Tuesday, November 14, 2017

Options for connecting remote sites over the Internet

Hello fellow network engineers,

I turn to your collective wisdom for some advice about how to connect a customer's remote sites over the ol' Internet.

Current situation: The customer has some 7 sites, 5 of which are connected over MPLS and two over IPSec. Because their MPLS is too expensive they want to do away with it and just connect over the Internet. They have one single Cisco 1901 router in one of the sites and Sophos boxes in all the others. Each site has at least one Internet connection, and most of the sites have two.

Possible solutions:

0 - Full mesh of manually built tunnels. Given the number of sites and the fact that most have redundant Internet connections that I would like to take advantage of, this goes right out the window. Too complicated, too difficult to maintain and troubleshoot, and not at all scalable.

1 - Hub and spoke, or more likely a dual redundant hub with spokes so as not to have the hub as a SPOF. Fortigate should have something in their portfolio to fit the bill. They have reasonable price, reasonable performance, and support IPSec tunnel interfaces (needed for routing) and routing protocols. This should be a reasonable solution. I'm thinking this could also be done with some gear from Mikrotik (hub and spoke, with GRE over IPSec and OSPF or BGP for routing).

1' - Same as above but with the Sophoses that the customer already has and perhaps a couple more. However, I don't really think this is possible. As far as I know Sophos has no support for tunnel interfaces. Without that, and without the ability to run some sort of routing protocol, I would have to do manual failovers in case one of the hubs fails, which I certainly don't want to do. I could go with a simple hub and spoke topology, but that seems woefully fragile for a production environment.

2 - Cisco DMVPN - I've never set this up in practice but it seems an interesting solution and I'd like to give it a shot. It wouldn't be that difficult from a technical standpoint; I can lab it all up in GNS3 in a couple of hours and see if it works how I want. Upside: I'm pretty familiar with Cisco gear and usually it's very capable and mature. Downside: Cisco routers are very pricey (given the budget I expect this customer to have), IPSec performance is appalling, or something with good IPSec performance is prohibitively expensive. Also, Cisco has the habit of nickel-and-diming you for every feature you want.

3 - Meraki Auto VPN - I don't have much experience with this, however as far as I know creating tunnels between Meraki firewalls under the same account is very easy, next to automatic. I suppose Meraki would also be able to handle redundant Internet connections. As long as your network is fairly simple Meraki should be able to handle it, but the moment you come into something like an IP overlap, you are pretty much screwed. I may be wrong here, but I found Meraki to be very simplistic, and I have a feeling that once you even slightly walk away from the beaten track you are immediately screwed (once you need something like PBR or quirkier NAT to get around some issue, I don't think Meraki is capable of that). It seems only a little more capable than a $50 router you can get for home use. Also, not entirely a deal breaker, but last I checked Meraki did not support IKEv2.

I also know Juniper and Checkpoint have solutions for this but I'm not at all familiar with those, and I also expect them to be pricey.

Thoughts?
