Tom Froschle

MAN Network setup - 5 sites

MAN Network setup.

I am tasked with setting up a MAN network. We currently have 5 offices: 3 on the East Coast and 2 on the West Coast.

We are getting Comcast ENS 500 Mbps circuits at these locations. The plan is to have the 3 East Coast offices come back to the HQ office in NY and the 2 West Coast offices go to the office in Seattle, with Seattle being the failover option if HQ goes down somehow.

We currently have a range of ASA 5506/5525/5545 at the office locations that hand off to the switches. It is a pretty flat network, with the users on a /24 subnet, and any VLANs at HQ are done on the 5545 and handed down. Would ASAs be best for a MAN network? Will they do the job, or is a router needed?

Currently I have these offices on an IPsec VPN tunnel back to HQ, passing just their /24 subnet to HQ, and we send the required subnet(s) back to them for needed access.

Remote office - ASA 5506/ASA 5525 (depending on office), ISP connected to them, then inside interface to L2 switch.

HQ - Layer 3 switch handoff to ASA -- multiple stacked switches behind it.

[Attached diagram: Proposed_Topology.vsdx]
Bryant Schaper

I am not seeing why an ASA would not work, but a 5506 and 5525 will not handle 500 Mb/s of VPN traffic.
Is your only real question whether or not ASAs are sufficient? Difficult to answer definitively without knowing more about your traffic throughput requirements, but I would say most likely yes in the remote sites.

Have a look at this spec page: https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

The ASA 5506 series has a max throughput of 250 Mbps, 125 Mbps if you use application control, and 100 Mbps with VPN. The higher the series, the more throughput, of course, so use the lower series at smaller locations.

Otherwise, that is a very nice diagram; it looks like you've put a lot of effort and thought into the planning.
Tom Froschle (asker)

Thanks. I guess more of my question is about best practice for this MAN setup.

There is not a lot of information on the net about it; I am just wondering how I can use OSPF for these sites.

I am debating getting 2921s instead of the ASAs on site and just having the MAN be the primary path and the secondary route an IPsec VPN tunnel back to HQ.

Since you are using the ENS service, you do understand that all of the sites are pretty much on a flat L2 network? That said, you have the choice of running Layer 3 over it, or just Layer 2 with routing at a specific site. The issue you have with the ASAs is that Comcast will most likely want you to shape your traffic entering their network. ASAs are limited in that regard. They can police traffic, but that is redundant since Comcast will be policing the traffic. You also need to mark the traffic with a CoS value. Since you want the ability to mark and shape the traffic, I would suggest you put a router at each site to connect to the handoff from Comcast.

In regards to failover, you say WC sites go to Seattle and EC offices go to New York. Are you using two separate ENS domains, or will all sites be on the same one?

That is the thing: I am not too familiar with ENS. I came from MPLS/eBGP, with OSPF internally, at my last position.

Routers at each site is what I was thinking too; I was just working off the current equipment on site to see if it was possible.

How does an ENS setup look on a router in order to talk to the other ENS-supplied offices? I would like to keep this dynamic instead of using statics.

Yes, to my knowledge all are under the same domain.

If under the same ENS domain, you essentially have all offices on the same Layer 2 domain, so your Layer 3 would be completely customizable to your preference. You could put all the routers' WAN links in the same broadcast domain, or you could separate them into separate /30s between each site. You have a ton of options. You could do BGP between them if you wanted to. Honestly, you'd know best based on your business requirements.
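As an added example, not written by any participant in this thread, here is what the router-per-site approach suggested above could look like on a Cisco IOS router at one remote office. It ties together the two points raised: hierarchical shaping to the ENS CIR with CoS marking (which the ASA cannot do per class), and OSPF over the single shared ENS Layer 2 domain, with authentication on that segment, a fixed DR at HQ, and the existing IPsec tunnel to HQ kept as a higher-cost backup path. Every interface name, VLAN ID, address, key name and the BACKUP-IPSEC profile name is an assumption for illustration; the EVC VLAN tag and the CoS values Comcast actually honours come from the circuit order, and the IKE/IPsec profile itself is not shown.

```cisco
! Added example for a remote-office Cisco ISR (the 2921 mentioned above), not from the thread.
! Assumed for illustration: Gi0/0 = Comcast ENS handoff delivering the EVC on VLAN 100,
! Gi0/1 = Internet, Gi0/2 = office LAN, 500 Mbps CIR, RFC 1918 / RFC 5737 addresses.
!
! --- QoS: classify and mark CoS, then shape the aggregate to the ENS CIR ---
! Check the CoS values Comcast honours on the EVC against the circuit order.
class-map match-any VOICE
 match dscp ef
class-map match-any BUSINESS
 match dscp af31 af41
!
policy-map ENS-MARK
 class VOICE
  priority percent 20
  set cos 5
 class BUSINESS
  bandwidth percent 30
  set cos 3
 class class-default
  fair-queue
  set cos 0
!
! Shape a little under the 500 Mbps CIR (assumed 480 Mbps) so the carrier's
! ingress policer, which Comcast applies regardless, is never the one that drops.
policy-map ENS-SHAPE
 class class-default
  shape average 480000000
  service-policy ENS-MARK
!
! --- OSPF authentication for the shared ENS segment ---
! hmac-sha-256 key chains need IOS 15.4(1)T or later; on older IOS use
! "ip ospf authentication message-digest" plus "ip ospf message-digest-key".
key chain OSPF-KEYS
 key 1
  key-string CHANGE-ME-long-random-secret
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
 description Comcast ENS handoff
 no ip address
!
! All five sites sit in this one broadcast domain, so OSPF runs as a broadcast
! network with a DR/BDR: priority 255 at HQ, 254 at Seattle, 0 at every spoke.
interface GigabitEthernet0/0.100
 description ENS EVC (shared L2 domain with all other sites)
 encapsulation dot1Q 100
 ip address 10.255.0.3 255.255.255.248
 ip ospf authentication key-chain OSPF-KEYS
 ip ospf priority 0
 ip ospf 1 area 0
 bfd interval 300 min_rx 300 multiplier 3
 ip ospf bfd
 service-policy output ENS-SHAPE
!
interface GigabitEthernet0/2
 description Office LAN
 ip address 192.168.3.1 255.255.255.0
 ip ospf 1 area 0
!
! --- Backup path: IPsec VTI to HQ over the Internet ---
! Cost 1000 keeps it idle while the ENS adjacency is up; the IKE/IPsec
! profile BACKUP-IPSEC is assumed to be defined elsewhere and is not shown.
interface Tunnel0
 description Backup IPsec VTI to HQ
 ip address 10.254.3.2 255.255.255.252
 ip ospf authentication key-chain OSPF-KEYS
 ip ospf network point-to-point
 ip ospf cost 1000
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-IPSEC
!
router ospf 1
 router-id 10.255.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/0.100
 no passive-interface Tunnel0
```

HQ and Seattle get the mirror image with the higher OSPF priorities, and both should originate the default route ("default-information originate", with a lower metric at HQ) so that Internet-bound traffic also fails over to Seattle. Because the EVC is one broadcast domain, an East Coast spoke reaches a West Coast spoke directly rather than through NY; the East/West split in the question becomes a DR/BDR preference, not a forwarding path. Before going live, confirm with "show policy-map interface GigabitEthernet0/0.100" that the shaper rather than the carrier is dropping under load, with "show ip ospf neighbor" that HQ is the DR and Seattle the BDR, and check Cisco's published ISR G2 performance figures before relying on a 2921 to shape and route 500 Mbps with QoS, BFD and IPsec enabled.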