Zero-Touch Deployment Remote Office solution?
wbailey at satelliteintelligencegroup.com
Fri Jan 18 19:48:04 UTC 2013
I wrote to him privately, but will post on the list too. Meraki is pretty rad for doing just this.
-------- Original message --------
From: PC <paul4004 at gmail.com>
Date: 01/18/2013 11:34 AM (GMT-08:00)
To: Matthew Craig <matcraig at nmsu.edu>
Cc: nanog at nanog.org
Subject: Re: Zero-Touch Deployment Remote Office solution?
I handle this a different way. I'm not saying it's the easiest solution,
but it's very scalable to many thousands of endpoints.
I take a small router and I set the "WAN" side to DHCP. I use
client-initiated L2TP tunnels w/ ipsec protection to build a tunnel to the
The beauty of this is:
1) It works on any internet connection. NAT and dynamic IPs are not a
problem. Since it's all UDP encapsulated and client initiated, they just
need to supply internet access via DHCP.
2) It's stateful. The username/password defined on the remote client
decides what IP block is routed to the client. All configuration is done
from the head end based on the radius file. Routed IP blocks. Access
lists. DNS settings. You name it. A report off the IP list data file
builds the radius file. If PPP/IPCP and virtual-templating can do it, you
4) It supports all your standard routing protocols, and multicast, if
5) The only thing needing provisioning on the remote side is
username/password. Configs are pre-seeded with a "special"
username/password that provides enough access for the head office to login,
change it to the final value, and reload.
Now, I know there are several more mainstream solutions than this, and while
this removes technical complexity from the branch office, it does add some
to the headquarters.
If you're looking for a more out of the box solution, Cisco has an EZ-VPN
solution, amongst others.
On Fri, Jan 18, 2013 at 10:41 AM, Matthew Craig <matcraig at nmsu.edu> wrote:
> We have a bunch of small remote offices where we deploy cheap routers with
> VPN tunnels back to the central office. This is a very static process with
> high overhead… we have to manage each remote router separately, and the
> offices do not have tech personnel that can handle local office issues.
> We're looking for a more centrally managed and automated "zero-touch"
> remote office solution, like the Cisco Virtual Office, where the local
> non-clueful people don't have to do much.
> Does anyone have any experience / feedback for this Cisco Virtual Office
> solution or have recommendations for alternative solutions.
> - Matt
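The head-end step described in the thread ("a report off the IP list data file builds the radius file"), sketched as an added example that is not code from any poster. The comma-separated data-file layout, the function names and the FreeRADIUS-style users-file output are assumptions; the sample entries are constructed.

```python
import ipaddress

# Constructed sample "IP list data file": username, password, routed block.
SAMPLE = """\
# username,password,routed_block
branch-001,constructed-secret-1,10.20.1.0/24
branch-002,constructed-secret-2,10.20.2.0/24
"""

def parse_ip_list(text):
    """Return [(user, password, network)], rejecting entries that are unsafe to publish."""
    sites = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected username,password,block")
        user, password, block = fields
        # Quotes or whitespace could break out of the generated entry.
        if any(c in user + password for c in '"\\ \t'):
            raise ValueError(f"line {lineno}: illegal character in credentials")
        net = ipaddress.ip_network(block)  # raises ValueError if host bits are set
        for other_user, _, other_net in sites:
            if user == other_user:
                raise ValueError(f"line {lineno}: duplicate username {user}")
            # Overlap would let one branch's login attract another branch's traffic.
            if net.overlaps(other_net):
                raise ValueError(f"line {lineno}: {net} overlaps {other_user}")
        sites.append((user, password, net))
    return sites

def render_users(sites):
    """Render one users-file entry per site; the login selects the routed block."""
    out = []
    for user, password, net in sites:
        out += [
            f'{user}\tCleartext-Password := "{password}"',
            "\tService-Type = Framed-User,",
            "\tFramed-Protocol = PPP,",
            f'\tFramed-Route = "{net} 0.0.0.0 1"',
            "",
        ]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_users(parse_ip_list(SAMPLE)))
```

Running the validation before the file is published keeps a typo in the data file from handing one site's prefix to another site's login.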