Here's the deal:

In our WAN we have apr. 15 sites around the world. Today we have a
full mesh VPN network between the sites.

We are planning a redundant VPN net with a new FW at each site. I have
not figured out how to do this and the routing is a true nightmare.

Anyone have any ideas or thoughts around this problem?

Also, what is the "best practice" regarding VPN net? Star or Mesh?

Thanks for any replies,

BR
Bjornar

[ Post a follow-up to this message ]

Bj?rnar Eilertsen wrote:
> Here's the deal:
>
> In our WAN we have apr. 15 sites around the world. Today we have a
> full mesh VPN network between the sites.
>
> We are planning a redundant VPN net with a new FW at each site. I have
> not figured out how to do this and the routing is a true nightmare.
>
> Anyone have any ideas or thoughts around this problem?
>
> Also, what is the "best practice" regarding VPN net? Star or Mesh?
>
> Thanks for any replies,
>
> BR
> Bjornar

If 2 sites never directly connect to resources at each other then they
do not require a VPN link directly from one point to the other.

Much simpler to do a star configuration with specific point to point
exceptions between sites that actually will utilize the direct link with
site to site traffic.  In most network setups you do not truly need a
meshed configuration.  There are exceptions to this of course.  Lets say
you run video conferencing that utilized direct connections or VOIP
between all branches then it would make sense to minimize the delay and
bandwidth overhead of sending traffic in then out of a central point to
reach a remote office.  If however your applications are all hosted
centrally and the only inter branch direct connections are people using
an instant messenger then you will probably prefer the decreased
management burden of a star topology for your VPN network.

Also some of the common VPN hardware will run into simultaneous tunnel
limits around 30-50 tunnels unless it is some of the more expensive
gear.  If you are like most networks many of these sites are just small
offices with maybe a dozen sales staff with a few main operations with
the bulk of the traffic and staff.  You wouldn't want to dedicate very
expensive equipment capable of hundreds of tunnels just for a dozen
people.

--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

[ Post a follow-up to this message ]

"Bj?rnar Eilertsen" <bjornar@vetromac.no> wrote in message
news:35544b6.0410080430.5f7d287f@posting.google.com...
> Here's the deal:
>
> In our WAN we have apr. 15 sites around the world. Today we have a
> full mesh VPN network between the sites.
>
> We are planning a redundant VPN net with a new FW at each site. I have
> not figured out how to do this and the routing is a true nightmare.

square law scaling rules always hurt.

you need a routing protocol so that you dont have to do resilience with
static routing.
>
> Anyone have any ideas or thoughts around this problem?

some of the manufacturers have noticed

- e.g. cisco routers now have a "feature" so that you set up a VPN on a
star basis, and they will negotiate and build direct dynamic tunnels when
there is a traffic flow between 2 edge boxes.

but its Friday pm - so cant remember what it is called....
>
> Also, what is the "best practice" regarding VPN net? Star or Mesh?

if it is a big issue go and rent a managed service so it becomes a telco
problem.....
>
> Thanks for any replies,
>
> BR
> Bjornar
--
Regards

Stephen Hope - return address needs fewer xxs

[ Post a follow-up to this message ]