Zero-Touch Deployment Remote Office solution?
We have a bunch of small remote offices where we deploy cheap routers with VPN tunnels back to the central office. This is a very static process with high overhead… we have to manage each remote router separately, and the offices do not have tech personnel that can handle local office issues.

We're looking for a more centrally managed and automated "zero-touch" remote office solution, like the Cisco Virtual Office, where the local non-clueful people don't have to do much.

http://www.cisco.com/en/US/netsol/ns855/index.html

Does anyone have any experience / feedback for this Cisco Virtual Office solution or have recommendations for alternative solutions?

- Matt
I handle this a different way. I'm not saying it's the easiest solution, but it's very scalable to many thousands of endpoints.

I take a small router and I set the "WAN" side to DHCP. I use client-initiated L2TP tunnels w/ IPsec protection to build a tunnel to the head end.

The beauty of this is:

1) It works on any internet connection. NAT and dynamic IPs are not a problem. Since it's all UDP encapsulated and client initiated, they just need to supply internet access via DHCP.

2) It's stateful. The username/password defined on the remote client decides what IP block is routed to the client. All configuration is done from the head end based on the RADIUS file. Routed IP blocks. Access lists. DNS settings. You name it. A report off the IP list data file builds the RADIUS file. If PPP/IPCP and virtual-templating can do it, you are good.

4) It supports all your standard routing protocols, and multicast, if desired.

5) The only thing needing provisioning on the remote side is username/password. Configs are pre-seeded with a "special" username/password that provides enough access for the head office to log in, change it to the final value, and reload.

Now, I know there are several more mainstream solutions than this, and while this removes technical complexity from the branch office, it does add some to the headquarters. If you're looking for a more out-of-the-box solution, Cisco has an EZ-VPN solution, amongst others.

On Fri, Jan 18, 2013 at 10:41 AM, Matthew Craig <matcraig@nmsu.edu> wrote:
> We have a bunch of small remote offices where we deploy cheap routers with VPN tunnels back to the central office. This is a very static process with high overhead… we have to manage each remote router separately, and the offices do not have tech personnel that can handle local office issues.
>
> We're looking for a more centrally managed and automated "zero-touch" remote office solution, like the Cisco Virtual Office, where the local non-clueful people don't have to do much.
>
> http://www.cisco.com/en/US/netsol/ns855/index.html
>
> Does anyone have any experience / feedback for this Cisco Virtual Office solution or have recommendations for alternative solutions.
>
> - Matt
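The "IP list data file builds the RADIUS file" step from the reply above, sketched as an added example that is not part of the thread or the poster's own tooling. It assumes a CSV-style data file, a FreeRADIUS-style users-file layout, and a hypothetical bootstrap username `provision`; the sites and addresses are constructed. Because the username decides which block is routed to a site, the build refuses to run when a username is reused or two blocks overlap.

```python
import ipaddress

# Constructed sample "IP list data file": site, PPP username, routed block.
IP_LIST = """\
branch-001,site001,10.20.1.0/24
branch-002,site002,10.20.2.0/24
branch-003,site003,10.20.2.128/25
branch-004,site001,10.20.4.0/24
"""
BOOTSTRAP_USER = "provision"  # hypothetical name of the pre-seeded login

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        site, user, block = (f.strip() for f in line.split(","))
        # ip_network() rejects malformed blocks and blocks with host bits set
        rows.append((site, user, ipaddress.ip_network(block)))
    return rows

def validate(rows):
    """Return a list of problems; empty means the RADIUS file may be built."""
    problems, owner = [], {}
    for i, (site, user, net) in enumerate(rows):
        if user == BOOTSTRAP_USER:
            problems.append(f"{site}: bootstrap login must not own a routed block")
        if user in owner:
            problems.append(f"{site}: username {user} already used by {owner[user]}")
        owner.setdefault(user, site)
        for other_site, _, other_net in rows[:i]:
            if net.overlaps(other_net):
                problems.append(f"{site}: {net} overlaps {other_net} ({other_site})")
    return problems

def build_radius_file(text):
    """Render per-user reply items, refusing to build from a bad IP list."""
    rows = parse(text)
    problems = validate(rows)
    if problems:
        raise ValueError("; ".join(problems))
    # Framed-Route uses the RFC 2865 text form: prefix/len gateway metric.
    # Password check items are left out; they belong in a secret store.
    return "\n".join(
        f'# {site}\n{user}\n\tFramed-Route = "{net} 0.0.0.0 1"\n'
        for site, user, net in rows)
```
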
I wrote to him privately.. But will post on the list too.. Meraki is pretty rad for doing just this.
Participants (3): Matthew Craig, PC, Warren Bailey