Branch office router recommendation

Similar Messages

• TMG 2010 to connect Branch Office

  We have TMG 2010 installed for proxy solution. Recently we opened new branch office but they are unable to internet through proxy. I have added the route add command in TMG Server.
  route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p           - Branch 1
  route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p                           - Branch 2
  10.24.30.20 is our core router IP...
  Is there any configuration required in core router and branch office router...Branch office users can access all server service except proxy solution.Please advice

  HI
  In your branch office,
  YOu need to ensure that internal Branch office subnet is able to reach TMG server. Need route to TMG networ from branch office on branch office Router,
  TMG should have route to reach Branch office network.
  Add branch office subnet as internal in TMG network range

• Branch office setup with L3 switch and router with IOS security

  Hello,
  I am in the process of putting together a small branch office network and I am in need of some design advise. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
  I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead instead of doing router-on-a-stick.
  Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
  I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
  If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
  Any input would be appreciated.
  Thanks,
  Austin

  Thanks for the input.
  1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
  2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
  3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
  Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

• Recommended Design for WAAS in both Data center and Branch Offices

  Hi All,
  I need to purchase different appliances for WAAS, but before I decide what to purchase, I need to know exactly how I am going to put these devices so that I can know which one to purchase and how the designs will be.
  My environment is as follows:
  I have two core routers (ASR 1000 series) at Data center, two 6509 switches (expecting to insert the ACE module, and FW module) and the I have access switches which connects servers.
  At the branch offices, I am expecting to place ASR1000 series also.
  Now, I need to know the recommended designs for these WAAS appliances so that, I can know in advance what to purchase(i.e. how many WAAS CM, Core WAE, and Edge WAE).
  Any input will highly be appreciated.
  Thanks,

  If you purchase the Standard Edition, your license supports:
  One installation of Cisco Security Manager on one Windows-based server.
  The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option). This excludes Catalyst 6500 and 7600 Series devices and their associated service modules.
  If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.

• Branch office PSTN call routing

  Customer had HQ and Branch office with 512 MPLS line, in HQ alone they had E1 trunk, in branch office for calling PSTN the call should travel via MPLS to HQ, and the branch PSTN call terminated in HQ only,   is it a good design or better we need to add ISDN line in branch level to terminate the PSTN call.

  Balamurugan:
  1) I think it is possible. My R&S skills are oxidized but you can have MPLS VPN configured and use frame-relay as a serial encapsulation where you will be able to configure RTP header compression.
  2) RSVP over MPLS: yes. But as Marwashawi said, I prefer to work with the LLQ QOS for voice traffic. For that you will need to agree that with your service provider.
  Rad Baver
  BALAMURUGAN SINGARAM escribió:Thanks for the reply, branch to branch they are using 512 KBPS with VPN tunnel, g729 codec is used in between HQ and branch, the issuse is voice quality between the branche and HQ, the ping round trip delay is more than 250 MS [ no packet drops ], QOS is applied in switch and CUCM level, could you please light me do we can fine tune more on WAN interface level.1) do it possible to use header compression on MPLS cloud2) do it possible to enable "RSVP" in MPLS link.Could you please light me on how to enable RSVP & Header compression on MPLS link.

• Proper Configuration of DNS server for our new branch office

  Hi All,
  Our new office will setup a new branch office with a routed network link to our HO. In HO, we have 2 domain controllers configured as AD and DNS just for fail over scenarios.
  How will we configure the DNS server of our 3rd domain controller which we will placed in the new branch office. What would be the proper settings of DNS server integrated to AD to work well especially to have a successful replication and communication to
  the 2 DC's located in HO?

  Hi,
  If you have multiple DC's in that site i would recommend using any of the partner DC's IP addresses as preferred one and secondary DNS IP to pointing to itself. Dont use loopback addresses configure it with actual IP addresses.
  If you have only one server in branch office point itself as the primary DNS and HO DC as secondary and tertiary.
  Make sure that all clients in your branch site are pointing to the branch DC as primary DNS server.
  Regards,
  Rafic
  If you found this post helpful, please give it a "Helpful" vote.
  If it answered your question, remember to mark it as an "Answer".
  This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

• New Branch Office - High Security

  Hello
  we plan to have 5 branch offices each with around 40 users. All branches will be in different geographical locations. Best Security needs to be implemented in all branches. All services email, SAP, Portals are hosted in the HeadOffice Datacenter. Each Branch will have dedicated internet 5MB for Voice and DATA
  Guidelines for security  -
  ensure users cannot insert usb or cd on laptops /desktops
  laptops/desktops are allowed to access restrictive internet from Office
  Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
  to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
  vendors proposed following ;-
  3921 router for branch
  ASA 5510 for branch
  3945 router for HeadOffice ( VPN )
  Filtering - Web Washer - Mcafee
  Experts can advice what hardware will best fit on branches, what other devices I need to achieve the above goals
  Thanks
  Vishal

  Hello Vishal,
  I would recommend the following:
  For Branches:
  1-  Cisco : 2921 : Voice Licensed (you dont need a higher end above this series for 40 users).
  2-  Cisco ASA 5510: (This will be your Security appliance at each branch).
  For Head Quarter:
  1-  Cisco ASA 5520: (This Will be Your HQ Security Appliance).
  2-  Cisco 3925 or 3945 router (Voice Licensed).
  For Your Security Guidelines, here is my answers:
  ensure users cannot insert usb or cd on laptops /desktops
  FOr this purpose, you Can disable the administrative privelege on the Notebooks and PCs for All users and remove the software driver for thier USPs.
  laptops/desktops are allowed to access restrictive internet from Office
  FOr this Purpose, I would recommend using Cisco IronPort WebFiltering, it Can be easily Integrated with your Active Directory and Enforces all Filtering Policy you would require.
  Outside Laptops / Tablets not allowed to connect to network but allowed internet via wireless using Guest
  For this Purpose, I would recommend deploying Wireless LAN Controller at your HQ to have benefit and full advantage of managing your Wireless Infrastructure.
  to access internet from home or Cafe users needs to connect to office VPN and then access from local Internet server (Proxy)
  FOr this Purpose , I would also say Your Best Option is to have Remote Access VPN & (VPN Client) deployed at all employee's Notebook. Though, You Can have another Option which to have SSL-VPN deployed at your HQ, but this will have additional cost as its added value featured licensed per number of users.
  Let me Know if this answers your Question Or if you require additional assistance.
  Regards,
  Mohamed

• Simulating small branch office in lab network

  Hi,
  I have to setup what seems to be a very basic configuration, but it doesn't work.
  In our lab there is a cluster of switches with a 3550 that does all the routing for vlans.
  I need to simulate a sort of a small branch office that has one connection
  to the outside world (the lab network).
  Here is my design:
  Vlan 230 (the internet)
  A port on 3550 is in vlan 230 and is connected to e0/0 (172.26.230.150) on 2611 router.
  e0/1 interface on a 2611 is (192.168.1.1).
  A PC is connected to e0/1 (192.168.1.12).
  From the router I can ping any host on vlan 230 and other vlans,
  I can also ping the pc connected to e0/1.
  However from the PC I can only ping 192.168.1.1(e0/1) and 172.26.230.150 (e0/0)
  Below is my configuration
  Thanks for your help.
  R2611-1#sh run
  Building configuration...
  Current configuration:
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname R2611-1
  ip subnet-zero
  ip dhcp excluded-address 192.168.1.1 192.168.1.9
  ip dhcp pool 192.168.1
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
  interface Ethernet0/0
  ip address 172.26.230.150 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  no mop enabled
  interface Ethernet0/1
  ip address 192.168.1.1 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  ip classless
  ip route 0.0.0.0 0.0.0.0 172.26.230.1
  ip http server
  no scheduler allocate
  end

  You are not performing nat on the router.
  This is typically required on a box which provides internet connectivity.
  Probably the other hosts on vlan 230 have no route back to the pc on 192.168.1.1
  Configuring nat on the router will resolve this problem.
  regards,
  Leo

• Small branch office network

  We have a small branch office (7 users) that will be moving to a building that has a Wireless Residential Gateway (Model: DPC3829).  This device provides wifi for 2 other tenants on the same floor.  Can we connect another wireless router to this wireless residential gateway device and create our own SSID so that we don't have to use the wifi settings that the other 2 tenants connect to?  
  I've attached a picture of what the back of the DPC3829 currently looks like.  I am thinking I can plug that yellow network cable into another wireless router and create our own wireless network (obviously off of their internet connection) for our 7 users. 
  Thank you for your help.

  u may but any plane wireless device and run it in bridge mode (shouldd run by default i beleive). Then connect one of its lan port to any one of the lan ports available on the DPC3829 thing.
  you are correct in what you want to do, and it can be done no problem.
  Regards
  Please mark answer as correct if it helps.

• Branch Office + Pocket pc - Is this possible?

  Hi all,
  I'm trying to use Pocket PC with Branch Office, but I heard that that is impossible, Branch Office works only with desktop pc.
  Is this information true?
  Tks,
  Everson

  Hi Rekounas,
  Thanks for your attention.
  Okay, so are you trying to bring down the amount of bandwidth you use?- Yes
  For shared data, is it updateable?- Yes
  For initial syncs I always recommend the user is located where then have a good connection. Incremental syncs aren't nearly as intense so it usually only takes a few seconds or minutes depending on your application. But this usually doesn't take long.- I'll make some tests, because independ of branch office, the application must be developed.
  Tks,
  Everson

• Branch Office CME design Verification

  Hi All,
  Please refer to the attached network diagram.
  I need to verify this can be implemented and would work.
  We have a branch office moving to a new location and they intend to keep their existing CME (for business reasons),  provided by their local service provider with ISDN line for calls to the PSTN. This is managed by the service provider and we have no access to it. However we would like to grant them connectivity to the existing corporate voice network via an IP VPN connection, which shall be put in place soon. This will enable  the branch make site to site calls within the corporate network
  With a SIP trunk between the internal and external CME, I intend to make all the phones register with the Call Manager, however on the call manager , set a route pattern for calls going out to the PSTN from this branch back to the internal CME and this will then be matched by a SIP dial peer  directing the call to the external CME out to the PSTN.
  My worry is with the delay  that might be introduced when making a PSTN call as the internal CME has to first contact the call manager in order to know where to send the call.
  So my questions are as follows,
  1. Is this solution feasible especially in terms of delay? If not,
  2. Are there any other ways to achieve the same scenario
  Thanks,
  Yomi

  Are the phones at the branch office going to register to the Internal CME? If so, all configuration for outbound dialing will be done on the Internal CME, not on UCM. ie. dial-peer on the Internal CME for outbound dialing. For phone connectivity back to UCM, you will have a SIP trunk between UCM and internal CME and that is perfectly acceptable. You "might" see some quality degradation but that is to be expected from Internet based WAN connectivity. If your RTT delay is greater than 150ms, then you might see some quality issues.

• Branch Office Install

  Hello,
  My client is planning on deploying branch office and is hitting
  the limit of 16 concurrent users. They need about 20-25
  concurrent users.
  Can branch office me installed more than once on the
  same server? Is this a supported configuration?
  thanks in advance,
  mike

  Hi
  You will need to make sure all the ports are open for traffic to move between both DC's. Also need to check that you dont have replication problems, IE, slow link. First step would be to see if you can ping the HO DC from the branch, then once you have established
  that you have all the ports open and your VLAN is routing traffic correctly then you can start with your DC setup.
  You can first upgrade your DC, look at this blog: 
  http://blogs.technet.com/b/kevinholman/archive/2013/09/25/upgrading-domain-controllers-to-windows-server-2012-r2.aspx
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Branch Office will not host Microsoft services/servers - Sites and Subnets

  Hi,
  The scenario is the following:
  1 Domain. Windows 2012 R2.
  6 sites. 1 DC per site. 3 subnets per site.
  5 sitelinks.
  The sites diagram is the following:
  The branch office "SITE04" will not host any Microsoft service/server/PC. Network routing/flow scheme will not change (branch office SITE04 reamins routing traffic to/from SITE05 and SITE06).
  The questions are:
  Does the existing SITE04 subnets must be deleted?
  Does the existing SITE04 site must be deleted?
  Does the existing SITE04-SITE05 and SITE04-SITE06 site links must be deleted?
  if yes to any of the above questions?
  How to redesign the subnets/sites/site links?
  Thanks in advance!

  Thanks MrX for your response.
  The SITE04 branch office will not host Microsoft-based PCs/Servers/Services. SITE04 will be used for network traffic routing purposes and will host servers from another platform.
  Why to mantain SITE04 subnets?
  Thanks in advance!
  In this case, maintaining the subnets would be optional.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Branch office dial backup design

  I'm having more trouble with this than I think I should.
  I have 10 small branch offices connected to the home office via frame-relay -- it's purely hub-and-spoke, with no PVC's between branch offices, everything goes to the central office. I'm trying to set up a POTS dial scenario to replicate this. Each branch has a 26xx with a two-port serial card, two analog modems and two POTS lines. The central office has an ISDN PRI terminating in a 3725 with MICA modems.
  I can get a branch router to dial on one or both lines (multilink ppp), and the 3725 receives the call. CHAP negotiation works. Where I'm having trouble is in the IP routing. I've tried countless combinations of numbered and unnumbered interfaces, dialer-based ip pool on the 3725, EIGRP and/or floating static routes, etc., etc. Nevertheless, I can't get correct ip routes established, and I feel like I'm banging my head against the wall now. None of the edsign docs I can find on the Web site directly address my scenario in a way I can understand. Any suggestions?

  This is my config for our 3640.
  interface Group-Async1
  ip unnumbered Serial1/0:23
  encapsulation ppp
  no ip mroute-cache
  dialer in-band
  dialer idle-timeout 1200
  dialer map ip 170.1.1.16 name bri01rt01ec
  dialer-group 1
  async mode interactive
  peer default ip address pool default
  ppp authentication pap chap ca
  ip route 192.168.16.0 255.255.255.0 172.17.1.6-----our PIX
  ip route 192.168.16.0 255.255.255.0 170.1.1.16 200---Ip address of modem that dials in from 1750.
  This config looks fine to me..what does everyone think?

• Branch Office Access

  I use TMG as our companies Proxy as well as default gateway. I have recently installed 2 sonicwall tz105 devices, one located at our branch office and one located in our main office where the TMG server is located. The branch office uses this device for
  internet access and a vpn tunnel to our main office. (At one time I had a ISA server at the branch location and it was the vpn tunnel to our main but this is a small 2 man office and keeping the isa server up to date was becoming a pain.) The branch office
  has no problems accessing the main office. My problem is getting the main office to access the branch office. Right now if a client computer on the main network wants to access a server on the branch office the only way to accomplish this is to change the
  client computers gateway from the tmg server ip to the sonicwall ip. This was not a problem in the past when I had 2 isa or tmg servers at both locations because the rules would pass the traffic to the branch office. I have tried putting rules in the TMG server
  for traffic bound to the branch office network but nothing seems to work.
  Should I be using tmg rules to accomplish this or do I need to go a different route such as dns or routing.
  Thanks,

  HI Gray,
  Belwo are my suggestations.
  Ensure all the client Default gateway is pointing to TMG, If you have any L3 Switch Devices before TMG Internal Interface then on L3 point Default gateway to TMG Internal Interface and on all client make Gateway as L3 Switch.
  Create a network Subnet Set of Branch Office in TMG
  In TMG Networking, You need to have a route relationship
  Go to Networking, Create a new network Rule, From Branch Office Subnet to Internal as Route ( Not NAT). As route is bidirectional it will automatically route Internal to Branch Office
  On Access Rule, Create Two Rules, Internal to Office Subnet and Office to Internal and allow all outbound Ports
  Ensure, Your SonicWALL is Routing Traffic to Internal network to TMG External interface.