sectel
asked on
DMVPN, Zone based FIREWALL, NAT, Dynamic routing protocol, design and implementation
Hello:
I have been asked to design and implement a mid scale VPN solution. I plan to use a hub and spoke design where:
My question relates to the order of implementation. Specifically what should be coded first and how do they interact. Can people please recommend a deployment order for the following.
Tips, suggestions and comments are welcome from users in this excellent forum.
I have been asked to design and implement a mid scale VPN solution. I plan to use a hub and spoke design where:
some spokes are corporate sites and others are connected via the inet.
WAN speeds vary between 5-20 Mb/s.
Not all spoke sites will be "on and connected" 24/7.
Some spokea that are far from the hub we need to communicate direcetly with one or more other spokes
.
iNet acces will be limited to the hub.
Split tunnel wan connections will not be permnitted on the spokes, but will be used on the hub for inet access
spokes will either have a hard router or some soft VPN client depneding on their size, uptime and number of users
My planned architecture is based on DMVPN phase 3 . This will allow
dynamic spoke creation
control over spoke to spoke communications
ability to limit iNet access through a main controlled gateway
simplification of the HUB as the number of spokes increases over time
I also need to usecontrol over spoke to spoke communications
ability to limit iNet access through a main controlled gateway
simplification of the HUB as the number of spokes increases over time
NAT so that we can isolate spokes and deploy a well planned LAN side address space
ZFW- Zone based firewall is planned to be implemented as various spokes and the hub will have services running
EIGRP is planned for the LAN side
BGP or static is planned for the WAN side
I am old school and tend to do all my configs with CLI and not use a gui or some wizards. Maybe this will be easier?ZFW- Zone based firewall is planned to be implemented as various spokes and the hub will have services running
EIGRP is planned for the LAN side
BGP or static is planned for the WAN side
My question relates to the order of implementation. Specifically what should be coded first and how do they interact. Can people please recommend a deployment order for the following.
DMVPN
NAT
ZBF
LAN -EIGRP
WAN-BGP
For my non-router based spokes, are there any preferred VPN clients that work well with DMVPN, easy VPN, Get VPN, NCP VPN client etc.NAT
ZBF
LAN -EIGRP
WAN-BGP
Tips, suggestions and comments are welcome from users in this excellent forum.
There isn't a specific order to set things up, the important thing is that you fully test it before deploying it. Once you have the hardware and network connection types selected, you can start planning the configs. Do you have a IP address/VLAN schema worked out?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
that looks good
ASKER
Good answer