What You Need to Know about Branch Networking: Everything Else

Posted: June 2, 2011 in Industry Commentary, IT policy

Today we’re finishing up our series on “What You Need to Know About Branch Networking.” We’ve covered High Availability, Central Management, and Masking – so what’s left? A garden variety of other considerations: fragmentation and Maximum Transmission Unit (MTU), the enforced 24-hour disconnect on DSL connections, and a few other things. So let’s dive right in.

Fragmenting and Maximum Transmission Unit (MTU)

An issue with branch networking is the size of the data packets when communicating over different Internet access media. For example, DSL allows for packet sizes of 1492 bytes. Frequently the VPN data packets that the branch office VPN gateway sends to the router over DSL are larger than this. By default, the result is fragmented IPsec packets. This fragmentation has a negative effect at the IP level, since various routers don’t accept fragmented IPsec packets: they do not forward such packets, so the data is lost.

This problem can be combated with pre-fragmentation. This process doesn’t fragment the IPsec packets; it fragments the data packets prior to tunneling, which means the IPsec tunnel header is added after fragmentation. With this method, the system only sends non-fragmented IPsec packets, which the Internet router / firewall accepts.

Modern professional VPN solutions provide this intelligent method of dynamically reducing the MTU. Such VPN gateways are able to automatically adapt the packet size of TCP connections to the defined size prior to connection setup, so that full-size segments never need fragmenting in the first place.
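The arithmetic behind the two approaches, as an added worked example that is not part of the original post or of any vendor’s product: it models the ESP tunnel-mode overhead, computes the largest inner datagram that still fits the 1492-byte DSL MTU the post mentions, derives the TCP MSS a gateway would clamp to, and pre-fragments an oversized inner datagram so that every encrypted packet fits. The ESP overhead figures are assumptions (IPv4 without options, AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, no NAT-traversal UDP header); a different cipher suite changes the numbers but not the method.

```python
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options (assumed)
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspParams:
    """Per-packet ESP overhead. Assumed suite: AES-CBC (16-byte IV and block) + HMAC-SHA1-96 (12-byte ICV)."""
    iv_len: int = 16
    block: int = 16
    icv_len: int = 12


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Wire size of one ESP tunnel-mode packet carrying an inner datagram of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block   # round up to the cipher block
    return IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_inner_len(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner datagram whose tunnel packet still fits outer_mtu (inverse of esp_tunnel_size)."""
    avail = outer_mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len
    return (avail // p.block) * p.block - ESP_TRAILER


def tcp_mss_clamp(outer_mtu: int, p: EspParams = EspParams()) -> int:
    """MSS to advertise/clamp so that a full-size TCP segment never needs fragmenting at all."""
    return max_inner_len(outer_mtu, p) - IPV4_HDR - TCP_HDR


def prefragment(inner_len: int, outer_mtu: int, p: EspParams = EspParams()) -> list:
    """Split an inner IPv4 datagram BEFORE ESP encapsulation.

    Returns (fragment_offset_in_8_byte_units, more_fragments, fragment_len) tuples
    sized so that no resulting tunnel packet exceeds outer_mtu.
    """
    data_total = inner_len - IPV4_HDR
    max_data = max_inner_len(outer_mtu, p) - IPV4_HDR
    max_data -= max_data % 8             # every fragment but the last must be a multiple of 8 bytes
    if max_data <= 0:
        raise ValueError("outer MTU too small for any inner payload")
    frags, offset = [], 0
    while offset < data_total:
        chunk = min(max_data, data_total - offset)
        more = offset + chunk < data_total
        frags.append((offset // 8, more, IPV4_HDR + chunk))
        offset += chunk
    return frags


def compare(inner_len: int, outer_mtu: int, p: EspParams = EspParams()) -> dict:
    """Encapsulate-then-fragment (the default) versus fragment-then-encapsulate (pre-fragmentation)."""
    whole = esp_tunnel_size(inner_len, p)
    frags = prefragment(inner_len, outer_mtu, p)
    return {
        "encapsulate_first_size": whole,
        "encapsulate_first_fits": whole <= outer_mtu,   # False: the outer IP layer fragments an IPsec packet
        "prefragment_count": len(frags),
        "prefragment_all_fit": all(esp_tunnel_size(n, p) <= outer_mtu for _, _, n in frags),
    }


if __name__ == "__main__":
    DSL_MTU = 1492                                   # PPPoE DSL value from the post
    print("max inner datagram:", max_inner_len(DSL_MTU))
    print("TCP MSS clamp:", tcp_mss_clamp(DSL_MTU))
    print("1500-byte inner datagram:", compare(1500, DSL_MTU))
```

With these parameters a 1500-byte inner datagram encrypts to 1560 bytes, so the default path hands the router a fragmented IPsec packet; pre-fragmenting it into a 1420-byte and a 100-byte inner fragment yields tunnel packets of 1480 and 168 bytes, both under 1492. If NAT traversal is active, add the 8-byte UDP header to the overhead before running the same calculation.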

Enforced 24-hour disconnect for DSL connections

The 24-hour disconnect is usually harmless for site-to-site VPNs. During “peak times,” however, a permanent connection has to remain established. Most providers carry out the enforced 24-hour disconnect automatically, naturally 24 hours after the first connection setup. This means the administrator has to pay attention — as early as during VPN installation — to whether the VPN gateway offers a feature that allows the administrator to set the time of the enforced 24-hour disconnect, so that it falls outside business hours.

Branch office structure is decisive

Everything we discussed in this series should be taken into account when implementing a site-to-site VPN installation. In most cases, only the details make branch office networking difficult. And while most VPN gateways are suitable for simple standard networks, administration and management tools separate the wheat from the chaff.
