
Need suggestions for large Hub & Spoke VPN.


izatech (IS-IT--Management, CA)
Oct 27, 2005
Hi There,

I need some assistance in planning on what hardware to use for setting up a large HUB & Spoke VPN.

In a nutshell, here's what I have to deal with.

Head office location with a static IP address. This will be the HUB of the VPN. (Thinking of maybe using a "Sonicwall PRO 2040" for this)

About 20 locations (spokes) with dynamic IP DSL connections that need to be able to connect to the HUB for file transfers.

Head office needs to be able to connect to the stores to effect price changes and other stuff, and IT needs to be able to connect to stores to troubleshoot issues. (Thinking of using "SonicWall Total Secure 10/TZ150", I think)

To complicate things further, techs out in the field need to be able to connect with their laptops from one location to another using the HUB as the go between, plus connect with a client to the head office or store from their homes.

Any recommendations?

I can supply a drawing of this if needed.

Thanks.
 
You need two VPN features/setups: a point-to-point VPN and a remote access VPN. Need help? Where are you located?
 
I know this can be done with Netscreen firewalls. Depending on your traffic loads you can use something like an NS-204 or the new SSG-520 at the hub and 5GTs at the spokes. To access the dynamic IPs at the spokes, use a dynamic DNS service like dyndns.org to resolve the DNS name, or configure the spokes at the hub as a dynamic peer. Then enable VPN monitoring on the spokes to ensure that the spokes are always the initiator. Finally, to allow a user at one spoke to access a user at another spoke, you can configure this all as route-based VPNs and make sure all spokes have different subnets. Then be sure that the zone in which all the tunnel interfaces reside has intrazone block disabled.
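A small address-plan checker for the "all spokes have different subnets" rule above, written as an added example; it is not code from this thread or from any vendor. It flags overlapping site subnets and lists the per-spoke static routes a route-based hub needs. The site names, subnets and the tunnel.N interface names are constructed assumptions.

```python
"""Address-plan check for a route-based hub-and-spoke VPN (added example)."""
import ipaddress
from itertools import combinations

# Constructed sample plan: hub plus 20 stores on 10.0.N.0/24, with one
# deliberate planning mistake (store21 reuses store05's subnet).
SITES = {"hub": "10.0.0.0/24"}
SITES.update({f"store{n:02d}": f"10.0.{n}.0/24" for n in range(1, 21)})
SITES["store21"] = "10.0.5.0/24"  # constructed mistake: duplicates store05


def find_overlaps(sites):
    """Return sorted (site_a, site_b) pairs whose subnets overlap.

    Spoke-to-spoke traffic relayed through the hub can only be routed
    when every site's subnet is unique, so any overlap is a plan error.
    strict=True also rejects a CIDR with host bits set (e.g. 10.0.1.5/24).
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def hub_routes(hub_name, sites, tunnel_prefix="tunnel."):
    """Static routes the hub needs: one per spoke subnet, via that spoke's
    tunnel interface (interface names are an assumption of this example).
    """
    spokes = sorted(name for name in sites if name != hub_name)
    return [(str(ipaddress.ip_network(sites[name])), f"{tunnel_prefix}{i}")
            for i, name in enumerate(spokes, start=1)]


def spoke_routes(spoke_name, sites, hub_tunnel="tunnel.1"):
    """Routes a single spoke needs: every other site (hub and all other
    spokes) is reached through the spoke's one tunnel to the hub.
    """
    return [(str(ipaddress.ip_network(cidr)), hub_tunnel)
            for name, cidr in sorted(sites.items()) if name != spoke_name]


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    for subnet, iface in hub_routes("hub", SITES):
        print(f"hub: {subnet} -> {iface}")
```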
 
Routerkid1,

I appreciate the offer, and I will keep it in mind when the go ahead for this job is given... bean counters have now gotten involved and of course the whole process slows down.. lol.

Will the tunnels from the stores to the head office be difficult to keep open/up, considering that almost all the stores are dynamic IP DSL?

Also, whatever units are used will be behind Linksys routers. I have no control over that part of it. Does that add any wrinkles?

Do you think the TZ150 and the PRO 2040 can do this?

thanks

 
MaxPipeline,

I would normally agree with you, Max. Unfortunately, the last company that was in there doing this was using the Juniper devices and really buggered everything up. This has really left a bad taste in their mouth as far as Juniper goes. I know that the Junipers are pretty robust devices. I also believe that they can have a workzone and homezone type setup to allow separate LANs. We shall see what is what once the bean counters are done tearing everything apart.

thanks

 
I would go with all Linksys, but SonicWall is good as well. Keeping the tunnel up should not be an issue with Dynamic DNS. I am in Dallas. I will check out SonicWall more and let you know...
 
SonicWall is for sure the best route! Night and day with Linksys.
I will reply more in a bit.


 
Well, I've always been partial to Cisco equipment, and I would go with a 2821 at the main office and put in 877 or 877W (wireless capable if needed) ADSL routers at the branch locations and scrap the Linksys. Set up the 2821 as an Easy VPN Server with the remotes as Easy VPN clients. This is a pricey solution and probably not what you want, but I never have been in favor of SOHO equipment in a business environment.
 
Well, the TZ 150 and the PRO 2040 are a great route.
Just make sure you have the Enhanced OS on the 2040 and enough Global VPNs to allow the techs to connect to it and access the spoke sites.

Comparing the price of Cisco to SonicWall, it's a no-brainer.
We do a lot of Cisco over here, and make lots of money from it, but they have not even updated their PIX for 5 years, and that was right from the horse's mouth.
SonicWall has been on fire with all their new updates.
SonicWall is recognised as the number one "unified" threat management system in the world.
So you made a great choice!

 
I think you will see the Cisco PIX phase out in the near future with the introduction of the new ISR routers that Cisco now has.
 