Switches, Hubs, and Modems
jeffaz
Occasional Advisor

Question about branch office

I am setting up a branch office about two blocks away from the main office. The main office has a Windows 2000 Server AD and Exchange Server 2000 with other servers. The branch office will have a Cisco ASA 5505 firewall and an HP 24 port switch. I want the branch office to use the main office Exchange for email and also be part of the main office Windows domain. I am setting up a site-to-site VPN to make this happen. I am new to VLANs, so my question is: could I set up a VLAN with two ProCurve 2626 switches so that the branch office would be on a VLAN and be part of the Windows domain so they could communicate with the main office? Putting them on the same or different subnet; there will be 10 Windows XP Pro PCs at the branch office.
Jonathan Axford
Trusted Contributor

Re: Question about branch office

I would say that it depends on what connection you are going to have between the main office and the branch.

If it will be an ADSL/broadband connection I would set the branch office up as a separate subnet and use the ASA to route between the two. That way, only traffic that needs to go to the main site will be sent over the VPN.

I set something very similar up using a Cisco PIX 515 to terminate the VPNs and Cisco 800 series ADSL routers at the remote sites; I then had HP 2524s to connect the extra devices at the remote sites.

Where there is a will there is a way...
jeffaz
Occasional Advisor

Re: Question about branch office

Both offices have a T1. Can I use the HP 2626s to create a VLAN to put the remote office on a different subnet, but they will still be on the same AD domain as the main office and use resources like my file server? Would I need an additional router for this?
Jonathan Axford
Trusted Contributor

Re: Question about branch office

I would go for a separate router and just use the 2600s as access layer switches.

In terms of AD and file sharing, there will be no problem logging on from the remote office; the idea is that for the users it would seem as if they are logging on normally.

You would need to use a separate router to terminate the VPN to the ASA device. You could then configure the router to be in a separate subnet to your main network and make sure that all traffic destined for the AD etc. is encapsulated and sent down the VPN tunnel.

It would probably be simplest to use the ASA to route between the 2 subnets, using a static route.

I can't see a way of getting the 2600 switches to do all of the routing, as you will need a router in the middle somewhere to establish the VPN tunnel...
Where there is a will there is a way...
jeffaz
Occasional Advisor

Re: Question about branch office

At the main office we have a WatchGuard and the remote office will have an ASA 5505 firewall; this will be the site-to-site VPN. Is that what you mean by terminating the VPN?
Then add a router at the remote office and create static routes to send traffic from the remote office to the main office, and then I could use the 2626s for a VLAN?

Thanks...sorry for the newbie questions
Mohieddin Kharnoub
Honored Contributor

Re: Question about branch office

Hi

Terminating the VPN tunnel in your case means creating a site-to-site VPN tunnel.

In your case, and if you have the VPN software on the ASA 5505, I would do all the VPN job there, so I can create the correct policies, define the site-to-site VPN and define static routes or policy-based ones on the ASA to send specific traffic to the head office.

And of course on the branch office's router you need to forward any VPN session to the ASA to be terminated.

In most cases, when you have a firewall/VPN capable device, use it for terminating VPN sessions, and leave the WAN router doing other things unless you need to do it on the router for some reason like compatibility issues...

Good Luck !!!
Science for Everyone
jeffaz
Occasional Advisor

Re: Question about branch office

I will have the site-to-site VPN up, putting the branch office on a different subnet, same domain as the main office. After the VPN is up and everything is working, would putting the branch office users on a VLAN be of any benefit?
Jonathan Axford
Trusted Contributor

Re: Question about branch office

Hi jeffaz,

I would make them different VLANs purely from an admin point of view.

Even though the switches at each site will not be aware of each other's VLANs, it makes it easier to reference each site as a separate VLAN. (If this makes sense!!!)

It is not necessary to make them separate VLANs, however; the setup will work quite happily if you leave all the hosts in the default VLAN.

Cheers

Jonboy
Where there is a will there is a way...
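As an added illustration of the design the thread converges on (example configuration written for this page, not from any of the posters or from HP), here is a ProCurve 2626 at the branch with the users in their own VLAN and subnet, and the ASA 5505 as the gateway that terminates the site-to-site VPN and decides what goes through the tunnel. The VLAN number, subnets, IP addresses and port assignments are assumptions.

```text
; Added example, not from the thread: branch office ProCurve 2626 access switch.
; Assumed: branch users on VLAN 20 / 192.168.20.0/24, main office on 192.168.10.0/24,
; ASA 5505 inside interface at 192.168.20.1 connected to port 24.
; The ASA holds the VPN policy and the static route to the main office subnet;
; the 2626 only does layer 2 for the branch users, as recommended in the replies.
hostname "branch-2626"

; Move every port out of the default VLAN so nothing is left there by accident
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-24
   exit

; One access VLAN for the branch: the 10 XP workstations on ports 1-23,
; the ASA inside interface on port 24, all untagged (no trunking needed)
vlan 20
   name "Branch-Users"
   untagged 1-24
   ip address 192.168.20.2 255.255.255.0
   exit

; Switch management traffic leaves through the ASA like everything else
ip default-gateway 192.168.20.1
```

If you keep all hosts in the default VLAN instead, which the last reply says works fine, drop the vlan 20 stanza and put the ip address under vlan 1. The point of the separate VLAN is only that the branch subnet has its own name and number on the switch, which makes it easier to tell the two sites apart when troubleshooting.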