Solved

Internet Service for Branch Office

Posted on 2013-01-11
9
472 Views
Last Modified: 2013-02-06
Hello Experts,
I am trying to come up with a good network design for my company's branch office.

Currently we have a main office with 800 users and branch office will have 30 users.
I have connected these two sites with Point to Point Wireless Bridge. Hence, the users are in same domain. The branch has a Cisco Switch configured with vlans and routing any traffic to the main office.

My major requirement.
I want to have branch office with a separate  and dedicated internet connection and simultaneously having access to the main office application. I want to have it this very securely, fast and optimum.

Our main office has Router in the edge, then ASA firewall and internal network.

What is the best solution to achieve this ?
0
Comment
Question by:cciedreamer
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38767894
Get another ASA and install it at the branch office. configure either a static route or dynamic routing on the branch office switch to point at the new asa for internet-bound traffic. This assumes your branch office switch is a layer 3 switch and is being used as the gateway for the office.

Chances are you can get away with an ASA5505 Sec Plus so the cost won't be too high.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38768039
First of all I appreciate your response.

What if get ADSL Cisco Router, connect to specific vlan and configure policy routing ? How about that ?

Samir
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38771694
Any updates.
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 25

Expert Comment

by:Fred Marshall
ID: 38772408
It's not clear to me why you are using/mention VLANs at the branch office.  So, I will ignore that for now.

I would strongly recommend keeping the configurations as much the same as makes sense to do.  Only important cost differences might change this view.  

So I would get another ASA of the same type if that's affordable and interface it to an ADSL modem in the branch office.

Apparently now you have the wireless link (or something connected to it) as the internet gateway for the branch.  This has to be changed of course.  

Now you have to deal with intersite routing.  When you say the sites are on the same domain, did you mean on the same subnet?  You have two choices it seems to me:

1) run broadcast traffic over the link.
2) use different subnets between offices.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38792514
Sorry for the delay in response.
I would simplify my case. Currently I have connected the two buildings ( Main Office and Remote Site Office) with Point to Point Wireless Bridge. At remote site office I have layer 3 switch configured with 2 VLAN's for the staff and default static route to the wireless bridge at main office. The staff are taking domain services,application and internet service ( using main proxy server of main office).
Now I am thinking to segregate the internet services for the remote service.I want to provide them a DSL router to have there own internet access and at the same time having domain and application services from the main office.

Thanks.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38847859
You don't need a firewall at the branch office, just a router to connect the branch to Internet. What is the proxy server at the main site used for, and do you plan on providing that same functionality at the branch? You would need another proxy server at the branch. Just basic static routing is all you need.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38848182
Kevin may have picked up on something here that I have missed so I will try and choose my words carefully but I would not countenance any Internet connection that doesn't have a firewall in the middle of it.

I am guessing that the purpose of the change is to reduce the load over the 'bridge' by directing Internet traffic from the 'branch office' out of its own, local Internet connetction.

If this assumption is correct then an obvious question needs answering:
If the main site connection required a proxy and a firewall/router to be installed in order to protect the internal network then surely the same argument holds true for putting in another internet connection. as it will need to be protected to the same level.

Secondly, if you are introducing another Internet connection, I would also assume that you have considered the new options available such as failover/resiliency i.e. if the main internet connection ever failed, you could redirect the main site over to the new Internet connection for a short period until it was fixed. Again though, you would want the same level of protecxtion on the new Internet connection as on the primary.

Use of a proxy.pac file or equivalent would allow automated configuration of the clients based on source ip to the local Internet connection nearest to them (building A or building B).

Default gateway settings/dhcp scope will also configure the clients to point to the nearest Internet connection by default and static routes can be introduced so that internal building-to-building traffic (inter-domain) continues to use the 'bridge' as normal.

Keith
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
integration of incident management and linking to CMDB 1 42
access vs trunk with voice vlan 2 44
Palo Alto Networks: Truly No Hit Count? 2 44
cisco sg 200 trunking 4 26
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question