Point to Point Network

[bfliss]

[/b]I have a win2003 domain with a T1. I need to create a private, low latency network between 15 remote sites. These site range over a 80 mile radius. This is being done so we can utilize Active directory, Centralized Storage, and Network Image Scanning. I have been told by our software vendor not to use a VPN because of latency / packet issues. What connection type and protocol is recommended when I need to "try" to keep the cost down on the connection. I hope someone can point me in the right direction. Thanks for any help!

 

[blue68f100]

Apparently you vendor is not up on VPN.

If you were to setup VPN Router to Router between all offices it will work. The key is it use High END VPN Routers. Not port forwarding routers. This is very secure, IPSec Tunnel, 3DES with Auth.

VPN are normally slow due to several keys. The uplink speed is normally slow with most connections. Router that do not have a large precessor and ram are slow.

If you have a symetric T1 should not have any problems. Except VPN are tricky to setup.

I have been beta testing some firmware for routers that support VPN. The VPN Wizzard worked the first time, router to router and client to router.

You could also have your T1 tied together.

 

[fredweston]

I disagree, VPN adds a significant overhead to the traffic since everything has to be encrypted and decrypted. Plus, you have to deal with the existing latency on the Internet between all sites.

First off, a single T1 is probably not adequate if you want to link 15 sites and have all users at all sites utilizing servers at the central site. The image scanning you mention especially would worry me. Is this for a healthcare related company?

You haven't mentioned what type of connection each of the remote sites has. If it's not T1, etc then you have to keep in mind that the upstream path back to the central site is probably slow.

Other than VPN, frame relay is the only other semi cost effective solution. Frame relay will probably give you lower and more consistent latency than VPN, but it's expensive.

 

[blue68f100]

Fred, VPN based hardware with cpu power for doing the processing is not bad. The Low in stuff stinks like dial up, which is what I think you are refering to. And I agree with that. But everybody VPN hardware and connections are different. My test show that file transfer was limited to the uplink speed. Faster than some sites I visit. But I had a 1.8mbps uplink speed I tested with. Most router only to port forwarding. Very few have 64+32 meg and 266+mhz Xscale cpu to handle the 3DES.

 

[bfliss]

Yes, this is a healthcare company. We will be using this to scan patient charts back to our corporate location. Curently the remote locations have cable or dsl connections / dynamic ip. Obviously, I will have to upgrade the connections to allow the best upload speed. The only question is what type connection would meet my needs. I hate to imagine the cost of full/frac T1's, but it may be my only option. Most locations only have 2-3 PC's and a network scanner. They use limited internet access, email is via remote exchange server. I would like to use central active directory for adding / removing remote users (save me some drive time). Also would like centralized storage, backups, and antivirus scanning. We do have a VOIP 3com NBX unit at our central location, and depending on cost / headache may wish to deploy it to thew remote locations (but this is only an idea, and a long way down the road). Our central corporate office currently has a frac T1 (PRI) for VOIP and also a full T1 for our exchange server. Hope this bit of info helps. I appreciate your knowledge, I know LAN's ,but new to wan's. I am lost! Thanks.

 

[blue68f100]

T1 may not be enough. 6 VOIP phone can consume the bandwidth. What are your data file size. Are you re-sending complete records or just the updated part?

With what you want to do. I would move to the bonded T1 connections. Yes More expensive but a lot less headaches. You can always limit your bandwidth if needed using QoS. So certain applications have priority.

My experience with network scanners as long as you are not doing tiff, the size is not real large.

 

[fredweston]

T1 may not be enough. 6 VOIP phone can consume the bandwidth.

Holy crap, what kind of phones are you using? Cisco rates their VoIP stuff at around 50-80kbps, roughly translating into 8 kB/s, or about 24 calls on a T1, which makes sense considering T1s have 24 timeslots, so you can fit the same amount of voice across a T1 whether you're doing VoIP or traditional voice.

Most any business class router will surpass the specs of that Netgear, that's a small business router. Regardless of the processing power of the firewall, it's still going to add latency. Sure, not as much with a higher end unit as with a Linksys, but it's still adding some.

Bfliss, I can tell you now that you're going to have headaches if you try to store all files from 15 sites centrally without something a lot better than a single T1.

 

[blue68f100]

fred, For got to mention this was because a lot of voip equipment looks for the fastest connection to route through. What was happening was traffic from everwhere was going through his equipment. Eating up his bandwidth, at least for a short period of time. The major problem if using default ports.

 

[riser]

First, find a new Vendor. I'd recommend CDW as a strong vendor which has access to many companies that are adequate. I use them and strongly recommend them.

Since you only have a few computers... a T1 at each location is over kill. Find a business class cable connection. Get like a 5.0mbps or 8.0mbps for Business. Probably cost about $150 a month for something like that, considering a T1 is about $600/mo.

Next, invest in a good quality VPN system. We use Cisco. Have someone come in, configure it and you manage it. Its all web based to add users and what not.

I have roughly 50 locations coming back to my location. We have 3 T1s Network Load Balanced, meaning they all share bandwidth equally.

I'd start with 1 T1 in your office and move up to 2 if you find speeds not right.

Using AD, you'll want to set your replication interval further apart so you don't bog down often. Maybe set it to just work at night.

You could also set to have your images stored locally and copied to a central location every X hours. I use "Robocopy.exe" to mirror 40+ locations a few times a week. It only copies if files have changed. Though, you'll have to look more indepth to your operations before you start going in that direction.

In short, 1 or 2 T1s at your central location.
Cisco VPN Concentrator at Central location. You could use the VPN software on each individual computer to allow them to connect back to the central location though. That way you won't need a high-end Cisco PIX at each location. Actually, the software would probably be the way to go.
Business class cable. Yeah, it'll cost more, but it won't go down as long or as often. Regular cable won't be as steady.

Any questions, PM me.. I only scan the forums for problems lately. I haven't been as indepth with answering questions because of a lack of time lately.

 

[fredweston]

Remember that 5.0 mbps and 8.0 mbps refer to downstream speeds and typically have no bearing on upstream speeds. I totally disagree with the multiple VPN client suggestion unless you absolutely have no other option due to budget restrictions, supporting that would be a huge headache.

Nobody is going to be able to give you any type of educated answer without you first telling us some info about the amount of data you need to move, and how often. For example, how big the files are that the scanners generate, where the files will be stored, how often they will be accessed, how many files will be generated a day, etc.

 

[riser]

He stated he was trying to keep the cost down. Considering he has a handful of computers at each location, it wouldn't make sense to put in most VPN Endpoints. Running the software and having that automatically connect at logon, he could monitor each individual computer and treat them as remote users.

In using a Business cable system, you generally get far better upstream signals. You're not restricted like you are at home.. which is mainly so you don't host webpages. My local cable system offers 8 down, 5 up for $130/month on a business connection, plus two static IP addresses.

I would have recommended the Linksys VPN solution, Concentrator and End Point but if I recall, that only supports 4 VPN end points connecting into it at any given time. While he could set up multiple ones, that might be a headache.

Then again, dropping money into the central point and having the computers set up to use.. Cisco VPN client, configure it to log in on successful login, or have them sign into it again with a different username and password.. wouldn't really be that big of a deal. Treat remote sites as remote users and that should keep the cost down dramatically.

 

[fredweston]

In the grand scheme of things, the difference in cost is negligible, 15 VPN endpoints should cost about $6,000. For a business with 15 locations, $6,000 shouldn't be a big deal, especially a healthcare business. Even if it is, you could skimp and use a Linksys endpoint instead of a Cisco, Checkpoint, Juniper etc and cut that down to less than $2,000.

What cable company gives you 5mbps upstream for $130?