VPN’s and VoIP – Getting economical “full mesh” Connectivity without MPLS!
We see a lot of VoIP deployments that come to us for trouble shooting. A common problem statement is that our HQ site can call both Chicago and Dallas, but Dallas and Chicago can’t call each other. Savvy network administrator will have figured out that there is a routing issue, but how so? Clearly HQ knows how to reach each remote site and the remote sites know how to reach HQ, so where is the break down! At about this time, we learn they have VPN’s that provide tunnel connections to each location and we go clear!
The standard “tunnel” solutions include IP Security (IPSec), GRE, Easy VPN and the new “tunneless” Group Encrypted Transport VPN or GET-VPN. Most folks make the mistake of picking IPSec for connectivity and being an inherently point-to-point technology, they end up with the problem statement summarized above. Even a “hub and spoke” solution is not ideal unless we make it possible for “spoke to spoke” connectivity. Ideally, we need to configure our VPN so Dallas can communicate with Chicago, without passing through HQ!
IPsec is really an encryption and authentication technology that enable secure communications through a public internet. It is generally used in a multiple vendor deployments. IPsec does not support any protocol other than IP, so it can not be used with the routing protocols that might otherwise be used to solve our issue. For this reason, many deployments will use GRE over IPsec. GRE to address the routing protocol issues and the IPsec to provide the security of authentication and encryption. We are still however, in a point to point mode, or in heavy manual administration mode to configure a simple mesh!
The smart money is on “next hop resolution protocol or NHRP” used in strategies like FlexVPN, GETVPN or DMVPN. These solutions provide a full mesh option while providing for encryption and data integrity. In the problem statement above, had we installed FlexVPN, the Chicago and Dallas sites could communicate directly without having to route through HQ or hub. We would have “spoke to spoke” to communications! As broadband becomes more widely accepted and bandwidth becomes less of an issue, we should see more VPN technology deployed in place or in concert with private network technologies like MPLS (GetVPN over MPLS is really kool).
Give us a call and we can noodle out what “full mesh” technology makes the most sense for your organization, both technically and economically! We are here to help make the network!