BYO MPLS
At an impressive rate, organizations are deploying site-to-site VPN for their corporate office connectivity. Here is a quick summary of design options:
1. Direct IPSec, for simplicity in smaller implementations. Nearly any firewall and many sub-$1000 routers will accomplish this. Fastest failover to backup hub gateway can be achieved here in under 2 seconds. This is the quick-and-dirty lowest-cost option. As usual, such solutions can grow hard to manage and troubleshoot.
2. Multiple IPSec tunnels with GRE for improved reliability and redundancy. Routers become the main option here unless another device is introduced to handle the IPSec termination only. Per-tunnel QoS is one feature unique here. Multicast support is introduced at this level.
3. Dynamic Multipoint VPN uses GRE, NHRP, IPSec and an IGP to further improve resilience and scalability. Full mesh and minimal spoke configurations are significant advantages. I’ve heard of DMVPN with hundreds of spokes on sub-$2k routers and the headend running a $5k router. Let me know of other scalable solutions you like!
virtualization marches on
Sure, you’ve got most of your servers virtualized now. And you’ve got a couple of contexts on your Cisco ACE. But how manageable and automatic is the provisioning? Check out Cisco’s VFrame:
Cisco VFrame DC offers a rich middleware platform to orchestrate the provisioning of VMware ESX Server in a quick, easy, consistent, and repeatable manner. Cisco VFrame DC will integrate with VMware VI3 to automate the provisioning of stateless, network-based ESX Server images onto a utility pool of Intel and AMD processor based servers.
Cisco VFrame Data Center manages the external dependencies VI3 does not address. It orchestrates the configuration of all the services downstream from the hypervisor
Web acceleration
Nearly all web acceleration features of load balancers can be done on your web server, but load balancers do give you a single, hardware-enabled place to do it. Browser-supported compression such as gzip is a nice feature because there’s no additional hit to your web servers. You also get many other options based on content type and sometimes even the speed of the remote client. Caching control transparently enhances remote browser handling of images while freeing staff from maintaining cache headers for all images. Finally, even TCP flow enhancements are more easily handled (sometimes with more options) on an appliance than by tuning the OS of your web servers.
Clean slate
If I were about to do this over, and this time I know everything I’ve just learned, would I do it again? This question can help you sort out activities you might want to stop doing.
Brian Tracy says this is one of his favorite techniques in The Power of Clarity. He calls this “Zero-based Thinking”.
Then there’s Oblivious
Wednesday April 04th 2007, 9:51 am
Filed under: Strategies
What are you completely missing? Everyone has large areas of knowledge or skills that they are unaware of. Perhaps some of it would help you become happier or more effective. Where to get started?
- Ask a successful acquaintance.
- Read. Read more. Preferably nonfiction or periodicals you’d never ordinarily pick up.
- Consider the opposite course of action.
- Third-person thinking; how would a reasonable neutral party assess a situation?
Obvious is in the eye of the beholder
Of the issues that seem obvious to you, a few actually go unseen by others. Look closely here to identify your unique ability. These ideas and skills are leading you to your best contribution.
Every problem looks like a nail
Sunday September 17th 2006, 2:52 pm
Filed under: Strategies
…at least when all you’ve got is a hammer.