yoz_man (United States of America) asked:
Need Networking Expertise

I was given this task and I'm not sure how to go about it. I'm assuming that I need a star topology because NY is the corporate center and the only source of Internet. Reading the instructions below, from NY to the other remote locations, how do I achieve this? Packet switching? A little confused.

Design a local and wide area network at seven sites with remote access for a 3,500-person international company in the pharmaceutical industry. The company recently was formed through a number of acquisitions via venture capitalists.

There are seven company locations each containing one building, including the corporate headquarters in New York, NY - 1000 employees, San Diego, CA - 250 employees, central research in Houston, TX - 750 employees, Madrid - 500 employees, India - 50 employees, London - 150 employees, China - 300 employees and 500 remote users - sales force.

There is a diverse computing environment with no standards in place, including a combination of devices (e.g. network printers) and desktop operating systems (e.g. Macintosh OS, UNIX, Linux and Microsoft Windows). There are three different data centers in operation. The first data center is located in New York, NY, being used as the main corporate data center (e.g. email, file, print, database and intranet web servers); the second is located in San Diego, CA, being used for R&D (e.g. high performance computing, technical application servers and video-streaming services); and the third is located in Houston, TX, being used for disaster recovery. The company does large file transfers (e.g. video and graphics) between San Diego, CA and Houston, TX. There is one Internet connection located in the corporate data center that services all company locations.

Specify the type(s) of media (fiber and copper), network devices (switches and routers), protocols, WAN circuits and connectivity, remote access method and authentication, fault tolerance and security in your design.
NetExpert Network Solutions Pte Ltd (Singapore):

@ yoz_man,

Since you have only an Internet link as a source, a hub-and-spoke DMVPN technology with IPsec will fulfill your request with a fully secured network.

Again, you can run EIGRP over the DMVPN tunnels to connect the sites.

Since you have many users and applications, you need to design proper QoS in the plan too.

With respect to hardware, you can choose either Cisco or Juniper routers.
I have attached a sample design of DMVPN with IPsec.

A few points:

1. Designate two sites as the primary hub and backup hub sites. Establish back-to-back fiber connectivity between the hub sites.

2. Establish IPsec tunnels between the hub site and the spoke sites; configure the DMVPN hub tunnel on the hub-site router and the DMVPN spoke tunnel on each spoke router.

3. You need to call the IPsec profile under the DMVPN tunnel. If you need QoS, you can apply it on the tunnel too.

I have attached the Cisco documentation for your reference:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html
Attachment: Sample-Network-Design---DMVPN-witj-IPSec
yoz_man (asker):
Thank you for your response. Maybe I don't understand, but how do I actually set up the connection with NY being the only place the Internet comes from? Is it just hardware and IPsec tunnels? Does the provider supply access out of NY to the remote sites? Router, switch, VPN terms etc. are fine.
NetExpert Network Solutions Pte Ltd:

Can you explain the current connectivity of the sites?

Are all the other sites interconnected now, or do we need to interconnect them?

If these sites are not interconnected, we just need an Internet connection to every site, which will be provided by the local Internet service provider.

Once we have an Internet connection to the site, we can establish logical point-to-point connectivity between the sites.
yoz_man (asker):

Right - the sites are NOT interconnected. If the ONE Internet connection comes from NY and has to go to London and China, how is that accomplished? Does the provider give one connection from NY to the other sites and share bandwidth, or is there dedicated access? What is the fastest way to get to the sites? This is where I'm confused.
NetExpert Network Solutions Pte Ltd:

Do you have Skype or other apps?

I can call you and explain.

@yoz_man,

The Internet link to every site is a dedicated link from the respective site's local Internet service provider.

Once you have dedicated Internet access at every site, then you can connect those sites through a logical tunnel over the Internet.
yoz_man (asker):

No, I don't - very slow connection here. If you can just explain, very simply; it doesn't have to be so intense. If the main connection is in NY, and now I need to connect 2 remote locations:
1. Router in each location?
2. What is the fastest speed to connect to those remote connections? Do I have to set up SONET, or Frame Relay, or packet switching for them to communicate?
3. After connection, then I assume IPsec tunneling for remote access; is that right?
NetExpert Network Solutions Pte Ltd:

1. Router in each location? -- Yes, you need to have a router at each site.

2. What is the fastest speed to connect to those remote connections? Do I have to set up SONET, or Frame Relay, or packet switching for them to communicate? -- You can get an Internet link, and that's quite an easy way to get connected.

3. After connection, then I assume IPsec tunneling for remote access; is that right? -- That's right.
yoz_man (asker):

OK cool. So as far as the Internet link, how do I determine that? Let's say cost isn't an issue; how do I get a link from NY to China communicating the fastest way, or better yet, what should I be using? And one last part: for the 500 remote users that will connect to the network, is that just a VPN connection over the network with whatever authentication rules to log in, or is there something more than that? I'm assuming that the VPN access server has to be only in the corporate location and not at each site. Am I missing anything else?
NetExpert Network Solutions Pte Ltd:

@yoz_man,

Don't get too confused. You need to apply for an Internet connection for every site from the respective site's local Internet service provider.

Example: for the NY site, you can apply for an Internet connection from AT&T, Verizon or another local provider; for the China site, you can apply for an Internet connection from China Telecom.

There are two VPN methods: one is remote-user VPN and the other is site-to-site VPN.

Site-to-site VPN helps to connect between sites.
Remote VPN helps the remote users connect to the main site.

While the remote users are trying to connect to the network, we can apply all authentication mechanisms.

site 1 router --> tunnel over internet --> main office
remote user --> tunnel over internet --> main office
yoz_man (asker):

That's why I'm confused. I understand what you are saying, but in my directions: "There is one Internet connection located in the corporate data center that services all company locations." So if that one connection is in NY, then does a company like Verizon make that connection from NY to China and NY to London, etc.? For example, in a large file transfer situation, would you call Verizon and say I need a T3 from NY to London and also a T1 from NY to China, or is there some sort of ATM that is set up? I guess this ONE Internet connection only stemming from NY is throwing me off. BTW, thank you for your responses.
NetExpert Network Solutions Pte Ltd:

Got it.

So the NY site has the Internet connection.

Yes. Companies like Verizon, AT&T and others provide a T3 link (either an Ethernet link or ATM) between NY and China and between NY and London; you can request an MPLS link with BGP.

If you have the budget, please go with this option; in this setup you do not need to configure tunnels between sites.

I have attached the sample design.

Attachment: Sample-Network-Design.PNG
yoz_man (asker):

Thanks for the drawing. Since the Internet connection is coming from NY, does THAT link from NY to the MPLS need to be faster, because out of that MPLS it will then be distributed to the remote sites, in terms of bandwidth loss? If you don't have tunnels between sites, then is it just a tunnel over the Internet for the 3500 users to access? Am I seeing this correctly?
NetExpert Network Solutions Pte Ltd:

Yes.

Per your requirement, the NY site will have two links. One is the Internet link for remote users to connect to the network through a tunnel.

The other is the MPLS link (either Ethernet or ATM), which will connect the remote office sites.

Remote offices (China, London) will have only one MPLS link to connect to the NY site and to the other remote sites.

If you get an MPLS link, it's a dedicated link between sites and there is no need for a tunnel.
yoz_man (asker):

Ahhhh, I think I have this now. So coming out of the MPLS, depending on what the traffic is, I can dictate a higher bandwidth, or lower if there is less traffic, and then also control my cost. I can then have a T1 to London, a T3 to China or a POTS line to Houston. I think I'm right. One last question:
After all these are connected and LARGE amounts of data need to go from remote site to remote site, what is used at that point? Are we now using a VPN tunnel from remote site to remote site? It has to handle large amounts of data going back and forth. Thank you so much BTW.
ASKER CERTIFIED SOLUTION

NetExpert Network Solutions Pte Ltd (Singapore):

This solution is only available to Experts Exchange members.
yoz_man (asker):

Great feedback, a world of help, A+. Got a great understanding now. TY
sol_21:

Do all sites, including the one with the Internet connection, need to be connected to the MPLS?