Branch Versus Headend

The medium network can be a standalone organization, in which case it might have subordinate branches for which it acts as the headend, or it can be a branch of a larger enterprise. The medium network that we have described to this point is operating as a headend. As a branch under a headquarters at another location, there would be changes:

• Device management would probably be done via private connection from headquarters (note that the perimeter router, with an externally exposed interface, would need separate management because it would be external to the private connection terminus).

• AAA and other security management functions would likewise be done from headquarters via a private connection.

• The Corporate Internet module would be scaled down, commensurate with the degree of Internet access allowed from the branch and the need (if any) for a DMZ.

The private connection supporting the branch from the headend might be a leased circuit (Frame Relay or ATM), in which case the Corporate Internet module's role would be greatly reduced, or it could be an IPSec tunnel. IPSec offers the opportunity to employ an existing Internet connection and thus eliminates the expense of a leased circuit. However, it supports IP only unless GRE tunneling is added to encapsulate the IPSec and other protocols alike, such as multicast. If IPSec is used, the WAN module might not even be present.