Need to join an existing Cisco VPN but also load balance

Hi everyone,

One of my customers is a retail store with 200 or so locations. They removed the MPLS they had and now just use internet like cable or DSL and have Cisco 1800 routers that do VPN back to head office. It’s a phased project, and I can’t speak for all locations yet as we’re working on just 10 for now. From what I understand so far it seems like all traffic goes through the VPN including internet from in store kiosks. I want to try and move them to a Peplink solution and am still learning all of this, but wanted to see if I could get some advice first before meeting with them.

The main reason we would be doing this is because some locations can only do 15Mbps DSL or even 6Mbps which is too slow for them, so they wanted to bond 2 together for more speed. The problem I see with that is that from what I understand, their VPN would only work on one connection not both.

Moving all sites to Peplink would be nice, but they all can’t change so anything I put at these 10 sites must work with the existing network. Does the Cisco 1800 use different types of VPN or would there be one they are most likely on? If so would a Peplink Balance be able to create a VPN back to their head office similar to what they have today, or is Cisco proprietary? What I’m thinking would be to use a Balance device and get 2 of the 15Mbps DSL connections, dedicating one to the VPN which is for point of sale and in store kiosks, and then the other to public wifi. The problem is they have these in store kiosks to check online items, but they run through the VPN as it’s an intranet version of their public website but also a browser. So many customers would be on public wifi, but lots would still be on the kiosks. I’ll need to get more of an idea from them as to what their breakdown of traffic is, but assume the majority of their traffic is over the VPN.

Would love any feedback as to what others might do in this case as the main goal is really more bandwidth to support mainly web browsing and other tasks customers do on their phones while shopping plus the in store systems like the point of sale and the kiosks. The obvious answer is bringing in multiple WAN connections, but it’s the VPN back to head office that handles most of the traffic that’s tripping me up. Thanks so much!

I don’t know every Cisco product, but I’ve not seen a modern router with VPN capabilities that did not support IPsec. The Balance devices can simultaneously run SpeedFusion (bonded multi WAN, requires the same on both ends), PepVPN (requires Peplink on both ends, only one connection at a time), and IPsec. With IPsec you have interoperability between brands.

Let’s take a location where you only have 6Mb DSL. You could have SpeedFusion using two bonded 6MB links for the kiosks. That would theoretically be 12Mb but you lose some for overhead. That would require a Peplink device at the home office, but not necessarily multiple links on that end, depending on speed availability. You can have two WAN at the remote, and one WAN at home office, all blended together.

The same Peplink device at the remote site could have an IPsec VPN back to the existing home office Cisco for public wifi. That would be a third 6Mb WAN connection at the remote site. Of course you could do this with a separate PepVPN instead of IPsec when/if you someday go with all Peplink devices on both ends. PepVPN is much more robust and easier to configure.

Within the Peplink device at the remote site, you would write rules to channel the traffic to which VPN you desire. You can specify the Kiosks by IP or MAC, and route them to SpeedFusion. Everything else would default to the IPsec VPN.

Remember that each device has a maximum number of SpeedFusion and PepVPN connections. Even the smallest supports two Peplink VPNs plus IPsec, so no problem at the remote sites. You’re going to need some serious horsepower at the home office. Theoretically you have 200 sites, and ultimately you want 2 separate VPNs to each (one internal, one public).

Thanks that’s really helpful. I’m not entirely sure what they all connect back to, but it’s a central server of some sort so might even be in a data centre. We also are just working with 10 stores to start. I’m still trying to wrap my head around SpeedFusion and bonding. At most we’d look at just 2 DSL connections to start, so just 2 6Mbps, or at most 3 of them.

You make a good point about ease of setting up PepVPN. I don’t really want to get into a hybrid deployment trying to connect to a Cisco VPN unless they really want us to. So if we were going to just use 2 of the 6Mbps DSL connections at 1 store that needs more bandwidth, what would the ideal Peplink only configuration be? Would I be putting a Balance device that supports SpeedFusion Bandwidth Bonding at the customer data centre connected into their internal network, then a Balance at the retail store replacing the Cisco 1800 with the 2 DSL connections on it? Then that would basically give them double the bandwidth they have today?

Hi,

For SpeedFusion Bandwidth Bonding you require two Peplink solutions, one at each side of the VPN tunnel.
For the datacenter side, this could be a physical Peplink Balance router or FusionHub, a virtual SpeedFusion appliance.

On the customer side, the retail stores, you will need to place a Peplink Balance router which connects to the datacentre via SpeedFusion VPN.
You can connect the existing network of the retail store to the Peplink Balance router and just use it as a bonding solution.
Keep in mind that SpeedFusion VPN has a 10-15% overhead, so it will not be literally 6 Mbps + 6 Mbps = 12 Mbps.

I would suggest a Balance 380 for the datacenter if they’re planning to start small, this model supports 20 SpeedFusion VPN peers and a maximum SpeedFusion VPN throughput of 150 Mbps.
This will enable you/the customer to start with those 10 retail stores you mentioned.

For the retail stores I would suggest a Balance One Core with the optional SpeedFusion Bandwidth Bonding license key, or a Balance 210.
Both the Balance One Core and the Balance 210 support 2 SpeedFusion VPN peers, but the Balance One Core has a maximum VPN throughput of 30 Mbps, where the Balance 210 has a maximum VPN throughput of 80 Mbps.

Thanks everyone! Just spoke with my customer, they said we’re too late that they just put in Fortigate 90D at all sites. I’m not sure how Peplink compares? He’s saying it does load balancing, firewall, anti virus, and bonds all connections together. It doesn’t sound like it bonds the way SpeedFusion does though but correct me if I’m wrong, there’d be no point getting Peplink anything if they already have this would there be? He said removing it isn’t an option as it was just installed last month.