Solved

Internet Service for Branch Office

Posted on 2013-01-11
Last Modified: 2013-02-06
Hello Experts,
I am trying to come up with a good network design for my company's branch office.

Currently we have a main office with 800 users, and the branch office will have 30 users.
I have connected these two sites with a Point to Point Wireless Bridge. Hence, the users are in the same domain. The branch has a Cisco switch configured with VLANs and routing any traffic to the main office.

My major requirement:
I want the branch office to have a separate and dedicated internet connection while simultaneously having access to the main office application. I want this to be very secure, fast and optimal.

Our main office has Router in the edge, then ASA firewall and internal network.

What is the best solution to achieve this?
0
Question by:cciedreamer
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38767894
Get another ASA and install it at the branch office. Configure either a static route or dynamic routing on the branch office switch to point at the new ASA for internet-bound traffic. This assumes your branch office switch is a layer 3 switch and is being used as the gateway for the office.

Chances are you can get away with an ASA5505 Sec Plus so the cost won't be too high.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38768039
First of all I appreciate your response.

What if I get an ADSL Cisco router, connect it to a specific VLAN and configure policy routing? How about that?

Samir
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38771694
Any updates?
0

 
LVL 25

Expert Comment

by:Fred Marshall
ID: 38772408
It's not clear to me why you are using/mentioning VLANs at the branch office. So, I will ignore that for now.

I would strongly recommend keeping the configurations as much the same as makes sense to do.  Only important cost differences might change this view.  

So I would get another ASA of the same type if that's affordable and interface it to an ADSL modem in the branch office.

Apparently now you have the wireless link (or something connected to it) as the internet gateway for the branch.  This has to be changed of course.  

Now you have to deal with intersite routing.  When you say the sites are on the same domain, did you mean on the same subnet?  You have two choices it seems to me:

1) run broadcast traffic over the link.
2) use different subnets between offices.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38792514
Sorry for the delay in response.
I would simplify my case. Currently I have connected the two buildings (Main Office and Remote Site Office) with a Point to Point Wireless Bridge. At the remote site office I have a layer 3 switch configured with 2 VLANs for the staff and a default static route to the wireless bridge at the main office. The staff are taking domain services, application and internet service (using the main proxy server of the main office).
Now I am thinking to segregate the internet services for the remote service. I want to provide them a DSL router to have their own internet access and at the same time have domain and application services from the main office.

Thanks.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38847859
You don't need a firewall at the branch office, just a router to connect the branch to Internet. What is the proxy server at the main site used for, and do you plan on providing that same functionality at the branch? You would need another proxy server at the branch. Just basic static routing is all you need.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38848182
Kevin may have picked up on something here that I have missed so I will try and choose my words carefully but I would not countenance any Internet connection that doesn't have a firewall in the middle of it.

I am guessing that the purpose of the change is to reduce the load over the 'bridge' by directing Internet traffic from the 'branch office' out of its own, local Internet connection.

If this assumption is correct then an obvious question needs answering:
If the main site connection required a proxy and a firewall/router to be installed in order to protect the internal network then surely the same argument holds true for putting in another internet connection, as it will need to be protected to the same level.

Secondly, if you are introducing another Internet connection, I would also assume that you have considered the new options available such as failover/resiliency i.e. if the main internet connection ever failed, you could redirect the main site over to the new Internet connection for a short period until it was fixed. Again though, you would want the same level of protection on the new Internet connection as on the primary.

Use of a proxy.pac file or equivalent would allow automated configuration of the clients based on source ip to the local Internet connection nearest to them (building A or building B).

Default gateway settings/dhcp scope will also configure the clients to point to the nearest Internet connection by default and static routes can be introduced so that internal building-to-building traffic (inter-domain) continues to use the 'bridge' as normal.

Keith
0
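
The proxy.pac approach described in the accepted answer, as an added example that is not part of the original thread: clients pick the proxy nearest to them by source IP, internal destinations stay on the bridge, and Internet traffic never falls back to an unfiltered direct path. The subnets, proxy host names and internal DNS suffix are constructed placeholders.

```javascript
// Constructed addressing plan (assumptions, not taken from the thread).
var BRANCH_NETS = [["10.20.10.0", 24], ["10.20.20.0", 24]]; // two branch staff VLANs
var INTERNAL_NETS = [["10.0.0.0", 8]];                      // both buildings
var INTERNAL_SUFFIX = ".corp.example";                      // internal DNS domain
var MAIN_PROXY = "PROXY proxy-main.corp.example:8080";
var BRANCH_PROXY = "PROXY proxy-branch.corp.example:8080";

// Dotted quad to unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (+m[i] > 255) return null;
    n = n * 256 + (+m[i]);
  }
  return n;
}

// True when ip falls inside any [network, prefixLength] pair.
function inAny(ip, nets) {
  var addr = ipToInt(ip);
  if (addr === null) return false;
  return nets.some(function (net) {
    var size = Math.pow(2, 32 - net[1]);
    return Math.floor(addr / size) === Math.floor(ipToInt(net[0]) / size);
  });
}

function chooseProxy(clientIp, host) {
  host = String(host).toLowerCase();
  // Internal names and addresses bypass the proxies; static routes carry
  // this traffic over the bridge.
  var internal = host.indexOf(".") === -1 ||
    host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX ||
    inAny(host, INTERNAL_NETS);
  if (internal) return "DIRECT";
  // Nearest proxy first, the other site as failover. No trailing "DIRECT":
  // if both proxies are down, Internet access fails closed.
  if (inAny(clientIp, BRANCH_NETS)) return BRANCH_PROXY + "; " + MAIN_PROXY;
  // Unknown sources (myIpAddress() can return loopback) use the main site.
  return MAIN_PROXY + "; " + BRANCH_PROXY;
}

// PAC entry point; myIpAddress() is supplied by the browser's PAC engine.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```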
