Solved

Internet Service for Branch Office

Posted on 2013-01-11
Last Modified: 2013-02-06
Hello Experts,
I am trying to come up with a good network design for my company's branch office.

Currently we have a main office with 800 users, and the branch office will have 30 users.
I have connected these two sites with a Point to Point Wireless Bridge. Hence, the users are in the same domain. The branch has a Cisco switch configured with VLANs and routing any traffic to the main office.

My major requirement.
I want the branch office to have a separate and dedicated internet connection while simultaneously having access to the main office application. I want this to be very secure, fast and optimal.

Our main office has a router at the edge, then an ASA firewall and the internal network.

What is the best solution to achieve this?
Question by:cciedreamer
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38767894
Get another ASA and install it at the branch office. Configure either a static route or dynamic routing on the branch office switch to point at the new ASA for internet-bound traffic. This assumes your branch office switch is a layer 3 switch and is being used as the gateway for the office.

Chances are you can get away with an ASA5505 Sec Plus so the cost won't be too high.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38768039
First of all I appreciate your response.

What if I get an ADSL Cisco router, connect it to a specific VLAN and configure policy routing? How about that?

Samir
 
LVL 3

Author Comment

by:cciedreamer
ID: 38771694
Any updates?
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 38772408
It's not clear to me why you are using/mentioning VLANs at the branch office. So, I will ignore that for now.

I would strongly recommend keeping the configurations as much the same as makes sense to do.  Only important cost differences might change this view.  

So I would get another ASA of the same type if that's affordable and interface it to an ADSL modem in the branch office.

Apparently now you have the wireless link (or something connected to it) as the internet gateway for the branch.  This has to be changed of course.  

Now you have to deal with intersite routing.  When you say the sites are on the same domain, did you mean on the same subnet?  You have two choices it seems to me:

1) run broadcast traffic over the link.
2) use different subnets between offices.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38792514
Sorry for the delay in response.
I would simplify my case. Currently I have connected the two buildings (Main Office and Remote Site Office) with a Point to Point Wireless Bridge. At the remote site office I have a layer 3 switch configured with 2 VLANs for the staff and a default static route to the wireless bridge at the main office. The staff are taking domain services, application and internet service (using the main proxy server of the main office).
Now I am thinking to segregate the internet services for the remote service. I want to provide them a DSL router to have their own internet access and at the same time have domain and application services from the main office.

Thanks.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38847859
You don't need a firewall at the branch office, just a router to connect the branch to the Internet. What is the proxy server at the main site used for, and do you plan on providing that same functionality at the branch? You would need another proxy server at the branch. Just basic static routing is all you need.
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38848182
Kevin may have picked up on something here that I have missed so I will try and choose my words carefully but I would not countenance any Internet connection that doesn't have a firewall in the middle of it.

I am guessing that the purpose of the change is to reduce the load over the 'bridge' by directing Internet traffic from the 'branch office' out of its own, local Internet connection.

If this assumption is correct then an obvious question needs answering:
If the main site connection required a proxy and a firewall/router to be installed in order to protect the internal network then surely the same argument holds true for putting in another internet connection, as it will need to be protected to the same level.

Secondly, if you are introducing another Internet connection, I would also assume that you have considered the new options available such as failover/resiliency, i.e. if the main internet connection ever failed, you could redirect the main site over to the new Internet connection for a short period until it was fixed. Again though, you would want the same level of protection on the new Internet connection as on the primary.

Use of a proxy.pac file or equivalent would allow automated configuration of the clients based on source ip to the local Internet connection nearest to them (building A or building B).

Default gateway settings/dhcp scope will also configure the clients to point to the nearest Internet connection by default and static routes can be introduced so that internal building-to-building traffic (inter-domain) continues to use the 'bridge' as normal.

Keith
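
The proxy.pac approach from the accepted answer, as an added example that is not part of the original thread: clients are sent to the proxy in their own building, the other building's proxy is listed as failover, and internal destinations stay DIRECT so they keep using the bridge. The subnets, proxy host names and the `corp.example` suffix are assumptions made up for illustration, as are the helper names `ipToInt`, `inSubnet`, `isInternalHost` and `chooseProxy`.

```javascript
// PAC sketch; every address and host name here is a constructed example.
var SITES = [ // building subnets and their local proxies (assumed values)
  { net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-a.corp.example:8080" },
  { net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-b.corp.example:8080" }
];
var INTERNAL_DOMAIN = ".corp.example"; // assumed internal DNS suffix
var INTERNAL_NET = { net: "10.0.0.0", mask: "255.0.0.0" };

// Dotted quad to unsigned 32-bit integer; null if not a valid IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), k = ipToInt(mask);
  if (a === null || n === null || k === null) return false;
  return ((a & k) >>> 0) === ((n & k) >>> 0);
}

// Internal destinations stay off the proxies and follow normal routing (the bridge).
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true; // plain name
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return true;
  return inSubnet(host, INTERNAL_NET.net, INTERNAL_NET.mask);
}

function chooseProxy(clientIp, host) {
  if (isInternalHost(host)) return "DIRECT";
  var local = [], others = [];
  for (var i = 0; i < SITES.length; i++) {
    var here = inSubnet(clientIp, SITES[i].net, SITES[i].mask);
    (here ? local : others).push(SITES[i].proxy);
  }
  // Local proxy first, the other site as failover. No DIRECT fallback, so
  // Internet traffic never bypasses a protected egress point.
  return local.concat(others).join("; ");
}

// Entry point the browser calls; myIpAddress() is a PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

On multi-homed clients `myIpAddress()` can return an address outside both subnets; in that case the proxies are simply tried in their configured order.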
Question has a verified solution.
