calin

  • Clients not seeing DHCP server at branch office or not accepting IP offers (no log reports, kind of in the dark)

    Hi there, I am having an issue that has popped up recently. I have a DC at a branch office that is connected to the main office DC via a persistent demand-dial connection in RRAS. Everything was working properly as far as I knew, until I found out that the network
    admin who manages the branch office network failed to notify me that client machines weren't getting IP addresses from the DHCP server. This server was recently installed and wasn't fully implemented until about a week ago, when I configured the demand-dial
    connection in RRAS; up until that point it just had a regular old VPN connection to the main office while we worked out the kinks with a few things. The things I've tried so far to get DHCP working are as follows:
    1. Rebooted the branch office server (multiple times)
    2. Uninstalled the DHCP role and re-installed it. To my surprise, 1 client managed to get an IP on its LAN adapter after DHCP was re-installed, but nothing else
    3. Disconnected the connection between the main office DC and the branch office DC, as I figured the main office DC's DHCP server might be interfering with the branch office DC's DHCP server, but nothing happened
    4. Unauthorized and reauthorized the main office DHCP server and the branch office DHCP server; nothing changed
    5. Sifted through multiple log files on both servers and found nothing; in fact the DHCP logs are empty on both servers
    6. Restored backups of the DHCP servers from when they were working
    7. Came here because I'm out of ideas and I'm pulling my hair out
    Here are the current statistics from the problem server:
    Start Time: 7/12/2014 2:02:10PM
    Up Time: 1Hours, 18 Minutes, 41 Seconds
    Discovers: 90
    Offers: 90
    Requests: 2
    Acks: 13
    Nacks: 0
    Declines: 0
    Releases: 0
    Total Scopes: 1
    Total Addresses 253
    In Use 2 (0%)
    Available: 251 (99%)
    I'd like to add that RRAS was getting IP addresses from the problem server up until the point I uninstalled the role and re-installed it.
    Here is an ipconfig /all from the problem server:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : MNB-DC
       Primary Dns Suffix  . . . . . . . : VTEACR.LOCAL
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : VTEACR.LOCAL
    PPP adapter Remote Router:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Remote Router
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.141.70.25(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.141.70.10
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-16-35-AB-D3-05
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d9e:daa4:34dd:db44%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.141.80.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::226:5aff:feb7:5b3c%10
                                           10.141.80.1
       DNS Servers . . . . . . . . . . . : ::1
                                           10.141.80.102
       NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 169.254.238.243(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{427DF66B-3B30-40B1-B67E-B5587465C394}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.ziricom.com
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 13:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{BE201060-A9B9-404A-8361-F8FFB82F56F6}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 14:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 15:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 16:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 19:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.ziricom.com
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    If any more information is needed please let me know. I have full access to everything on the network, so it's not a problem, and I am able to remotely access the branch office DC and all computers and switches at any time of the day.
    Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK

    Hi,
    Does this issue occur on one client or multiple?
    Please check this article:
    http://technet.microsoft.com/en-us/library/cc757164(v=ws.10).aspx#BKMK_5
    Regards.
    Vivian Wang

  • OSPF design for branch offices across MPLS

    Hello fellow networking engineers,
    I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
    I know that in order to get linked areas I would need to set up GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites it would become cumbersome to create a mesh real fast.
    Is running independent OSPF areas at each site and simply redistributing over eBGP a valid solution? This will host voice and data, and will fail over to a VPN connection (Cisco ASAs) if the MPLS goes down.
    For the VPN backup links, I thought of two options: either simply using the default route to send everything to the ASA in case of MPLS "death", or injecting routes using IP SLA...
    Any input would be appreciated.

    Marc
    You don't need GRE tunnels to link your areas, if that is what you want to do.
    If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter-area routes rather than OSPF externals, which they would be if you simply treated each area as isolated from the others.
    In effect the MPLS network becomes an OSPF super backbone area, and your main site would also be part of the backbone area, with all your other sites having an area each.
    You still redistribute your OSPF routes into BGP, but with some extra configuration on both your CEs and the SP PE devices.
    Like I say, you would need to check with your SP, but it is possible.
    Whether or not you need or want it I don't know.
    Your other option is, as you have proposed, to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non-local routes would be seen as OSPF external routes.
    Either way, in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA, because if the main MPLS link goes down at any site the only other path they have out is via the ASA, so there is nothing really worth tracking.
    The only other thing I would mention is remote-site-to-remote-site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site, so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
    This would only really be needed if two or more sites had to use their backup links at the same time.
    In terms of which is better, i.e. OSPF inter-area across the MPLS cloud or OSPF externals, I can't really say to be honest. With the MPLS networks I have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
    If you are already running OSPF then you may want to preserve your existing areas, so it would make sense to go with the inter-area option.
    If it is a new setup then I don't really know the pros and cons of either, so can't really comment.
    Perhaps others may add to the thread with their thoughts.
    Jon
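Jon's second option (isolated OSPF area per site, redistribution into eBGP at the CE, plain default route to the ASA as the backup) in configuration form, as an added example that is not part of the thread. The AS numbers, addresses and the ASA's inside address are assumptions; the part worth copying is the redistribution filter, which is what stops routes learned from the MPLS cloud being handed straight back to it.

```cisco
! Branch CE, added example. Assumed: site LAN 10.2.0.0/16 in OSPF area 0, CE in AS 65002,
! SP PE 172.16.2.2 in AS 65000, site ASA inside interface 10.2.0.254.
router ospf 1
 router-id 10.2.0.1
 network 10.2.0.0 0.0.255.255 area 0
 ! HQ and other-site prefixes learned from BGP enter the site as OSPF externals, tagged
 redistribute bgp 65002 subnets route-map BGP-TO-OSPF
 ! the static default below is advertised into the site as well
 default-information originate
!
router bgp 65002
 bgp router-id 10.2.0.1
 neighbor 172.16.2.2 remote-as 65000
 neighbor 172.16.2.2 description SP PE
 address-family ipv4
  ! 'match internal' hands only routes native to this site to the SP; the externals that
  ! came from BGP in the first place are excluded, so nothing is fed back into the cloud
  redistribute ospf 1 match internal route-map OSPF-TO-BGP
  neighbor 172.16.2.2 activate
 exit-address-family
!
route-map BGP-TO-OSPF permit 10
 set tag 65000
! belt and braces: even if someone later widens the redistribute statement, tagged routes stay out
route-map OSPF-TO-BGP deny 10
 match tag 65000
route-map OSPF-TO-BGP permit 20
!
! Backup, as Jon suggests: a plain default toward the ASA and no IP SLA. While the PE
! session is up, the specific prefixes learned by BGP always win over 0/0 (longest match);
! when the MPLS link fails they are withdrawn and everything falls through to the VPN.
ip route 0.0.0.0 0.0.0.0 10.2.0.254
```

Two things to check alongside this. The crypto ACL on each site's ASA must cover the site's prefixes toward HQ and toward every other site whose traffic may hairpin through the hub, and the hub ASA needs `same-security-traffic permit intra-interface` for that spoke-to-spoke case Jon mentions. And the simple default covers the failure Jon describes (the site's MPLS link going down) but not a broken SP core with the PE session still up; if that scenario matters, an IP SLA probe to an HQ address via the MPLS path, tracking the BGP-learned route or a static toward the PE, is where tracking does earn its keep.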

  • Branch Office CME design Verification

    Hi All,
    Please refer to the attached network diagram.
    I need to verify this can be implemented and would work.
    We have a branch office moving to a new location and they intend to keep their existing CME (for business reasons), provided by their local service provider with an ISDN line for calls to the PSTN. This is managed by the service provider and we have no access to it. However, we would like to grant them connectivity to the existing corporate voice network via an IP VPN connection, which shall be put in place soon. This will enable the branch to make site-to-site calls within the corporate network.
    With a SIP trunk between the internal and external CME, I intend to make all the phones register with the Call Manager; however, on the Call Manager I would set a route pattern for calls going out to the PSTN from this branch back to the internal CME, and this would then be matched by a SIP dial peer directing the call to the external CME and out to the PSTN.
    My worry is the delay that might be introduced when making a PSTN call, as the internal CME has to first contact the Call Manager in order to know where to send the call.
    So my questions are as follows,
    1. Is this solution feasible especially in terms of delay? If not,
    2. Are there any other ways to achieve the same scenario
    Thanks,
    Yomi

    Are the phones at the branch office going to register to the Internal CME? If so, all configuration for outbound dialing will be done on the Internal CME, not on UCM. ie. dial-peer on the Internal CME for outbound dialing. For phone connectivity back to UCM, you will have a SIP trunk between UCM and internal CME and that is perfectly acceptable. You "might" see some quality degradation but that is to be expected from Internet based WAN connectivity. If your RTT delay is greater than 150ms, then you might see some quality issues.

  • Branch office PSTN call routing

    Customer has HQ and a branch office with a 512 kbps MPLS line. In HQ alone they have an E1 trunk; in the branch office, for calling the PSTN the call should travel via MPLS to HQ, and the branch PSTN call is terminated in HQ only. Is this a good design, or would it be better to add an ISDN line at branch level to terminate PSTN calls?

    Balamurugan:
    1) I think it is possible. My R&S skills are oxidized, but you can have MPLS VPN configured and use frame-relay as the serial encapsulation, where you will be able to configure RTP header compression.
    2) RSVP over MPLS: yes. But as Marwashawi said, I prefer to work with LLQ QoS for voice traffic. For that you will need to agree on it with your service provider.
    Rad Baver
    BALAMURUGAN SINGARAM wrote: Thanks for the reply. Branch to branch they are using 512 kbps with a VPN tunnel, and the G.729 codec is used between HQ and branch. The issue is voice quality between the branch and HQ; the ping round-trip delay is more than 250 ms [no packet drops]. QoS is applied at switch and CUCM level. Could you please enlighten me: can we fine-tune more at WAN interface level? 1) Is it possible to use header compression on the MPLS cloud? 2) Is it possible to enable "RSVP" on the MPLS link? Could you please enlighten me on how to enable RSVP & header compression on the MPLS link.

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPsec tunnels to reach other branches.
    I have a 2911 (security bundle) router and a 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router, my plan was to set up IOS firewalling on the router. From what I am reading, ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching altogether and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking, what would be the best solution for my scenario? That is, how can I set up this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVIs to a firewall to perform filtering between VLANs makes sense; however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.
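Austin's reading is right as far as it goes: a ZBF zone is attached to an interface, and the routed port toward the 3560 is one interface, so inter-VLAN traffic that the switch routes in hardware never touches the router and cannot be policed by ZBF at all. What the question does not consider is that the policy inside a zone-pair is built from class-maps, and a class-map can match an ACL, so per-VLAN rules for traffic that does cross the router (Internet, VPN) are still possible on a single INSIDE zone. The split that keeps the backplane for routing is therefore: stateless ACLs on the 3560 SVIs for VLAN-to-VLAN traffic, ZBF on the 2911 with per-subnet classes for everything leaving the site. Added example, not from the thread; VLAN numbers, subnets, the PBX address and the ISP link are assumptions.

```cisco
!===== 3560: inter-VLAN routing stays on the switch; VLAN-to-VLAN policy is SVI ACLs =====
! Assumed: workstations VLAN 10 (10.1.10.0/24), phones VLAN 20 (10.1.20.0/24),
! servers VLAN 30 (10.1.30.0/24), IP PBX 10.1.30.5, routed link to the 2911 10.1.0.0/30.
ip routing
vlan 10,20,30
!
ip access-list extended WS-IN
 remark workstations may reach servers and the Internet, but not the voice VLAN
 permit ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
ip access-list extended PHONE-IN
 remark phones talk to the PBX only; nothing else inside, nothing outside
 permit ip 10.1.20.0 0.0.0.255 host 10.1.30.5
 deny   ip any any
!
interface Vlan10
 description Workstations
 ip address 10.1.10.1 255.255.255.0
 ip access-group WS-IN in
interface Vlan20
 description Phones
 ip address 10.1.20.1 255.255.255.0
 ip access-group PHONE-IN in
interface Vlan30
 description Servers
 ip address 10.1.30.1 255.255.255.0
interface GigabitEthernet0/1
 description Routed link to 2911
 no switchport
 ip address 10.1.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
!===== 2911: ZBF. One INSIDE zone, but classes match per-VLAN subnets =====
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description ISP (assumed)
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Routed link to 3560
 ip address 10.1.0.1 255.255.255.252
 zone-member security INSIDE
ip route 10.1.0.0 255.255.0.0 10.1.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list extended WS-SUBNET
 permit ip 10.1.10.0 0.0.0.255 any
ip access-list extended SERVER-SUBNET
 permit ip 10.1.30.0 0.0.0.255 any
! protocol sets are match-any, the subnet+protocol combination is match-all
class-map type inspect match-any WEB-PROTOS
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any SERVER-PROTOS
 match protocol https
 match protocol dns
 match protocol ntp
class-map type inspect match-all WS-TO-INET
 match access-group name WS-SUBNET
 match class-map WEB-PROTOS
class-map type inspect match-all SRV-TO-INET
 match access-group name SERVER-SUBNET
 match class-map SERVER-PROTOS
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WS-TO-INET
  inspect
 class type inspect SRV-TO-INET
  inspect
 ! anything else from the inside zone (the phone VLAN included) is dropped and logged
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
! no OUTSIDE->INSIDE zone-pair: unsolicited inbound is denied, return traffic is
! allowed by the inspect sessions created above
```

The trade-off to state plainly: the SVI ACLs are stateless, so VLAN-to-VLAN policy on the switch is "permit/deny by 5-tuple" with no session tracking, while the stateful inspection lives only on the router for traffic leaving the site. If a VLAN pair genuinely needs stateful inspection between them (say, workstations to a sensitive server VLAN), that pair has to be routed through the 2911, which is exactly the subinterface case Austin wants to avoid; the rest can stay on the backplane. The remote-access and site-to-site IPsec traffic mentioned in the post also needs its own zone treatment (decrypted traffic is classified by the interface it arrives on, so a tunnel interface or VTI in its own zone is the clean way to write a separate VPN-to-INSIDE policy); that part is not shown here.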

  • New Branch Office - High Security

    Hello
    We plan to have 5 branch offices, each with around 40 users. All branches will be in different geographical locations. The best security needs to be implemented in all branches. All services (email, SAP, portals) are hosted in the head office datacenter. Each branch will have a dedicated 5 MB Internet link for voice and data.
    Guidelines for security:
    ensure users cannot insert USB or CD on laptops/desktops
    laptops/desktops are allowed restricted Internet access from the office
    outside laptops/tablets are not allowed to connect to the network but are allowed Internet via wireless using a guest network
    to access the Internet from home or a cafe, users need to connect to the office VPN and then access it from the local Internet server (proxy)
    The vendors proposed the following:
    3921 router for branch
    ASA 5510 for branch
    3945 router for HeadOffice ( VPN )
    Filtering - Web Washer - Mcafee
    Experts, can you advise what hardware will best fit the branches and what other devices I need to achieve the above goals?
    Thanks
    Vishal

    Hello Vishal,
    I would recommend the following:
    For Branches:
    1-  Cisco : 2921 : Voice Licensed (you dont need a higher end above this series for 40 users).
    2-  Cisco ASA 5510: (This will be your Security appliance at each branch).
    For Head Quarter:
    1-  Cisco ASA 5520: (This Will be Your HQ Security Appliance).
    2-  Cisco 3925 or 3945 router (Voice Licensed).
    For Your Security Guidelines, here is my answers:
    ensure users cannot insert USB or CD on laptops/desktops
    For this purpose, you can disable administrative privileges on the notebooks and PCs for all users and remove the software driver for their USB ports.
    laptops/desktops are allowed restricted Internet access from the office
    For this purpose, I would recommend using Cisco IronPort web filtering; it can be easily integrated with your Active Directory and enforces any filtering policy you would require.
    outside laptops/tablets are not allowed to connect to the network but are allowed Internet via wireless using a guest network
    For this purpose, I would recommend deploying a Wireless LAN Controller at your HQ to have the benefit and full advantage of managing your wireless infrastructure.
    to access the Internet from home or a cafe, users need to connect to the office VPN and then access it from the local Internet server (proxy)
    For this purpose, I would also say your best option is to have remote access VPN (VPN Client) deployed on all employees' notebooks. You can have another option, which is to have SSL VPN deployed at your HQ, but this will have additional cost as it is an added-value feature licensed per number of users.
    Let me know if this answers your question or if you require additional assistance.
    Regards,
    Mohamed

  • To make a new site or not? (for branch office with small number of people)

    We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city. This branch office is connected to the head office via a 5 Mbps MPLS network. The branch office will have around 5-7 domain-joined workstations, and the people there will require access to the existing file and Exchange servers in the head office.
    I was thinking about not adding an RODC in the branch office and not creating another site in AD for the branch office either. My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site. The traffic generated by the 5-7 users' logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact. Obviously I would have to add the subnet from the branch office to the SiteHO site.
    Can anybody think of something wrong with my reasoning?

    I think the dedicated line has a little to do with AD since it's used both to authenticate the users and move the data.
    I am not sure what bandwidth you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection, I am guessing, is faster than a 5Mb guaranteed MPLS link.
    The advantage of MPLS is that you can have QoS policies for voice and video traffic.
    If users move 'very large files', perhaps a local file server might be a good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch, and in case of WAN failure the users will not be able to access the local file server resource. So you would need a secondary DC in that location.
    And if they are moving the files, think about (and check) the impact on the MPLS, because authentication requests go through that link and Exchange traffic (RPC MAPI) goes through that link, so these might be affected. For example, let's say you have 2GB mailboxes. All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox, so now it's downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
    By local resources I am referring to file servers, printers and applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS, and in case the WAN/VPN is down users can even log in with cached credentials.
    Hope it helps.
    http://mariusene.wordpress.com/

  • Branch Office VOIPs do not register.

    Hi:
    I've been breaking my head over this for a few weeks and nothing seems to be working.
    I have three PIX 515e, one at each office.
    All VOIPs are Polycom 300IP phones.
    We have a main office (called PB) with 15 VOIP phones.
    We have a branch office (called JAX) with 2 VOIP phones.
    We have a branch office (called JADE) with 2 VOIP phones.
    All site VOIPs must register with a hosted PBX outside of all three offices (called TN).
    All 15 VOIPs at PB are registering and working with TN.
    Only one of the two VOIPs at JAX is registering with TN.
    No VOIPs at JADE are registering with TN.
    VPN tunnels are up and functioning between PB and JAX and between PB and JADE. I am able to ping both ways, and users in both branch sites are able to map folders to our servers.
    I have opened UDP 5060 (SIP) on all interfaces. It seems there is an initial conversation between TN and JAX and JADE, but I am receiving the following errors at both branches:
    Pre-allocate SIP for secondary channel blah blah blah, followed immediately by
    Teardown UDP connection blah blah blah
    I have attached configs for all three PIX 515e boxes (edited for security).
    Could somebody take a gander at this and help me out? I'm at a complete loss.
    Thank you so much in advance and have a great day!

    Thank you for the feedback and suggestion GTG! I went ahead and posted it on the "security" bb and I'm going to look into SIP inspection.
    Can you please MOVE this thread to the Security section and delete the duplicate post you've created?
    Here's the link to your duplicate post:  https://supportforums.cisco.com/thread/2260989
