Branch Location Over The Internet

Pablo Lucena plucena at coopergeneral.com
Wed Aug 12 00:01:16 UTC 2015


DMVPN is very flexible, and is designed for this type of scenario. Cisco
definitely supports it. Not sure about Juniper, but it's essentially mGRE +
NHRP. You can use IPSec to encrypt the tunnels, and if you require
spoke-to-spoke connectivity, there are some optimizations in Phase-3 DMVPN
that make it scalable. I would recommend using BGP as the routing protocol
in this type of setup as well. Newer versions of Cisco code support
"next-hop-self all", which will allow you to use iBGP between HQ and the
branches without having to complicate the config too much.

LISP is also a great solution. It's supported across the Cisco product line,
and there are other open source implementations. This really simplifies
your routing, as you can just rely on static default routes into the
"internet" at each branch, and allow LISP to take care of the rest. You can
also use encryption on top of it.

Not sure why you think it would be ideal to have a Layer-2 solution...I
would personally stay away from it for this type of setup.

Regards,

Pablo


On Tue, Aug 11, 2015 at 2:21 PM, Colton Conor <colton.conor at gmail.com>
wrote:

> We have an enterprise that has a headquarter office with redundant fiber
> connections, its own ASN, its own /22 IP block from ARIN, and a couple of
> gigabit internet connections from multiple providers. The office is taking
> full BGP routes from tier 1 providers using a Juniper MX80.
>
> They are establishing their first branch location, and need the branch
> location to be able to securely communicate back to headquarters, AND be
> able to use a /24 of headquarters' public IP addresses. Ideally the device
> at the HQ location would hand out public IP addresses using DHCP to the other
> side of the tunnel at the branch location.
>
> We know that in an ideal world it would be wise to get layer 2 transport
> connections from HQ to the branch location, but let's assume that is not an
> option. Please don't flood this thread about how it could be an option
> because it's not at this time. This setup will be temporary and in service
> for the next year until we get fiber to the branch site.
>
> Let's assume at the branch location we can get a DOCSIS cable internet
> connection from an incumbent cable provider such as Comcast, and that
> provider will give us a couple of static IP addresses. Assume as a backup, we
> have a PPPoE DSL connection from the ILEC such as Verizon who gives us a
> dynamic IP address.
>
> What solution could we put at the HQ site and the branch site to achieve
> this? Ideally we would want the solution to load balance between the
> connections based on the connections speeds, and failover if one is down.
> The cable connection will be much faster speed (probably 150Mbps down and
> 10 Upload) compared to the DSL connection (10 download and 1 upload). If we
> need more speed we can upgrade the cable modem to a higher package, but for
> DSL that is the max speed so we might have to get multiple DSL lines. The
> cable solution could always be used as the primary, and the DSL connection
> could only be used as backup if that makes things easier.
>
> If you were to do this with Juniper or Cisco gear what would you have at
> each location? What technology would you use?
>
> I know there is Pepewave and a couple of other software solutions that seem
> to have proprietary load balancing solutions developed, but I would
> prefer to use a common Cisco or Juniper solution if one exists.
>
> There will be 50 users at the branch office. There is only one branch
> location at this time, but they might expand to a couple more but under 10.
>


