- What are your quality of service requirements for site-to-site traffic? If you plan to run high-throughput or latency-sensitive applications over your site-to-site VPN, you may prefer a dedicated WAN link with guaranteed service levels for that traffic. Alternatively, you could purchase VPN gateways with traffic-shaping capabilities that let you dedicate a portion of a single WAN link's capacity to the site-to-site tunnel and the remainder to mobile VPN users.
- What are your availability requirements for site-to-site traffic? A single WAN link is always going to leave you at greater risk for failure than redundant WAN links. But keep in mind that purchasing two WAN links won't necessarily give you double capacity unless your VPN gateways are capable of load sharing between those links (active/active rather than active/passive configuration).
- Would separate WAN links create a more secure, manageable topology? Your VPN gateway will give you the ability to segregate traffic to/from VPN tunnels over a single WAN link by configuring separate security policies for site-to-site and remote user traffic. But if remote users need to access entirely different resources than your site-to-site VPN, you may just find it easier to keep these VPNs physically separate. For example, if remote users only need to access one email server, you might find it easier just to plant an entry-level VPN gateway in front of that server, with its own WAN link and no other internal connectivity. On the other hand, if remote users need to access many destinations at both sites, it is more efficient to bring mobile traffic into the same VPN gateway that directs traffic for your site-to-site VPN.
This was first published in January 2005