- The customer has headquarters in the US with over 30 branch offices across the United States and other countries.
- The customer has plans to open 10 more offices within the next 5 years.
- The customer has expensive WAN connections such as T1, T3 and various OCx connections between the sites and the headquarters.
- The remote sites in other countries, such as India, use a static VPN to connect to the headquarters over the internet.
- The customer needs to cut costs and reduce administrative overhead.
Based on these requirements, the VeeMost engineering team proposed a solution that dynamically establishes full-mesh secure VPN tunnels between all the sites, using the internet as the WAN transport. This solution is Dynamic Multipoint VPN (DMVPN).
Dynamic Multipoint VPN (DMVPN) is a Cisco software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice, video and data across any WAN transport. DMVPN is widely used to combine enterprise branch, remote-worker and extranet connectivity. Its main benefits are:
- On-demand fully meshed connectivity with simple hub-and-spoke configurations
- Automatic IP Security (IPsec) triggering for building spoke-to-spoke IPsec tunnels
- “Zero-touch” deployment for adding remote sites
- Reduced latency and bandwidth savings
- Reduced cost of connectivity by leveraging cheaper WAN solutions.
In essence, DMVPN allows this customer to connect all their remote offices together using any type of connection. This means that internet connections such as cable, DSL, etc., can serve as the WAN medium instead of more expensive options such as T1.
With DMVPN, our customer saved money by canceling all their point-to-point T1s and expensive WAN circuits. Using the internet, the remote sites established a DMVPN tunnel to the headquarters. DMVPN technology allows each remote site to dynamically build a secure VPN tunnel with other remote sites. We implemented a dual DMVPN hub topology to add redundancy to the design.
The WAN architecture includes the following:
- Cisco ASR routers as the hub routers.
- Cisco ISR 4351 or 4331 at the remote sites, with connection to the internet via ADSL, Ethernet, 3G, or other cheaper WAN services. A DMVPN tunnel is established across the Internet, terminating into the head-end VPN routers at the Data Center in the headquarters.
- We deployed 2 routers at each remote location for redundancy purposes.
VeeMost followed Cisco recommended best-practice guidelines:
- Configured Next-Generation Encryption (NGE): AES in Galois/Counter Mode (AES-GCM) for high-speed authenticated encryption of transported data, SHA-2 for hashing operations, and elliptic-curve cryptography.
- Increased performance by using hardware-acceleration to minimize router CPU overhead, latency and jitter.
- Configured EIGRP routing protocol with route summarization for dynamic routing.
- Set up QoS service policies as appropriate on headend and branch router interfaces to alleviate interface congestion and protect higher-priority traffic from drops.
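The following IOS-XE configuration is an added illustration of the design described above (dual-hub DMVPN over the internet, IKEv2 with NGE ciphers, EIGRP with hub-side summarization); it is not VeeMost's or the customer's configuration. All names, addresses (RFC 5737 documentation ranges), the EIGRP AS number and the use of pre-shared-key authentication are assumptions, and the QoS policy is omitted for brevity.

```cisco
! ---- Shared crypto policy (hub and spoke): IKEv2 + NGE (assumed names) ----
! AES-256-GCM is an AEAD cipher, so no separate "integrity" line is
! configured; SHA-2 (sha512) is the IKEv2 PRF; group 20 is ECDH on P-384.
crypto ikev2 proposal NGE-PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 20
!
crypto ikev2 policy NGE-POLICY
 proposal NGE-PROPOSAL
!
! Pre-shared-key authentication with a placeholder key (assumption; the
! case study does not say whether PSKs or certificates were used). One
! wildcard key for all spokes is the simplest option; per-spoke keys or
! "authentication remote ecdsa-sig" with a trustpoint are stronger.
crypto ikev2 keyring DMVPN-KEYRING
 peer ALL-SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key local REPLACE-WITH-STRONG-KEY
  pre-shared-key remote REPLACE-WITH-STRONG-KEY
!
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 10 2 on-demand
!
! ESP with AES-256-GCM; transport mode keeps the GRE/NHRP payload intact
! and works behind the NAT found on cheap branch internet links.
crypto ipsec transform-set NGE-TS esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set NGE-TS
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
! ---- Hub 1 (ASR) mGRE tunnel: DMVPN phase 3 ----
! "ip nhrp redirect" lets the hub steer spoke-to-spoke traffic into
! direct tunnels; the EIGRP summary sends spokes one route for 10/8 so
! the hub never leaks the full branch routing table over the WAN.
! Hub 2 is configured identically with 10.255.0.2 / 198.51.100.2 (assumed).
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 no ip split-horizon eigrp 100
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
!
! ---- Spoke (ISR 4331) mGRE tunnel, registering with both hubs ----
! "ip nhrp shortcut" installs the direct spoke-to-spoke path on the
! NHRP redirect; the second NHS entry gives the dual-hub redundancy.
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1 nbma 198.51.100.1 multicast
 ip nhrp nhs 10.255.0.2 nbma 198.51.100.2 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.11.0.0 0.0.255.255
```

Two checks are worth running after deployment: `show crypto ikev2 sa` should report the negotiated proposal as AES-GCM-256 with PRF SHA512 and DH group 20 on every tunnel (a legacy proposal left in the configuration can silently win negotiation), and `show dmvpn` on a spoke should show both hubs in the UP state so that losing one hub does not isolate the branch.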
- Customer saved over $250,000 in wide area network costs by utilizing the internet as the medium to connect all their sites together.
- Our solution reduced administrative overhead by making it easy to bring a new site online while standardizing the process of doing so.
- VeeMost recommended, designed, planned, and implemented the entire solution with very minimal downtime, giving a much needed peace of mind to the customer.
- Our solution met current industry security standards and best practices, ensuring the customer adhered to regulations.
- VeeMost currently manages the customer’s network via our Managed Services Agreement, allowing the customer’s IT department to focus on other issues.
Need help with your Network Design or Implementation? Contact us now