We have an MPLS WAN in several cities, mostly T1s, and corporate has Metro Ethernet. All have service provider routers (default), ASA 5510 firewalls, and then various Cisco layer 2 switches.
Each site has the typical domain controller, file/print server, and wireless network, and corporate has both intranet and internet servers. One other site ties into corporate with a PTP VPN.
Originally, Internet access was ultimately through the corporate router. But we offloaded Internet traffic to cable and DSL at each site.
Now, Internet traffic routing is done at the firewall level, where (as I understand it) the router dutifully kicks back packets not destined for the MPLS network, and the firewall routes them through another interface to the modems (cable/DSL).
1. Slow router changes, have to be coordinated with service provider
2. It works, but it's ugly to document, standardize, and maintain
3. No failover capability
MY OPTIONS? (one or more)
1. Adding CPE routers at each site
2. Adding Layer 3 switches at each site
3. Replacing 5510s with 5505s at each site
I haven't decided if I need any firewalling between sites, but I don't think it would hurt, in case of an outbreak. It might be a pain to have it, but...
Any suggestions, recommendations?