OSPF design for branch offices across MPLS

Hello fellow networking engineers,
I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
I know that in order to get linked areas, I would need to set up GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
Any input would be appreciated.

Marc
You don't need GRE tunnels to link your areas if that is what you want to do.
If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would be if you simply treated each area as isolated from each other.
In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
Like I say you would need to check with your SP but it is possible.
Whether or not you need or want it I don't know.
Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
This would only really be needed if two or more sites had to use their backup links at the same time.
In terms of which is better ie. OSPF inter area across the MPLS cloud or OSPF externals I can't really say to be honest. With the MPLS networks I have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
If it is a new setup then I don't really know the pros and cons of either so can't really comment.
Perhaps others may add to the thread with their thoughts.
Jon
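
The second option discussed in the reply above (each site as an isolated OSPF domain, redistribution at the CE, and a plain default route to the ASA as backup) could look like this on a branch CE. This is an added illustration, not configuration from either poster; every address, AS number, process ID and router ID is a constructed placeholder.

```cisco
! Constructed example: addresses, AS numbers and process IDs are placeholders.
! Branch CE: the site is its own OSPF domain and peers with the provider PE over eBGP.
!
router ospf 1
 router-id 10.12.0.1
 network 10.12.0.0 0.0.255.255 area 0
 ! Prefixes of the other sites, learned from the PE, appear inside this
 ! site as OSPF external routes.
 redistribute bgp 65012 subnets
 ! Advertise a default into the site only while the CE itself has one
 ! in its routing table (here: the static route to the ASA below).
 default-information originate
!
router bgp 65012
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64512
 ! Without "match external" keywords only OSPF internal routes are sent
 ! to BGP, so the externals injected above are not fed back to the PE.
 redistribute ospf 1
!
! Backup path: default route to the ASA inside interface (placeholder address).
! While the PE session is up, the more specific site prefixes learned over
! MPLS win by longest match. When the session drops they are withdrawn and
! traffic falls through to this default, so nothing needs to be tracked.
! Distance 250 keeps this static below a default the provider might
! advertise over eBGP (distance 20).
ip route 0.0.0.0 0.0.0.0 10.12.0.254 250
```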

Similar Messages

  • To make a new site or not? (for branch office with small number of people)

    We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city.  This branch office is connected to the head office via a 5 Mbps MPLS network.  The branch office will have around
    5-7 domain joined workstations, and the people there will require access to the existing file and exchange servers in the head office. 
    I was thinking about not adding a RODC in the branch office and not creating another site in AD for the branch office either.  My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site.  The
    traffic generated by the 5-7 user logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact.  Obviously I would have to add the subnet from the branch office
    to the SiteHO site. 
    Can anybody think of something wrong with my reasoning?

    I think the dedicated line has a little to do with AD since it's used both to authenticate the users and move the data.
    I am not sure what bandwidth you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection I am guessing is faster than a 5Mb guaranteed MPLS link.
    The advantage of MPLS is that you can have QoS policies for voice and video traffic.
    If users move 'very large files' perhaps a local file server might be a good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch and in case of wan failure the users will not be able
    to access the local file server resource. So you would need a secondary DC in that location.
    And if they are moving the files think (and check) the impact on the MPLS, because authentication requests go through that link, Exchange traffic (RPC MAPI) goes through that link so these might be affected. For example, let's say you have 2GB mailboxes.
    All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox so now it's downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
    By local resources I am referring to file servers, printers, applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS and in case the wan/vpn is down users can even log in with
    cached credentials.
    Hope it helps.
    http://mariusene.wordpress.com/

  • Which is better for Branch Office Cisco ASA or Cisco 1900 router for Branch Office?

    Which is a better solution ?
    Using ASA55XX or 1900 series router for WAN and Internet access for 25 - 100 users?

    Without knowing more about the environment and what the real requirements are, it is difficult to give a really good answer. If your main concern is effective stateful inspection of traffic entering and leaving the site then the ASA is optimized for that. If you want redundancy (active/active or active/standby) then the ASA is better for this. There are other potential requirements which may make the router the better choice:
    - what is the connection to the Internet? If it is Ethernet then either ASA or router will do fine. But if it is something other than Ethernet then you may need the router.
    - is there a need for services such as Policy Based Routing? These are available on the router and not on the ASA.
    - is there a need for load balancing on outbound traffic? This is available on the router and not on the ASA.
    - will there be a need to do routing on the inside network? The range of available options is wider on the router than on the ASA.
    - is there a need to run a routing protocol with the Internet provider? The usual choice for this is BGP and that is available on router and not on ASA.
    So consider these criteria as you make your choice. Or provide more detail about your environment and what your real requirements are and we may be able to give better advice.
    HTH
    Rick

  • CSCtx91035 - ATA 187 unregister from CUCM for branch offices

    This bug concerns the ATA 187. Fixed release should be 9.2(3)SR1 BUT not available for ATA 187 (Cisco IP Phone 6900 series !???).
    We have the same problem here with our client in Belgium. When is the fixed release available for the ATA 187 please ?
    Thanks in advance.
    Best regards
    Mike

    Hey Mike,
    Great Question. This bug has actually already been fixed.
    The fixed release 9.2(3)SR1 is only available through TAC. You would have to open a case via phone or visit cisco.com.
    Other known Bugs that you could ask TAC about are:
    CSCtz22064 - ATA-187 hear Ring Back Tone with Directed Call Park unexpectedly
    CSCtq85079 - ATA187 will crash if port2 keeps tftp downloading
    CSCua01061 - ATA187 reset when there're mutiple ARP Reply
    CSCua51467 - ATA187 memory leak
    CSCty43474 - ATA 187 Allows telnet access on port 32000
    CSCtz67038 - Cisco ATA 187 Analog Telephone Adaptor Remote Access Vulnerability
    CSCub39248 - ATA 187 is not obtaining IP address from VLAN configured on its Eth port
    CSCuc82525 - ATA187 units requires a reload to regain connectivity to CUCM
    CSCuc14110 - ATA187 Sends empty SIP packet causing SIP ALG problems
    CSCud88926 - ATA 187 provides its uptime instead of local time to analog phones.
    CSCud74510 - Non secure ATA 187 not registering to SRST, if secure SRST checked
    CSCuh49249 - ATA-187 Crashes in SRST mode when called via ISDN BRI
    CSCuj59548 - ATA 187 don't honor configured Renewal(T1)
    I hope this helps!

  • Branch Office Communication

    Hi,
    Supposingly we have many branch offices with good internet speed but no dedicated bandwidth between individual locations.
    We need to enable VoIP calling using Internet, can we use any skype product to tie all standalone EPABX system for branch office communications. 
    Can we have SIP trunks on skype gateway from each location and enable interoffice calling.
    Please suggest

    Hello Rahul,
    I see you are asking about connecting your offices together for calling and communications.
    Well,  Connecting the offices together will require a Communication Server of some sort.  Manufacturers like Nortel, Avaya, Cisco, and many others have these type of devices available to accomplish the "link" between your offices, as long as the equipment is all compliant with the Communication Server.   I suggest you contact a local agent for these manufacturers and have them take a look at what you have. They will provide you with a quote to get you connected.
    As for Skype, making and receiving calls is a snap for us.  We provide these services 24/7. We can get you connected in minutes and have you making cheap calls all day long.  The cost just depends on where in the world you are calling.  Our "minutes" bundles are very cost effective to use.  And, all of your incoming calls are free. All you would need, would be a Skype Online Number, a Managed User for the Skype Clients that want to call you, and SIP Channels to connect to your PBX to talk on.
    That's pretty much it.  I hope this helps you in your research to get your offices connected and to start using Skype.  I have provided  a few links for you to look at below.
    http://www.skype.com/intl/en-us/business/skype-connect/
    http://www.skype.com/intl/en-us/business/skype-manager/
    http://download.skype.com/share/business/guides/skype-connect-rates.pdf
    http://skypeconnect.voxygen.com/#stage1
    Thank You for considering Skype and using the Skype Community Forums.
    Regards,
    Victor S.
    Skype Enterprise Support

  • Invoic & GSVERF IDocs with Head & Office Branch office relationship

    Hi ,
    We have maintained Head office & branch office relationship in vendor master.
    Based on this master data set up, all accounting documents are getting posted to Head office account. Currently we are facing the below issue:
    We have created purchase order for Branch office vendor (Eg. B) and as required accounting document is getting posted to Head office vendor (Eg. H). We are using Idoc Msg type 'Invoic' for this invoice verification and using Idoc msg type 'GSVERF' to send acknowledgement for that Invoice. In this case, Acknowledgement IDoc has been getting transmitted to Head office vendor (H) and not the Branch vendor (B) who
    has originally sent the Invoice.
    Kindly let me know whether it is possible to forward acknowledgement vendor to branch account instead of Head office.
    Thanks
    Hari

    Moved from SAP ERP Sales and Distribution (SAP SD) to SAP ERP Financials
    G. Lakshmipathi

  • Install windows server 2012 DC on Branch office

    Hi ALL,
    I am planning to install a secondary DC on our branch office where currently they are on different domain and forest. Our head office is currently on Windows Server 2008 R2 Std, where forest and domain functional level are on Windows Server 2003. Our headoffice
    domain name is:- (corpoffice.org) and branch office domain is:- ssl (it's a single level domain on Windows Server 2003).
    I am thinking to upgrade our headoffice DC to Windows Server 2012 R2 and the same I wanted to do for branch office as well.
    I need some guidance how to proceed with this DC setup as both VLAN network is different and all the client settings are different. I am getting a few queries like
    1. should i upgrade my headoffice DC first before i setup the branch office DC.
    2. how the branch office client will communicate to new DC.
    any suggestion and guidance would really helpful.
    Thanks
    srini

    Hi
    You will need to make sure all the ports are open for traffic to move between both DC's. Also need to check that you don't have replication problems, IE, slow link. First step would be to see if you can ping the HO DC from the branch, then once you have established
    that you have all the ports open and your VLAN is routing traffic correctly then you can start with your DC setup.
    You can first upgrade your DC, look at this blog: 
    http://blogs.technet.com/b/kevinholman/archive/2013/09/25/upgrading-domain-controllers-to-windows-server-2012-r2.aspx
    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Recommended Design for WAAS in both Data center and Branch Offices

    Hi All,
    I need to purchase different appliances for WAAS, but before I decide what to purchase, I need to know exactly how I am going to put these devices so that I can know which one to purchase and how the designs will be.
    My environment is as follows:
    I have two core routers (ASR 1000 series) at Data center, two 6509 switches (expecting to insert the ACE module, and FW module) and the I have access switches which connects servers.
    At the branch offices, I am expecting to place ASR1000 series also.
    Now, I need to know the recommended designs for these WAAS appliances so that, I can know in advance what to purchase(i.e. how many WAAS CM, Core WAE, and Edge WAE).
    Any input will highly be appreciated.
    Thanks,

    If you purchase the Standard Edition, your license supports:
    One installation of Cisco Security Manager on one Windows-based server.
    The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option). This excludes Catalyst 6500 and 7600 Series devices and their associated service modules.
    If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.

  • Branch office Exchange 2010 Role base administration control for branch site administrator

    Dear sir,
         Customer has a Exchange 2010 Main and Branch office environment:
    - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
      (Main office administrator:domain1\administrator) - DAG1
    - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8
       (Branch Administrator: domain1\badmin) - DAG2
         Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
    Regards,
    Joe Tam

    Dear Brian,
       I have tried in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still has many unexpected behaviours, can you please suggest whether it is a design or bug of Exchange 2010 SP1?
    Procedure:
    ============================================================================
    Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
    Environment:
    Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
    AD Server: AD1
    Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
    Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
    In AD,
    Login as domain administrator: Testdomain1\administrator
    1. Create an Organization Unit OU1.
    2. Create User User1 under OU1
    3. Delegate User1 to allow create user in OU1
    Select all item in “Delegate the following common tasks:
    In Exchange 2010 Server,
    Login as domain administrator: Testdomain1\administrator
    1. Rename existing database name to HKDB1
    2. Create a new database AUDB1 in EX2010 Server:
    AUDB1 Create Done.
    Assign testdomain1\User1 as Exchange 2010 local administrators group.
    Logoff Testdomain1\administrator and Login Testdomain1\User1
    Open Exchange EMC: (Failed, because no user management roles is grant).
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange 2010 PowerShell:
    Delegate User1 to allow perform recipient management in HKDB1 only:
    ====================================================================
    New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
    $RoleGroup = Get-RoleGroup "Recipient Management"
    New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
    Add-RoleGroupMember "HKDBRecipientManagement" -Member User1
    ====================================================================
    Result:
    In Exchange 2010 Server, logon as domain user: Testdomain1\User1
    Open Exchange Management Console: (User1 able to open EMC now)
    Perform Create User User2 in OU1 with Mailbox located in HKDB1
    Mailbox Creation Failed because it cannot match the Database name = HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    In Exchange Management Shell, enter:
    Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Open Exchange Management Shell and Create User2 again.
    Create user successfully.
    Perform create User User3 in OU1 with Mailbox located in AUDB1
    User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange Management Console, create User3 in AUDB1
    Create User3 in Users Container, by administrator ID.
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Perform mailbox remove of User2
    User2 mailbox remove successfully.
    Perform deletion of User3
    Mailbox User3 Remove Successfully.
    Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
    Moreover, it found that User3 properties can also be changed by using User1. Why?
    Does it mean delegation cannot handle delete operation?
    In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
    In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.

  • Internet Access through TMG for all HO & Branch office

    Dear Experts!,
    I am new to the Forefront TMG 2010. Have requirement to implement internet access.
    Head office : 192.168.11.x/24 (192.168.11.1 is the TMG server)
    Branch Office 1: 192.168.12.x/24
    Branch Office 2 : 192.168.14.x/24
    Branch Office 2 : 192.168.16.x/24
    Forefront TMG 2010 standard edition.
    Having 3 NIC's two have different ISP network addresses and one has 192.168.11.1.
    Branch office are connected using MPLS network, the requirement is all branch site internet must be accessed through TMG 2010 server which is homed in Head Office. How to achieve ?
    What needs to be done in external firewall and in TMG for enabling internet access.
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

    Hi Ganesh,
    Hope this helps
    1 - If you wish to give internet as Proxy to users.
    Ensure the Below subnet is able to reach TMG Internal Interface that is 192.168.11.1
    Subnet
    Branch Office 1: 192.168.12.x/24
    Branch Office 2 : 192.168.14.x/24
    Branch Office 2 : 192.168.16.x/24
    Configuration
    Enable Proxy in TMG and configure Proper Ports as per your requirements
    On the Client IE – Ensure you put Proxy IP as TMG and Port configured in TMG configuration.
    Enable a Rule
    Access Rule
    Source : Internal
    Destination : External
    Ports : HTTP / HTTPS
    Users : Authenticated Users
    2 As normal Internet as Gateway to users
    You need to request your MPLS provider to change the Default Route of below subnet to 192.168.11.1. By doing this, all the internet request from the below subnet to internet will hit TMG.
    Subnet
    Branch Office 1: 192.168.12.x/24 Default Route 192.168.11.1
    Branch Office 2 : 192.168.14.x/24 Default Route 192.168.11.1
    Branch Office 2 : 192.168.16.x/24 Default Route 192.168.11.1
    IF you have any L3 Switch then you can also make Default gateway as L3 for all the subnet and from L3 device point it to TMG
    Enable a Rule
    Access Rule
    Source : Internal
    Destination : External
    Ports : HTTP / HTTPS
    Users : All Users ( Important )
    Two ISP
    In network Rules : You need to use NAT
    You will have a Rule which NATS internal to  External
    On external - Choose which ISP interface should be used  and Apply NAT rule

  • Synchronizing multiple Mac Mini Server Open Directories across branch offices

    Greetings from Central Asia -
    The non-profit that I work with has been undergoing a long-overdue IT upgrade and we recently purchased some Mac Mini Servers (still running Snow Leopard Server) to act as the core of our network across our 3 offices in 3 different cities.
    We have employees moving between offices regularly, so I'm hoping to find a way to synchronize our user database between our head office and our branch offices instead of creating separate databases in each location.  We use RADIUS and pfSense with a CaptivePortal for controlling who has internet access as well as have file shares, so keeping user database management to a minimum is an ideal.
    I come from a mostly Microsoft Domain background with regards to these things so I'm not entirely sure where to start.  Hopefully some hopeful folks here will steer me in the right direction!
    I have a (mostly) unrelated question though - OS X Server seems to have two separate user databases - the "local" DB and the LDAP/OpenDirectory DB.  Is there a way to make these function together? When creating users and assigning them to groups, which is best practice to use? How do I give an LDAP/OD user login rights to the server?
    Thanks in advance,
    Tim

    I would prefer to keep the two databases separate, with the local database providing a few specific users with access when OD is inaccessible.
    The local database is basically a self-hosted LDAP server. 
    The local and OD databases do function with the appearance of one single user account presentation at login and for typical operations, too.
    Do keep all of the usernames unique; the local users, as well as the OD users.
    For your configuration, the usual pattern here is one or more open directory replicas in each lobe of the network.
    These replicas then coordinate with the master copy among themselves.  You'll have one distributed copy, but the lobes won't be tied to authentication across what may or may not be an entirely stable network; users authenticate off the local replica.
    There are also folks that use Microsoft Active Directory as the back-end for Mac OS X, as well; there are various means to this end, including what is known as the magic triangle configuration.
    As for learning more about OD, I'd read the Snow Leopard Server Open Directory administration documentation as a starting point.  The Lion Server documentation is thin.
    The Mac Enterprise Mailing List archives can also be enlightening; that's probably the most concentrated source of information on more complex management environments.

  • Branch Office CME design Verification

    Hi All,
    Please refer to the attached network diagram.
    I need to verify this can be implemented and would work.
    We have a branch office moving to a new location and they intend to keep their existing CME (for business reasons),  provided by their local service provider with ISDN line for calls to the PSTN. This is managed by the service provider and we have no access to it. However we would like to grant them connectivity to the existing corporate voice network via an IP VPN connection, which shall be put in place soon. This will enable  the branch make site to site calls within the corporate network
    With a SIP trunk between the internal and external CME, I intend to make all the phones register with the Call Manager, however on the call manager , set a route pattern for calls going out to the PSTN from this branch back to the internal CME and this will then be matched by a SIP dial peer  directing the call to the external CME out to the PSTN.
    My worry is with the delay  that might be introduced when making a PSTN call as the internal CME has to first contact the call manager in order to know where to send the call.
    So my questions are as follows,
    1. Is this solution feasible especially in terms of delay? If not,
    2. Are there any other ways to achieve the same scenario
    Thanks,
    Yomi

    Are the phones at the branch office going to register to the Internal CME? If so, all configuration for outbound dialing will be done on the Internal CME, not on UCM. ie. dial-peer on the Internal CME for outbound dialing. For phone connectivity back to UCM, you will have a SIP trunk between UCM and internal CME and that is perfectly acceptable. You "might" see some quality degradation but that is to be expected from Internet based WAN connectivity. If your RTT delay is greater than 150ms, then you might see some quality issues.

  • Branch office dial backup design

    I'm having more trouble with this than I think I should.
    I have 10 small branch offices connected to the home office via frame-relay -- it's purely hub-and-spoke, with no PVC's between branch offices, everything goes to the central office. I'm trying to set up a POTS dial scenario to replicate this. Each branch has a 26xx with a two-port serial card, two analog modems and two POTS lines. The central office has an ISDN PRI terminating in a 3725 with MICA modems.
    I can get a branch router to dial on one or both lines (multilink ppp), and the 3725 receives the call. CHAP negotiation works. Where I'm having trouble is in the IP routing. I've tried countless combinations of numbered and unnumbered interfaces, dialer-based ip pool on the 3725, EIGRP and/or floating static routes, etc., etc. Nevertheless, I can't get correct ip routes established, and I feel like I'm banging my head against the wall now. None of the design docs I can find on the Web site directly address my scenario in a way I can understand. Any suggestions?

    This is my config for our 3640.
    interface Group-Async1
    ip unnumbered Serial1/0:23
    encapsulation ppp
    no ip mroute-cache
    dialer in-band
    dialer idle-timeout 1200
    dialer map ip 170.1.1.16 name bri01rt01ec
    dialer-group 1
    async mode interactive
    peer default ip address pool default
    ppp authentication pap chap ca
    ip route 192.168.16.0 255.255.255.0 172.17.1.6-----our PIX
    ip route 192.168.16.0 255.255.255.0 170.1.1.16 200---Ip address of modem that dials in from 1750.
    This config looks fine to me..what does everyone think?

  • Branch Office for Webtogo Apps

    Does Branch Office support Webtogo Apps? This would help with initial download times if a sync could be made to a Branch Office machine and then have local downloads by clients.

    I have a web-based Java servlet application. My application size is about 50MB of data/code and I would like to know if a Branch office configuration would help with sync times? Meaning, a central server would perform the sync with many Branch office machines located remotely. Then local clients would log into branch office machine and be able to access the web-based application and go offline if wanted.
    I installed a Branch Office machine but the Control Center does not have ability to create or manage Users or access to applications. Did I miss something?
    Thanks for your input,
    John

  • SPA8800 and SRST for small branch office?

    Hi All,
    Need some help. I have a central site that will be running Cisco BE 5000. I have a small branch office I would like to place IP phones in so we can just dial an extension to call each other. The branch will have its own connection to the PSTN with a couple of POTS lines from the phone company.
    So I am wondering how I can connect branch and HQ for intra-office calling and let the branch office use their PSTN connection for their local calls. I would think I could place a gateway such as the SPA8800 in the branch and connect the PSTN lines to it.
    My concern is, what happens if I lose the WAN connection between HQ and branch? Then the branch could not make any calls, right? I know a little about SRST and how that solves the issue of losing WAN connection with the central Call Manager site, but what I don't understand is: is SRST something that can run on a device like the SPA8800, or do I need an ISR router in the branch that can run SRST if I want the branch to be able to make phone calls without a connection to HQ?
    Thanks for any help!                  

    You may put any plain wireless device and run it in bridge mode (should run by default, I believe). Then connect one of its LAN ports to any one of the LAN ports available on the DPC3829 thing.
    you are correct in what you want to do, and it can be done no problem.
    Regards
    Please mark answer as correct if it helps.
