point2point vs vpn

Status
Not open for further replies.

helsknight

IS-IT--Management
Nov 10, 2004
All you network engineers out there...

What are the advantages and disadvantages of switching over from point-to-point T1s to VPN?

Current setup: 3 offices with a mesh T1 connecting all three locations to an offsite datacenter where the firewall is located. All three locations pass through this firewall on a single T1 at the vendor. Internet dl/ul isn't as important as transfers between sites.

New setup: 2 offices will have their own T1 straight to the web. One will have DSL. They'll have their own firewall and communicate via VPN.

The reason for the switch is potential cost savings. My concerns: is there any VPN overhead to consider? Will there be a speed bottleneck, especially with all the added encryption and encapsulation? Are there any concerns I should be addressing? Your input is appreciated.

Hels
 
It all depends. Who is managing the VPN between sites? You, or is it a VPN provider? We have a Nokia managed by a 3rd party with ROBO gateways, and connectivity works just fine. I must admit, some users complain because they are coming out of a DSL modem to the internet, but on the whole, as long as encryption, preshared secrets and encryption domains are set up correctly, there shouldn't be a problem. One thing though: Windows 2003 Server will have RPC problems over a site-to-site VPN unless you apply a Microsoft patch and edit the registry.
 
Thanks for the reply, fwhater.

I guess I'll be managing the VPN between sites. These will be WatchGuard Firebox X boxes. I can see the DSL office complaining already, but the cost saving is significant. Right now they have a half T1. I was hoping to also see a speed increase if they switch to a business DSL 2M/512K, which is a quarter of the price of the half T1.

Thanks for the tip with Server 2003.

Anyone have any experience with WatchGuard Fireboxes?
 
Just remember that there is usually a difference in uptime and support with DSL service versus dedicated T1 business-class service. I am more of a fan of the hub and spoke. We have all locations going p2p to a core location and then from there to the internet. I only have to firewall one location and have guaranteed bandwidth between facilities and to the internet. VPN over internet works best with the correct hardware. You need to consider the number of users and the amount of data, especially if you are sending any VoIP over the circuit, and may need to get equipment with VPN encryption hardware built in instead of just software driven.
 
You should look at an MPLS service. This would give you a full mesh topology and you only need to pull one T1 into each office (including the datacenter). I currently manage a 300+ node MPLS WAN and it's great. VPN is good too, but I wouldn't use DSL or cable. I would use an internet T1 instead. As Joamon said, uptime for DSL isn't usually as good as a T1, and most ISPs oversubscribe their DSLAMs (for DSL). Also, you can't guarantee QoS across the internet.
 