Network Management Strategies for the CIO
I am intending to set up a VPN between two offices and also for mobile users to connect to the main office. Would you recommend using a leased line between the two offices as well as the existing WAN connection (256K), or increasing the bandwidth of the WAN and then VPN over the DSL link, thus combining the Office - Office VPN as well as the external VPN? Currently, we have 50 users at the main office and 10 at the remote office.
Requires Free Membership to View
Sharing one link across all users (site-to-site and mobile) is probably going to be a more economic solution, because you are more likely to fully utilize available bandwidth (vs. having two separate links and splitting traffic over them in a fixed manner). However, there are other factors to consider here:
- What are your quality of service requirements for site-to-site traffic? If you plan to run high-throughput or latency-sensitive applications on your site-to-site VPN, you may prefer using a dedicated WAN link with guaranteed services levels for that traffic. Alternatively, you could purchase VPN gateways with traffic shaping capabilities that let you dedicate a portion of a single WAN link's capacity to the site to site tunnel, and the remainder to mobile VPN users.
- What are your availability requirements for site-to-site traffic? A single WAN link is always going to leave you at greater risk for failure than redundant WAN links. But keep in mind that purchasing two WAN links won't necessarily give you double capacity unless your VPN gateways are capable of load sharing between those links (active/active rather than active/passive configuration).
- Would separate WAN links create a more secure, manageable topology? Your VPN gateway will give you the ability to segregate traffic to/from VPN tunnels over a single WAN link by configuring separate security policies for site-to-site and remote user traffic. But if remote users need to access entirely different resources than your site-to-site VPN, you may just find it easier to keep these VPNs physically separate. For example, if remote users only need to access one email server, you might find it easier just to plant an entry-level VPN gateway in front of that server, with its own WAN link and no other internal connectivity. On the other hand, if remote users need to access many destinations at both sites, it is more efficient to bring mobile traffic into the same VPN gateway that directs traffic for your site-to-site VPN.
This was first published in January 2005
Join the conversationComment
Share
Comments
Results
Contribute to the conversation